From: Dr. Stephen Henson Date: Wed, 25 May 2011 14:52:44 +0000 (+0000) Subject: Fix the ECDSA timing attack mentioned in the paper at: X-Git-Tag: OpenSSL_1_0_0e~37 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=92107f81508aef4e74dbbfe9d6f9f169e80644b9;p=oweals%2Fopenssl.git Fix the ECDSA timing attack mentioned in the paper at: http://eprint.iacr.org/2011/232.pdf Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for bringing this to our attention. --- diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c index 36905d76cd..e92b86c060 100644 --- a/crypto/ocsp/ocsp_lib.c +++ b/crypto/ocsp/ocsp_lib.c @@ -170,14 +170,14 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss char *host, *port; - /* dup the buffer since we are going to mess with it */ - buf = BUF_strdup(url); - if (!buf) goto mem_err; - *phost = NULL; *pport = NULL; *ppath = NULL; + /* dup the buffer since we are going to mess with it */ + buf = BUF_strdup(url); + if (!buf) goto mem_err; + /* Check for initial colon */ p = strchr(buf, ':');
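Review bot: the reordering at the top of OCSP_parse_url in crypto/ocsp/ocsp_lib.c is not covered by the commit message, which describes only an ECDSA timing fix. In this hunk, `buf = BUF_strdup(url);` and `if (!buf) goto mem_err;` move below the `*phost = NULL; *pport = NULL; *ppath = NULL;` assignments, so the out-parameters are already NULL when the allocation-failure path is taken. That reads as an independent error-path fix, so I would put it in its own commit, or at least mention it in the message, so it can be found and reviewed separately from the ECDSA change. The `mem_err` handler is not visible in this hunk, so please confirm that it relies only on these three pointers being initialized. A short comment on the NULL assignments saying they must precede any `goto` would also keep the ordering from being undone later.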