client basic 256sha256 / server sample / tests / various fixes (#1691)

* client basic 256sha256 / tests / various fixes

* fix server basic256sha256

* remove duplicated loadFile

* Fix fuzzing by making backup of message buffer

* Disable sonarcloud on PRs

examples/CMakeLists.txt

@@ -76,8 +76,10 @@ add_example(server_inheritance server_inheritance.c)
 
 if(UA_ENABLE_ENCRYPTION)
     add_example(server_basic128rsa15 encryption/server_basic128rsa15.c)
+    add_example(server_basic256sha256 encryption/server_basic256sha256.c)
     # Add secure client example application
     add_example(client_basic128rsa15 encryption/client_basic128rsa15.c)
+    add_example(client_basic256sha256 encryption/client_basic256sha256.c)
 endif()
 
 add_example(custom_datatype_client custom_datatype/client_types_custom.c)

examples/common.h

@@ -0,0 +1,34 @@
+/* This work is licensed under a Creative Commons CCZero 1.0 Universal License.
+ * See http://creativecommons.org/publicdomain/zero/1.0/ for more information. */
+
+/* loadFile parses the certificate file.
+ *
+ * @param  path               specifies the file name given in argv[]
+ * @return Returns the file content after parsing */
+static UA_INLINE UA_ByteString
+loadFile(const char *const path) {
+    UA_ByteString fileContents = UA_STRING_NULL;
+
+    /* Open the file */
+    FILE *fp = fopen(path, "rb");
+    if(!fp) {
+        errno = 0; /* We read errno also from the tcp layer... */
+        return fileContents;
+    }
+
+    /* Get the file length, allocate the data and read */
+    fseek(fp, 0, SEEK_END);
+    fileContents.length = (size_t)ftell(fp);
+    fileContents.data = (UA_Byte *)UA_malloc(fileContents.length * sizeof(UA_Byte));
+    if(fileContents.data) {
+        fseek(fp, 0, SEEK_SET);
+        size_t read = fread(fileContents.data, sizeof(UA_Byte), fileContents.length, fp);
+        if(read != fileContents.length)
+            UA_ByteString_deleteMembers(&fileContents);
+    } else {
+        fileContents.length = 0;
+    }
+    fclose(fp);
+
+    return fileContents;
+}

examples/discovery/server_multicast.c

@@ -250,7 +250,8 @@ UA_Client *getRegisterClient(UA_EndpointDescription *endpointRegister, int argc,
                                           certificate, privateKey,
                                           &endpointRegister->serverCertificate,
                                           trustList, trustListSize,
-                                          revocationList, revocationListSize);
+                                          revocationList, revocationListSize,
+                                          UA_SecurityPolicy_Basic128Rsa15);
     UA_ByteString_deleteMembers(&certificate);
     UA_ByteString_deleteMembers(&privateKey);
     for (size_t deleteCount = 0; deleteCount < trustListSize; deleteCount++) {

examples/encryption/client_basic128rsa15.c

@@ -1,52 +1,16 @@
-/* This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- *
- *     Copyright 2018 (c) Kalycito Infotech Private Limited
- */
+/* This work is licensed under a Creative Commons CCZero 1.0 Universal License.
+ * See http://creativecommons.org/publicdomain/zero/1.0/ for more information. */
 
 #include <stdio.h>
 #include <errno.h>
 
 #include "open62541.h"
+#include "../common.h"
 
 #define MIN_ARGS           3
 #define FAILURE            1
 #define CONNECTION_STRING  "opc.tcp://localhost:4840"
 
-/* loadFile parses the certificate file.
- *
- * @param  path               specifies the file name given in argv[]
- * @return Returns the file content after parsing */
-static UA_ByteString loadFile(const char *const path) {
-    UA_ByteString fileContents = UA_BYTESTRING_NULL;
-    if(path == NULL)
-        return fileContents;
-
-    /* Open the file */
-    FILE *fp = fopen(path, "rb");
-    if(!fp) {
-        errno = 0; /* We read errno also from the tcp layer */
-        return fileContents;
-    }
-
-    /* Get the file length, allocate the data and read */
-    fseek(fp, 0, SEEK_END);
-    fileContents.length = (size_t)ftell(fp);
-    fileContents.data = (UA_Byte*)UA_malloc(fileContents.length * sizeof(UA_Byte));
-    if(fileContents.data) {
-        fseek(fp, 0, SEEK_SET);
-        size_t read = fread(fileContents.data, sizeof(UA_Byte), fileContents.length, fp);
-        if(read != fileContents.length)
-            UA_ByteString_deleteMembers(&fileContents);
-    } else {
-        fileContents.length = 0;
-    }
-
-    fclose(fp);
-    return fileContents;
-}
-
 /* cleanupClient deletes the memory allocated for client configuration.
  *
  * @param  client             client configuration that need to be deleted
@@ -123,6 +87,8 @@ int main(int argc, char* argv[]) {
     UA_Array_delete(endpointArray, endpointArraySize,
                     &UA_TYPES[UA_TYPES_ENDPOINTDESCRIPTION]);
 
+    UA_Client_delete(client); /* Disconnects the client internally */
+
     /* Load the trustList. Load revocationList is not supported now */
     if(argc > MIN_ARGS) {
         trustListSize = (size_t)argc-MIN_ARGS;
@@ -142,7 +108,8 @@ int main(int argc, char* argv[]) {
                                   certificate, privateKey,
                                   remoteCertificate,
                                   trustList, trustListSize,
-                                  revocationList, revocationListSize);
+                                  revocationList, revocationListSize,
+                                  UA_SecurityPolicy_Basic128Rsa15);
     if(client == NULL) {
         UA_ByteString_delete(remoteCertificate); /* Dereference the memory */
         return FAILURE;
@@ -154,13 +121,6 @@ int main(int argc, char* argv[]) {
         UA_ByteString_deleteMembers(&trustList[deleteCount]);
     }
 
-    if(!client) {
-        UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
-                     "Could not create the server config");
-        cleanupClient(client, remoteCertificate);
-        return FAILURE;
-    }
-
     /* Secure client connect */
     retval = UA_Client_connect(client, CONNECTION_STRING);
     if(retval != UA_STATUSCODE_GOOD) {

examples/encryption/client_basic256sha256.c

@@ -0,0 +1,150 @@
+/* This work is licensed under a Creative Commons CCZero 1.0 Universal License.
+ * See http://creativecommons.org/publicdomain/zero/1.0/ for more information. */
+
+#include <stdio.h>
+#include <errno.h>
+
+#include "open62541.h"
+#include "../common.h"
+
+#define MIN_ARGS           3
+#define FAILURE            1
+#define CONNECTION_STRING  "opc.tcp://localhost:4840"
+
+/* cleanupClient deletes the memory allocated for client configuration.
+ *
+ * @param  client             client configuration that need to be deleted
+ * @param  remoteCertificate  server certificate */
+static void cleanupClient(UA_Client* client, UA_ByteString* remoteCertificate) {
+    UA_ByteString_delete(remoteCertificate); /* Dereference the memory */
+    UA_Client_delete(client); /* Disconnects the client internally */
+}
+
+/* main function for secure client implementation.
+ *
+ * @param  argc               count of command line variable provided
+ * @param  argv[]             array of strings include certificate, private key,
+ *                            trust list and revocation list
+ * @return Return an integer representing success or failure of application */
+int main(int argc, char* argv[]) {
+    UA_Client*              client             = NULL;
+    UA_ByteString*          remoteCertificate  = NULL;
+    UA_StatusCode           retval             = UA_STATUSCODE_GOOD;
+    UA_ByteString*          trustList          = NULL;
+    size_t                  trustListSize      = 0;
+    UA_ByteString*          revocationList     = NULL;
+    size_t                  revocationListSize = 0;
+
+    /* endpointArray is used to hold the available endpoints in the server
+     * endpointArraySize is used to hold the number of endpoints available */
+    UA_EndpointDescription* endpointArray      = NULL;
+    size_t                  endpointArraySize  = 0;
+
+    /* Load certificate and private key */
+    UA_ByteString           certificate        = loadFile(argv[1]);
+    UA_ByteString           privateKey         = loadFile(argv[2]);
+
+    if(argc < MIN_ARGS) {
+        UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                     "The Certificate and key is missing."
+                     "The required arguments are "
+                     "<client-certificate.der> <client-private-key.der> "
+                     "[<trustlist1.crl>, ...]");
+        return FAILURE;
+    }
+
+    /* The Get endpoint (discovery service) is done with
+     * security mode as none to see the server's capability
+     * and certificate */
+    client = UA_Client_new(UA_ClientConfig_default);
+    remoteCertificate = UA_ByteString_new();
+    retval = UA_Client_getEndpoints(client, CONNECTION_STRING,
+                                    &endpointArraySize, &endpointArray);
+    if(retval != UA_STATUSCODE_GOOD) {
+        UA_Array_delete(endpointArray, endpointArraySize,
+                        &UA_TYPES[UA_TYPES_ENDPOINTDESCRIPTION]);
+        cleanupClient(client, remoteCertificate);
+        return (int)retval;
+    }
+
+    printf("%i endpoints found\n", (int)endpointArraySize);
+    for(size_t endPointCount = 0; endPointCount < endpointArraySize; endPointCount++) {
+        printf("URL of endpoint %i is %.*s\n", (int)endPointCount,
+               (int)endpointArray[endPointCount].endpointUrl.length,
+               endpointArray[endPointCount].endpointUrl.data);
+        if(endpointArray[endPointCount].securityMode == UA_MESSAGESECURITYMODE_SIGNANDENCRYPT)
+            UA_ByteString_copy(&endpointArray[endPointCount].serverCertificate, remoteCertificate);
+    }
+
+    if(UA_ByteString_equal(remoteCertificate, &UA_BYTESTRING_NULL)) {
+        UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                     "Server does not support Security Mode of"
+                     " UA_MESSAGESECURITYMODE_SIGNANDENCRYPT");
+        cleanupClient(client, remoteCertificate);
+        return FAILURE;
+    }
+
+    UA_Array_delete(endpointArray, endpointArraySize,
+                    &UA_TYPES[UA_TYPES_ENDPOINTDESCRIPTION]);
+
+    UA_Client_delete(client); /* Disconnects the client internally */
+
+    /* Load the trustList. Load revocationList is not supported now */
+    if(argc > MIN_ARGS) {
+        trustListSize = (size_t)argc-MIN_ARGS;
+        retval = UA_ByteString_allocBuffer(trustList, trustListSize);
+        if(retval != UA_STATUSCODE_GOOD) {
+            cleanupClient(client, remoteCertificate);
+            return (int)retval;
+        }
+
+        for(size_t trustListCount = 0; trustListCount < trustListSize; trustListCount++) {
+            trustList[trustListCount] = loadFile(argv[trustListCount+3]);
+        }
+    }
+
+    /* Secure client initialization */
+    client = UA_Client_secure_new(UA_ClientConfig_default,
+                                  certificate, privateKey,
+                                  remoteCertificate,
+                                  trustList, trustListSize,
+                                  revocationList, revocationListSize,
+                                  UA_SecurityPolicy_Basic256Sha256);
+    if(client == NULL) {
+        UA_ByteString_delete(remoteCertificate); /* Dereference the memory */
+        return FAILURE;
+    }
+
+    UA_ByteString_deleteMembers(&certificate);
+    UA_ByteString_deleteMembers(&privateKey);
+    for(size_t deleteCount = 0; deleteCount < trustListSize; deleteCount++) {
+        UA_ByteString_deleteMembers(&trustList[deleteCount]);
+    }
+
+    /* Secure client connect */
+    retval = UA_Client_connect(client, CONNECTION_STRING);
+    if(retval != UA_STATUSCODE_GOOD) {
+        cleanupClient(client, remoteCertificate);
+        return (int)retval;
+    }
+
+    UA_Variant value;
+    UA_Variant_init(&value);
+
+    /* NodeId of the variable holding the current time */
+    const UA_NodeId nodeId = UA_NODEID_NUMERIC(0, UA_NS0ID_SERVER_SERVERSTATUS_CURRENTTIME);
+    retval = UA_Client_readValueAttribute(client, nodeId, &value);
+
+    if(retval == UA_STATUSCODE_GOOD &&
+       UA_Variant_hasScalarType(&value, &UA_TYPES[UA_TYPES_DATETIME])) {
+        UA_DateTime raw_date  = *(UA_DateTime *) value.data;
+        UA_DateTimeStruct dts = UA_DateTime_toStruct(raw_date);
+        UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, "date is: %u-%u-%u %u:%u:%u.%03u\n",
+                    dts.day, dts.month, dts.year, dts.hour, dts.min, dts.sec, dts.milliSec);
+    }
+
+    /* Clean up */
+    UA_Variant_deleteMembers(&value);
+    cleanupClient(client, remoteCertificate);
+    return (int)retval;
+}

examples/encryption/server_basic128rsa15.c

@@ -5,33 +5,7 @@
 #include <stdio.h>
 #include <errno.h>
 #include "open62541.h"
-
-static UA_ByteString loadFile(const char *const path) {
-    UA_ByteString fileContents = UA_STRING_NULL;
-
-    /* Open the file */
-    FILE *fp = fopen(path, "rb");
-    if(!fp) {
-        errno = 0; /* We read errno also from the tcp layer... */
-        return fileContents;
-    }
-
-    /* Get the file length, allocate the data and read */
-    fseek(fp, 0, SEEK_END);
-    fileContents.length = (size_t)ftell(fp);
-    fileContents.data = (UA_Byte*)UA_malloc(fileContents.length * sizeof(UA_Byte));
-    if(fileContents.data) {
-        fseek(fp, 0, SEEK_SET);
-        size_t read = fread(fileContents.data, sizeof(UA_Byte), fileContents.length, fp);
-        if(read != fileContents.length)
-            UA_ByteString_deleteMembers(&fileContents);
-    } else {
-        fileContents.length = 0;
-    }
-    fclose(fp);
-
-    return fileContents;
-}
+#include "../common.h"
 
 UA_Boolean running = true;
 static void stopHandler(int sig) {
@@ -63,7 +37,7 @@ int main(int argc, char* argv[]) {
     for(size_t i = 0; i < trustListSize; i++)
         trustList[i] = loadFile(argv[i+3]);
 
-    /* Loading of a revocation list currentlu unsupported */
+    /* Loading of a revocation list currently unsupported */
     UA_ByteString *revocationList = NULL;
     size_t revocationListSize = 0;
 

examples/encryption/server_basic256sha256.c

@@ -0,0 +1,64 @@
+/* This work is licensed under a Creative Commons CCZero 1.0 Universal License.
+ * See http://creativecommons.org/publicdomain/zero/1.0/ for more information. */
+
+#include <signal.h>
+#include <stdio.h>
+#include <errno.h>
+#include "open62541.h"
+#include "../common.h"
+
+UA_Boolean running = true;
+static void stopHandler(int sig) {
+    UA_LOG_INFO(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, "received ctrl-c");
+    running = false;
+}
+
+int main(int argc, char* argv[]) {
+    signal(SIGINT, stopHandler);
+    signal(SIGTERM, stopHandler);
+
+    if(argc < 3) {
+        UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                     "Missing arguments. Arguments are "
+                     "<server-certificate.der> <private-key.der> "
+                     "[<trustlist1.crl>, ...]");
+        return 1;
+    }
+
+    /* Load certificate and private key */
+    UA_ByteString certificate = loadFile(argv[1]);
+    UA_ByteString privateKey = loadFile(argv[2]);
+
+    /* Load the trustlist */
+    size_t trustListSize = 0;
+    if(argc > 3)
+        trustListSize = (size_t)argc-3;
+    UA_STACKARRAY(UA_ByteString, trustList, trustListSize);
+    for(size_t i = 0; i < trustListSize; i++)
+        trustList[i] = loadFile(argv[i+3]);
+
+    /* Loading of a revocation list currently unsupported */
+    UA_ByteString *revocationList = NULL;
+    size_t revocationListSize = 0;
+
+    UA_ServerConfig *config =
+        UA_ServerConfig_new_basic256sha256(4840, &certificate, &privateKey,
+                                          trustList, trustListSize,
+                                          revocationList, revocationListSize);
+    UA_ByteString_deleteMembers(&certificate);
+    UA_ByteString_deleteMembers(&privateKey);
+    for(size_t i = 0; i < trustListSize; i++)
+        UA_ByteString_deleteMembers(&trustList[i]);
+
+    if(!config) {
+        UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                     "Could not create the server config");
+        return 1;
+    }
+
+    UA_Server *server = UA_Server_new(config);
+    UA_StatusCode retval = UA_Server_run(server, &running);
+    UA_Server_delete(server);
+    UA_ServerConfig_delete(config);
+    return (int)retval;
+}

examples/server_certificate.c

@@ -10,36 +10,11 @@
 #include <errno.h> // errno, EINTR
 #include <stdlib.h>
 #include "open62541.h"
+#include "common.h"
 
 UA_Boolean running = true;
 UA_Logger logger = UA_Log_Stdout;
 
-static UA_ByteString loadCertificate(void) {
-    UA_ByteString certificate = UA_STRING_NULL;
-    //FIXME: a potiential bug of locating the certificate, we need to get the path from the server's config
-    FILE *fp = fopen("server_cert.der", "rb");
-    if(!fp) {
-        errno = 0; // we read errno also from the tcp layer...
-        UA_LOG_ERROR(logger, UA_LOGCATEGORY_SERVER, "Could not open certificate file");
-        return certificate;
-    }
-
-    fseek(fp, 0, SEEK_END);
-    certificate.length = (size_t)ftell(fp);
-    certificate.data = (UA_Byte *)UA_malloc(certificate.length*sizeof(UA_Byte));
-    if(!certificate.data) {
-        fclose(fp);
-        return UA_STRING_NULL;
-    }
-
-    fseek(fp, 0, SEEK_SET);
-    if(fread(certificate.data, sizeof(UA_Byte), certificate.length, fp) < (size_t)certificate.length)
-        UA_ByteString_deleteMembers(&certificate); // error reading the cert
-    fclose(fp);
-
-    return certificate;
-}
-
 static void stopHandler(int sign) {
     UA_LOG_INFO(logger, UA_LOGCATEGORY_SERVER, "received ctrl-c");
     running = false;
@@ -51,7 +26,7 @@ int main(int argc, char** argv) {
     UA_ServerConfig *config = UA_ServerConfig_new_default();
 
     /* load certificate */
-    config->serverCertificate = loadCertificate();
+    config->serverCertificate = loadFile("server_cert.der");
     if(config->serverCertificate.length > 0)
         UA_LOG_INFO(logger, UA_LOGCATEGORY_SERVER, "Certificate loaded");
 

examples/server_ctt.c

@@ -12,6 +12,7 @@
 #include <string.h>
 #include <open62541.h>
 #include "open62541.h"
+#include "common.h"
 
 /* This server is configured to the Compliance Testing Tools (CTT) against. The
  * corresponding CTT configuration is available at
@@ -22,34 +23,6 @@ UA_Logger logger = UA_Log_Stdout;
 
 static const UA_NodeId baseDataVariableType = {0, UA_NODEIDTYPE_NUMERIC, {UA_NS0ID_BASEDATAVARIABLETYPE}};
 
-static UA_ByteString
-loadFile(const char *const path) {
-    UA_ByteString fileContents = UA_STRING_NULL;
-
-    /* Open the file */
-    FILE *fp = fopen(path, "rb");
-    if(!fp) {
-        errno = 0; /* We read errno also from the tcp layer... */
-        return fileContents;
-    }
-
-    /* Get the file length, allocate the data and read */
-    fseek(fp, 0, SEEK_END);
-    fileContents.length = (size_t)ftell(fp);
-    fileContents.data = (UA_Byte *)UA_malloc(fileContents.length * sizeof(UA_Byte));
-    if(fileContents.data) {
-        fseek(fp, 0, SEEK_SET);
-        size_t read = fread(fileContents.data, sizeof(UA_Byte), fileContents.length, fp);
-        if(read != fileContents.length)
-            UA_ByteString_deleteMembers(&fileContents);
-    } else {
-        fileContents.length = 0;
-    }
-    fclose(fp);
-
-    return fileContents;
-}
-
 static void
 stopHandler(int sign) {
     UA_LOG_INFO(logger, UA_LOGCATEGORY_SERVER, "Received Ctrl-C");

include/ua_client.h

@@ -24,6 +24,7 @@ extern "C" {
 #include "ua_types.h"
 #include "ua_types_generated.h"
 #include "ua_types_generated_handling.h"
+#include "ua_plugin_securitypolicy.h"
 #include "ua_plugin_network.h"
 #include "ua_plugin_log.h"
 #include "ua_client_config.h"
@@ -58,20 +59,22 @@ UA_Client_new(UA_ClientConfig config);
 /* Creates a new secure client with the required configuration, certificate
  * privatekey, trustlist and revocation list.
  *
- * @param  config               new secure configuration for client
- * @param  certificate          client certificate
- * @param  privateKey           client's private key
- * @param  remoteCertificate    server certificate form the endpoints
- * @param  trustList            list of trustable certificate
- * @param  trustListSize        count of trustList
- * @param  revocationList       list of revoked digital certificate
- * @param  revocationListSize   count of revocationList
+ * @param  config                   new secure configuration for client
+ * @param  certificate              client certificate
+ * @param  privateKey               client's private key
+ * @param  remoteCertificate        server certificate form the endpoints
+ * @param  trustList                list of trustable certificate
+ * @param  trustListSize            count of trustList
+ * @param  revocationList           list of revoked digital certificate
+ * @param  revocationListSize       count of revocationList
+ * @param  securityPolicyFunction   securityPolicy function
  * @return Returns a client configuration for secure channel */
 UA_Client UA_EXPORT *
 UA_Client_secure_new(UA_ClientConfig config, UA_ByteString certificate,
                      UA_ByteString privateKey, const UA_ByteString *remoteCertificate,
                      const UA_ByteString *trustList, size_t trustListSize,
-                     const UA_ByteString *revocationList, size_t revocationListSize);
+                     const UA_ByteString *revocationList, size_t revocationListSize,
+                     UA_SecurityPolicy_Func securityPolicyFunction);
 
 /* Get the client connection status */
 UA_ClientState UA_EXPORT

include/ua_plugin_securitypolicy.h

@@ -378,6 +378,13 @@ UA_SecurityPolicy_getRemoteAsymEncryptionBufferLengthOverhead(const UA_SecurityP
                                                               const void *channelContext,
                                                               size_t maxEncryptionLength);
 
+
+typedef UA_StatusCode (*UA_SecurityPolicy_Func)(UA_SecurityPolicy *policy,
+                                                UA_CertificateVerification *certificateVerification,
+                                                const UA_ByteString localCertificate,
+                                                const UA_ByteString localPrivateKey,
+                                                UA_Logger logger);
+
 #ifdef __cplusplus
 }
 #endif

plugins/ua_securitypolicy_basic256sha256.c

@@ -200,7 +200,6 @@ asym_encrypt_sp_basic256sha256(const UA_SecurityPolicy *securityPolicy,
     size_t lenDataToEncrypt = data->length;
     size_t inOffset = 0;
     size_t offset = 0;
-    size_t outLength = 0;
     const unsigned char *label = NULL;
     Basic256Sha256_PolicyContext *pc = cc->policyContext;
     while(lenDataToEncrypt >= plainTextBlockSize) {
@@ -215,9 +214,8 @@ asym_encrypt_sp_basic256sha256(const UA_SecurityPolicy *securityPolicy,
             return retval;
         }
 
-        outLength += remoteRsaContext->len;
         inOffset += plainTextBlockSize;
-        offset += outLength;
+        offset += remoteRsaContext->len;
         lenDataToEncrypt -= plainTextBlockSize;
     }
 

src/client/ua_client.c

@@ -58,15 +58,16 @@ UA_Client_new(UA_ClientConfig config) {
 /* Initializes a secure client with the required configuration, certificate
  * privatekey, trustlist and revocation list.
  *
- * @param  client               client to store configuration
- * @param  config               new secure configuration for client
- * @param  certificate          client certificate
- * @param  privateKey           client's private key
- * @param  remoteCertificate    server certificate form the endpoints
- * @param  trustList            list of trustable certificate
- * @param  trustListSize        count of trustList
- * @param  revocationList       list of revoked digital certificate
- * @param  revocationListSize   count of revocationList
+ * @param  client                   client to store configuration
+ * @param  config                   new secure configuration for client
+ * @param  certificate              client certificate
+ * @param  privateKey               client's private key
+ * @param  remoteCertificate        server certificate form the endpoints
+ * @param  trustList                list of trustable certificate
+ * @param  trustListSize            count of trustList
+ * @param  revocationList           list of revoked digital certificate
+ * @param  revocationListSize       count of revocationList
+ * @param  securityPolicyFunction   securityPolicy function
  * @return Returns a client configuration for secure channel */
 static UA_StatusCode
 UA_Client_secure_init(UA_Client* client, UA_ClientConfig config,
@@ -75,7 +76,8 @@ UA_Client_secure_init(UA_Client* client, UA_ClientConfig config,
                       const UA_ByteString *remoteCertificate,
                       const UA_ByteString *trustList, size_t trustListSize,
                       const UA_ByteString *revocationList,
-                      size_t revocationListSize) {
+                      size_t revocationListSize,
+                      UA_SecurityPolicy_Func securityPolicyFunction) {
     if(client == NULL || remoteCertificate == NULL)
         return STATUS_CODE_BAD_POINTER;
 
@@ -93,10 +95,10 @@ UA_Client_secure_init(UA_Client* client, UA_ClientConfig config,
     if(retval != UA_STATUSCODE_GOOD)
          return retval;
 
-    /* Initiate client security policy as Basic128Rsa15 */
-    UA_SecurityPolicy_Basic128Rsa15(&client->securityPolicy,
-                                    client->securityPolicy.certificateVerification,
-                                    certificate, privateKey, config.logger);
+    /* Initiate client security policy */
+    (*securityPolicyFunction)(&client->securityPolicy,
+                              client->securityPolicy.certificateVerification,
+                              certificate, privateKey, config.logger);
     client->channel.securityPolicy = &client->securityPolicy;
     client->channel.securityMode = UA_MESSAGESECURITYMODE_SIGNANDENCRYPT;
     client->config = config;
@@ -135,20 +137,22 @@ UA_Client_secure_init(UA_Client* client, UA_ClientConfig config,
 
 /* Creates a new secure client.
  *
- * @param  config               new secure configuration for client
- * @param  certificate          client certificate
- * @param  privateKey           client's private key
- * @param  remoteCertificate    server certificate form the endpoints
- * @param  trustList            list of trustable certificate
- * @param  trustListSize        count of trustList
- * @param  revocationList       list of revoked digital certificate
- * @param  revocationListSize   count of revocationList
+ * @param  config                   new secure configuration for client
+ * @param  certificate              client certificate
+ * @param  privateKey               client's private key
+ * @param  remoteCertificate        server certificate form the endpoints
+ * @param  trustList                list of trustable certificate
+ * @param  trustListSize            count of trustList
+ * @param  revocationList           list of revoked digital certificate
+ * @param  revocationListSize       count of revocationList
+ * @param  securityPolicyFunction   securityPolicy function
  * @return Returns a client with secure configuration */
 UA_Client *
 UA_Client_secure_new(UA_ClientConfig config, UA_ByteString certificate,
                      UA_ByteString privateKey, const UA_ByteString *remoteCertificate,
                      const UA_ByteString *trustList, size_t trustListSize,
-                     const UA_ByteString *revocationList, size_t revocationListSize) {
+                     const UA_ByteString *revocationList, size_t revocationListSize,
+                     UA_SecurityPolicy_Func securityPolicyFunction) {
     if(remoteCertificate == NULL)
         return NULL;
 
@@ -158,7 +162,8 @@ UA_Client_secure_new(UA_ClientConfig config, UA_ByteString certificate,
 
     UA_StatusCode retval = UA_Client_secure_init(client, config, certificate, privateKey,
                                                  remoteCertificate, trustList, trustListSize,
-                                                 revocationList, revocationListSize);
+                                                 revocationList, revocationListSize,
+                                                 securityPolicyFunction);
     if(retval != UA_STATUSCODE_GOOD){
         return NULL;
     }
@@ -205,6 +210,8 @@ UA_Client_delete(UA_Client* client) {
      * which is deallocated */
     if(client->channel.securityMode == UA_MESSAGESECURITYMODE_SIGN ||
        client->channel.securityMode == UA_MESSAGESECURITYMODE_SIGNANDENCRYPT) {
+        if (client->securityPolicy.certificateVerification->deleteMembers)
+            client->securityPolicy.certificateVerification->deleteMembers(client->securityPolicy.certificateVerification);
         UA_free(client->securityPolicy.certificateVerification);
     }
 

src/client/ua_client_connect.c

@@ -506,6 +506,7 @@ createSession(UA_Client *client) {
     if(response.responseHeader.serviceResult == UA_STATUSCODE_GOOD &&
         (client->channel.securityMode == UA_MESSAGESECURITYMODE_SIGN ||
          client->channel.securityMode == UA_MESSAGESECURITYMODE_SIGNANDENCRYPT)) {
+        UA_ByteString_deleteMembers(&client->channel.remoteNonce);
         UA_ByteString_copy(&response.serverNonce, &client->channel.remoteNonce);
 
         if(!UA_ByteString_equal(&response.serverCertificate,

tests/CMakeLists.txt

@@ -203,6 +203,18 @@ add_executable(check_client_highlevel client/check_client_highlevel.c $<TARGET_O
 target_link_libraries(check_client_highlevel ${LIBS})
 add_test_valgrind(client_highlevel ${TESTS_BINARY_DIR}/check_client_highlevel)
 
+# Test Encryption
+
+if(UA_ENABLE_ENCRYPTION)
+    add_executable(check_encryption_basic128rsa15 encryption/check_encryption_basic128rsa15.c $<TARGET_OBJECTS:open62541-object> $<TARGET_OBJECTS:open62541-testplugins>)
+    target_link_libraries(check_encryption_basic128rsa15 ${LIBS})
+    add_test_valgrind(encryption_basic128rsa15 ${TESTS_BINARY_DIR}/check_encryption_basic128rsa15)
+
+    add_executable(check_encryption_basic256sha256 encryption/check_encryption_basic256sha256.c $<TARGET_OBJECTS:open62541-object> $<TARGET_OBJECTS:open62541-testplugins>)
+    target_link_libraries(check_encryption_basic256sha256 ${LIBS})
+    add_test_valgrind(encryption_basic256sha256 ${TESTS_BINARY_DIR}/check_encryption_basic256sha256)
+endif()
+
 #############################
 #                           #
 # Test for Nodeset Compiler #

tests/encryption/certificates.h

@@ -0,0 +1,158 @@
+#ifndef CERTIFICATES_H_
+#define CERTIFICATES_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#include "ua_types.h"
+
+#define KEY_DER_LENGTH 1193
+UA_Byte KEY_DER_DATA[1193] = {
+	0x30, 0x82, 0x04, 0xa5, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00, 0xe0, 0xc9, 0x91, 0x62, 
+	0xcd, 0x91, 0x68, 0x75, 0x2c, 0x32, 0x7a, 0xdd, 0xf1, 0xd6, 0x64, 0x77, 0x8b, 0x72, 0x9e, 0x14, 
+	0x2a, 0x62, 0x08, 0xd1, 0x89, 0x7d, 0xe2, 0x17, 0xdc, 0xb3, 0xda, 0xbc, 0x3a, 0x9f, 0x84, 0x03, 
+	0xd3, 0x2e, 0x68, 0xbe, 0xc1, 0x57, 0xcb, 0x2a, 0xe2, 0xd6, 0xcf, 0xc4, 0x7f, 0xbd, 0x53, 0x3f, 
+	0xeb, 0x39, 0x98, 0x69, 0xb0, 0x40, 0x14, 0xbf, 0xf5, 0x5a, 0x23, 0x23, 0xf4, 0x4c, 0xf8, 0xf1, 
+	0x03, 0x56, 0x6d, 0x7d, 0x1b, 0x93, 0xd7, 0x0f, 0xc1, 0x8c, 0x70, 0xe0, 0x2c, 0x55, 0x7e, 0xa1, 
+	0xfc, 0x05, 0xe9, 0xd7, 0xea, 0xb1, 0x5c, 0x0f, 0x9b, 0xac, 0x6a, 0x2e, 0xb4, 0xc5, 0xbf, 0x41, 
+	0x8f, 0xda, 0xfc, 0x85, 0xc6, 0xaa, 0x25, 0xe4, 0xb9, 0x9a, 0xc6, 0xd8, 0x9a, 0x31, 0x8a, 0x17, 
+	0x8b, 0x8c, 0x4e, 0x20, 0xd9, 0x71, 0xfc, 0x66, 0x3a, 0xfd, 0x49, 0x95, 0x54, 0xa8, 0xaf, 0x42, 
+	0x5e, 0xba, 0x26, 0xe6, 0xd3, 0xa0, 0xd2, 0x02, 0x3b, 0x51, 0x8b, 0x39, 0xd3, 0x97, 0xd2, 0xe4, 
+	0xd1, 0x01, 0x65, 0xab, 0x8e, 0xa2, 0x80, 0x5b, 0x5e, 0xbb, 0x11, 0x7f, 0x50, 0x1b, 0x2b, 0x0d, 
+	0x20, 0x40, 0xb5, 0xbf, 0xd1, 0x32, 0xfa, 0x25, 0xe1, 0x0d, 0x75, 0xfc, 0x11, 0xcf, 0x21, 0xdd, 
+	0x45, 0x16, 0xe4, 0x56, 0x58, 0x49, 0x33, 0xca, 0xaf, 0xe3, 0x17, 0x7b, 0x7a, 0x8f, 0xb1, 0xec, 
+	0x1c, 0x4d, 0xa2, 0xc2, 0xce, 0x8b, 0x19, 0x4b, 0xc0, 0xc4, 0x36, 0x6a, 0x7c, 0x5b, 0x89, 0x14, 
+	0x98, 0xcb, 0xa9, 0xca, 0x66, 0xf2, 0xaa, 0xf9, 0x12, 0x40, 0x0e, 0x6a, 0x78, 0x4d, 0x1f, 0x54, 
+	0x3c, 0x03, 0x7a, 0x91, 0xf5, 0xb7, 0x3d, 0xe2, 0xfc, 0x65, 0xb7, 0xaa, 0xa9, 0x39, 0x68, 0xa7, 
+	0xdb, 0x29, 0xc1, 0x40, 0x0b, 0x4e, 0xfb, 0xce, 0x74, 0xa5, 0x46, 0xb9, 0x02, 0x03, 0x01, 0x00, 
+	0x01, 0x02, 0x82, 0x01, 0x01, 0x00, 0xb4, 0xc8, 0x07, 0x60, 0x01, 0xd9, 0xb6, 0xbb, 0xbd, 0x8e, 
+	0xdf, 0x97, 0xcd, 0xde, 0x51, 0xb0, 0x7e, 0xfa, 0xf0, 0x3d, 0x61, 0x94, 0xb4, 0x68, 0xe8, 0x7d, 
+	0xd0, 0x2e, 0xc6, 0xb5, 0xf2, 0xed, 0xbc, 0xeb, 0xfb, 0x3d, 0x24, 0x43, 0x47, 0xc4, 0x5a, 0x34, 
+	0x64, 0x56, 0x1a, 0x57, 0x0e, 0x83, 0x87, 0x04, 0x59, 0x86, 0xa7, 0x84, 0x0b, 0x9a, 0xbc, 0x3f, 
+	0xdd, 0x30, 0x40, 0x7f, 0x7c, 0x91, 0x76, 0xf1, 0xcc, 0xa7, 0xf0, 0xba, 0x3a, 0x96, 0x0a, 0x6e, 
+	0xcc, 0xe0, 0x84, 0x15, 0x91, 0xd6, 0x08, 0x71, 0xbd, 0xc5, 0x42, 0xad, 0xf2, 0xd2, 0x4e, 0x92, 
+	0xd3, 0x6a, 0x4e, 0x15, 0xcc, 0xd3, 0xc1, 0x58, 0xe4, 0x27, 0x33, 0x2d, 0xb8, 0x37, 0x52, 0x7e, 
+	0x16, 0xb9, 0xab, 0xb7, 0xd9, 0xc1, 0xeb, 0xc8, 0x79, 0xb9, 0xd3, 0xe6, 0x44, 0x13, 0x51, 0x2d, 
+	0xc6, 0x02, 0xe5, 0xe0, 0x3c, 0xa3, 0x15, 0x9b, 0x49, 0xae, 0x85, 0xbe, 0x8c, 0x84, 0xf9, 0x87, 
+	0x5d, 0x91, 0x9e, 0xf4, 0xf9, 0xf2, 0x8d, 0x81, 0x77, 0x7c, 0xfc, 0x60, 0x09, 0x48, 0x43, 0x2e, 
+	0xbb, 0xaf, 0xc9, 0xd6, 0x90, 0x2d, 0x40, 0x80, 0x59, 0xbd, 0x3b, 0x04, 0xda, 0x50, 0x2a, 0x53, 
+	0xf5, 0xc0, 0x97, 0x54, 0x04, 0x14, 0xb1, 0x8e, 0xd1, 0x6b, 0x53, 0x9e, 0xa4, 0xaa, 0x5e, 0x6e, 
+	0x1c, 0x11, 0x6b, 0x0a, 0xc4, 0xec, 0x5b, 0x77, 0xa8, 0x00, 0x83, 0x77, 0xdb, 0xf4, 0xfb, 0x00, 
+	0xf4, 0x06, 0x57, 0x25, 0x8e, 0x1c, 0x87, 0xb4, 0xbe, 0xb8, 0x04, 0x35, 0x93, 0x67, 0xaa, 0x36, 
+	0xa5, 0x62, 0xe4, 0xf6, 0xcb, 0xc8, 0xa6, 0x58, 0x77, 0x96, 0xc4, 0x6c, 0x0b, 0xc8, 0x41, 0xe2, 
+	0x36, 0x01, 0x94, 0xa5, 0xe9, 0x46, 0x17, 0xd3, 0x0b, 0x18, 0x7e, 0x06, 0x88, 0x9b, 0x7e, 0xdd, 
+	0x92, 0x20, 0xc6, 0xe3, 0x7e, 0xb1, 0x02, 0x81, 0x81, 0x00, 0xf5, 0xa6, 0xda, 0x32, 0xb9, 0x37, 
+	0x61, 0xe9, 0x7c, 0x99, 0xf7, 0x4a, 0x37, 0xee, 0x52, 0x30, 0x4f, 0xbf, 0x57, 0x6f, 0xfe, 0x20, 
+	0xdc, 0xa3, 0xfe, 0x51, 0xbf, 0x72, 0x13, 0x8a, 0xb1, 0xd7, 0x99, 0x7d, 0x67, 0xa8, 0xd4, 0xb0, 
+	0x35, 0x40, 0x7c, 0xc8, 0xdc, 0x03, 0x6b, 0x90, 0xb5, 0x65, 0x04, 0x7f, 0x97, 0x8b, 0xa8, 0x69, 
+	0x20, 0x04, 0xcb, 0x48, 0x39, 0xb7, 0x57, 0xe0, 0xd9, 0xbb, 0x15, 0xe1, 0x59, 0x16, 0xf3, 0xe1, 
+	0xab, 0x91, 0xea, 0x8a, 0x88, 0xad, 0x8d, 0xa3, 0x24, 0x4a, 0x35, 0xa5, 0xd2, 0x32, 0x19, 0x66, 
+	0xa8, 0xbb, 0x32, 0x9d, 0xf4, 0x94, 0x99, 0xc1, 0x2e, 0x2b, 0xf8, 0x98, 0x6a, 0x6e, 0x72, 0x77, 
+	0xd0, 0xc9, 0xfc, 0x5f, 0xd7, 0x69, 0xd1, 0x08, 0x12, 0xbf, 0x81, 0xc1, 0xa1, 0x1b, 0x3b, 0x41, 
+	0xb0, 0x24, 0x11, 0x0a, 0x65, 0xab, 0x81, 0x39, 0xb3, 0xd5, 0x02, 0x81, 0x81, 0x00, 0xea, 0x41, 
+	0xb5, 0xed, 0xac, 0xa0, 0x43, 0xd7, 0xde, 0x1e, 0x6b, 0x95, 0xbe, 0x88, 0x02, 0xaf, 0x2f, 0xbb, 
+	0x37, 0xf7, 0x2f, 0xf6, 0x4f, 0xa0, 0xaa, 0x43, 0x03, 0x7d, 0x33, 0xdd, 0x1e, 0x7a, 0xba, 0xa0, 
+	0x10, 0x77, 0x1f, 0x4a, 0xc9, 0x88, 0x58, 0x9d, 0x81, 0x3a, 0xe8, 0xac, 0x86, 0x2f, 0x80, 0x6c, 
+	0xc7, 0xa0, 0xe5, 0xed, 0x8d, 0x90, 0xa9, 0xa7, 0x36, 0x23, 0xd7, 0xb5, 0x89, 0xfc, 0xad, 0x4d, 
+	0xae, 0x0e, 0xec, 0xdc, 0xe7, 0x7e, 0x69, 0xfe, 0x62, 0x4b, 0x81, 0xfe, 0x52, 0x81, 0x77, 0x6a, 
+	0x35, 0xab, 0x52, 0x6f, 0x56, 0x41, 0x6c, 0x57, 0x3d, 0x75, 0x92, 0x14, 0x42, 0xa2, 0xc9, 0x50, 
+	0x52, 0x57, 0x9f, 0x26, 0x3c, 0xcd, 0x61, 0xa9, 0xda, 0x9b, 0x2c, 0xda, 0xc1, 0xd0, 0x26, 0x07, 
+	0x90, 0x15, 0x8c, 0x81, 0xe2, 0xde, 0xc0, 0x98, 0x58, 0x9d, 0x96, 0x0f, 0xcd, 0x55, 0x02, 0x81, 
+	0x81, 0x00, 0x87, 0xfb, 0xf8, 0x77, 0xf1, 0xcd, 0xf5, 0xb6, 0xa1, 0xd2, 0x3d, 0x71, 0x69, 0x6a, 
+	0xd5, 0x36, 0x87, 0x3e, 0xdd, 0xb1, 0x52, 0x55, 0x70, 0xae, 0x9b, 0x9f, 0x37, 0x42, 0x78, 0x0c, 
+	0xe4, 0x0b, 0xfc, 0x9c, 0xce, 0x20, 0x48, 0xb4, 0xce, 0x95, 0xc7, 0x3e, 0x0d, 0x85, 0x1b, 0x2b, 
+	0x7d, 0x2e, 0xd1, 0x81, 0xac, 0x2b, 0x94, 0x6b, 0xb5, 0x5c, 0xd2, 0x07, 0x46, 0x63, 0xf7, 0x12, 
+	0xb2, 0x94, 0xfd, 0x34, 0xc4, 0xf3, 0x8e, 0xc8, 0x13, 0x08, 0xf0, 0x74, 0x05, 0xdb, 0x45, 0x37, 
+	0xd5, 0x63, 0xfb, 0x34, 0xb3, 0x1a, 0x26, 0xb3, 0x8c, 0x9e, 0x2c, 0x14, 0x02, 0x8b, 0xac, 0x5d, 
+	0xa3, 0x28, 0x96, 0x32, 0x11, 0x60, 0xd8, 0x9e, 0xf9, 0x06, 0x87, 0x5d, 0xaa, 0xca, 0x99, 0xfb, 
+	0x45, 0x1d, 0x9c, 0x3f, 0xca, 0xe6, 0x5f, 0x34, 0x2a, 0xc4, 0x9c, 0x66, 0x4c, 0x07, 0xd7, 0xbe, 
+	0x50, 0x8d, 0x02, 0x81, 0x80, 0x51, 0xdb, 0x96, 0x6c, 0x30, 0x37, 0x6c, 0x9d, 0xa1, 0x43, 0x76, 
+	0x0a, 0xc4, 0xa2, 0x98, 0x75, 0x89, 0x33, 0x5d, 0xd2, 0x25, 0xd3, 0x67, 0x6d, 0xd8, 0x31, 0x44, 
+	0xa5, 0xda, 0x9a, 0xb9, 0x0c, 0xdf, 0xec, 0x10, 0xf4, 0xdf, 0x5d, 0x6d, 0xe1, 0x14, 0x3e, 0x2d, 
+	0xab, 0x5d, 0x24, 0xf4, 0x5a, 0xe3, 0x00, 0xa0, 0x1d, 0x8c, 0x5b, 0x1f, 0x6d, 0xde, 0xaa, 0xcc, 
+	0x93, 0x67, 0xcc, 0x4b, 0x24, 0x9d, 0x96, 0x98, 0x6d, 0x24, 0xbd, 0xe8, 0xb2, 0xd6, 0xed, 0x0a, 
+	0x82, 0x22, 0x31, 0xb1, 0xb9, 0x05, 0xf6, 0x7a, 0x3c, 0x9c, 0xb8, 0xc5, 0x26, 0x65, 0x6a, 0x72, 
+	0xd2, 0x83, 0xb2, 0x4a, 0xba, 0xc1, 0xa8, 0x2c, 0xad, 0xeb, 0xb2, 0x1b, 0xeb, 0x14, 0xe6, 0x9a, 
+	0xba, 0x40, 0xc9, 0x4c, 0x92, 0xa4, 0xc7, 0x5d, 0xc4, 0xf9, 0xed, 0x65, 0x4e, 0xbb, 0x74, 0x40, 
+	0xfb, 0x08, 0x36, 0x0b, 0x65, 0x02, 0x81, 0x81, 0x00, 0xeb, 0x60, 0x01, 0x21, 0x22, 0xa1, 0xde, 
+	0x89, 0x62, 0xfa, 0x68, 0x03, 0x09, 0xf1, 0xa6, 0x14, 0xf0, 0xbe, 0xf7, 0x71, 0x3a, 0x01, 0x85, 
+	0x1f, 0x2c, 0x86, 0xde, 0x4a, 0xfb, 0x35, 0x16, 0xc4, 0x84, 0x22, 0x83, 0x49, 0xeb, 0x0d, 0xf7, 
+	0x33, 0x47, 0x8f, 0x96, 0x37, 0x32, 0xd3, 0xd2, 0xec, 0xea, 0x0f, 0xd0, 0xde, 0x0d, 0x27, 0x9e, 
+	0xc1, 0xf1, 0xe0, 0x39, 0xa6, 0x3e, 0x6c, 0xd4, 0x39, 0xdf, 0xde, 0xbd, 0x4c, 0xb8, 0xe7, 0xb7, 
+	0x4e, 0x2a, 0x32, 0x92, 0x83, 0xd3, 0x12, 0xb9, 0xa1, 0x91, 0x52, 0x46, 0x24, 0x58, 0x05, 0x35, 
+	0x22, 0x5f, 0x10, 0x3c, 0x13, 0x5b, 0xbe, 0x47, 0x5e, 0xbf, 0x85, 0xd6, 0xac, 0xfc, 0xbb, 0xd9, 
+	0x91, 0xf9, 0x50, 0x8f, 0xfc, 0xc2, 0x2c, 0x81, 0x5c, 0xa5, 0xc3, 0xc2, 0x15, 0xbe, 0xf4, 0x72, 
+	0xfd, 0x4d, 0xf0, 0x10, 0x6f, 0xe5, 0xbf, 0x8c, 0xb1  
+	};
+
+#define CERT_DER_LENGTH 968
+UA_Byte CERT_DER_DATA[968] = {
+	0x30, 0x82, 0x03, 0xc4, 0x30, 0x82, 0x02, 0xac, 0xa0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 
+	0xa7, 0x17, 0x44, 0x2f, 0x8e, 0x6b, 0x74, 0xba, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 
+	0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x39, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 
+	0x04, 0x06, 0x13, 0x02, 0x44, 0x45, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 
+	0x09, 0x6f, 0x70, 0x65, 0x6e, 0x36, 0x32, 0x35, 0x34, 0x31, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 
+	0x55, 0x04, 0x03, 0x0c, 0x0d, 0x6f, 0x70, 0x65, 0x6e, 0x36, 0x32, 0x35, 0x34, 0x31, 0x2e, 0x6f, 
+	0x72, 0x67, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x38, 0x30, 0x33, 0x32, 0x38, 0x30, 0x38, 0x33, 0x33, 
+	0x35, 0x37, 0x5a, 0x17, 0x0d, 0x32, 0x38, 0x30, 0x33, 0x32, 0x35, 0x30, 0x38, 0x33, 0x33, 0x35, 
+	0x37, 0x5a, 0x30, 0x45, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x44, 
+	0x45, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x09, 0x6f, 0x70, 0x65, 0x6e, 
+	0x36, 0x32, 0x35, 0x34, 0x31, 0x31, 0x22, 0x30, 0x20, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x19, 
+	0x6f, 0x70, 0x65, 0x6e, 0x36, 0x32, 0x35, 0x34, 0x31, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x40, 
+	0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 
+	0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 
+	0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xe0, 0xc9, 0x91, 0x62, 0xcd, 0x91, 
+	0x68, 0x75, 0x2c, 0x32, 0x7a, 0xdd, 0xf1, 0xd6, 0x64, 0x77, 0x8b, 0x72, 0x9e, 0x14, 0x2a, 0x62, 
+	0x08, 0xd1, 0x89, 0x7d, 0xe2, 0x17, 0xdc, 0xb3, 0xda, 0xbc, 0x3a, 0x9f, 0x84, 0x03, 0xd3, 0x2e, 
+	0x68, 0xbe, 0xc1, 0x57, 0xcb, 0x2a, 0xe2, 0xd6, 0xcf, 0xc4, 0x7f, 0xbd, 0x53, 0x3f, 0xeb, 0x39, 
+	0x98, 0x69, 0xb0, 0x40, 0x14, 0xbf, 0xf5, 0x5a, 0x23, 0x23, 0xf4, 0x4c, 0xf8, 0xf1, 0x03, 0x56, 
+	0x6d, 0x7d, 0x1b, 0x93, 0xd7, 0x0f, 0xc1, 0x8c, 0x70, 0xe0, 0x2c, 0x55, 0x7e, 0xa1, 0xfc, 0x05, 
+	0xe9, 0xd7, 0xea, 0xb1, 0x5c, 0x0f, 0x9b, 0xac, 0x6a, 0x2e, 0xb4, 0xc5, 0xbf, 0x41, 0x8f, 0xda, 
+	0xfc, 0x85, 0xc6, 0xaa, 0x25, 0xe4, 0xb9, 0x9a, 0xc6, 0xd8, 0x9a, 0x31, 0x8a, 0x17, 0x8b, 0x8c, 
+	0x4e, 0x20, 0xd9, 0x71, 0xfc, 0x66, 0x3a, 0xfd, 0x49, 0x95, 0x54, 0xa8, 0xaf, 0x42, 0x5e, 0xba, 
+	0x26, 0xe6, 0xd3, 0xa0, 0xd2, 0x02, 0x3b, 0x51, 0x8b, 0x39, 0xd3, 0x97, 0xd2, 0xe4, 0xd1, 0x01, 
+	0x65, 0xab, 0x8e, 0xa2, 0x80, 0x5b, 0x5e, 0xbb, 0x11, 0x7f, 0x50, 0x1b, 0x2b, 0x0d, 0x20, 0x40, 
+	0xb5, 0xbf, 0xd1, 0x32, 0xfa, 0x25, 0xe1, 0x0d, 0x75, 0xfc, 0x11, 0xcf, 0x21, 0xdd, 0x45, 0x16, 
+	0xe4, 0x56, 0x58, 0x49, 0x33, 0xca, 0xaf, 0xe3, 0x17, 0x7b, 0x7a, 0x8f, 0xb1, 0xec, 0x1c, 0x4d, 
+	0xa2, 0xc2, 0xce, 0x8b, 0x19, 0x4b, 0xc0, 0xc4, 0x36, 0x6a, 0x7c, 0x5b, 0x89, 0x14, 0x98, 0xcb, 
+	0xa9, 0xca, 0x66, 0xf2, 0xaa, 0xf9, 0x12, 0x40, 0x0e, 0x6a, 0x78, 0x4d, 0x1f, 0x54, 0x3c, 0x03, 
+	0x7a, 0x91, 0xf5, 0xb7, 0x3d, 0xe2, 0xfc, 0x65, 0xb7, 0xaa, 0xa9, 0x39, 0x68, 0xa7, 0xdb, 0x29, 
+	0xc1, 0x40, 0x0b, 0x4e, 0xfb, 0xce, 0x74, 0xa5, 0x46, 0xb9, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 
+	0x81, 0xc2, 0x30, 0x81, 0xbf, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 
+	0x60, 0x6e, 0x44, 0x94, 0xa8, 0xa2, 0x4e, 0x7a, 0x3e, 0xe2, 0x4b, 0x84, 0x5e, 0xec, 0x01, 0xc9, 
+	0xa3, 0xf9, 0x69, 0xaf, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 
+	0x14, 0x53, 0x77, 0xe0, 0xa2, 0xf2, 0x49, 0x38, 0xcf, 0x71, 0x58, 0x0a, 0x67, 0xa6, 0xc0, 0x17, 
+	0xd7, 0xb5, 0xdc, 0x52, 0x4b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x04, 0x02, 0x30, 0x00, 
+	0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x05, 0xe0, 0x30, 0x1d, 0x06, 
+	0x03, 0x55, 0x1d, 0x25, 0x04, 0x16, 0x30, 0x14, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 
+	0x03, 0x01, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x02, 0x30, 0x46, 0x06, 0x03, 
+	0x55, 0x1d, 0x11, 0x04, 0x3f, 0x30, 0x3d, 0x82, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 
+	0x73, 0x74, 0x82, 0x06, 0x64, 0x65, 0x62, 0x69, 0x61, 0x6e, 0x87, 0x04, 0x7f, 0x00, 0x00, 0x01, 
+	0x87, 0x04, 0x00, 0x00, 0x00, 0x00, 0x86, 0x1c, 0x75, 0x72, 0x6e, 0x3a, 0x75, 0x6e, 0x63, 0x6f, 
+	0x6e, 0x66, 0x69, 0x67, 0x75, 0x72, 0x65, 0x64, 0x3a, 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 
+	0x74, 0x69, 0x6f, 0x6e, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 
+	0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0xa4, 0xc1, 0x4f, 0x0e, 0xfe, 0xce, 0x2d, 0x91, 
+	0x8a, 0x51, 0x25, 0xd2, 0x6c, 0x07, 0x86, 0x95, 0xba, 0xc5, 0xe0, 0xad, 0x9b, 0x09, 0x3e, 0x7f, 
+	0x36, 0xc4, 0xa8, 0x10, 0x5b, 0x33, 0x77, 0xe5, 0xb5, 0x3b, 0xd8, 0x98, 0x7c, 0x42, 0x05, 0xcb, 
+	0xb7, 0x91, 0x07, 0x3f, 0x47, 0xff, 0x13, 0x15, 0x45, 0xff, 0x05, 0x03, 0x3d, 0xed, 0x63, 0x96, 
+	0x3a, 0x5c, 0xf8, 0x59, 0xd0, 0xbc, 0x68, 0x8c, 0xfb, 0xf8, 0x29, 0x07, 0x76, 0x63, 0xa7, 0x39, 
+	0xc1, 0x82, 0xc1, 0x10, 0x8b, 0x17, 0xf2, 0x1d, 0x14, 0xdd, 0x88, 0xe7, 0xdc, 0x2f, 0xa7, 0x9d, 
+	0xa3, 0xaa, 0xfd, 0x1a, 0x70, 0xce, 0x57, 0xb5, 0x9f, 0xc3, 0x7b, 0xd0, 0xc0, 0x6f, 0x73, 0x81, 
+	0x74, 0x41, 0x93, 0x0d, 0x0d, 0x1a, 0x95, 0xf6, 0xe4, 0x1c, 0x04, 0x2b, 0x37, 0x4f, 0xf9, 0x99, 
+	0x82, 0x57, 0xf0, 0x4f, 0x14, 0xcb, 0x0f, 0x3d, 0x1a, 0x52, 0x69, 0x18, 0x3f, 0xbe, 0x1c, 0x1c, 
+	0x1b, 0xca, 0xbd, 0xe7, 0xe0, 0x81, 0x44, 0x6d, 0x4a, 0x08, 0x8a, 0xe2, 0x7e, 0x59, 0x9f, 0x89, 
+	0x44, 0x7e, 0x4d, 0xaf, 0x5a, 0x8e, 0xe8, 0xd2, 0x2e, 0x98, 0x72, 0x86, 0xef, 0x7b, 0xcf, 0x88, 
+	0xd0, 0xe2, 0xd5, 0xd9, 0xd5, 0x19, 0xa2, 0x8c, 0xf4, 0x40, 0x98, 0x86, 0x32, 0x9f, 0x3e, 0x25, 
+	0x05, 0xd0, 0xdc, 0xf8, 0x1a, 0x0f, 0xdf, 0xc0, 0x54, 0x46, 0x20, 0xbd, 0xd4, 0xf6, 0xf5, 0xdd, 
+	0x10, 0x2e, 0xa7, 0x1a, 0xf4, 0xbb, 0xed, 0x5d, 0xf3, 0x1c, 0x96, 0x44, 0x81, 0x69, 0xd4, 0x0b, 
+	0xbe, 0x59, 0x07, 0x1b, 0x7f, 0x93, 0xc3, 0x4e, 0x7b, 0x32, 0x51, 0xd0, 0x13, 0x47, 0x57, 0x52, 
+	0xf0, 0x5c, 0x54, 0x36, 0x22, 0xb6, 0xf5, 0x67, 0xbb, 0xd3, 0xa6, 0x43, 0xf0, 0xca, 0x98, 0x91, 
+	0xda, 0x31, 0x3e, 0xd2, 0x8c, 0xfe, 0xd7, 0x51  
+	};
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif /* CERTIFICATES_H_ */

tests/encryption/check_encryption_basic128rsa15.c

@@ -0,0 +1,195 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "ua_types.h"
+#include "ua_server.h"
+#include "ua_server_internal.h"
+#include "ua_client.h"
+#include "client/ua_client_internal.h"
+#include "ua_securitypolicy_basic128rsa15.h"
+#include "ua_config_default.h"
+#include "ua_client_highlevel.h"
+#include "ua_network_tcp.h"
+#include "testing_clock.h"
+#include "testing_networklayers.h"
+#include "check.h"
+#include "thread_wrapper.h"
+#include "certificates.h"
+
+UA_Server *server;
+UA_ServerConfig *config;
+UA_Boolean *running;
+UA_ServerNetworkLayer nl;
+THREAD_HANDLE server_thread;
+
+THREAD_CALLBACK(serverloop) {
+    while(*running)
+        UA_Server_run_iterate(server, true);
+    return 0;
+}
+
+static void setup(void) {
+    running = UA_Boolean_new();
+    *running = true;
+
+    /* Load certificate and private key */
+    UA_ByteString certificate;
+    certificate.length = CERT_DER_LENGTH;
+    certificate.data = CERT_DER_DATA;
+
+    UA_ByteString privateKey;
+    privateKey.length = KEY_DER_LENGTH;
+    privateKey.data = KEY_DER_DATA;
+
+    /* Load the trustlist */
+    size_t trustListSize = 0;
+    UA_ByteString *trustList = NULL;
+
+    /* TODO test trustList
+    if(argc > 3)
+        trustListSize = (size_t)argc-3;
+    UA_STACKARRAY(UA_ByteString, trustList, trustListSize);
+    for(size_t i = 0; i < trustListSize; i++)
+        trustList[i] = loadFile(argv[i+3]);
+    */
+
+    /* Loading of a revocation list currently unsupported */
+    UA_ByteString *revocationList = NULL;
+    size_t revocationListSize = 0;
+
+    config = UA_ServerConfig_new_basic128rsa15(4840, &certificate, &privateKey,
+                                               trustList, trustListSize,
+                                               revocationList, revocationListSize);
+
+    for(size_t i = 0; i < trustListSize; i++)
+        UA_ByteString_deleteMembers(&trustList[i]);
+
+    server = UA_Server_new(config);
+    UA_Server_run_startup(server);
+    THREAD_CREATE(server_thread, serverloop);
+}
+
+static void teardown(void) {
+    *running = false;
+    THREAD_JOIN(server_thread);
+    UA_Server_run_shutdown(server);
+    UA_Boolean_delete(running);
+    UA_Server_delete(server);
+    UA_ServerConfig_delete(config);
+}
+
+START_TEST(encryption_connect) {
+    UA_Client *client = NULL;
+    UA_EndpointDescription* endpointArray = NULL;
+    size_t endpointArraySize = 0;
+    UA_ByteString *trustList = NULL;
+    size_t trustListSize = 0;
+    UA_ByteString *revocationList = NULL;
+    size_t revocationListSize = 0;
+    UA_ByteString *remoteCertificate = NULL;
+
+    /* Load certificate and private key */
+    UA_ByteString certificate;
+    certificate.length = CERT_DER_LENGTH;
+    certificate.data = CERT_DER_DATA;
+    ck_assert_int_ne(certificate.length, 0);
+
+    UA_ByteString privateKey;
+    privateKey.length = KEY_DER_LENGTH;
+    privateKey.data = KEY_DER_DATA;
+    ck_assert_int_ne(privateKey.length, 0);
+
+    /* The Get endpoint (discovery service) is done with
+     * security mode as none to see the server's capability
+     * and certificate */
+    client = UA_Client_new(UA_ClientConfig_default);
+    ck_assert_msg(client != NULL);
+    remoteCertificate = UA_ByteString_new();
+    UA_StatusCode retval = UA_Client_getEndpoints(client, "opc.tcp://localhost:4840",
+                                                  &endpointArraySize, &endpointArray);
+    ck_assert_uint_eq(retval, UA_STATUSCODE_GOOD);
+
+    for(size_t endPointCount = 0; endPointCount < endpointArraySize; endPointCount++) {
+        if(endpointArray[endPointCount].securityMode == UA_MESSAGESECURITYMODE_SIGNANDENCRYPT)
+            UA_ByteString_copy(&endpointArray[endPointCount].serverCertificate, remoteCertificate);
+    }
+
+    if(UA_ByteString_equal(remoteCertificate, &UA_BYTESTRING_NULL)) {
+        ck_abort_msg("Server does not support Security Mode of UA_MESSAGESECURITYMODE_SIGNANDENCRYPT");
+    }
+
+    UA_Array_delete(endpointArray, endpointArraySize,
+                    &UA_TYPES[UA_TYPES_ENDPOINTDESCRIPTION]);
+
+    /* TODO test trustList Load revocationList is not supported now
+    if(argc > MIN_ARGS) {
+        trustListSize = (size_t)argc-MIN_ARGS;
+        retval = UA_ByteString_allocBuffer(trustList, trustListSize);
+        if(retval != UA_STATUSCODE_GOOD) {
+            cleanupClient(client, remoteCertificate);
+            return (int)retval;
+        }
+
+        for(size_t trustListCount = 0; trustListCount < trustListSize; trustListCount++) {
+            trustList[trustListCount] = loadFile(argv[trustListCount+3]);
+        }
+    }
+    */
+
+    UA_Client_delete(client);
+
+    /* Secure client initialization */
+    client = UA_Client_secure_new(UA_ClientConfig_default,
+                                  certificate, privateKey,
+                                  remoteCertificate,
+                                  trustList, trustListSize,
+                                  revocationList, revocationListSize,
+                                  UA_SecurityPolicy_Basic128Rsa15);
+    ck_assert_msg(client != NULL);
+
+    for(size_t deleteCount = 0; deleteCount < trustListSize; deleteCount++) {
+        UA_ByteString_deleteMembers(&trustList[deleteCount]);
+    }
+
+    /* Secure client connect */
+    retval = UA_Client_connect(client, "opc.tcp://localhost:4840");
+    ck_assert_uint_eq(retval, UA_STATUSCODE_GOOD);
+
+    UA_Variant val;
+    UA_Variant_init(&val);
+    UA_NodeId nodeId = UA_NODEID_NUMERIC(0, UA_NS0ID_SERVER_SERVERSTATUS_STATE);
+    retval = UA_Client_readValueAttribute(client, nodeId, &val);
+    ck_assert_uint_eq(retval, UA_STATUSCODE_GOOD);
+    UA_Variant_deleteMembers(&val);
+
+    UA_ByteString_delete(remoteCertificate);
+
+    UA_Client_disconnect(client);
+    UA_Client_delete(client);
+}
+END_TEST
+
+static Suite* testSuite_encryption(void) {
+    Suite *s = suite_create("Encryption");
+    TCase *tc_encryption = tcase_create("Encryption basic128rsa15");
+    tcase_add_checked_fixture(tc_encryption, setup, teardown);
+#ifdef UA_ENABLE_ENCRYPTION
+    tcase_add_test(tc_encryption, encryption_connect);
+#endif /* UA_ENABLE_ENCRYPTION */
+    suite_add_tcase(s,tc_encryption);
+    return s;
+}
+
+int main(void) {
+    Suite *s = testSuite_encryption();
+    SRunner *sr = srunner_create(s);
+    srunner_set_fork_status(sr, CK_NOFORK);
+    srunner_run_all(sr,CK_NORMAL);
+    int number_failed = srunner_ntests_failed(sr);
+    srunner_free(sr);
+    return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}

tests/encryption/check_encryption_basic256sha256.c

@@ -0,0 +1,195 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "ua_types.h"
+#include "ua_server.h"
+#include "ua_server_internal.h"
+#include "ua_client.h"
+#include "client/ua_client_internal.h"
+#include "ua_securitypolicy_basic256sha256.h"
+#include "ua_config_default.h"
+#include "ua_client_highlevel.h"
+#include "ua_network_tcp.h"
+#include "testing_clock.h"
+#include "testing_networklayers.h"
+#include "check.h"
+#include "thread_wrapper.h"
+#include "certificates.h"
+
+UA_Server *server;
+UA_ServerConfig *config;
+UA_Boolean *running;
+UA_ServerNetworkLayer nl;
+THREAD_HANDLE server_thread;
+
+THREAD_CALLBACK(serverloop) {
+    while(*running)
+        UA_Server_run_iterate(server, true);
+    return 0;
+}
+
+static void setup(void) {
+    running = UA_Boolean_new();
+    *running = true;
+
+    /* Load certificate and private key */
+    UA_ByteString certificate;
+    certificate.length = CERT_DER_LENGTH;
+    certificate.data = CERT_DER_DATA;
+
+    UA_ByteString privateKey;
+    privateKey.length = KEY_DER_LENGTH;
+    privateKey.data = KEY_DER_DATA;
+
+    /* Load the trustlist */
+    size_t trustListSize = 0;
+    UA_ByteString *trustList = NULL;
+
+    /* TODO test trustList
+    if(argc > 3)
+        trustListSize = (size_t)argc-3;
+    UA_STACKARRAY(UA_ByteString, trustList, trustListSize);
+    for(size_t i = 0; i < trustListSize; i++)
+        trustList[i] = loadFile(argv[i+3]);
+    */
+
+    /* Loading of a revocation list currently unsupported */
+    UA_ByteString *revocationList = NULL;
+    size_t revocationListSize = 0;
+
+    config = UA_ServerConfig_new_basic256sha256(4840, &certificate, &privateKey,
+                                                trustList, trustListSize,
+                                                revocationList, revocationListSize);
+
+    for(size_t i = 0; i < trustListSize; i++)
+        UA_ByteString_deleteMembers(&trustList[i]);
+
+    server = UA_Server_new(config);
+    UA_Server_run_startup(server);
+    THREAD_CREATE(server_thread, serverloop);
+}
+
+static void teardown(void) {
+    *running = false;
+    THREAD_JOIN(server_thread);
+    UA_Server_run_shutdown(server);
+    UA_Boolean_delete(running);
+    UA_Server_delete(server);
+    UA_ServerConfig_delete(config);
+}
+
+START_TEST(encryption_connect) {
+    UA_Client *client = NULL;
+    UA_EndpointDescription* endpointArray = NULL;
+    size_t endpointArraySize = 0;
+    UA_ByteString *trustList = NULL;
+    size_t trustListSize = 0;
+    UA_ByteString *revocationList = NULL;
+    size_t revocationListSize = 0;
+    UA_ByteString *remoteCertificate = NULL;
+
+    /* Load certificate and private key */
+    UA_ByteString certificate;
+    certificate.length = CERT_DER_LENGTH;
+    certificate.data = CERT_DER_DATA;
+    ck_assert_int_ne(certificate.length, 0);
+
+    UA_ByteString privateKey;
+    privateKey.length = KEY_DER_LENGTH;
+    privateKey.data = KEY_DER_DATA;
+    ck_assert_int_ne(privateKey.length, 0);
+
+    /* The Get endpoint (discovery service) is done with
+     * security mode as none to see the server's capability
+     * and certificate */
+    client = UA_Client_new(UA_ClientConfig_default);
+    ck_assert_msg(client != NULL);
+    remoteCertificate = UA_ByteString_new();
+    UA_StatusCode retval = UA_Client_getEndpoints(client, "opc.tcp://localhost:4840",
+                                                  &endpointArraySize, &endpointArray);
+    ck_assert_uint_eq(retval, UA_STATUSCODE_GOOD);
+
+    for(size_t endPointCount = 0; endPointCount < endpointArraySize; endPointCount++) {
+        if(endpointArray[endPointCount].securityMode == UA_MESSAGESECURITYMODE_SIGNANDENCRYPT)
+            UA_ByteString_copy(&endpointArray[endPointCount].serverCertificate, remoteCertificate);
+    }
+
+    if(UA_ByteString_equal(remoteCertificate, &UA_BYTESTRING_NULL)) {
+        ck_abort_msg("Server does not support Security Mode of UA_MESSAGESECURITYMODE_SIGNANDENCRYPT");
+    }
+
+    UA_Array_delete(endpointArray, endpointArraySize,
+                    &UA_TYPES[UA_TYPES_ENDPOINTDESCRIPTION]);
+
+    /* TODO test trustList Load revocationList is not supported now
+    if(argc > MIN_ARGS) {
+        trustListSize = (size_t)argc-MIN_ARGS;
+        retval = UA_ByteString_allocBuffer(trustList, trustListSize);
+        if(retval != UA_STATUSCODE_GOOD) {
+            cleanupClient(client, remoteCertificate);
+            return (int)retval;
+        }
+
+        for(size_t trustListCount = 0; trustListCount < trustListSize; trustListCount++) {
+            trustList[trustListCount] = loadFile(argv[trustListCount+3]);
+        }
+    }
+    */
+
+    UA_Client_delete(client);
+
+    /* Secure client initialization */
+    client = UA_Client_secure_new(UA_ClientConfig_default,
+                                  certificate, privateKey,
+                                  remoteCertificate,
+                                  trustList, trustListSize,
+                                  revocationList, revocationListSize,
+                                  UA_SecurityPolicy_Basic256Sha256);
+    ck_assert_msg(client != NULL);
+
+    for(size_t deleteCount = 0; deleteCount < trustListSize; deleteCount++) {
+        UA_ByteString_deleteMembers(&trustList[deleteCount]);
+    }
+
+    /* Secure client connect */
+    retval = UA_Client_connect(client, "opc.tcp://localhost:4840");
+    ck_assert_uint_eq(retval, UA_STATUSCODE_GOOD);
+
+    UA_Variant val;
+    UA_Variant_init(&val);
+    UA_NodeId nodeId = UA_NODEID_NUMERIC(0, UA_NS0ID_SERVER_SERVERSTATUS_STATE);
+    retval = UA_Client_readValueAttribute(client, nodeId, &val);
+    ck_assert_uint_eq(retval, UA_STATUSCODE_GOOD);
+    UA_Variant_deleteMembers(&val);
+
+    UA_ByteString_delete(remoteCertificate);
+
+    UA_Client_disconnect(client);
+    UA_Client_delete(client);
+}
+END_TEST
+
+static Suite* testSuite_encryption(void) {
+    Suite *s = suite_create("Encryption");
+    TCase *tc_encryption = tcase_create("Encryption basic256sha256");
+    tcase_add_checked_fixture(tc_encryption, setup, teardown);
+#ifdef UA_ENABLE_ENCRYPTION
+    tcase_add_test(tc_encryption, encryption_connect);
+#endif /* UA_ENABLE_ENCRYPTION */
+    suite_add_tcase(s,tc_encryption);
+    return s;
+}
+
+int main(void) {
+    Suite *s = testSuite_encryption();
+    SRunner *sr = srunner_create(s);
+    srunner_set_fork_status(sr, CK_NOFORK);
+    srunner_run_all(sr,CK_NORMAL);
+    int number_failed = srunner_ntests_failed(sr);
+    srunner_free(sr);
+    return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
+}

tests/fuzz/ua_debug_dump_pkgs_file.c

@@ -158,8 +158,11 @@ UA_debug_dumpCompleteChunk(UA_Server *const server, UA_Connection *const connect
     } else {
         // make a backup of the sequence number and reset it, because processChunk increases it
         UA_UInt32 seqBackup = connection->channel->receiveSequenceNumber;
-        UA_SecureChannel_processChunk(connection->channel, messageBuffer,
+        UA_ByteString messageBufferCopy;
+        UA_ByteString_copy(messageBuffer, &messageBufferCopy);
+        UA_SecureChannel_processChunk(connection->channel, &messageBufferCopy,
                                       UA_debug_dump_setName_withChannel, &dump_filename);
+        UA_ByteString_deleteMembers(&messageBufferCopy);
         connection->channel->receiveSequenceNumber = seqBackup;
     }
 

tools/travis/travis_linux_script.sh

@@ -4,7 +4,10 @@ set -e
 
 # Sonar code quality
 if ! [ -z ${SONAR+x} ]; then
-    if ! [ "${TRAVIS_REPO_SLUG}" = "open62541/open62541" ]; then
+    if ([ "${TRAVIS_REPO_SLUG}" != "open62541/open62541" ] ||
+        [ "${TRAVIS_PULL_REQUEST}" != "false" ] ||
+        [ "${TRAVIS_BRANCH}" != "master" ]); then
+        echo "Skipping Sonarcloud on forks"
         # Skip on forks
         exit 0;
     fi