Use array sizeof for dtls cookie size checks instead of DTLS1_COOKIE_LENGTH
authorFrederik Wedel-Heinen <frederik.wedel-heinen@dencrypt.dk>
Fri, 17 Oct 2025 04:17:53 +0000 (06:17 +0200)
committerTomas Mraz <tomas@openssl.org>
Mon, 10 Nov 2025 19:57:23 +0000 (20:57 +0100)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/28940)

ssl/statem/statem_srvr.c

index 5f6d64662ac1a83f9168ff918ff58ee3a7837a6e..4582a70ba96c649ae621a95dd801cfdbb39ed7f0 100644 (file)
@@ -1405,7 +1405,7 @@ CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s,
     if (sctx->app_gen_cookie_cb == NULL
         || sctx->app_gen_cookie_cb(SSL_CONNECTION_GET_USER_SSL(s), s->d1->cookie,
                                    &cookie_leni) == 0
-        || cookie_leni > DTLS1_COOKIE_LENGTH) {
+        || cookie_leni > sizeof(s->d1->cookie)) {
         SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
         return CON_FUNC_ERROR;
     }
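Review bot: The length comparison on the changed line runs only after `app_gen_cookie_cb` has already written into `s->d1->cookie`, and the call shown passes the buffer and `&cookie_leni` but no capacity. The check can therefore reject an over-long cookie, but it cannot prevent the write that produced it. That contract deserves a comment at the call site, for example `/* cb is given no buffer size: it must write at most sizeof(s->d1->cookie) bytes; the check below only detects a violation */`. The function body starts and continues outside the hunk, so the declaration of `cookie_leni` is not visible here.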
@@ -1633,7 +1633,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt)
                 goto err;
             }
             if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
-                                 DTLS1_COOKIE_LENGTH,
+                                 sizeof(clienthello->dtls_cookie),
                                  &clienthello->dtls_cookie_len)) {
                 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
                 goto err;
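Review bot: `sizeof(clienthello->dtls_cookie)` is the right bound only while `dtls_cookie` is declared as an array member, and that declaration is outside the hunk. If it were ever changed to a pointer, this argument would silently become the pointer size with no compiler diagnostic. The same holds for `sizeof(s->d1->cookie)` in the first hunk. A comment at the two member declarations would record the dependency, e.g. `/* must remain an array: sizeof() of this member is used as the copy bound */`. The enclosing block of tls_process_client_hello starts and ends outside the hunk.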