Fix the ECDSA timing attack mentioned in the paper at:

	http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.

diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c
index 27450811d7208529a8ef99b5b089e9ce6c3c0bcc..441ccb7a9e4eba8326b0d0d752941a90500f49e2 100644 (file)
--- a/crypto/ocsp/ocsp_lib.c
+++ b/crypto/ocsp/ocsp_lib.c
@@ -169,14 +169,14 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
 
        char *host, *port;
 
-       /* dup the buffer since we are going to mess with it */
-       buf = BUF_strdup(url);
-       if (!buf) goto mem_err;
-
        *phost = NULL;
        *pport = NULL;
        *ppath = NULL;
 
+       /* dup the buffer since we are going to mess with it */
+       buf = BUF_strdup(url);
+       if (!buf) goto mem_err;
+
        /* Check for initial colon */
        p = strchr(buf, ':');