This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/11.0.x by this push:
new 71c6436844 Add size limit for OCSP responses
71c6436844 is described below
commit 71c643684429da86a8fd2d33314a5c59858c1dbf
Author: remm <[email protected]>
AuthorDate: Fri Feb 6 23:39:49 2026 +0100
Add size limit for OCSP responses
Based on code submitted by Chenjp.
---
java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java | 4 ++++
webapps/docs/changelog.xml | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
index 9b4ec1c95a..71aca03fb8 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLEngine.java
@@ -97,6 +97,7 @@ public final class OpenSSLEngine extends SSLEngine implements
SSLUtil.ProtocolIn
private static final int MAX_CIPHERTEXT_LENGTH = MAX_COMPRESSED_LENGTH +
1024;
// 15 minutes aligns with JSSE
private static final int OCSP_MAX_SKEW = 60 * 15;
+ private static final int OCSP_MAX_RESPONSE_SIZE = 64 * 1024;
// Header (5) + Data (2^14) + Compression (1024) + Encryption (1024) + MAC
(20) + Padding (256)
private static final int MAX_ENCRYPTED_PACKET_LENGTH =
MAX_CIPHERTEXT_LENGTH + 5 + 20 + 256;
@@ -1354,6 +1355,9 @@ public final class OpenSSLEngine extends SSLEngine
implements SSLUtil.ProtocolIn
int read;
byte[] responseBuf = new byte[1024];
while ((read = is.read(responseBuf)) > 0) {
+ if (baos.size() > OCSP_MAX_RESPONSE_SIZE) {
+ return V_OCSP_CERTSTATUS_UNKNOWN();
+ }
baos.write(responseBuf, 0, read);
}
byte[] responseData = baos.toByteArray();
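Review bot: The guard `if (baos.size() > OCSP_MAX_RESPONSE_SIZE)` is evaluated before the chunk is written, so the buffer can grow one chunk (up to 1024 bytes) past the limit, and a response that ends inside that overshoot is never rejected because the check only runs on the next loop iteration. Testing the post-write size instead makes the cap exact: `if (baos.size() + read > OCSP_MAX_RESPONSE_SIZE) { return V_OCSP_CERTSTATUS_UNKNOWN(); }`. The enclosing method starts and ends outside the hunk, so it is not visible whether `is` is managed by try-with-resources; if it is not, this new early return leaks the responder stream. A one-line comment above the check, e.g. `// Bound the responder body so a broken or malicious OCSP responder cannot exhaust memory`, would record why the limit exists and why an oversized reply degrades to UNKNOWN rather than failing the handshake.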
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index a994f73434..810ee98c61 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -113,6 +113,10 @@
compressed when compression is enabled. Based on pull request
<pr>914</pr> by Long9725. (markt)
</add>
+ <fix>
+ Add size limit for OCSP responses. Based on code submitted by Chenjp.
+ (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Jasper">