Fix the ECDSA timing attack mentioned in the paper at:

	http://eprint.iacr.org/2011/232.pdf

Thanks to the original authors Billy Bob Brumley and Nicola Tuveri for
bringing this to our attention.

diff --git a/crypto/ocsp/ocsp_lib.c b/crypto/ocsp/ocsp_lib.c
index 0090bc267c418a7cfcd0dc6bcde1ceaf9e14437d..a94dc838eecbfc84ecae6a14c9acb88bdc9234ec 100644 (file)
--- a/crypto/ocsp/ocsp_lib.c
+++ b/crypto/ocsp/ocsp_lib.c
@@ -171,14 +171,14 @@ int OCSP_parse_url(char *url, char **phost, char **pport, char **ppath, int *pss
 
        char *host, *port;
 
-       /* dup the buffer since we are going to mess with it */
-       buf = BUF_strdup(url);
-       if (!buf) goto mem_err;
-
        *phost = NULL;
        *pport = NULL;
        *ppath = NULL;
 
+       /* dup the buffer since we are going to mess with it */
+       buf = BUF_strdup(url);
+       if (!buf) goto mem_err;
+
        /* Check for initial colon */
        p = strchr(buf, ':');