When you expect a function to return a particular value, don't put a comment

saying that you expect it to return that value and compare it against zero
because it is supposedly faster, for this leads to bugs (especially given the
high rate of sloppy cut'n'paste within ssl3 and dtls1 routines in this
library).

Instead, compare for the exact value it ought to return upon success.

ok deraadt@

1 files changed, 4 insertions, 4 deletions

diff --git a/lib/libssl/d1_clnt.c b/lib/libssl/d1_clnt.c
index 552667f6c13..165f9441f60 100644
--- a/lib/libssl/d1_clnt.c
+++ b/lib/libssl/d1_clnt.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: d1_clnt.c,v 1.31 2014/07/12 22:33:39 jsing Exp $ */
+/* $OpenBSD: d1_clnt.c,v 1.32 2014/08/07 19:46:31 miod Exp $ */
 /*
  * DTLS implementation written by Nagendra Modadugu
  * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
@@ -778,8 +778,9 @@ dtls1_client_hello(SSL *s)
 
 		/* if client_random is initialized, reuse it, we are
 		 * required to use same upon reply to HelloVerify */
-		for (i = 0; p[i]=='\0' && i < sizeof(s->s3->client_random); i++)
-			;
+		for (i = 0; i < sizeof(s->s3->client_random); i++)
+			if (p[i] != '\0')
+				break;
 		if (i == sizeof(s->s3->client_random))
 			RAND_pseudo_bytes(p, sizeof(s->s3->client_random));
 
@@ -1338,7 +1339,6 @@ dtls1_send_client_certificate(SSL *s)
 		/* If we get an error, we need to
 		 * ssl->rwstate=SSL_X509_LOOKUP; return(-1);
 		 * We then get retied later */
-		i = 0;
 		i = ssl_do_client_cert_cb(s, &x509, &pkey);
 		if (i < 0) {
 			s->rwstate = SSL_X509_LOOKUP;