From 7d2a2273adc66120d7882cfc177a5fcae70da672 Mon Sep 17 00:00:00 2001
From: Frederik Wedel-Heinen
Date: Fri, 17 Oct 2025 06:17:53 +0200
Subject: [PATCH] Use array sizeof for dtls cookie size checks instead of DTLS1_COOKIE_LENGTH
Reviewed-by: Matt Caswell
Reviewed-by: Tim Hudson
(Merged from https://github.com/openssl/openssl/pull/28940)
---
 ssl/statem/statem_srvr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index 5f6d64662ac..4582a70ba96 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -1405,7 +1405,7 @@ CON_FUNC_RETURN dtls_construct_hello_verify_request(SSL_CONNECTION *s,
 if (sctx->app_gen_cookie_cb == NULL || sctx->app_gen_cookie_cb(SSL_CONNECTION_GET_USER_SSL(s), s->d1->cookie, &cookie_leni) == 0
- || cookie_leni > DTLS1_COOKIE_LENGTH) {
+ || cookie_leni > sizeof(s->d1->cookie)) {
 SSLfatal(s, SSL_AD_NO_ALERT, SSL_R_COOKIE_GEN_CALLBACK_FAILURE);
 return CON_FUNC_ERROR;
 }
@@ -1633,7 +1633,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL_CONNECTION *s, PACKET *pkt)
 goto err;
 }
 if (!PACKET_copy_all(&cookie, clienthello->dtls_cookie,
- DTLS1_COOKIE_LENGTH,
+ sizeof(clienthello->dtls_cookie),
 &clienthello->dtls_cookie_len)) {
 SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR);
 goto err;
-- 
2.47.3
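Review bot: The bound on `cookie_leni` in dtls_construct_hello_verify_request is evaluated only after `app_gen_cookie_cb` has already written into `s->d1->cookie`, and the callback is passed no capacity, so this condition can report an oversized cookie but cannot stop the write. A comment above the condition would make that explicit, e.g. `/* callback gets no buffer size; this only detects an overlong cookie after the fact */`, and the callback's documentation should state the maximum it may write. The same `sizeof` idiom is used for `clienthello->dtls_cookie` in the tls_process_client_hello hunk; both give the capacity only while those members are arrays (their declarations are outside the diff), so a short note near the declarations would guard against a later change to a pointer. Both function bodies continue outside their hunks.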