Bernhard.Linz/openvpn-install
1
0
Fork 0
mirror of https://github.com/angristan/openvpn-install.git synced 2025-12-16 17:07:02 +01:00
Code Issues Projects Releases Wiki Activity

fix: validate client name length to prevent invalid certificates (#1420)

Browse Source 
## Summary
- Add `is_valid_client_name()` helper and `validate_client_name()`
function to enforce client name constraints
- Reject client names longer than 64 characters (OpenSSL CN limit)
- Apply validation at all entry points: interactive prompt, `client add`
CLI, and `--client` install option

## Problem
Client names longer than 64 bytes cause Easy-RSA/OpenSSL to silently
truncate or reject Common Names, resulting in `.ovpn` files with empty
`<cert>/<key>` sections. Users (especially in headless/automated
deployments) would see the script complete successfully but get
non-functional output.

Fixes #1306
This commit is contained in:
Stanislas
2025-12-15 11:24:01 +01:00
committed by GitHub
parent 8375af5452
commit 2e0605e2eb
1 changed files with 29 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
openvpn-install.sh
View File

@@ -510,6 +510,29 @@ validate_mtu() {
fi fi
} }
# Maximum length for client names (OpenSSL CN limit)
readonly MAX_CLIENT_NAME_LENGTH=64
# Check if client name is valid (non-fatal, returns true/false)
is_valid_client_name() {
local name="$1"
[[ "$name" =~ ^[a-zA-Z0-9_-]+$ ]] && [[ ${#name} -le $MAX_CLIENT_NAME_LENGTH ]]
}
# Validate client name and exit with error if invalid
validate_client_name() {
local name="$1"
if [[ -z "$name" ]]; then
log_fatal "Client name cannot be empty."
fi
if ! [[ "$name" =~ ^[a-zA-Z0-9_-]+$ ]]; then
log_fatal "Invalid client name: $name. Only alphanumeric characters, underscores, and hyphens are allowed."
fi
if [[ ${#name} -gt $MAX_CLIENT_NAME_LENGTH ]]; then
log_fatal "Client name too long: ${#name} characters. Maximum is $MAX_CLIENT_NAME_LENGTH characters (OpenSSL CN limit)."
fi
}
# Handle install command # Handle install command
cmd_install() { cmd_install() {
local interactive=false local interactive=false
@@ -686,6 +709,7 @@ cmd_install() {
;; ;;
--client) --client)
[[ -z "${2:-}" ]] && log_fatal "--client requires an argument" [[ -z "${2:-}" ]] && log_fatal "--client requires an argument"
validate_client_name "$2"
CLIENT="$2" CLIENT="$2"
shift 2 shift 2
;; ;;
@@ -893,6 +917,7 @@ cmd_client_add() {
done done
[[ -z "$client_name" ]] && log_fatal "Client name is required. See '$SCRIPT_NAME client add --help' for usage." [[ -z "$client_name" ]] && log_fatal "Client name is required. See '$SCRIPT_NAME client add --help' for usage."
validate_client_name "$client_name"
requireOpenVPN requireOpenVPN
@@ -3088,11 +3113,11 @@ function listConnectedClients() {
function newClient() { function newClient() {
log_header "New Client Setup" log_header "New Client Setup"
# Only prompt for client name if not already set # Only prompt for client name if not already set or invalid
if ! [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; then if ! is_valid_client_name "$CLIENT"; then
log_prompt "Tell me a name for the client." log_prompt "Tell me a name for the client."
log_prompt "The name must consist of alphanumeric character. It may also include an underscore or a dash." log_prompt "The name must consist of alphanumeric characters, underscores, or dashes (max $MAX_CLIENT_NAME_LENGTH characters)."
until [[ $CLIENT =~ ^[a-zA-Z0-9_-]+$ ]]; do until is_valid_client_name "$CLIENT"; do
read -rp "Client name: " -e CLIENT read -rp "Client name: " -e CLIENT
done done
fi fi