Are cookie-required handshakes at least REKEY_TIMEOUT long?

[Jason A. Donenfeld]

Yes, to prevent certain types of DoS. Most packets only move around
the timer state machine, but don't actually result in a direct action.
Rather, a timer firing sometime later is what starts an action. In the
case of cookies, the cookie is used in the subsequent message. See
section 6.6 of https://www.wireguard.com/papers/wireguard.pdf