When responding to a HelloVerifyRequest, the client MUST use the same parameter values (version, random, session_id, cipher_suites, compression_method) as it did in the original ClientHello. The server SHOULD use those values to generate its cookie and verify that they are correct upon cookie receipt.
Do not calculate the cookie using the Extensions as these are different between DTLS1.2 and DTLS1.3
https://datatracker.ietf.org/doc/html/rfc6347#section-4.2.1
When responding to a HelloVerifyRequest, the client MUST use the same parameter values (version, random, session_id, cipher_suites, compression_method) as it did in the original ClientHello. The server SHOULD use those values to generate its cookie and verify that they are correct upon cookie receipt.
https://www.rfc-editor.org/rfc/rfc9147.html#section-5.3
The ClientHello up to, but not including the Extensions is the same for DTLS1.2 and DTLS1.3
Alternative implementation for PR #223 with boundary checks using SKIP_VAR_FIELD.