diff --git a/src/openssl/tls.c b/src/openssl/tls.c
index 9569fe89..72e8645b 100644
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@@ -731,7 +731,7 @@ unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h,
 unsigned char* res;
 unsigned int md_len;
- res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, EVP_MAX_MD_SIZE);
+ res = (unsigned char*) GETDNS_XMALLOC(*mfs, unsigned char, GETDNS_TLS_MAX_DIGEST_LENGTH);
 if (!res)
 return NULL;
@@ -752,4 +752,21 @@ void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf)
 SHA1(data, data_size, buf);
 }
+void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen)
+{
+ const EVP_MD *md;
+ EVP_MD_CTX *mdctx;
+ unsigned int md_len;
+
+ md = EVP_sha256();
+ mdctx = EVP_MD_CTX_create();
+ EVP_DigestInit_ex(mdctx, md, NULL);
+ EVP_DigestUpdate(mdctx, &secret, sizeof(secret));
+ EVP_DigestUpdate(mdctx, addr, addrlen);
+ EVP_DigestFinal_ex(mdctx, buf, &md_len);
+ EVP_MD_CTX_destroy(mdctx);
+
+ *buflen = md_len;
+}
+
 /* tls.c */
diff --git a/src/stub.c b/src/stub.c
index 3bbcc53f..f1421edb 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -121,10 +121,8 @@ rollover_secret()
 static void
 calc_new_cookie(getdns_upstream *upstream, uint8_t *cookie)
 {
- const EVP_MD *md;
- EVP_MD_CTX *mdctx;
- unsigned char md_value[EVP_MAX_MD_SIZE];
- unsigned int md_len;
+ unsigned char md_value[GETDNS_TLS_MAX_DIGEST_LENGTH];
+ size_t md_len;
 size_t i;
 sa_family_t af = upstream->addr.ss_family;
 void *sa_addr = ((struct sockaddr*)&upstream->addr)->sa_data;
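Review bot: The `GETDNS_XMALLOC` size in `_getdns_tls_hmac_end` now comes from `GETDNS_TLS_MAX_DIGEST_LENGTH`, a getdns-level constant whose value is not visible here, while the HMAC finalisation that fills `res` (outside this hunk) writes up to OpenSSL's own digest size. If the two constants ever diverge, that write overruns the heap allocation, and the same constant now also sizes `md_value` in `calc_new_cookie` (src/stub.c), so the relation is worth pinning once in the OpenSSL backend rather than assumed; assuming the constant is a preprocessor define, a check near the top of src/openssl/tls.c would do: `#if GETDNS_TLS_MAX_DIGEST_LENGTH < EVP_MAX_MD_SIZE` / `#error "GETDNS_TLS_MAX_DIGEST_LENGTH must cover EVP_MAX_MD_SIZE"` / `#endif`. `_getdns_tls_hmac_end` continues outside the hunk.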
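Review bot: `_getdns_tls_cookie_sha256` never checks its OpenSSL calls: `EVP_MD_CTX_create()` can return NULL on allocation failure, after which `EVP_DigestInit_ex` dereferences it, and if `EVP_DigestInit_ex`, either `EVP_DigestUpdate` or `EVP_DigestFinal_ex` fails, `md_len` is left uninitialised and copied into `*buflen` while `buf` holds nothing meaningful. Since the signature is void, the cheapest contract is to set `*buflen = 0` up front and store `md_len` only when every step returned 1, so callers can detect failure by a zero length. `calc_new_cookie` in src/stub.c (its second hunk) would then need to treat a zero `md_len` as an error rather than falling through its `memset`/xor loop, which with length 0 leaves the cookie as eight zero bytes — a fixed value instead of one derived from the secret and address. Initialising `md_len` also keeps it defined on every path.
```c
void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen)
{
	/* … unchanged: md / mdctx declarations … */
	unsigned int md_len = 0;

	*buflen = 0;
	md = EVP_sha256();
	mdctx = EVP_MD_CTX_create();
	if (!mdctx)
		return;
	if (EVP_DigestInit_ex(mdctx, md, NULL) == 1
	 && EVP_DigestUpdate(mdctx, &secret, sizeof(secret)) == 1
	 && EVP_DigestUpdate(mdctx, addr, addrlen) == 1
	 && EVP_DigestFinal_ex(mdctx, buf, &md_len) == 1)
		*buflen = md_len;
	EVP_MD_CTX_destroy(mdctx);
}
```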
@@ -132,13 +130,7 @@ calc_new_cookie(getdns_upstream *upstream, uint8_t *cookie)
 : af == AF_INET ? sizeof(struct sockaddr_in)
 : 0 ) - sizeof(sa_family_t);
- md = EVP_sha256();
- mdctx = EVP_MD_CTX_create();
- EVP_DigestInit_ex(mdctx, md, NULL);
- EVP_DigestUpdate(mdctx, &secret, sizeof(secret));
- EVP_DigestUpdate(mdctx, sa_addr, addr_len);
- EVP_DigestFinal_ex(mdctx, md_value, &md_len);
- EVP_MD_CTX_destroy(mdctx);
+ _getdns_tls_cookie_sha256(secret, sa_addr, addr_len, md_value, &md_len);
 (void) memset(cookie, 0, 8);
 for (i = 0; i < md_len; i++)
diff --git a/src/tls.h b/src/tls.h
index fae8e939..434d79fb 100644
--- a/src/tls.h
+++ b/src/tls.h
@@ -388,4 +388,15 @@ unsigned char* _getdns_tls_hmac_end(struct mem_funcs* mfs, _getdns_tls_hmac* h,
 */
 void _getdns_tls_sha1(const void* data, size_t data_size, unsigned char* buf);
+/**
+ * Calculate SHA256 for cookie.
+ *
+ * @param secret the secret.
+ * @param addr the address.
+ * @param addrlen the address length.
+ * @param buf buffer to receive hash.
+ * @param buflen receive the hash length.
+ */
+void _getdns_tls_cookie_sha256(uint32_t secret, void* addr, size_t addrlen, unsigned char* buf, size_t* buflen);
+
 #endif /* _GETDNS_TLS_H */
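Review bot: The new doc comment on `_getdns_tls_cookie_sha256` omits the one constraint a caller must get right — how large `buf` has to be; the implementation in src/openssl/tls.c writes the full SHA-256 digest through `EVP_DigestFinal_ex`, so say so: `@param buf buffer of at least GETDNS_TLS_MAX_DIGEST_LENGTH bytes to receive the hash.` and `@param buflen set to the number of hash bytes written to buf.` It would also help to state that `secret` is hashed as its raw in-memory bytes (the definition passes `&secret, sizeof(secret)`), so readers know the cookie depends on the host representation of that value. `addr` is only read, so the prototype (and the definition in src/openssl/tls.c) can take `const void* addr`, matching `_getdns_tls_sha1` directly above.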