Incorporate review comments

Frauschi · Frauschi · commit aed780b59b93 · 2026-03-03T16:00:29.000+01:00
diff --git a/src/dtls.c b/src/dtls.c
@@ -295,42 +295,6 @@ static int CheckDtlsCookie(const WOLFSSL* ssl, WolfSSL_CH* ch,
     return ret;
 }
 
-#if defined(WOLFSSL_DTLS13) && defined(WOLFSSL_SEND_HRR_COOKIE)
-static int ParseCookieExt(WOLFSSL* ssl, WolfSSL_CH* ch)
-{
-    int ret = 0;
-    word16 len;
-    const byte* cookie = NULL;
-
-    if (ch->cookieExt.size < OPAQUE16_LEN + 1)
-        return BUFFER_E;
-    ato16(ch->cookieExt.elements, &len);
-    if (ch->cookieExt.size - OPAQUE16_LEN != len)
-        return BUFFER_E;
-    cookie = ch->cookieExt.elements + OPAQUE16_LEN;
-    ret = TlsCheckCookie(ssl, cookie, len);
-    if (ret < 0)
-        return ret;
-    len = (word16)ret;
-
-    /* Cookie Data = Hash Len | Hash | CS | KeyShare Group (optional) */
-
-    /* Check if the cookie has a key share group */
-    if (len > cookie[0] + 4) {
-        word16 keyShareGroup = 0;
-        ato16(cookie + 3 + cookie[0], &keyShareGroup);
-
-        /* The key share group in the cookie is the group selected by the
-         * server in the HelloRetryRequest. Hence, the client must use this
-         * group in the second ClientHello.
-         */
-        ssl->hrr_keyshare_group = keyShareGroup;
-    }
-
-    return 0;
-}
-#endif /* WOLFSSL_DTLS13 && WOLFSSL_SEND_HRR_COOKIE */
-
 static int ParseClientHello(const byte* input, word32 helloSz, WolfSSL_CH* ch,
         byte isFirstCHFrag)
 {
@@ -1077,10 +1041,6 @@ int DoClientHelloStateless(WOLFSSL* ssl, const byte* input, word32 helloSz,
                 e = Dtls13GetEpoch(ssl, ssl->keys.curEpoch64);
                 if (e != NULL)
                     XMEMSET(e->window, 0xFF, sizeof(e->window));
-
-                ret = ParseCookieExt(ssl, &ch);
-                if (ret != 0)
-                    return ret;
             }
             else
 #endif
diff --git a/src/tls.c b/src/tls.c
@@ -7248,6 +7248,53 @@ static int TLSX_Cookie_Write(Cookie* cookie, byte* output, byte msgType,
     return 0;
 }
 
+#ifdef WOLFSSL_DTLS13
+/* Extract the key share group from the cookie and store it in the
+ * ssl session for later checks.
+ *
+ * ssl    The SSL/TLS object.
+ * returns 0 on success and other values indicate failure.
+ */
+static int TLSX_Cookie_RestoreHrrGroup(WOLFSSL* ssl)
+{
+    TLSX* extension;
+    Cookie* cookie;
+#ifndef NO_SHA256
+    byte macSz = WC_SHA256_DIGEST_SIZE;
+#elif defined(WOLFSSL_SHA384)
+    byte macSz = WC_SHA384_DIGEST_SIZE;
+#elif defined(WOLFSSL_TLS13_SHA512)
+    byte macSz = WC_SHA512_DIGEST_SIZE;
+#elif defined(WOLFSSL_SM3)
+    byte macSz = WC_SM3_DIGEST_SIZE;
+#endif /* NO_SHA */
+
+    extension = TLSX_Find(ssl->extensions, TLSX_COOKIE);
+    if (extension == NULL)
+        return 0;
+
+    cookie = (Cookie*)extension->data;
+    if (cookie == NULL)
+        return 0;
+
+    /* Cookie Data = Hash Len | Hash | CS | KeyShare Group (optional) | MAC */
+
+    /* Check if the cookie has a key share group */
+    if (cookie->data[0] + 4 + macSz < cookie->len) {
+        word16 keyShareGroup = 0;
+        ato16(cookie->data + 3 + cookie->data[0], &keyShareGroup);
+
+        /* The key share group in the cookie is the group selected by the
+         * server in the HelloRetryRequest. Hence, the client must use this
+         * group in the second ClientHello.
+         */
+        ssl->hrr_keyshare_group = keyShareGroup;
+    }
+
+    return 0;
+}
+#endif /* WOLFSSL_DTLS13 */
+
 /* Parse the Cookie extension.
  * In messages: ClientHello and HelloRetryRequest.
  *
@@ -7290,12 +7337,20 @@ static int TLSX_Cookie_Parse(WOLFSSL* ssl, const byte* input, word16 length,
     extension = TLSX_Find(ssl->extensions, TLSX_COOKIE);
     if (extension == NULL) {
 #ifdef WOLFSSL_DTLS13
-        if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version))
+        if (ssl->options.dtls && IsAtLeastTLSv1_3(ssl->version)) {
+            int ret = 0;
             /* Allow a cookie extension with DTLS 1.3 because it is possible
              * that a different SSL instance sent the cookie but we are now
              * receiving it. */
-            return TLSX_Cookie_Use(ssl, input + idx, len, NULL, 0, 0,
-                                   &ssl->extensions);
+            ret = TLSX_Cookie_Use(ssl, input + idx, len, NULL, 0, 0,
+                                  &ssl->extensions);
+
+            if (ret == 0 && ssl->options.dtlsStateful) {
+                /* Try to extract a HRR key share group from the cookie */
+                ret = TLSX_Cookie_RestoreHrrGroup(ssl);
+            }
+            return ret;
+        }
         else
 #endif
         {
