From 9fe1d1f41069eda254e11746512d6be032db81d5 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Thu, 19 Feb 2026 00:38:47 +0100
Subject: Drop auth parameter from create_unsecure_client_config

Credentials over plaintext SecurityPolicy#None are insecure, so the
unsecure client path now always uses anonymous authentication.
---
 src/bobink_opcua_client.c |  4 ++--
 src/common.c              | 16 ++--------------
 src/common.h              |  9 +++------
 src/server_register.c     |  2 +-
 4 files changed, 8 insertions(+), 23 deletions(-)

(limited to 'src')

diff --git a/src/bobink_opcua_client.c b/src/bobink_opcua_client.c
index 35a3e6f..79edef6 100644
--- a/src/bobink_opcua_client.c
+++ b/src/bobink_opcua_client.c
@@ -342,13 +342,13 @@ main (int argc, char **argv)
   UA_StatusCode retval;
   if (op == OP_DOWNLOAD_CERT)
     retval = create_unsecure_client_config (UA_Client_getConfig (client),
-                                            application_uri, NULL);
+                                            application_uri);
   else if (sec.cert_path)
     retval = create_secure_client_config (UA_Client_getConfig (client),
                                           application_uri, &sec, &auth);
   else
     retval = create_unsecure_client_config (UA_Client_getConfig (client),
-                                            application_uri, &auth);
+                                            application_uri);
 
   if (retval != UA_STATUSCODE_GOOD)
     {
diff --git a/src/common.c b/src/common.c
index 8f141d7..7964d62 100644
--- a/src/common.c
+++ b/src/common.c
@@ -379,7 +379,7 @@ print_application_description (const UA_ApplicationDescription *description,
 }
 
 void
-print_endpoint (const UA_EndpointDescription *endpoint, size_t index)
+print_endpoint_description (const UA_EndpointDescription *endpoint, size_t index)
 {
   const char *mode = "Unknown";
   switch (endpoint->securityMode)
@@ -484,16 +484,8 @@ create_server (UA_UInt16 port, const char *application_uri,
 
 UA_StatusCode
 create_unsecure_client_config (UA_ClientConfig *cc,
-                               const char *application_uri,
-                               const auth_config *auth)
+                               const char *application_uri)
 {
-  if (auth && auth->mode == AUTH_CERT)
-    {
-      UA_LOG_ERROR (UA_Log_Stdout, UA_LOGCATEGORY_APPLICATION,
-                    "Certificate authentication requires encryption");
-      return UA_STATUSCODE_BADINVALIDARGUMENT;
-    }
-
   UA_StatusCode retval = UA_ClientConfig_setDefault (cc);
   if (retval != UA_STATUSCODE_GOOD)
     return retval;
@@ -505,10 +497,6 @@ create_unsecure_client_config (UA_ClientConfig *cc,
   UA_String_clear (&cc->securityPolicyUri);
   UA_String_copy (&UA_SECURITY_POLICY_NONE_URI, &cc->securityPolicyUri);
 
-  if (auth && auth->mode == AUTH_USER)
-    UA_ClientConfig_setAuthenticationUsername (cc, auth->user.username,
-                                               auth->user.password);
-
   return UA_STATUSCODE_GOOD;
 }
 
diff --git a/src/common.h b/src/common.h
index 0196e06..66bf905 100644
--- a/src/common.h
+++ b/src/common.h
@@ -215,18 +215,15 @@ UA_Server *create_server (UA_UInt16 port, const char *application_uri,
  *
  * Sets up a default client config with SecurityPolicy#None and the given
  * application URI.  Explicitly sets securityMode and securityPolicyUri so
- * that internal endpoint negotiation matches None endpoints.  When @p auth
- * is non-NULL and mode is AUTH_USER, configures username/password
- * authentication.  AUTH_CERT returns an error (requires encryption).
+ * that internal endpoint negotiation matches None endpoints.  Always uses
+ * anonymous authentication (credentials over plaintext are insecure).
  *
  * @param cc Pointer to a zero-initialized UA_ClientConfig.
  * @param application_uri OPC UA application URI.
- * @param auth Authentication config, or NULL for anonymous.
  * @return UA_STATUSCODE_GOOD on success, error code otherwise.
  */
 UA_StatusCode create_unsecure_client_config (UA_ClientConfig *cc,
-                                             const char *application_uri,
-                                             const auth_config *auth);
+                                             const char *application_uri);
 
 /**
  * @brief Initializes a UA_ClientConfig with encryption.
diff --git a/src/server_register.c b/src/server_register.c
index b675e2f..b1d87fd 100644
--- a/src/server_register.c
+++ b/src/server_register.c
@@ -59,7 +59,7 @@ _s_make_lds_client_config (UA_ClientConfig *cc, const lds_client_params *p)
   if (p->sec.cert_path)
     rv = create_secure_client_config (cc, p->app_uri, &p->sec, &p->auth);
   else
-    rv = create_unsecure_client_config (cc, p->app_uri, &p->auth);
+    rv = create_unsecure_client_config (cc, p->app_uri);
   if (rv != UA_STATUSCODE_GOOD)
     return rv;
   cc->logging->context = (void *)(uintptr_t)p->log_level;
-- 
cgit v1.2.3