fix: validate client name length to prevent invalid certificates (#1420)

## Summary - Add `is_valid_client_name()` helper and `validate_client_name()` function to enforce client name constraints - Reject client names longer than 64 characters (OpenSSL CN limit) - Apply validation at all entry points: interactive prompt, `client add` CLI, and `--client` install option ## Problem Client names longer than 64 bytes cause Easy-RSA/OpenSSL to silently truncate or reject Common Names, resulting in `.ovpn` files with empty `<cert>/<key>` sections. Users (especially in headless/automated deployments) would see the script complete successfully but get non-functional output. Fixes #1306
2025-12-16 08:57:03 +01:00 · 2025-12-15 11:24:01 +01:00
parent 8375af5452
commit 2e0605e2eb
1 changed files with 29 additions and 4 deletions
--- a/openvpn-install.sh
+++ b/openvpn-install.sh
@@ -510,6 +510,29 @@ validate_mtu() {
 	fi
 }

+# Maximum length for client names (OpenSSL CN limit)
+readonly MAX_CLIENT_NAME_LENGTH=64
+
+# Check if client name is valid (non-fatal, returns true/false)
+is_valid_client_name() {
+	local name="$1"
+	[[ "$name" =~ ^[a-zA-Z0-9_-]+$ ]] && [[ ${#name} -le $MAX_CLIENT_NAME_LENGTH ]]
+}
+
+# Validate client name and exit with error if invalid
+validate_client_name() {
+	local name="$1"
+	if [[ -z "$name" ]]; then
+		log_fatal "Client name cannot be empty."
+	fi
+	if ! [[ "$name" =~ ^[a-zA-Z0-9_-]+$ ]]; then
+		log_fatal "Invalid client name: $name. Only alphanumeric characters, underscores, and hyphens are allowed."
+	fi
+	if [[ ${#name} -gt $MAX_CLIENT_NAME_LENGTH ]]; then
+		log_fatal "Client name too long: ${#name} characters. Maximum is $MAX_CLIENT_NAME_LENGTH characters (OpenSSL CN limit)."
+	fi
+}
+
 # Handle install command
 cmd_install() {
 	local interactive=false
@@ -686,6 +709,7 @@ cmd_install() {
 			;;
 		--client)
 			[[ -z "${2:-}" ]] && log_fatal "--client requires an argument"
+			validate_client_name "$2"
 			CLIENT="$2"
 			shift 2
 			;;
@@ -893,6 +917,7 @@ cmd_client_add() {
 	done

 	[[ -z "$client_name" ]] && log_fatal "Client name is required. See '$SCRIPT_NAME client add --help' for usage."
+	validate_client_name "$client_name"

 	requireOpenVPN

@@ -3088,11 +3113,11 @@ function listConnectedClients() {
 function newClient() {
 	log_header "New Client Setup"

-	# Only prompt for client name if not already set
-	if ! [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; then
+	# Only prompt for client name if not already set or invalid
+	if ! is_valid_client_name "$CLIENT"; then
 		log_prompt "Tell me a name for the client."
-		log_prompt "The name must consist of alphanumeric character. It may also include an underscore or a dash."
-		until [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; do
+		log_prompt "The name must consist of alphanumeric characters, underscores, or dashes (max $MAX_CLIENT_NAME_LENGTH characters)."
+		until is_valid_client_name "$CLIENT"; do
 			read -rp "Client name: " -e CLIENT
 		done
 	fi