Move extension data into sub-structs

Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2052)
2025-01-19 16:33:33 +08:00 · 2016-12-08 14:18:40 -05:00 · 2016-12-08 14:18:40 -05:00 · aff8c126fd
commit aff8c126fd
parent 18e3ab7bc4
16 changed files with 643 additions and 607 deletions
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@ -656,19 +656,23 @@ void SSL_CTX_set_cookie_verify_cb(SSL_CTX *ctx,
                                                               unsigned int
                                                               cookie_len));
 # ifndef OPENSSL_NO_NEXTPROTONEG
+#  define SSL_CTX_set_npn_select_cb SSL_CTX_set_next_proto_select_cb
+#  define SSL_CTX_set_npn_advertised_cb SSL_CTX_set_next_protos_advertised_cb
+#  define SSL_get0_npn_negotiated SSL_get0_next_proto_negotiated
 void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *s,
                                           int (*cb) (SSL *ssl,
-                                                      const unsigned char
-                                                      **out,
+                                                      const unsigned char **out,
                                                      unsigned int *outlen,
-                                                      void *arg), void *arg);
+                                                      void *arg),
+                                           void *arg);
 void SSL_CTX_set_next_proto_select_cb(SSL_CTX *s,
                                      int (*cb) (SSL *ssl,
                                                 unsigned char **out,
                                                 unsigned char *outlen,
                                                 const unsigned char *in,
                                                 unsigned int inlen,
-                                                 void *arg), void *arg);
+                                                 void *arg),
+                                      void *arg);
 void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
                                    unsigned *len);
 # endif
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -2882,9 +2882,9 @@ void ssl3_clear(SSL *s)
    s->version = SSL3_VERSION;

 #if !defined(OPENSSL_NO_NEXTPROTONEG)
-    OPENSSL_free(s->next_proto_negotiated);
-    s->next_proto_negotiated = NULL;
-    s->next_proto_negotiated_len = 0;
+    OPENSSL_free(s->ext.npn);
+    s->ext.npn = NULL;
+    s->ext.npn_len = 0;
 #endif
 }

@ -2969,8 +2969,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
            nid = EC_GROUP_get_curve_name(group);
            if (nid == NID_undef)
                return 0;
-            return tls1_set_groups(&s->tlsext_supportedgroupslist,
-                                   &s->tlsext_supportedgroupslist_length,
+            return tls1_set_groups(&s->ext.supportedgroups,
+                                   &s->ext.supportedgroups_len,
                                   &nid, 1);
        }
        break;
@ -2979,8 +2979,8 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        if (larg == TLSEXT_NAMETYPE_host_name) {
            size_t len;

-            OPENSSL_free(s->tlsext_hostname);
-            s->tlsext_hostname = NULL;
+            OPENSSL_free(s->ext.hostname);
+            s->ext.hostname = NULL;

            ret = 1;
            if (parg == NULL)
@ -2990,7 +2990,7 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
                SSLerr(SSL_F_SSL3_CTRL, SSL_R_SSL3_EXT_INVALID_SERVERNAME);
                return 0;
            }
-            if ((s->tlsext_hostname = OPENSSL_strdup((char *)parg)) == NULL) {
+            if ((s->ext.hostname = OPENSSL_strdup((char *)parg)) == NULL) {
                SSLerr(SSL_F_SSL3_CTRL, ERR_R_INTERNAL_ERROR);
                return 0;
            }
@ -3000,50 +3000,50 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        }
        break;
    case SSL_CTRL_SET_TLSEXT_DEBUG_ARG:
-        s->tlsext_debug_arg = parg;
+        s->ext.debug_arg = parg;
        ret = 1;
        break;

    case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
-        ret = s->tlsext_status_type;
+        ret = s->ext.status_type;
        break;

    case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
-        s->tlsext_status_type = larg;
+        s->ext.status_type = larg;
        ret = 1;
        break;

    case SSL_CTRL_GET_TLSEXT_STATUS_REQ_EXTS:
-        *(STACK_OF(X509_EXTENSION) **)parg = s->tlsext_ocsp_exts;
+        *(STACK_OF(X509_EXTENSION) **)parg = s->ext.ocsp.exts;
        ret = 1;
        break;

    case SSL_CTRL_SET_TLSEXT_STATUS_REQ_EXTS:
-        s->tlsext_ocsp_exts = parg;
+        s->ext.ocsp.exts = parg;
        ret = 1;
        break;

    case SSL_CTRL_GET_TLSEXT_STATUS_REQ_IDS:
-        *(STACK_OF(OCSP_RESPID) **)parg = s->tlsext_ocsp_ids;
+        *(STACK_OF(OCSP_RESPID) **)parg = s->ext.ocsp.ids;
        ret = 1;
        break;

    case SSL_CTRL_SET_TLSEXT_STATUS_REQ_IDS:
-        s->tlsext_ocsp_ids = parg;
+        s->ext.ocsp.ids = parg;
        ret = 1;
        break;

    case SSL_CTRL_GET_TLSEXT_STATUS_REQ_OCSP_RESP:
-        *(unsigned char **)parg = s->tlsext_ocsp_resp;
-        if (s->tlsext_ocsp_resplen == 0
-                || s->tlsext_ocsp_resplen > LONG_MAX)
+        *(unsigned char **)parg = s->ext.ocsp.resp;
+        if (s->ext.ocsp.resp_len == 0
+                || s->ext.ocsp.resp_len > LONG_MAX)
            return -1;
-        return (long)s->tlsext_ocsp_resplen;
+        return (long)s->ext.ocsp.resp_len;

    case SSL_CTRL_SET_TLSEXT_STATUS_REQ_OCSP_RESP:
-        OPENSSL_free(s->tlsext_ocsp_resp);
-        s->tlsext_ocsp_resp = parg;
-        s->tlsext_ocsp_resplen = larg;
+        OPENSSL_free(s->ext.ocsp.resp);
+        s->ext.ocsp.resp = parg;
+        s->ext.ocsp.resp_len = larg;
        ret = 1;
        break;

@ -3101,10 +3101,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        {
            unsigned char *clist;
            size_t clistlen;
+
            if (!s->session)
                return 0;
-            clist = s->session->tlsext_supportedgroupslist;
-            clistlen = s->session->tlsext_supportedgroupslist_length / 2;
+            clist = s->session->ext.supportedgroups;
+            clistlen = s->session->ext.supportedgroups_len / 2;
            if (parg) {
                size_t i;
                int *cptr = parg;
@ -3123,12 +3124,12 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        }

    case SSL_CTRL_SET_GROUPS:
-        return tls1_set_groups(&s->tlsext_supportedgroupslist,
-                               &s->tlsext_supportedgroupslist_length, parg, larg);
+        return tls1_set_groups(&s->ext.supportedgroups,
+                               &s->ext.supportedgroups_len, parg, larg);

    case SSL_CTRL_SET_GROUPS_LIST:
-        return tls1_set_groups_list(&s->tlsext_supportedgroupslist,
-                                    &s->tlsext_supportedgroupslist_length, parg);
+        return tls1_set_groups_list(&s->ext.supportedgroups,
+                                    &s->ext.supportedgroups_len, parg);

    case SSL_CTRL_GET_SHARED_GROUP:
        return tls1_shared_group(s, larg);
@ -3208,10 +3209,11 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg)
        {
            SSL_SESSION *sess = s->session;
            const unsigned char **pformat = parg;
-            if (!sess || !sess->tlsext_ecpointformatlist)
+
+            if (sess == NULL || sess->ext.ecpointformats == NULL)
                return 0;
-            *pformat = sess->tlsext_ecpointformatlist;
-            return (int)sess->tlsext_ecpointformatlist_length;
+            *pformat = sess->ext.ecpointformats;
+            return (int)sess->ext.ecpointformats_len;
        }
 #endif

@ -3234,7 +3236,7 @@ long ssl3_callback_ctrl(SSL *s, int cmd, void (*fp) (void))
        break;
 #endif
    case SSL_CTRL_SET_TLSEXT_DEBUG_CB:
-        s->tlsext_debug_cb = (void (*)(SSL *, int, int,
+        s->ext.debug_cb = (void (*)(SSL *, int, int,
                                       const unsigned char *, int, void *))fp;
        break;

@ -3306,69 +3308,69 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
            nid = EC_GROUP_get_curve_name(group);
            if (nid == NID_undef)
                return 0;
-            return tls1_set_groups(&ctx->tlsext_supportedgroupslist,
-                                   &ctx->tlsext_supportedgroupslist_length,
+            return tls1_set_groups(&ctx->ext.supportedgroups,
+                                   &ctx->ext.supportedgroups_len,
                                   &nid, 1);
        }
        /* break; */
 #endif                          /* !OPENSSL_NO_EC */
    case SSL_CTRL_SET_TLSEXT_SERVERNAME_ARG:
-        ctx->tlsext_servername_arg = parg;
+        ctx->ext.servername_arg = parg;
        break;
    case SSL_CTRL_SET_TLSEXT_TICKET_KEYS:
    case SSL_CTRL_GET_TLSEXT_TICKET_KEYS:
        {
            unsigned char *keys = parg;
-            long tlsext_tick_keylen = (sizeof(ctx->tlsext_tick_key_name) +
-                                       sizeof(ctx->tlsext_tick_hmac_key) +
-                                       sizeof(ctx->tlsext_tick_aes_key));
+            long tick_keylen = (sizeof(ctx->ext.tick_key_name) +
+                                sizeof(ctx->ext.tick_hmac_key) +
+                                sizeof(ctx->ext.tick_aes_key));
            if (keys == NULL)
-                return tlsext_tick_keylen;
-            if (larg != tlsext_tick_keylen) {
+                return tick_keylen;
+            if (larg != tick_keylen) {
                SSLerr(SSL_F_SSL3_CTX_CTRL, SSL_R_INVALID_TICKET_KEYS_LENGTH);
                return 0;
            }
            if (cmd == SSL_CTRL_SET_TLSEXT_TICKET_KEYS) {
-                memcpy(ctx->tlsext_tick_key_name, keys,
-                       sizeof(ctx->tlsext_tick_key_name));
-                memcpy(ctx->tlsext_tick_hmac_key,
-                       keys + sizeof(ctx->tlsext_tick_key_name),
-                       sizeof(ctx->tlsext_tick_hmac_key));
-                memcpy(ctx->tlsext_tick_aes_key,
-                       keys + sizeof(ctx->tlsext_tick_key_name) +
-                       sizeof(ctx->tlsext_tick_hmac_key),
-                       sizeof(ctx->tlsext_tick_aes_key));
+                memcpy(ctx->ext.tick_key_name, keys,
+                       sizeof(ctx->ext.tick_key_name));
+                memcpy(ctx->ext.tick_hmac_key,
+                       keys + sizeof(ctx->ext.tick_key_name),
+                       sizeof(ctx->ext.tick_hmac_key));
+                memcpy(ctx->ext.tick_aes_key,
+                       keys + sizeof(ctx->ext.tick_key_name) +
+                       sizeof(ctx->ext.tick_hmac_key),
+                       sizeof(ctx->ext.tick_aes_key));
            } else {
-                memcpy(keys, ctx->tlsext_tick_key_name,
-                       sizeof(ctx->tlsext_tick_key_name));
-                memcpy(keys + sizeof(ctx->tlsext_tick_key_name),
-                       ctx->tlsext_tick_hmac_key,
-                       sizeof(ctx->tlsext_tick_hmac_key));
-                memcpy(keys + sizeof(ctx->tlsext_tick_key_name) +
-                       sizeof(ctx->tlsext_tick_hmac_key),
-                       ctx->tlsext_tick_aes_key,
-                       sizeof(ctx->tlsext_tick_aes_key));
+                memcpy(keys, ctx->ext.tick_key_name,
+                       sizeof(ctx->ext.tick_key_name));
+                memcpy(keys + sizeof(ctx->ext.tick_key_name),
+                       ctx->ext.tick_hmac_key,
+                       sizeof(ctx->ext.tick_hmac_key));
+                memcpy(keys + sizeof(ctx->ext.tick_key_name) +
+                       sizeof(ctx->ext.tick_hmac_key),
+                       ctx->ext.tick_aes_key,
+                       sizeof(ctx->ext.tick_aes_key));
            }
            return 1;
        }

    case SSL_CTRL_GET_TLSEXT_STATUS_REQ_TYPE:
-        return ctx->tlsext_status_type;
+        return ctx->ext.status_type;

    case SSL_CTRL_SET_TLSEXT_STATUS_REQ_TYPE:
-        ctx->tlsext_status_type = larg;
+        ctx->ext.status_type = larg;
        break;

    case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB_ARG:
-        ctx->tlsext_status_arg = parg;
+        ctx->ext.status_arg = parg;
        return 1;

    case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB_ARG:
-        *(void**)parg = ctx->tlsext_status_arg;
+        *(void**)parg = ctx->ext.status_arg;
        break;

    case SSL_CTRL_GET_TLSEXT_STATUS_REQ_CB:
-        *(int (**)(SSL*, void*))parg = ctx->tlsext_status_cb;
+        *(int (**)(SSL*, void*))parg = ctx->ext.status_cb;
        break;

 #ifndef OPENSSL_NO_SRP
@ -3404,13 +3406,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)

 #ifndef OPENSSL_NO_EC
    case SSL_CTRL_SET_GROUPS:
-        return tls1_set_groups(&ctx->tlsext_supportedgroupslist,
-                               &ctx->tlsext_supportedgroupslist_length,
+        return tls1_set_groups(&ctx->ext.supportedgroups,
+                               &ctx->ext.supportedgroups_len,
                               parg, larg);

    case SSL_CTRL_SET_GROUPS_LIST:
-        return tls1_set_groups_list(&ctx->tlsext_supportedgroupslist,
-                                    &ctx->tlsext_supportedgroupslist_length,
+        return tls1_set_groups_list(&ctx->ext.supportedgroups,
+                                    &ctx->ext.supportedgroups_len,
                                    parg);
 #endif
    case SSL_CTRL_SET_SIGALGS:
@ -3502,15 +3504,15 @@ long ssl3_ctx_callback_ctrl(SSL_CTX *ctx, int cmd, void (*fp) (void))
        break;
 #endif
    case SSL_CTRL_SET_TLSEXT_SERVERNAME_CB:
-        ctx->tlsext_servername_callback = (int (*)(SSL *, int *, void *))fp;
+        ctx->ext.servername_cb = (int (*)(SSL *, int *, void *))fp;
        break;

    case SSL_CTRL_SET_TLSEXT_STATUS_REQ_CB:
-        ctx->tlsext_status_cb = (int (*)(SSL *, void *))fp;
+        ctx->ext.status_cb = (int (*)(SSL *, void *))fp;
        break;

    case SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB:
-        ctx->tlsext_ticket_key_cb = (int (*)(SSL *, unsigned char *,
+        ctx->ext.ticket_key_cb = (int (*)(SSL *, unsigned char *,
                                             unsigned char *,
                                             EVP_CIPHER_CTX *,
                                             HMAC_CTX *, int))fp;
--- a/ssl/ssl_asn1.c
+++ b/ssl/ssl_asn1.c
@ -183,13 +183,13 @@ int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp)
    as.peer = in->peer;

    ssl_session_sinit(&as.tlsext_hostname, &tlsext_hostname,
-                      in->tlsext_hostname);
-    if (in->tlsext_tick) {
+                      in->ext.hostname);
+    if (in->ext.tick) {
        ssl_session_oinit(&as.tlsext_tick, &tlsext_tick,
-                          in->tlsext_tick, in->tlsext_ticklen);
+                          in->ext.tick, in->ext.ticklen);
    }
-    if (in->tlsext_tick_lifetime_hint > 0)
-        as.tlsext_tick_lifetime_hint = in->tlsext_tick_lifetime_hint;
+    if (in->ext.tick_lifetime_hint > 0)
+        as.tlsext_tick_lifetime_hint = in->ext.tick_lifetime_hint;
 #ifndef OPENSSL_NO_PSK
    ssl_session_sinit(&as.psk_identity_hint, &psk_identity_hint,
                      in->psk_identity_hint);
@ -315,7 +315,7 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
    /* NB: this defaults to zero which is X509_V_OK */
    ret->verify_result = as->verify_result;

-    if (!ssl_session_strndup(&ret->tlsext_hostname, as->tlsext_hostname))
+    if (!ssl_session_strndup(&ret->ext.hostname, as->tlsext_hostname))
        goto err;

 #ifndef OPENSSL_NO_PSK
@ -325,13 +325,13 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
        goto err;
 #endif

-    ret->tlsext_tick_lifetime_hint = as->tlsext_tick_lifetime_hint;
+    ret->ext.tick_lifetime_hint = as->tlsext_tick_lifetime_hint;
    if (as->tlsext_tick) {
-        ret->tlsext_tick = as->tlsext_tick->data;
-        ret->tlsext_ticklen = as->tlsext_tick->length;
+        ret->ext.tick = as->tlsext_tick->data;
+        ret->ext.ticklen = as->tlsext_tick->length;
        as->tlsext_tick->data = NULL;
    } else {
-        ret->tlsext_tick = NULL;
+        ret->ext.tick = NULL;
    }
 #ifndef OPENSSL_NO_COMP
    if (as->comp_id) {
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@ -589,49 +589,46 @@ SSL *SSL_new(SSL_CTX *ctx)

    SSL_CTX_up_ref(ctx);
    s->ctx = ctx;
-    s->tlsext_debug_cb = 0;
-    s->tlsext_debug_arg = NULL;
-    s->tlsext_ticket_expected = 0;
-    s->tlsext_status_type = ctx->tlsext_status_type;
-    s->tlsext_status_expected = 0;
-    s->tlsext_ocsp_ids = NULL;
-    s->tlsext_ocsp_exts = NULL;
-    s->tlsext_ocsp_resp = NULL;
-    s->tlsext_ocsp_resplen = 0;
+    s->ext.debug_cb = 0;
+    s->ext.debug_arg = NULL;
+    s->ext.ticket_expected = 0;
+    s->ext.status_type = ctx->ext.status_type;
+    s->ext.status_expected = 0;
+    s->ext.ocsp.ids = NULL;
+    s->ext.ocsp.exts = NULL;
+    s->ext.ocsp.resp = NULL;
+    s->ext.ocsp.resp_len = 0;
    SSL_CTX_up_ref(ctx);
    s->initial_ctx = ctx;
 #ifndef OPENSSL_NO_EC
-    if (ctx->tlsext_ecpointformatlist) {
-        s->tlsext_ecpointformatlist =
-            OPENSSL_memdup(ctx->tlsext_ecpointformatlist,
-                           ctx->tlsext_ecpointformatlist_length);
-        if (!s->tlsext_ecpointformatlist)
+    if (ctx->ext.ecpointformats) {
+        s->ext.ecpointformats =
+            OPENSSL_memdup(ctx->ext.ecpointformats,
+                           ctx->ext.ecpointformats_len);
+        if (!s->ext.ecpointformats)
            goto err;
-        s->tlsext_ecpointformatlist_length =
-            ctx->tlsext_ecpointformatlist_length;
+        s->ext.ecpointformats_len =
+            ctx->ext.ecpointformats_len;
    }
-    if (ctx->tlsext_supportedgroupslist) {
-        s->tlsext_supportedgroupslist =
-            OPENSSL_memdup(ctx->tlsext_supportedgroupslist,
-                           ctx->tlsext_supportedgroupslist_length);
-        if (!s->tlsext_supportedgroupslist)
+    if (ctx->ext.supportedgroups) {
+        s->ext.supportedgroups =
+            OPENSSL_memdup(ctx->ext.supportedgroups,
+                           ctx->ext.supportedgroups_len);
+        if (!s->ext.supportedgroups)
            goto err;
-        s->tlsext_supportedgroupslist_length =
-            ctx->tlsext_supportedgroupslist_length;
+        s->ext.supportedgroups_len = ctx->ext.supportedgroups_len;
    }
 #endif
 #ifndef OPENSSL_NO_NEXTPROTONEG
-    s->next_proto_negotiated = NULL;
+    s->ext.npn = NULL;
 #endif

-    if (s->ctx->alpn_client_proto_list) {
-        s->alpn_client_proto_list =
-            OPENSSL_malloc(s->ctx->alpn_client_proto_list_len);
-        if (s->alpn_client_proto_list == NULL)
+    if (s->ctx->ext.alpn) {
+        s->ext.alpn = OPENSSL_malloc(s->ctx->ext.alpn_len);
+        if (s->ext.alpn == NULL)
            goto err;
-        memcpy(s->alpn_client_proto_list, s->ctx->alpn_client_proto_list,
-               s->ctx->alpn_client_proto_list_len);
-        s->alpn_client_proto_list_len = s->ctx->alpn_client_proto_list_len;
+        memcpy(s->ext.alpn, s->ctx->ext.alpn, s->ctx->ext.alpn_len);
+        s->ext.alpn_len = s->ctx->ext.alpn_len;
    }

    s->verified_chain = NULL;
@ -838,7 +835,7 @@ int SSL_dane_enable(SSL *s, const char *basedomain)
     * accepts them and disables host name checks.  To avoid side-effects with
     * invalid input, set the SNI name first.
     */
-    if (s->tlsext_hostname == NULL) {
+    if (s->ext.hostname == NULL) {
        if (!SSL_set_tlsext_host_name(s, basedomain)) {
            SSLerr(SSL_F_SSL_DANE_ENABLE, SSL_R_ERROR_SETTING_TLSA_BASE_DOMAIN);
            return -1;
@ -997,22 +994,22 @@ void SSL_free(SSL *s)
    ssl_cert_free(s->cert);
    /* Free up if allocated */

-    OPENSSL_free(s->tlsext_hostname);
+    OPENSSL_free(s->ext.hostname);
    SSL_CTX_free(s->initial_ctx);
 #ifndef OPENSSL_NO_EC
-    OPENSSL_free(s->tlsext_ecpointformatlist);
-    OPENSSL_free(s->tlsext_supportedgroupslist);
+    OPENSSL_free(s->ext.ecpointformats);
+    OPENSSL_free(s->ext.supportedgroups);
 #endif                          /* OPENSSL_NO_EC */
-    sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts, X509_EXTENSION_free);
+    sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts, X509_EXTENSION_free);
 #ifndef OPENSSL_NO_OCSP
-    sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
+    sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
 #endif
 #ifndef OPENSSL_NO_CT
    SCT_LIST_free(s->scts);
-    OPENSSL_free(s->tlsext_scts);
+    OPENSSL_free(s->ext.scts);
 #endif
-    OPENSSL_free(s->tlsext_ocsp_resp);
-    OPENSSL_free(s->alpn_client_proto_list);
+    OPENSSL_free(s->ext.ocsp.resp);
+    OPENSSL_free(s->ext.alpn);

    sk_X509_NAME_pop_free(s->client_CA, X509_NAME_free);

@ -1028,7 +1025,7 @@ void SSL_free(SSL *s)
    ASYNC_WAIT_CTX_free(s->waitctx);

 #if !defined(OPENSSL_NO_NEXTPROTONEG)
-    OPENSSL_free(s->next_proto_negotiated);
+    OPENSSL_free(s->ext.npn);
 #endif

 #ifndef OPENSSL_NO_SRTP
@ -2168,15 +2165,15 @@ const char *SSL_get_servername(const SSL *s, const int type)
    if (type != TLSEXT_NAMETYPE_host_name)
        return NULL;

-    return s->session && !s->tlsext_hostname ?
-        s->session->tlsext_hostname : s->tlsext_hostname;
+    return s->session && !s->ext.hostname ?
+        s->session->ext.hostname : s->ext.hostname;
 }

 int SSL_get_servername_type(const SSL *s)
 {
    if (s->session
-        && (!s->tlsext_hostname ? s->session->
-            tlsext_hostname : s->tlsext_hostname))
+        && (!s->ext.hostname ? s->session->
+            ext.hostname : s->ext.hostname))
        return TLSEXT_NAMETYPE_host_name;
    return -1;
 }
@ -2251,16 +2248,16 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen,
 void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
                                    unsigned *len)
 {
-    *data = s->next_proto_negotiated;
+    *data = s->ext.npn;
    if (!*data) {
        *len = 0;
    } else {
-        *len = (unsigned int)s->next_proto_negotiated_len;
+        *len = (unsigned int)s->ext.npn_len;
    }
 }

 /*
- * SSL_CTX_set_next_protos_advertised_cb sets a callback that is called when
+ * SSL_CTX_set_npn_advertised_cb sets a callback that is called when
 * a TLS server needs a list of supported protocols for Next Protocol
 * Negotiation. The returned list must be in wire format.  The list is
 * returned by setting |out| to point to it and |outlen| to its length. This
@ -2269,15 +2266,15 @@ void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data,
 * wishes to advertise. Otherwise, no such extension will be included in the
 * ServerHello.
 */
-void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx,
-                                           int (*cb) (SSL *ssl,
-                                                      const unsigned char
-                                                      **out,
-                                                      unsigned int *outlen,
-                                                      void *arg), void *arg)
+void SSL_CTX_set_npn_advertised_cb(SSL_CTX *ctx,
+                                   int (*cb) (SSL *ssl,
+                                              const unsigned char **out,
+                                              unsigned int *outlen,
+                                              void *arg),
+                                   void *arg)
 {
-    ctx->next_protos_advertised_cb = cb;
-    ctx->next_protos_advertised_cb_arg = arg;
+    ctx->ext.npn_advertised_cb = cb;
+    ctx->ext.npn_advertised_cb_arg = arg;
 }

 /*
@ -2290,15 +2287,16 @@ void SSL_CTX_set_next_protos_advertised_cb(SSL_CTX *ctx,
 * select a protocol. It is fatal to the connection if this callback returns
 * a value other than SSL_TLSEXT_ERR_OK.
 */
-void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx,
-                                      int (*cb) (SSL *s, unsigned char **out,
-                                                 unsigned char *outlen,
-                                                 const unsigned char *in,
-                                                 unsigned int inlen,
-                                                 void *arg), void *arg)
+void SSL_CTX_set_npn_select_cb(SSL_CTX *ctx,
+                               int (*cb) (SSL *s, unsigned char **out,
+                                          unsigned char *outlen,
+                                          const unsigned char *in,
+                                          unsigned int inlen,
+                                          void *arg),
+                               void *arg)
 {
-    ctx->next_proto_select_cb = cb;
-    ctx->next_proto_select_cb_arg = arg;
+    ctx->ext.npn_select_cb = cb;
+    ctx->ext.npn_select_cb_arg = arg;
 }
 #endif

@ -2310,13 +2308,13 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx,
 int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
                            unsigned int protos_len)
 {
-    OPENSSL_free(ctx->alpn_client_proto_list);
-    ctx->alpn_client_proto_list = OPENSSL_memdup(protos, protos_len);
-    if (ctx->alpn_client_proto_list == NULL) {
+    OPENSSL_free(ctx->ext.alpn);
+    ctx->ext.alpn = OPENSSL_memdup(protos, protos_len);
+    if (ctx->ext.alpn == NULL) {
        SSLerr(SSL_F_SSL_CTX_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
        return 1;
    }
-    ctx->alpn_client_proto_list_len = protos_len;
+    ctx->ext.alpn_len = protos_len;

    return 0;
 }
@ -2329,13 +2327,13 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos,
 int SSL_set_alpn_protos(SSL *ssl, const unsigned char *protos,
                        unsigned int protos_len)
 {
-    OPENSSL_free(ssl->alpn_client_proto_list);
-    ssl->alpn_client_proto_list = OPENSSL_memdup(protos, protos_len);
-    if (ssl->alpn_client_proto_list == NULL) {
+    OPENSSL_free(ssl->ext.alpn);
+    ssl->ext.alpn = OPENSSL_memdup(protos, protos_len);
+    if (ssl->ext.alpn == NULL) {
        SSLerr(SSL_F_SSL_SET_ALPN_PROTOS, ERR_R_MALLOC_FAILURE);
        return 1;
    }
-    ssl->alpn_client_proto_list_len = protos_len;
+    ssl->ext.alpn_len = protos_len;

    return 0;
 }
@ -2353,8 +2351,8 @@ void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
                                           unsigned int inlen,
                                           void *arg), void *arg)
 {
-    ctx->alpn_select_cb = cb;
-    ctx->alpn_select_cb_arg = arg;
+    ctx->ext.alpn_select_cb = cb;
+    ctx->ext.alpn_select_cb_arg = arg;
 }

 /*
@ -2513,12 +2511,12 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
    ret->split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH;

    /* Setup RFC5077 ticket keys */
-    if ((RAND_bytes(ret->tlsext_tick_key_name,
-                    sizeof(ret->tlsext_tick_key_name)) <= 0)
-        || (RAND_bytes(ret->tlsext_tick_hmac_key,
-                       sizeof(ret->tlsext_tick_hmac_key)) <= 0)
-        || (RAND_bytes(ret->tlsext_tick_aes_key,
-                       sizeof(ret->tlsext_tick_aes_key)) <= 0))
+    if ((RAND_bytes(ret->ext.tick_key_name,
+                    sizeof(ret->ext.tick_key_name)) <= 0)
+        || (RAND_bytes(ret->ext.tick_hmac_key,
+                       sizeof(ret->ext.tick_hmac_key)) <= 0)
+        || (RAND_bytes(ret->ext.tick_aes_key,
+                       sizeof(ret->ext.tick_aes_key)) <= 0))
        ret->options |= SSL_OP_NO_TICKET;

 #ifndef OPENSSL_NO_SRP
@ -2556,7 +2554,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth)
     */
    ret->options |= SSL_OP_NO_COMPRESSION;

-    ret->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
+    ret->ext.status_type = TLSEXT_STATUSTYPE_nothing;

    return ret;
 err:
@ -2629,10 +2627,10 @@ void SSL_CTX_free(SSL_CTX *a)
 #endif

 #ifndef OPENSSL_NO_EC
-    OPENSSL_free(a->tlsext_ecpointformatlist);
-    OPENSSL_free(a->tlsext_supportedgroupslist);
+    OPENSSL_free(a->ext.ecpointformats);
+    OPENSSL_free(a->ext.supportedgroups);
 #endif
-    OPENSSL_free(a->alpn_client_proto_list);
+    OPENSSL_free(a->ext.alpn);

    CRYPTO_THREAD_lock_free(a->lock);

@ -4040,9 +4038,9 @@ static int ct_extract_tls_extension_scts(SSL *s)
 {
    int scts_extracted = 0;

-    if (s->tlsext_scts != NULL) {
-        const unsigned char *p = s->tlsext_scts;
-        STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->tlsext_scts_len);
+    if (s->ext.scts != NULL) {
+        const unsigned char *p = s->ext.scts;
+        STACK_OF(SCT) *scts = o2i_SCT_LIST(NULL, &p, s->ext.scts_len);

        scts_extracted = ct_move_scts(&s->scts, scts, SCT_SOURCE_TLS_EXTENSION);

@ -4070,11 +4068,11 @@ static int ct_extract_ocsp_response_scts(SSL *s)
    STACK_OF(SCT) *scts = NULL;
    int i;

-    if (s->tlsext_ocsp_resp == NULL || s->tlsext_ocsp_resplen == 0)
+    if (s->ext.ocsp.resp == NULL || s->ext.ocsp.resp_len == 0)
        goto err;

-    p = s->tlsext_ocsp_resp;
-    rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->tlsext_ocsp_resplen);
+    p = s->ext.ocsp.resp;
+    rsp = d2i_OCSP_RESPONSE(NULL, &p, (int)s->ext.ocsp.resp_len);
    if (rsp == NULL)
        goto err;

--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@ -553,18 +553,21 @@ struct ssl_session_st {
     * implement a maximum cache size.
     */
    struct ssl_session_st *prev, *next;
-    char *tlsext_hostname;
+
+    struct {
+        char *hostname;
 # ifndef OPENSSL_NO_EC
-    size_t tlsext_ecpointformatlist_length;
-    unsigned char *tlsext_ecpointformatlist; /* peer's list */
-    size_t tlsext_supportedgroupslist_length;
-    unsigned char *tlsext_supportedgroupslist; /* peer's list */
+        size_t ecpointformats_len;
+        unsigned char *ecpointformats; /* peer's list */
+        size_t supportedgroups_len;
+        unsigned char *supportedgroups; /* peer's list */
 # endif                         /* OPENSSL_NO_EC */
    /* RFC4507 info */
-    unsigned char *tlsext_tick; /* Session ticket */
-    size_t tlsext_ticklen;      /* Session ticket length */
-    unsigned long tlsext_tick_lifetime_hint; /* Session lifetime hint in
-                                              * seconds */
+        unsigned char *tick; /* Session ticket */
+        size_t ticklen;      /* Session ticket length */
+        /* Session lifetime hint in seconds */
+        unsigned long tick_lifetime_hint;
+    } ext;
 # ifndef OPENSSL_NO_SRP
    char *srp_username;
 # endif
@ -775,22 +778,85 @@ struct ssl_ctx_st {
    ENGINE *client_cert_engine;
 # endif

-    /* TLS extensions servername callback */
-    int (*tlsext_servername_callback) (SSL *, int *, void *);
-    void *tlsext_servername_arg;
-    /* RFC 4507 session ticket keys */
-    unsigned char tlsext_tick_key_name[TLSEXT_KEYNAME_LENGTH];
-    unsigned char tlsext_tick_hmac_key[32];
-    unsigned char tlsext_tick_aes_key[32];
-    /* Callback to support customisation of ticket key setting */
-    int (*tlsext_ticket_key_cb) (SSL *ssl,
-                                 unsigned char *name, unsigned char *iv,
-                                 EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);
+    /* TLS extensions. */
+    struct {
+        /* TLS extensions servername callback */
+        int (*servername_cb) (SSL *, int *, void *);
+        void *servername_arg;
+        /* RFC 4507 session ticket keys */
+        unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH];
+        unsigned char tick_hmac_key[32];
+        unsigned char tick_aes_key[32];
+        /* Callback to support customisation of ticket key setting */
+        int (*ticket_key_cb) (SSL *ssl,
+                              unsigned char *name, unsigned char *iv,
+                              EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc);

-    /* certificate status request info */
-    /* Callback for status request */
-    int (*tlsext_status_cb) (SSL *ssl, void *arg);
-    void *tlsext_status_arg;
+        /* certificate status request info */
+        /* Callback for status request */
+        int (*status_cb) (SSL *ssl, void *arg);
+        void *status_arg;
+        /* ext status type used for CSR extension (OCSP Stapling) */
+        int status_type;
+
+# ifndef OPENSSL_NO_EC
+        /* EC extension values inherited by SSL structure */
+        size_t ecpointformats_len;
+        unsigned char *ecpointformats;
+        size_t supportedgroups_len;
+        unsigned char *supportedgroups;
+# endif                         /* OPENSSL_NO_EC */
+
+# ifndef OPENSSL_NO_NEXTPROTONEG
+        /*
+         * ALPN information (we are in the process of transitioning from NPN to
+         * ALPN.)
+         */
+
+        /*-
+         * For a server, this contains a callback function that allows the
+         * server to select the protocol for the connection.
+         *   out: on successful return, this must point to the raw protocol
+         *        name (without the length prefix).
+         *   outlen: on successful return, this contains the length of |*out|.
+         *   in: points to the client's list of supported protocols in
+         *       wire-format.
+         *   inlen: the length of |in|.
+         */
+        int (*alpn_select_cb) (SSL *s,
+                               const unsigned char **out,
+                               unsigned char *outlen,
+                               const unsigned char *in,
+                               unsigned int inlen, void *arg);
+        void *alpn_select_cb_arg;
+
+        /*
+         * For a client, this contains the list of supported protocols in wire
+         * format.
+         */
+        unsigned char *alpn;
+        size_t alpn_len;
+
+        /* Next protocol negotiation information */
+
+        /*
+         * For a server, this contains a callback function by which the set of
+         * advertised protocols can be provided.
+         */
+        int (*npn_advertised_cb) (SSL *s, const unsigned char **buf,
+                                          unsigned int *len, void *arg);
+        void *npn_advertised_cb_arg;
+        /*
+         * For a client, this contains a callback function that selects the next
+         * protocol from the list provided by the server.
+         */
+        int (*npn_select_cb) (SSL *s, unsigned char **out,
+                                     unsigned char *outlen,
+                                     const unsigned char *in,
+                                     unsigned int inlen, void *arg);
+        void *npn_select_cb_arg;
+# endif
+    } ext;

 # ifndef OPENSSL_NO_PSK
    unsigned int (*psk_client_callback) (SSL *ssl, const char *hint,
@ -807,56 +873,6 @@ struct ssl_ctx_st {
    SRP_CTX srp_ctx;            /* ctx for SRP authentication */
 # endif

-# ifndef OPENSSL_NO_NEXTPROTONEG
-    /* Next protocol negotiation information */
-
-    /*
-     * For a server, this contains a callback function by which the set of
-     * advertised protocols can be provided.
-     */
-    int (*next_protos_advertised_cb) (SSL *s, const unsigned char **buf,
-                                      unsigned int *len, void *arg);
-    void *next_protos_advertised_cb_arg;
-    /*
-     * For a client, this contains a callback function that selects the next
-     * protocol from the list provided by the server.
-     */
-    int (*next_proto_select_cb) (SSL *s, unsigned char **out,
-                                 unsigned char *outlen,
-                                 const unsigned char *in,
-                                 unsigned int inlen, void *arg);
-    void *next_proto_select_cb_arg;
-# endif
-
-    /*
-     * ALPN information (we are in the process of transitioning from NPN to
-     * ALPN.)
-     */
-
-        /*-
-         * For a server, this contains a callback function that allows the
-         * server to select the protocol for the connection.
-         *   out: on successful return, this must point to the raw protocol
-         *        name (without the length prefix).
-         *   outlen: on successful return, this contains the length of |*out|.
-         *   in: points to the client's list of supported protocols in
-         *       wire-format.
-         *   inlen: the length of |in|.
-         */
-    int (*alpn_select_cb) (SSL *s,
-                           const unsigned char **out,
-                           unsigned char *outlen,
-                           const unsigned char *in,
-                           unsigned int inlen, void *arg);
-    void *alpn_select_cb_arg;
-
-    /*
-     * For a client, this contains the list of supported protocols in wire
-     * format.
-     */
-    unsigned char *alpn_client_proto_list;
-    size_t alpn_client_proto_list_len;
-
    /* Shared DANE context */
    struct dane_ctx_st dane;

@ -867,16 +883,6 @@ struct ssl_ctx_st {
     * basis, depending on the chosen cipher.
     */
    int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
-# ifndef OPENSSL_NO_EC
-    /* EC extension values inherited by SSL structure */
-    size_t tlsext_ecpointformatlist_length;
-    unsigned char *tlsext_ecpointformatlist;
-    size_t tlsext_supportedgroupslist_length;
-    unsigned char *tlsext_supportedgroupslist;
-# endif                         /* OPENSSL_NO_EC */
-
-    /* ext status type used for CSR extension (OCSP Stapling) */
-    int tlsext_status_type;

    CRYPTO_RWLOCK *lock;
 };
@ -1039,11 +1045,67 @@ struct ssl_st {
    size_t max_send_fragment;
    /* Up to how many pipelines should we use? If 0 then 1 is assumed */
    size_t max_pipelines;
-    /* TLS extension debug callback */
-    void (*tlsext_debug_cb) (SSL *s, int client_server, int type,
-                             const unsigned char *data, int len, void *arg);
-    void *tlsext_debug_arg;
-    char *tlsext_hostname;
+
+    struct {
+        /* TLS extension debug callback */
+        void (*debug_cb) (SSL *s, int client_server, int type,
+                                 const unsigned char *data, int len, void *arg);
+        void *debug_arg;
+        char *hostname;
+        /* certificate status request info */
+        /* Status type or -1 if no status type */
+        int status_type;
+        /* Raw extension data, if seen */
+        unsigned char *scts;
+        /* Length of raw extension data, if seen */
+        uint16_t scts_len;
+        /* Expect OCSP CertificateStatus message */
+        int status_expected;
+
+        struct {
+            /* OCSP status request only */
+            STACK_OF(OCSP_RESPID) *ids;
+            X509_EXTENSIONS *exts;
+            /* OCSP response received or to be sent */
+            unsigned char *resp;
+            size_t resp_len;
+        } ocsp;
+
+        /* RFC4507 session ticket expected to be received or sent */
+        int ticket_expected;
+# ifndef OPENSSL_NO_EC
+        size_t ecpointformats_len;
+        /* our list */
+        unsigned char *ecpointformats;
+        size_t supportedgroups_len;
+        /* our list */
+        unsigned char *supportedgroups;
+# endif                         /* OPENSSL_NO_EC */
+        /* TLS Session Ticket extension override */
+        TLS_SESSION_TICKET_EXT *session_ticket;
+        /* TLS Session Ticket extension callback */
+        tls_session_ticket_ext_cb_fn session_ticket_cb;
+        void *session_ticket_cb_arg;
+        /* TLS pre-shared secret session resumption */
+        tls_session_secret_cb_fn session_secret_cb;
+        void *session_secret_cb_arg;
+        /*
+         * For a client, this contains the list of supported protocols in wire
+         * format.
+         */
+        unsigned char *alpn;
+        size_t alpn_len;
+        /*
+         * Next protocol negotiation. For the client, this is the protocol that
+         * we sent in NextProtocol and is set when handling ServerHello
+         * extensions. For a server, this is the client's selected_protocol from
+         * NextProtocol and is set when handling the NextProtocol message, before
+         * the Finished message.
+         */
+        unsigned char *npn;
+        size_t npn_len;
+    } ext;
+
    /*-
     * no further mod of servername
     * 0 : call the servername extension callback.
@ -1051,9 +1113,6 @@ struct ssl_st {
     * 2 : don't call servername callback, no ack in server hello
     */
    int servername_done;
-    /* certificate status request info */
-    /* Status type or -1 if no status type */
-    int tlsext_status_type;
 # ifndef OPENSSL_NO_CT
    /*
     * Validates that the SCTs (Signed Certificate Timestamps) are sufficient.
@ -1067,62 +1126,17 @@ struct ssl_st {
     * Lazily populated by CT_get_peer_scts(SSL*)
     */
    STACK_OF(SCT) *scts;
-    /* Raw extension data, if seen */
-    unsigned char *tlsext_scts;
-    /* Length of raw extension data, if seen */
-    uint16_t tlsext_scts_len;
    /* Have we attempted to find/parse SCTs yet? */
    int scts_parsed;
 # endif
-    /* Expect OCSP CertificateStatus message */
-    int tlsext_status_expected;
-    /* OCSP status request only */
-    STACK_OF(OCSP_RESPID) *tlsext_ocsp_ids;
-    X509_EXTENSIONS *tlsext_ocsp_exts;
-    /* OCSP response received or to be sent */
-    unsigned char *tlsext_ocsp_resp;
-    size_t tlsext_ocsp_resplen;
-    /* RFC4507 session ticket expected to be received or sent */
-    int tlsext_ticket_expected;
-# ifndef OPENSSL_NO_EC
-    size_t tlsext_ecpointformatlist_length;
-    /* our list */
-    unsigned char *tlsext_ecpointformatlist;
-    size_t tlsext_supportedgroupslist_length;
-    /* our list */
-    unsigned char *tlsext_supportedgroupslist;
-# endif                         /* OPENSSL_NO_EC */
-    /* TLS Session Ticket extension override */
-    TLS_SESSION_TICKET_EXT *tlsext_session_ticket;
-    /* TLS Session Ticket extension callback */
-    tls_session_ticket_ext_cb_fn tls_session_ticket_ext_cb;
-    void *tls_session_ticket_ext_cb_arg;
-    /* TLS pre-shared secret session resumption */
-    tls_session_secret_cb_fn tls_session_secret_cb;
-    void *tls_session_secret_cb_arg;
    SSL_CTX *initial_ctx;       /* initial ctx, used to store sessions */
 # ifndef OPENSSL_NO_NEXTPROTONEG
-    /*
-     * Next protocol negotiation. For the client, this is the protocol that
-     * we sent in NextProtocol and is set when handling ServerHello
-     * extensions. For a server, this is the client's selected_protocol from
-     * NextProtocol and is set when handling the NextProtocol message, before
-     * the Finished message.
-     */
-    unsigned char *next_proto_negotiated;
-    size_t next_proto_negotiated_len;
 # endif
 # define session_ctx initial_ctx
    /* What we'll do */
    STACK_OF(SRTP_PROTECTION_PROFILE) *srtp_profiles;
    /* What's been chosen */
    SRTP_PROTECTION_PROFILE *srtp_profile;
-    /*
-     * For a client, this contains the list of supported protocols in wire
-     * format.
-     */
-    unsigned char *alpn_client_proto_list;
-    size_t alpn_client_proto_list_len;
    /*-
     * 1 if we are renegotiating.
     * 2 if we are a server and are inside a handshake
@ -1277,7 +1291,7 @@ typedef struct ssl3_state_st {
    /*
     * Set if we saw the Next Protocol Negotiation extension from our peer.
     */
-    int next_proto_neg_seen;
+    int npn_seen;
 # endif

    /*
--- a/ssl/ssl_sess.c
+++ b/ssl/ssl_sess.c
@ -129,12 +129,12 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
    dest->psk_identity = NULL;
 #endif
    dest->ciphers = NULL;
-    dest->tlsext_hostname = NULL;
+    dest->ext.hostname = NULL;
 #ifndef OPENSSL_NO_EC
-    dest->tlsext_ecpointformatlist = NULL;
-    dest->tlsext_supportedgroupslist = NULL;
+    dest->ext.ecpointformats = NULL;
+    dest->ext.supportedgroups = NULL;
 #endif
-    dest->tlsext_tick = NULL;
+    dest->ext.tick = NULL;
 #ifndef OPENSSL_NO_SRP
    dest->srp_username = NULL;
 #endif
@ -184,37 +184,37 @@ SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int ticket)
        goto err;
    }

-    if (src->tlsext_hostname) {
-        dest->tlsext_hostname = OPENSSL_strdup(src->tlsext_hostname);
-        if (dest->tlsext_hostname == NULL) {
+    if (src->ext.hostname) {
+        dest->ext.hostname = OPENSSL_strdup(src->ext.hostname);
+        if (dest->ext.hostname == NULL) {
            goto err;
        }
    }
 #ifndef OPENSSL_NO_EC
-    if (src->tlsext_ecpointformatlist) {
-        dest->tlsext_ecpointformatlist =
-            OPENSSL_memdup(src->tlsext_ecpointformatlist,
-                           src->tlsext_ecpointformatlist_length);
-        if (dest->tlsext_ecpointformatlist == NULL)
+    if (src->ext.ecpointformats) {
+        dest->ext.ecpointformats =
+            OPENSSL_memdup(src->ext.ecpointformats,
+                           src->ext.ecpointformats_len);
+        if (dest->ext.ecpointformats == NULL)
            goto err;
    }
-    if (src->tlsext_supportedgroupslist) {
-        dest->tlsext_supportedgroupslist =
-            OPENSSL_memdup(src->tlsext_supportedgroupslist,
-                           src->tlsext_supportedgroupslist_length);
-        if (dest->tlsext_supportedgroupslist == NULL)
+    if (src->ext.supportedgroups) {
+        dest->ext.supportedgroups =
+            OPENSSL_memdup(src->ext.supportedgroups,
+                           src->ext.supportedgroups_len);
+        if (dest->ext.supportedgroups == NULL)
            goto err;
    }
 #endif

    if (ticket != 0) {
-        dest->tlsext_tick =
-            OPENSSL_memdup(src->tlsext_tick, src->tlsext_ticklen);
-        if (dest->tlsext_tick == NULL)
+        dest->ext.tick =
+            OPENSSL_memdup(src->ext.tick, src->ext.ticklen);
+        if (dest->ext.tick == NULL)
            goto err;
    } else {
-        dest->tlsext_tick_lifetime_hint = 0;
-        dest->tlsext_ticklen = 0;
+        dest->ext.tick_lifetime_hint = 0;
+        dest->ext.ticklen = 0;
    }

 #ifndef OPENSSL_NO_SRP
@ -353,7 +353,7 @@ int ssl_get_new_session(SSL *s, int session)
         *     ServerHello extensions, and before recording the session
         *     ID received from the server, so this block is a noop.
         */
-        if (s->tlsext_ticket_expected) {
+        if (s->ext.ticket_expected) {
            ss->session_id_length = 0;
            goto sess_id_done;
        }
@ -398,9 +398,9 @@ int ssl_get_new_session(SSL *s, int session)
        }

 sess_id_done:
-        if (s->tlsext_hostname) {
-            ss->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
-            if (ss->tlsext_hostname == NULL) {
+        if (s->ext.hostname) {
+            ss->ext.hostname = OPENSSL_strdup(s->ext.hostname);
+            if (ss->ext.hostname == NULL) {
                SSLerr(SSL_F_SSL_GET_NEW_SESSION, ERR_R_INTERNAL_ERROR);
                SSL_SESSION_free(ss);
                return 0;
@ -441,7 +441,7 @@ int ssl_get_new_session(SSL *s, int session)
 * Side effects:
 *   - If a session is found then s->session is pointed at it (after freeing an
 *     existing session if need be) and s->verify_result is set from the session.
- *   - Both for new and resumed sessions, s->tlsext_ticket_expected is set to 1
+ *   - Both for new and resumed sessions, s->ext.ticket_expected is set to 1
 *     if the server should issue a new session ticket (to 0 otherwise).
 */
 int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
@ -456,7 +456,7 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
    if (hello->session_id_len == 0)
        try_session_cache = 0;

-    /* sets s->tlsext_ticket_expected */
+    /* sets s->ext.ticket_expected */
    r = tls_get_ticket_from_client(s, hello, &ret);
    switch (r) {
    case -1:                   /* Error during processing */
@ -635,7 +635,7 @@ int ssl_get_prev_session(SSL *s, CLIENTHELLO_MSG *hello)
             * The session was from a ticket, so we should issue a ticket for
             * the new session
             */
-            s->tlsext_ticket_expected = 1;
+            s->ext.ticket_expected = 1;
        }
    }
    if (fatal)
@ -765,13 +765,15 @@ void SSL_SESSION_free(SSL_SESSION *ss)
    X509_free(ss->peer);
    sk_X509_pop_free(ss->peer_chain, X509_free);
    sk_SSL_CIPHER_free(ss->ciphers);
-    OPENSSL_free(ss->tlsext_hostname);
-    OPENSSL_free(ss->tlsext_tick);
+    OPENSSL_free(ss->ext.hostname);
+    OPENSSL_free(ss->ext.tick);
 #ifndef OPENSSL_NO_EC
-    ss->tlsext_ecpointformatlist_length = 0;
-    OPENSSL_free(ss->tlsext_ecpointformatlist);
-    ss->tlsext_supportedgroupslist_length = 0;
-    OPENSSL_free(ss->tlsext_supportedgroupslist);
+    OPENSSL_free(ss->ext.ecpointformats);
+    ss->ext.ecpointformats = NULL;
+    ss->ext.ecpointformats_len = 0;
+    OPENSSL_free(ss->ext.supportedgroups);
+    ss->ext.supportedgroups = NULL;
+    ss->ext.supportedgroups_len = 0;
 #endif                          /* OPENSSL_NO_EC */
 #ifndef OPENSSL_NO_PSK
    OPENSSL_free(ss->psk_identity_hint);
@ -869,25 +871,25 @@ const SSL_CIPHER *SSL_SESSION_get0_cipher(const SSL_SESSION *s)

 const char *SSL_SESSION_get0_hostname(const SSL_SESSION *s)
 {
-    return s->tlsext_hostname;
+    return s->ext.hostname;
 }

 int SSL_SESSION_has_ticket(const SSL_SESSION *s)
 {
-    return (s->tlsext_ticklen > 0) ? 1 : 0;
+    return (s->ext.ticklen > 0) ? 1 : 0;
 }

 unsigned long SSL_SESSION_get_ticket_lifetime_hint(const SSL_SESSION *s)
 {
-    return s->tlsext_tick_lifetime_hint;
+    return s->ext.tick_lifetime_hint;
 }

 void SSL_SESSION_get0_ticket(const SSL_SESSION *s, const unsigned char **tick,
                             size_t *len)
 {
-    *len = s->tlsext_ticklen;
+    *len = s->ext.ticklen;
    if (tick != NULL)
-        *tick = s->tlsext_tick;
+        *tick = s->ext.tick;
 }

 X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
@ -927,20 +929,13 @@ long SSL_CTX_get_timeout(const SSL_CTX *s)
 }

 int SSL_set_session_secret_cb(SSL *s,
-                              int (*tls_session_secret_cb) (SSL *s,
-                                                            void *secret,
-                                                            int *secret_len,
-                                                            STACK_OF(SSL_CIPHER)
-                                                            *peer_ciphers,
-                                                            const SSL_CIPHER
-                                                            **cipher,
-                                                            void *arg),
+                              tls_session_secret_cb_fn tls_session_secret_cb,
                              void *arg)
 {
    if (s == NULL)
        return (0);
-    s->tls_session_secret_cb = tls_session_secret_cb;
-    s->tls_session_secret_cb_arg = arg;
+    s->ext.session_secret_cb = tls_session_secret_cb;
+    s->ext.session_secret_cb_arg = arg;
    return (1);
 }

@ -949,30 +944,30 @@ int SSL_set_session_ticket_ext_cb(SSL *s, tls_session_ticket_ext_cb_fn cb,
 {
    if (s == NULL)
        return (0);
-    s->tls_session_ticket_ext_cb = cb;
-    s->tls_session_ticket_ext_cb_arg = arg;
+    s->ext.session_ticket_cb = cb;
+    s->ext.session_ticket_cb_arg = arg;
    return (1);
 }

 int SSL_set_session_ticket_ext(SSL *s, void *ext_data, int ext_len)
 {
    if (s->version >= TLS1_VERSION) {
-        OPENSSL_free(s->tlsext_session_ticket);
-        s->tlsext_session_ticket = NULL;
-        s->tlsext_session_ticket =
+        OPENSSL_free(s->ext.session_ticket);
+        s->ext.session_ticket = NULL;
+        s->ext.session_ticket =
            OPENSSL_malloc(sizeof(TLS_SESSION_TICKET_EXT) + ext_len);
-        if (s->tlsext_session_ticket == NULL) {
+        if (s->ext.session_ticket == NULL) {
            SSLerr(SSL_F_SSL_SET_SESSION_TICKET_EXT, ERR_R_MALLOC_FAILURE);
            return 0;
        }

        if (ext_data) {
-            s->tlsext_session_ticket->length = ext_len;
-            s->tlsext_session_ticket->data = s->tlsext_session_ticket + 1;
-            memcpy(s->tlsext_session_ticket->data, ext_data, ext_len);
+            s->ext.session_ticket->length = ext_len;
+            s->ext.session_ticket->data = s->ext.session_ticket + 1;
+            memcpy(s->ext.session_ticket->data, ext_data, ext_len);
        } else {
-            s->tlsext_session_ticket->length = 0;
-            s->tlsext_session_ticket->data = NULL;
+            s->ext.session_ticket->length = 0;
+            s->ext.session_ticket->data = NULL;
        }

        return 1;
--- a/ssl/ssl_txt.c
+++ b/ssl/ssl_txt.c
@ -119,18 +119,18 @@ int SSL_SESSION_print(BIO *bp, const SSL_SESSION *x)
    if (BIO_printf(bp, "%s", x->srp_username ? x->srp_username : "None") <= 0)
        goto err;
 #endif
-    if (x->tlsext_tick_lifetime_hint) {
+    if (x->ext.tick_lifetime_hint) {
        if (BIO_printf(bp,
                       "\n    TLS session ticket lifetime hint: %ld (seconds)",
-                       x->tlsext_tick_lifetime_hint) <= 0)
+                       x->ext.tick_lifetime_hint) <= 0)
            goto err;
    }
-    if (x->tlsext_tick) {
+    if (x->ext.tick) {
        if (BIO_puts(bp, "\n    TLS session ticket:\n") <= 0)
            goto err;
        /* TODO(size_t): Convert this call */
        if (BIO_dump_indent
-            (bp, (const char *)x->tlsext_tick, (int)x->tlsext_ticklen, 4)
+            (bp, (const char *)x->ext.tick, (int)x->ext.ticklen, 4)
            <= 0)
            goto err;
    }
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@ -457,11 +457,11 @@ int tls_parse_extension(SSL *s, TLSEXT_INDEX idx, int context,
    if (!currext->present)
        return 1;

-    if (s->tlsext_debug_cb)
-        s->tlsext_debug_cb(s, !s->server, currext->type,
-                           PACKET_data(&currext->data),
-                           PACKET_remaining(&currext->data),
-                           s->tlsext_debug_arg);
+    if (s->ext.debug_cb)
+        s->ext.debug_cb(s, !s->server, currext->type,
+                        PACKET_data(&currext->data),
+                        PACKET_remaining(&currext->data),
+                        s->ext.debug_arg);

    /* Skip if we've already parsed this extension */
    if (currext->parsed)
@ -714,13 +714,13 @@ static int final_server_name(SSL *s, unsigned int context, int sent,
    int ret = SSL_TLSEXT_ERR_NOACK;
    int altmp = SSL_AD_UNRECOGNIZED_NAME;

-    if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
-        ret = s->ctx->tlsext_servername_callback(s, &altmp,
-                                                 s->ctx->tlsext_servername_arg);
+    if (s->ctx != NULL && s->ctx->ext.servername_cb != 0)
+        ret = s->ctx->ext.servername_cb(s, &altmp,
+                                        s->ctx->ext.servername_arg);
    else if (s->initial_ctx != NULL
-             && s->initial_ctx->tlsext_servername_callback != 0)
-        ret = s->initial_ctx->tlsext_servername_callback(s, &altmp,
-                                       s->initial_ctx->tlsext_servername_arg);
+             && s->initial_ctx->ext.servername_cb != 0)
+        ret = s->initial_ctx->ext.servername_cb(s, &altmp,
+                                       s->initial_ctx->ext.servername_arg);

    switch (ret) {
    case SSL_TLSEXT_ERR_ALERT_FATAL:
@ -757,20 +757,20 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent,
     * suite, then if server returns an EC point formats lists extension it
     * must contain uncompressed.
     */
-    if (s->tlsext_ecpointformatlist != NULL
-            && s->tlsext_ecpointformatlist_length > 0
-            && s->session->tlsext_ecpointformatlist != NULL
-            && s->session->tlsext_ecpointformatlist_length > 0
+    if (s->ext.ecpointformats != NULL
+            && s->ext.ecpointformats_len > 0
+            && s->session->ext.ecpointformats != NULL
+            && s->session->ext.ecpointformats_len > 0
            && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
        /* we are using an ECC cipher */
        size_t i;
-        unsigned char *list = s->session->tlsext_ecpointformatlist;
+        unsigned char *list = s->session->ext.ecpointformats;

-        for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
+        for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
            if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
                break;
        }
-        if (i == s->session->tlsext_ecpointformatlist_length) {
+        if (i == s->session->ext.ecpointformats_len) {
            SSLerr(SSL_F_FINAL_EC_PT_FORMATS,
                   SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
            return 0;
@ -784,7 +784,7 @@ static int final_ec_pt_formats(SSL *s, unsigned int context, int sent,
 static int init_session_ticket(SSL *s, unsigned int context)
 {
    if (!s->server)
-        s->tlsext_ticket_expected = 0;
+        s->ext.ticket_expected = 0;

    return 1;
 }
@ -793,25 +793,43 @@ static int init_session_ticket(SSL *s, unsigned int context)
 static int init_status_request(SSL *s, unsigned int context)
 {
    if (s->server) {
-        s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
+        s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
    } else {
        /*
         * Ensure we get sensible values passed to tlsext_status_cb in the event
         * that we don't receive a status message
         */
        OPENSSL_free(s->tlsext_ocsp_resp);
-        s->tlsext_ocsp_resp = NULL;
-        s->tlsext_ocsp_resplen = 0;
+        s->ext.ocsp_resp = NULL;
+        s->ext.ocsp_resplen = 0;
    }

    return 1;
 }
+
+static int final_status_request(SSL *s, unsigned int context, int sent,
+                                        int *al)
+{
+    if (s->server)
+        return 1;
+
+    /*
+     * Ensure we get sensible values passed to ext.status_cb in the event
+     * that we don't receive a status message
+     */
+    OPENSSL_free(s->ext.ocsp.resp);
+    s->ext.ocsp.resp = NULL;
+    s->ext.ocsp.resp_len = 0;
+>>>>>>> Move extension data into sub-structs
+
+    return 1;
+}
 #endif

 #ifndef OPENSSL_NO_NEXTPROTONEG
 static int init_npn(SSL *s, unsigned int context)
 {
-    s->s3->next_proto_neg_seen = 0;
+    s->s3->npn_seen = 0;

    return 1;
 }
@ -838,11 +856,11 @@ static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
    if (!s->server)
        return 1;

-    if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
-        int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
-                                       s->s3->alpn_proposed,
-                                       (unsigned int)s->s3->alpn_proposed_len,
-                                       s->ctx->alpn_select_cb_arg);
+    if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
+        int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
+                                           s->s3->alpn_proposed,
+                                           (unsigned int)s->s3->alpn_proposed_len,
+                                           s->ctx->ext.alpn_select_cb_arg);

        if (r == SSL_TLSEXT_ERR_OK) {
            OPENSSL_free(s->s3->alpn_selected);
@ -854,7 +872,7 @@ static int final_alpn(SSL *s, unsigned int context, int sent, int *al)
            s->s3->alpn_selected_len = selected_len;
 #ifndef OPENSSL_NO_NEXTPROTONEG
            /* ALPN takes precedence over NPN. */
-            s->s3->next_proto_neg_seen = 0;
+            s->s3->npn_seen = 0;
 #endif
        } else {
            *al = SSL_AD_NO_APPLICATION_PROTOCOL;
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@ -34,7 +34,7 @@ int tls_construct_ctos_renegotiate(SSL *s, WPACKET *pkt, X509 *x,
 int tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, X509 *x,
                                   size_t chainidx, int *al)
 {
-    if (s->tlsext_hostname == NULL)
+    if (s->ext.hostname == NULL)
        return 1;

    /* Add TLS extension servername to the Client Hello message */
@ -44,8 +44,8 @@ int tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, X509 *x,
               /* Sub-packet for servername list (always 1 hostname)*/
            || !WPACKET_start_sub_packet_u16(pkt)
            || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
-            || !WPACKET_sub_memcpy_u16(pkt, s->tlsext_hostname,
-                                       strlen(s->tlsext_hostname))
+            || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
+                                       strlen(s->ext.hostname))
            || !WPACKET_close(pkt)
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, ERR_R_INTERNAL_ERROR);
@ -145,7 +145,7 @@ int tls_construct_ctos_supported_groups(SSL *s, WPACKET *pkt, X509 *x,
     * Add TLS extension supported_groups to the ClientHello message
     */
    /* TODO(TLS1.3): Add support for DHE groups */
-    pcurves = s->tlsext_supportedgroupslist;
+    pcurves = s->ext.supportedgroups;
    if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
               ERR_R_INTERNAL_ERROR);
@ -191,30 +191,30 @@ int tls_construct_ctos_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
        return 1;

    if (!s->new_session && s->session != NULL
-            && s->session->tlsext_tick != NULL) {
-        ticklen = s->session->tlsext_ticklen;
-    } else if (s->session && s->tlsext_session_ticket != NULL
-               && s->tlsext_session_ticket->data != NULL) {
-        ticklen = s->tlsext_session_ticket->length;
-        s->session->tlsext_tick = OPENSSL_malloc(ticklen);
-        if (s->session->tlsext_tick == NULL) {
+            && s->session->ext.tick != NULL) {
+        ticklen = s->session->ext.ticklen;
+    } else if (s->session && s->ext.session_ticket != NULL
+               && s->ext.session_ticket->data != NULL) {
+        ticklen = s->ext.session_ticket->length;
+        s->session->ext.tick = OPENSSL_malloc(ticklen);
+        if (s->session->ext.tick == NULL) {
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
                   ERR_R_INTERNAL_ERROR);
            return 0;
        }
-        memcpy(s->session->tlsext_tick,
-               s->tlsext_session_ticket->data, ticklen);
-        s->session->tlsext_ticklen = ticklen;
+        memcpy(s->session->ext.tick,
+               s->ext.session_ticket->data, ticklen);
+        s->session->ext.ticklen = ticklen;
    } else {
        ticklen = 0;
    }

-    if (ticklen == 0 && s->tlsext_session_ticket != NULL &&
-            s->tlsext_session_ticket->data == NULL)
+    if (ticklen == 0 && s->ext.session_ticket != NULL &&
+            s->ext.session_ticket->data == NULL)
        return 1;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
-            || !WPACKET_sub_memcpy_u16(pkt, s->session->tlsext_tick, ticklen)) {
+            || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
        return 0;
    }
@ -257,7 +257,7 @@ int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, X509 *x,
    if (x != NULL)
        return 1;

-    if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp)
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
        return 1;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
@ -269,9 +269,9 @@ int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, X509 *x,
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
        return 0;
    }
-    for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
+    for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
        unsigned char *idbytes;
-        OCSP_RESPID *id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
+        OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
        int idlen = i2d_OCSP_RESPID(id, NULL);

        if (idlen <= 0
@ -288,9 +288,9 @@ int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, X509 *x,
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
        return 0;
    }
-    if (s->tlsext_ocsp_exts) {
+    if (s->ext.ocsp.exts) {
        unsigned char *extbytes;
-        int extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
+        int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);

        if (extlen < 0) {
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
@ -298,7 +298,7 @@ int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, X509 *x,
            return 0;
        }
        if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
-                || i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &extbytes)
+                || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
                   != extlen) {
            SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
                   ERR_R_INTERNAL_ERROR);
@ -318,7 +318,7 @@ int tls_construct_ctos_status_request(SSL *s, WPACKET *pkt, X509 *x,
 int tls_construct_ctos_npn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
                           int *al)
 {
-    if (s->ctx->next_proto_select_cb == NULL || s->s3->tmp.finish_md_len != 0)
+    if (s->ctx->ext.npn_select_cb == NULL || s->s3->tmp.finish_md_len != 0)
        return 1;

    /*
@ -344,15 +344,14 @@ int tls_construct_ctos_alpn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
     * finish_md_len is non-zero during a renegotiation, so
     * this avoids sending ALPN during the renegotiation
     */
-    if (s->alpn_client_proto_list == NULL || s->s3->tmp.finish_md_len != 0)
+    if (s->ext.alpn == NULL || s->s3->tmp.finish_md_len != 0)
        return 1;

    if (!WPACKET_put_bytes_u16(pkt,
                TLSEXT_TYPE_application_layer_protocol_negotiation)
               /* Sub-packet ALPN extension */
            || !WPACKET_start_sub_packet_u16(pkt)
-            || !WPACKET_sub_memcpy_u16(pkt, s->alpn_client_proto_list,
-                                       s->alpn_client_proto_list_len)
+            || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
            || !WPACKET_close(pkt)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ALPN, ERR_R_INTERNAL_ERROR);
        return 0;
@ -516,7 +515,7 @@ int tls_construct_ctos_key_share(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
        return 0;
    }

-    pcurves = s->tlsext_supportedgroupslist;
+    pcurves = s->ext.supportedgroups;
    if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
        return 0;
@ -698,18 +697,18 @@ int tls_parse_stoc_renegotiate(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
 int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
                               int *al)
 {
-    if (s->tlsext_hostname == NULL || PACKET_remaining(pkt) > 0) {
+    if (s->ext.hostname == NULL || PACKET_remaining(pkt) > 0) {
        *al = SSL_AD_UNRECOGNIZED_NAME;
        return 0;
    }

    if (!s->hit) {
-        if (s->session->tlsext_hostname != NULL) {
+        if (s->session->ext.hostname != NULL) {
            *al = SSL_AD_INTERNAL_ERROR;
            return 0;
        }
-        s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
-        if (s->session->tlsext_hostname == NULL) {
+        s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
+        if (s->session->ext.hostname == NULL) {
            *al = SSL_AD_INTERNAL_ERROR;
            return 0;
        }
@ -722,7 +721,7 @@ int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
                                 int *al)
 {
-    unsigned int ecpointformatlist_length;
+    unsigned int ecpointformats_len;
    PACKET ecptformatlist;

    if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
@ -730,22 +729,21 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
        return 0;
    }
    if (!s->hit) {
-        ecpointformatlist_length = PACKET_remaining(&ecptformatlist);
-        s->session->tlsext_ecpointformatlist_length = 0;
+        ecpointformats_len = PACKET_remaining(&ecptformatlist);
+        s->session->ext.ecpointformats_len = 0;

-        OPENSSL_free(s->session->tlsext_ecpointformatlist);
-        s->session->tlsext_ecpointformatlist =
-             OPENSSL_malloc(ecpointformatlist_length);
-        if (s->session->tlsext_ecpointformatlist == NULL) {
+        OPENSSL_free(s->session->ext.ecpointformats);
+        s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
+        if (s->session->ext.ecpointformats == NULL) {
            *al = SSL_AD_INTERNAL_ERROR;
            return 0;
        }

-        s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+        s->session->ext.ecpointformats_len = ecpointformats_len;

        if (!PACKET_copy_bytes(&ecptformatlist,
-                               s->session->tlsext_ecpointformatlist,
-                               ecpointformatlist_length)) {
+                               s->session->ext.ecpointformats,
+                               ecpointformats_len)) {
            *al = SSL_AD_INTERNAL_ERROR;
            return 0;
        }
@ -758,10 +756,10 @@ int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
 int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
                                  int *al)
 {
-    if (s->tls_session_ticket_ext_cb != NULL &&
-        !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
-                                      PACKET_remaining(pkt),
-                                      s->tls_session_ticket_ext_cb_arg)) {
+    if (s->ext.session_ticket_cb != NULL &&
+        !s->ext.session_ticket_cb(s, PACKET_data(pkt),
+                              PACKET_remaining(pkt),
+                              s->ext.session_ticket_cb_arg)) {
        *al = SSL_AD_INTERNAL_ERROR;
        return 0;
    }
@ -771,7 +769,7 @@ int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
        return 0;
    }

-    s->tlsext_ticket_expected = 1;
+    s->ext.ticket_expected = 1;

    return 1;
 }
@ -784,7 +782,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
     * MUST only be sent if we've requested a status
     * request message. In TLS <= 1.2 it must also be empty.
     */
-    if (s->tlsext_status_type == TLSEXT_STATUSTYPE_nothing
+    if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing
            || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
        *al = SSL_AD_UNSUPPORTED_EXTENSION;
        return 0;
@ -800,7 +798,7 @@ int tls_parse_stoc_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
    }

    /* Set flag to expect CertificateStatus message */
-    s->tlsext_status_expected = 1;
+    s->ext.status_expected = 1;

    return 1;
 }
@ -819,14 +817,14 @@ int tls_parse_stoc_sct(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
        size_t size = PACKET_remaining(pkt);

        /* Simply copy it off for later processing */
-        OPENSSL_free(s->tlsext_scts);
-        s->tlsext_scts = NULL;
+        OPENSSL_free(s->ext.scts);
+        s->ext.scts = NULL;

-        s->tlsext_scts_len = size;
+        s->ext.scts_len = size;
        if (size > 0) {
-            s->tlsext_scts = OPENSSL_malloc(size);
-            if (s->tlsext_scts == NULL
-                    || !PACKET_copy_bytes(pkt, s->tlsext_scts, size)) {
+            s->ext.scts = OPENSSL_malloc(size);
+            if (s->ext.scts == NULL
+                    || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
                *al = SSL_AD_INTERNAL_ERROR;
                return 0;
            }
@ -872,7 +870,7 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
        return 1;

    /* We must have requested it. */
-    if (s->ctx->next_proto_select_cb == NULL) {
+    if (s->ctx->ext.npn_select_cb == NULL) {
        *al = SSL_AD_UNSUPPORTED_EXTENSION;
        return 0;
    }
@ -883,10 +881,10 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }
-    if (s->ctx->next_proto_select_cb(s, &selected, &selected_len,
-                                     PACKET_data(pkt),
-                                     PACKET_remaining(pkt),
-                                     s->ctx->next_proto_select_cb_arg) !=
+    if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
+                                  PACKET_data(pkt),
+                                  PACKET_remaining(pkt),
+                                  s->ctx->ext.npn_select_cb_arg) !=
             SSL_TLSEXT_ERR_OK) {
        *al = SSL_AD_INTERNAL_ERROR;
        return 0;
@ -896,16 +894,16 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
     * Could be non-NULL if server has sent multiple NPN extensions in
     * a single Serverhello
     */
-    OPENSSL_free(s->next_proto_negotiated);
-    s->next_proto_negotiated = OPENSSL_malloc(selected_len);
-    if (s->next_proto_negotiated == NULL) {
+    OPENSSL_free(s->ext.npn);
+    s->ext.npn = OPENSSL_malloc(selected_len);
+    if (s->ext.npn == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
        return 0;
    }

-    memcpy(s->next_proto_negotiated, selected, selected_len);
-    s->next_proto_negotiated_len = selected_len;
-    s->s3->next_proto_neg_seen = 1;
+    memcpy(s->ext.npn, selected, selected_len);
+    s->ext.npn_len = selected_len;
+    s->s3->npn_seen = 1;

    return 1;
 }
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@ -116,7 +116,7 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
            return 0;
        }

-        if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
+        if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
            *al = TLS1_AD_INTERNAL_ERROR;
            return 0;
        }
@ -127,9 +127,9 @@ int tls_parse_ctos_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
         * TODO(openssl-team): if the SNI doesn't match, we MUST
         * fall back to a full handshake.
         */
-        s->servername_done = s->session->tlsext_hostname
-            && PACKET_equal(&hostname, s->session->tlsext_hostname,
-                            strlen(s->session->tlsext_hostname));
+        s->servername_done = s->session->ext.hostname
+            && PACKET_equal(&hostname, s->session->ext.hostname,
+                            strlen(s->session->ext.hostname));
    }

    return 1;
@ -173,8 +173,8 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,

    if (!s->hit) {
        if (!PACKET_memdup(&ec_point_format_list,
-                           &s->session->tlsext_ecpointformatlist,
-                           &s->session->tlsext_ecpointformatlist_length)) {
+                           &s->session->ext.ecpointformats,
+                           &s->session->ext.ecpointformats_len)) {
            *al = TLS1_AD_INTERNAL_ERROR;
            return 0;
        }
@ -187,10 +187,10 @@ int tls_parse_ctos_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
                                  int *al)
 {
-    if (s->tls_session_ticket_ext_cb &&
-            !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
-                                          PACKET_remaining(pkt),
-                                          s->tls_session_ticket_ext_cb_arg)) {
+    if (s->ext.session_ticket_cb &&
+            !s->ext.session_ticket_cb(s, PACKET_data(pkt),
+                                  PACKET_remaining(pkt),
+                                  s->ext.session_ticket_cb_arg)) {
        *al = TLS1_AD_INTERNAL_ERROR;
        return 0;
    }
@ -229,16 +229,16 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
    if (x != NULL)
        return 1;

-    if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
+    if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }

-    if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp) {
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
        /*
         * We don't know what to do with any other type so ignore it.
         */
-        s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
+        s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
        return 1;
    }

@ -251,15 +251,15 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
     * We remove any OCSP_RESPIDs from a previous handshake
     * to prevent unbounded memory growth - CVE-2016-6304
     */
-    sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
+    sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
    if (PACKET_remaining(&responder_id_list) > 0) {
-        s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
-        if (s->tlsext_ocsp_ids == NULL) {
+        s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
+        if (s->ext.ocsp.ids == NULL) {
            *al = SSL_AD_INTERNAL_ERROR;
            return 0;
        }
    } else {
-        s->tlsext_ocsp_ids = NULL;
+        s->ext.ocsp.ids = NULL;
    }

    while (PACKET_remaining(&responder_id_list) > 0) {
@ -288,7 +288,7 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
            return 0;
        }

-        if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
+        if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
            OCSP_RESPID_free(id);
            *al = SSL_AD_INTERNAL_ERROR;
            return 0;
@ -304,11 +304,11 @@ int tls_parse_ctos_status_request(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
    if (PACKET_remaining(&exts) > 0) {
        const unsigned char *ext_data = PACKET_data(&exts);

-        sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
+        sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
                                   X509_EXTENSION_free);
-        s->tlsext_ocsp_exts =
+        s->ext.ocsp.exts =
            d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
-        if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
+        if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
            *al = SSL_AD_DECODE_ERROR;
            return 0;
        }
@ -339,7 +339,7 @@ int tls_parse_ctos_npn(SSL *s, PACKET *pkt, X509 *x, size_t chainidx, int *al)
     * Finished message could have been computed.)
     */
    if (s->s3->tmp.finish_md_len == 0)
-        s->s3->next_proto_neg_seen = 1;
+        s->s3->npn_seen = 1;

    return 1;
 }
@ -643,8 +643,8 @@ int tls_parse_ctos_supported_groups(SSL *s, PACKET *pkt, X509 *x,

    if (!s->hit
            && !PACKET_memdup(&supported_groups_list,
-                              &s->session->tlsext_supportedgroupslist,
-                              &s->session->tlsext_supportedgroupslist_length)) {
+                              &s->session->ext.supportedgroups,
+                              &s->session->ext.supportedgroups_len)) {
        *al = SSL_AD_DECODE_ERROR;
        return 0;
    }
@ -695,7 +695,7 @@ int tls_construct_stoc_server_name(SSL *s, WPACKET *pkt, X509 *x,
                                   size_t chainidx, int *al)
 {
    if (s->hit || s->servername_done != 1
-            || s->session->tlsext_hostname == NULL)
+            || s->session->ext.hostname == NULL)
        return 1;

    if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
@ -714,7 +714,7 @@ int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
    unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
    unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
    int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
-                    && (s->session->tlsext_ecpointformatlist != NULL);
+                    && (s->session->ext.ecpointformats != NULL);
    const unsigned char *plist;
    size_t plistlen;

@ -737,8 +737,8 @@ int tls_construct_stoc_ec_pt_formats(SSL *s, WPACKET *pkt, X509 *x,
 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
                                      size_t chainidx, int *al)
 {
-    if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
-        s->tlsext_ticket_expected = 0;
+    if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
+        s->ext.ticket_expected = 0;
        return 1;
    }

@ -755,7 +755,7 @@ int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
                                     size_t chainidx, int *al)
 {
-    if (!s->tlsext_status_expected)
+    if (!s->ext.status_expected)
        return 1;

    if (SSL_IS_TLS13(s) && chainidx != 0)
@ -789,14 +789,14 @@ int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
    const unsigned char *npa;
    unsigned int npalen;
    int ret;
-    int next_proto_neg_seen = s->s3->next_proto_neg_seen;
+    int npn_seen = s->s3->npn_seen;

-    s->s3->next_proto_neg_seen = 0;
-    if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
+    s->s3->npn_seen = 0;
+    if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
        return 1;

-    ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
-                                      s->ctx->next_protos_advertised_cb_arg);
+    ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
+                                        s->ctx->ext.npn_advertised_cb_arg);
    if (ret == SSL_TLSEXT_ERR_OK) {
        if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
                || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
@ -804,7 +804,7 @@ int tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, X509 *x,
                   ERR_R_INTERNAL_ERROR);
            return 0;
        }
-        s->s3->next_proto_neg_seen = 1;
+        s->s3->npn_seen = 1;
    }

    return 1;
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@ -225,7 +225,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)

    case TLS_ST_CR_SRVR_HELLO:
        if (s->hit) {
-            if (s->tlsext_ticket_expected) {
+            if (s->ext.ticket_expected) {
                if (mt == SSL3_MT_NEWSESSION_TICKET) {
                    st->hand_state = TLS_ST_CR_SESSION_TICKET;
                    return 1;
@ -239,8 +239,8 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
                st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
                return 1;
            } else if (s->version >= TLS1_VERSION
-                       && s->tls_session_secret_cb != NULL
-                       && s->session->tlsext_tick != NULL
+                       && s->ext.session_secret_cb != NULL
+                       && s->session->ext.tick != NULL
                       && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                /*
                 * Normally, we can tell if the server is resuming the session
@ -282,9 +282,9 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
    case TLS_ST_CR_CERT:
        /*
         * The CertificateStatus message is optional even if
-         * |tlsext_status_expected| is set
+         * |ext.status_expected| is set
         */
-        if (s->tlsext_status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
+        if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
            st->hand_state = TLS_ST_CR_CERT_STATUS;
            return 1;
        }
@ -321,7 +321,7 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
        break;

    case TLS_ST_CW_FINISHED:
-        if (s->tlsext_ticket_expected) {
+        if (s->ext.ticket_expected) {
            if (mt == SSL3_MT_NEWSESSION_TICKET) {
                st->hand_state = TLS_ST_CR_SESSION_TICKET;
                return 1;
@ -478,7 +478,7 @@ WRITE_TRAN ossl_statem_client_write_transition(SSL *s)
 #if defined(OPENSSL_NO_NEXTPROTONEG)
        st->hand_state = TLS_ST_CW_FINISHED;
 #else
-        if (!SSL_IS_DTLS(s) && s->s3->next_proto_neg_seen)
+        if (!SSL_IS_DTLS(s) && s->s3->npn_seen)
            st->hand_state = TLS_ST_CW_NEXT_PROTO;
        else
            st->hand_state = TLS_ST_CW_FINISHED;
@ -872,7 +872,7 @@ int tls_construct_client_hello(SSL *s, WPACKET *pkt)
         * In the case of EAP-FAST, we can have a pre-shared
         * "ticket" without a session ID.
         */
-        (!sess->session_id_length && !sess->tlsext_tick) ||
+        (!sess->session_id_length && !sess->ext.tick) ||
        (sess->not_resumable)) {
        if (!ssl_get_new_session(s, 0))
            return 0;
@ -1122,7 +1122,7 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
     * server wants to resume.
     */
    if (s->version >= TLS1_VERSION && !SSL_IS_TLS13(s)
-            && s->tls_session_secret_cb != NULL && s->session->tlsext_tick) {
+            && s->ext.session_secret_cb != NULL && s->session->ext.tick) {
        const SSL_CIPHER *pref_cipher = NULL;
        /*
         * s->session->master_key_length is a size_t, but this is an int for
@ -1130,10 +1130,10 @@ MSG_PROCESS_RETURN tls_process_server_hello(SSL *s, PACKET *pkt)
         */
        int master_key_length;
        master_key_length = sizeof(s->session->master_key);
-        if (s->tls_session_secret_cb(s, s->session->master_key,
+        if (s->ext.session_secret_cb(s, s->session->master_key,
                                     &master_key_length,
                                     NULL, &pref_cipher,
-                                     s->tls_session_secret_cb_arg)
+                                     s->ext.session_secret_cb_arg)
                 && master_key_length > 0) {
            s->session->master_key_length = master_key_length;
            s->session->cipher = pref_cipher ?
@ -2134,22 +2134,23 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
        s->session = new_sess;
    }

-    OPENSSL_free(s->session->tlsext_tick);
-    s->session->tlsext_ticklen = 0;
+    OPENSSL_free(s->session->ext.tick);
+    s->session->ext.tick = NULL;
+    s->session->ext.ticklen = 0;

-    s->session->tlsext_tick = OPENSSL_malloc(ticklen);
-    if (s->session->tlsext_tick == NULL) {
+    s->session->ext.tick = OPENSSL_malloc(ticklen);
+    if (s->session->ext.tick == NULL) {
        SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
        goto err;
    }
-    if (!PACKET_copy_bytes(pkt, s->session->tlsext_tick, ticklen)) {
+    if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
        al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
        goto f_err;
    }

-    s->session->tlsext_tick_lifetime_hint = ticket_lifetime_hint;
-    s->session->tlsext_ticklen = ticklen;
+    s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
+    s->session->ext.ticklen = ticklen;
    /*
     * There are two ways to detect a resumed ticket session. One is to set
     * an appropriate session ID and then the server must return a match in
@ -2165,7 +2166,7 @@ MSG_PROCESS_RETURN tls_process_new_session_ticket(SSL *s, PACKET *pkt)
     * TODO(size_t): we use sess_len here because EVP_Digest expects an int
     * but s->session->session_id_length is a size_t
     */
-    if (!EVP_Digest(s->session->tlsext_tick, ticklen,
+    if (!EVP_Digest(s->session->ext.tick, ticklen,
                    s->session->session_id, &sess_len,
                    EVP_sha256(), NULL)) {
        SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_EVP_LIB);
@ -2204,17 +2205,17 @@ int tls_process_cert_status_body(SSL *s, PACKET *pkt, int *al)
        return 0;
    }
    s->tlsext_ocsp_resp = OPENSSL_malloc(resplen);
-    if (s->tlsext_ocsp_resp == NULL) {
+    if (s->ext.ocsp_resp == NULL) {
        *al = SSL_AD_INTERNAL_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, ERR_R_MALLOC_FAILURE);
        return 0;
    }
-    if (!PACKET_copy_bytes(pkt, s->tlsext_ocsp_resp, resplen)) {
+    if (!PACKET_copy_bytes(pkt, s->ext.ocsp_resp, resplen)) {
        *al = SSL_AD_DECODE_ERROR;
        SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH);
        return 0;
    }
-    s->tlsext_ocsp_resplen = resplen;
+    s->ext.ocsp_resplen = resplen;

    return 1;
 }
@ -2251,14 +2252,14 @@ int tls_process_initial_server_flight(SSL *s, int *al)
    }

    /*
-     * Call the ocsp status callback if needed. The |tlsext_ocsp_resp| and
-     * |tlsext_ocsp_resplen| values will be set if we actually received a status
+     * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
+     * |ext.ocsp.resp_len| values will be set if we actually received a status
     * message, or NULL and -1 otherwise
     */
-    if (s->tlsext_status_type != TLSEXT_STATUSTYPE_nothing
-            && s->ctx->tlsext_status_cb != NULL) {
-        int ret;
-        ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
+            && s->ctx->ext.status_cb != NULL) {
+        int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
+
        if (ret == 0) {
            *al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
            SSLerr(SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
@ -3112,10 +3113,10 @@ int tls_construct_next_proto(SSL *s, WPACKET *pkt)
    size_t len, padding_len;
    unsigned char *padding = NULL;

-    len = s->next_proto_negotiated_len;
+    len = s->ext.npn_len;
    padding_len = 32 - ((len + 2) % 32);

-    if (!WPACKET_sub_memcpy_u8(pkt, s->next_proto_negotiated, len)
+    if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
            || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
        SSLerr(SSL_F_TLS_CONSTRUCT_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
        goto err;
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@ -255,7 +255,7 @@ int ossl_statem_server_read_transition(SSL *s, int mt)

    case TLS_ST_SR_CHANGE:
 #ifndef OPENSSL_NO_NEXTPROTONEG
-        if (s->s3->next_proto_neg_seen) {
+        if (s->s3->npn_seen) {
            if (mt == SSL3_MT_NEXT_PROTO) {
                st->hand_state = TLS_ST_SR_NEXT_PROTO;
                return 1;
@ -488,7 +488,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)

    case TLS_ST_SW_SRVR_HELLO:
        if (s->hit) {
-            if (s->tlsext_ticket_expected)
+            if (s->ext.ticket_expected)
                st->hand_state = TLS_ST_SW_SESSION_TICKET;
            else
                st->hand_state = TLS_ST_SW_CHANGE;
@ -509,7 +509,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
        return WRITE_TRAN_CONTINUE;

    case TLS_ST_SW_CERT:
-        if (s->tlsext_status_expected) {
+        if (s->ext.status_expected) {
            st->hand_state = TLS_ST_SW_CERT_STATUS;
            return WRITE_TRAN_CONTINUE;
        }
@ -541,7 +541,7 @@ WRITE_TRAN ossl_statem_server_write_transition(SSL *s)
            st->hand_state = TLS_ST_OK;
            ossl_statem_set_in_init(s, 0);
            return WRITE_TRAN_CONTINUE;
-        } else if (s->tlsext_ticket_expected) {
+        } else if (s->ext.ticket_expected) {
            st->hand_state = TLS_ST_SW_SESSION_TICKET;
        } else {
            st->hand_state = TLS_ST_SW_CHANGE;
@ -1527,7 +1527,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
        }
    }

-    if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
+    if (!s->hit && s->version >= TLS1_VERSION && s->ext.session_secret_cb) {
        const SSL_CIPHER *pref_cipher = NULL;
        /*
         * s->session->master_key_length is a size_t, but this is an int for
@ -1536,10 +1536,10 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
        int master_key_length;

        master_key_length = sizeof(s->session->master_key);
-        if (s->tls_session_secret_cb(s, s->session->master_key,
+        if (s->ext.session_secret_cb(s, s->session->master_key,
                                     &master_key_length, ciphers,
                                     &pref_cipher,
-                                     s->tls_session_secret_cb_arg)
+                                     s->ext.session_secret_cb_arg)
                && master_key_length > 0) {
            s->session->master_key_length = master_key_length;
            s->hit = 1;
@ -1691,7 +1691,7 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
 */
 static int tls_handle_status_request(SSL *s, int *al)
 {
-    s->tlsext_status_expected = 0;
+    s->ext.status_expected = 0;

    /*
     * If status request then ask callback what to do. Note: this must be
@ -1699,8 +1699,8 @@ static int tls_handle_status_request(SSL *s, int *al)
     * and must be called after the cipher has been chosen because this may
     * influence which certificate is sent
     */
-    if (s->tlsext_status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
-            && s->ctx->tlsext_status_cb != NULL) {
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
+            && s->ctx->ext.status_cb != NULL) {
        int ret;
        CERT_PKEY *certpkey = ssl_get_server_send_pkey(s);

@ -1711,16 +1711,16 @@ static int tls_handle_status_request(SSL *s, int *al)
             * et al can pick it up.
             */
            s->cert->key = certpkey;
-            ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+            ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
            switch (ret) {
                /* We don't want to send a status request response */
            case SSL_TLSEXT_ERR_NOACK:
-                s->tlsext_status_expected = 0;
+                s->ext.status_expected = 0;
                break;
                /* status request response should be sent */
            case SSL_TLSEXT_ERR_OK:
-                if (s->tlsext_ocsp_resp)
-                    s->tlsext_status_expected = 1;
+                if (s->ext.ocsp.resp)
+                    s->ext.status_expected = 1;
                break;
                /* something bad happened */
            case SSL_TLSEXT_ERR_ALERT_FATAL:
@ -1773,7 +1773,7 @@ WORK_STATE tls_post_process_client_hello(SSL *s, WORK_STATE wst)
                                                   != 0));
            if (s->session->not_resumable)
                /* do not send a session ticket */
-                s->tlsext_ticket_expected = 0;
+                s->ext.ticket_expected = 0;
        } else {
            /* Session-id reuse */
            s->s3->tmp.new_cipher = s->session->cipher;
@ -3371,9 +3371,9 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
     * Initialize HMAC and cipher contexts. If callback present it does
     * all the work otherwise use generated values from parent ctx.
     */
-    if (tctx->tlsext_ticket_key_cb) {
+    if (tctx->ext.ticket_key_cb) {
        /* if 0 is returned, write an empty ticket */
-        int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx,
+        int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
                                             hctx, 1);

        if (ret == 0) {
@ -3400,14 +3400,14 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
        if (RAND_bytes(iv, iv_len) <= 0)
            goto err;
        if (!EVP_EncryptInit_ex(ctx, cipher, NULL,
-                                tctx->tlsext_tick_aes_key, iv))
+                                tctx->ext.tick_aes_key, iv))
            goto err;
-        if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
-                          sizeof(tctx->tlsext_tick_hmac_key),
+        if (!HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
+                          sizeof(tctx->ext.tick_hmac_key),
                          EVP_sha256(), NULL))
            goto err;
-        memcpy(key_name, tctx->tlsext_tick_key_name,
-               sizeof(tctx->tlsext_tick_key_name));
+        memcpy(key_name, tctx->ext.tick_key_name,
+               sizeof(tctx->ext.tick_key_name));
    }

    /*
@ -3465,6 +3465,7 @@ int tls_construct_new_session_ticket(SSL *s, WPACKET *pkt)
 */
 int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
 {
+<<<<<<< 3b72dcd5fb4d2c756a830dba1fc34f4a7ae61b73
    if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type)
            || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp,
                                       s->tlsext_ocsp_resplen)) {
@ -3478,6 +3479,12 @@ int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
 int tls_construct_cert_status(SSL *s, WPACKET *pkt)
 {
    if (!tls_construct_cert_status_body(s, pkt)) {
+=======
+    if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
+            || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
+                                       s->ext.ocsp.resp_len)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR);
+>>>>>>> Move extension data into sub-structs
        ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
        return 0;
    }
@ -3509,12 +3516,12 @@ MSG_PROCESS_RETURN tls_process_next_proto(SSL *s, PACKET *pkt)
        goto err;
    }

-    if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, &next_proto_len)) {
-        s->next_proto_negotiated_len = 0;
+    if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
+        s->ext.npn_len = 0;
        goto err;
    }

-    s->next_proto_negotiated_len = (unsigned char)next_proto_len;
+    s->ext.npn_len = (unsigned char)next_proto_len;

    return MSG_PROCESS_CONTINUE_READING;
 err:
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@ -112,7 +112,7 @@ int tls1_new(SSL *s)

 void tls1_free(SSL *s)
 {
-    OPENSSL_free(s->tlsext_session_ticket);
+    OPENSSL_free(s->ext.session_ticket);
    ssl3_free(s);
 }

@ -265,8 +265,8 @@ int tls1_get_curvelist(SSL *s, int sess, const unsigned char **pcurves,
 {
    size_t pcurveslen = 0;
    if (sess) {
-        *pcurves = s->session->tlsext_supportedgroupslist;
-        pcurveslen = s->session->tlsext_supportedgroupslist_length;
+        *pcurves = s->session->ext.supportedgroups;
+        pcurveslen = s->session->ext.supportedgroups_len;
    } else {
        /* For Suite B mode only include P-256, P-384 */
        switch (tls1_suiteb(s)) {
@ -285,8 +285,8 @@ int tls1_get_curvelist(SSL *s, int sess, const unsigned char **pcurves,
            pcurveslen = 2;
            break;
        default:
-            *pcurves = s->tlsext_supportedgroupslist;
-            pcurveslen = s->tlsext_supportedgroupslist_length;
+            *pcurves = s->ext.supportedgroups;
+            pcurveslen = s->ext.supportedgroups_len;
        }
        if (!*pcurves) {
            *pcurves = eccurves_default;
@ -556,9 +556,9 @@ static int tls1_check_ec_key(SSL *s,
     * If point formats extension present check it, otherwise everything is
     * supported (see RFC4492).
     */
-    if (comp_id && s->session->tlsext_ecpointformatlist) {
-        pformats = s->session->tlsext_ecpointformatlist;
-        num_formats = s->session->tlsext_ecpointformatlist_length;
+    if (comp_id && s->session->ext.ecpointformats) {
+        pformats = s->session->ext.ecpointformats;
+        num_formats = s->session->ext.ecpointformats_len;
        for (i = 0; i < num_formats; i++, pformats++) {
            if (*comp_id == *pformats)
                break;
@ -601,9 +601,9 @@ void tls1_get_formatlist(SSL *s, const unsigned char **pformats,
    /*
     * If we have a custom point format list use it otherwise use default
     */
-    if (s->tlsext_ecpointformatlist) {
-        *pformats = s->tlsext_ecpointformatlist;
-        *num_formats = s->tlsext_ecpointformatlist_length;
+    if (s->ext.ecpointformats) {
+        *pformats = s->ext.ecpointformats;
+        *num_formats = s->ext.ecpointformats_len;
    } else {
        *pformats = ecformats_default;
        /* For Suite B we don't support char2 fields */
@ -749,12 +749,12 @@ static int tls1_check_cert_param(SSL *s, X509 *x, int set_ee_md)

 static const unsigned char tls12_sigalgs[] = {
    tlsext_sigalg(TLSEXT_hash_sha512)
-        tlsext_sigalg(TLSEXT_hash_sha384)
-        tlsext_sigalg(TLSEXT_hash_sha256)
-        tlsext_sigalg(TLSEXT_hash_sha224)
-        tlsext_sigalg(TLSEXT_hash_sha1)
+    tlsext_sigalg(TLSEXT_hash_sha384)
+    tlsext_sigalg(TLSEXT_hash_sha256)
+    tlsext_sigalg(TLSEXT_hash_sha224)
+    tlsext_sigalg(TLSEXT_hash_sha1)
 #ifndef OPENSSL_NO_GOST
-        TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
+    TLSEXT_hash_gostr3411, TLSEXT_signature_gostr34102001,
    TLSEXT_hash_gostr34112012_256, TLSEXT_signature_gostr34102012_256,
    TLSEXT_hash_gostr34112012_512, TLSEXT_signature_gostr34102012_512
 #endif
@ -763,9 +763,10 @@ static const unsigned char tls12_sigalgs[] = {
 #ifndef OPENSSL_NO_EC
 static const unsigned char suiteb_sigalgs[] = {
    tlsext_sigalg_ecdsa(TLSEXT_hash_sha256)
-        tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
+    tlsext_sigalg_ecdsa(TLSEXT_hash_sha384)
 };
 #endif
+
 size_t tls12_get_psigalgs(SSL *s, const unsigned char **psigs)
 {
    /*
@ -1039,7 +1040,7 @@ RAW_EXTENSION *tls_get_extension_by_type(RAW_EXTENSION *exts, size_t numexts,
 *
 * If s->tls_session_secret_cb is set then we are expecting a pre-shared key
 * ciphersuite, in which case we have no use for session tickets and one will
- * never be decrypted, nor will s->tlsext_ticket_expected be set to 1.
+ * never be decrypted, nor will s->ext.ticket_expected be set to 1.
 *
 * Returns:
 *   -1: fatal error, either from parsing or decrypting the ticket.
@ -1051,12 +1052,12 @@ RAW_EXTENSION *tls_get_extension_by_type(RAW_EXTENSION *exts, size_t numexts,
 *    3: a ticket was successfully decrypted and *ret was set.
 *
 * Side effects:
- *   Sets s->tlsext_ticket_expected to 1 if the server will have to issue
+ *   Sets s->ext.ticket_expected to 1 if the server will have to issue
 *   a new session ticket to the client because the client indicated support
 *   (and s->tls_session_secret_cb is NULL) but the client either doesn't have
 *   a session ticket or we couldn't use the one it gave us, or if
- *   s->ctx->tlsext_ticket_key_cb asked to renew the client's ticket.
- *   Otherwise, s->tlsext_ticket_expected is set to 0.
+ *   s->ctx->ext.ticket_key_cb asked to renew the client's ticket.
+ *   Otherwise, s->ext.ticket_expected is set to 0.
 */
 int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
                               SSL_SESSION **ret)
@ -1066,7 +1067,7 @@ int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
    RAW_EXTENSION *ticketext;

    *ret = NULL;
-    s->tlsext_ticket_expected = 0;
+    s->ext.ticket_expected = 0;

    /*
     * If tickets disabled or not supported by the protocol version
@ -1086,10 +1087,10 @@ int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
         * The client will accept a ticket but doesn't currently have
         * one.
         */
-        s->tlsext_ticket_expected = 1;
+        s->ext.ticket_expected = 1;
        return 1;
    }
-    if (s->tls_session_secret_cb) {
+    if (s->ext.session_secret_cb) {
        /*
         * Indicate that the ticket couldn't be decrypted rather than
         * generating the session from ticket now, trigger
@ -1103,14 +1104,14 @@ int tls_get_ticket_from_client(SSL *s, CLIENTHELLO_MSG *hello,
                              hello->session_id, hello->session_id_len, ret);
    switch (retv) {
    case 2:            /* ticket couldn't be decrypted */
-        s->tlsext_ticket_expected = 1;
+        s->ext.ticket_expected = 1;
        return 2;

    case 3:            /* ticket was decrypted */
        return 3;

    case 4:            /* ticket decrypted but need to renew */
-        s->tlsext_ticket_expected = 1;
+        s->ext.ticket_expected = 1;
        return 3;

    default:           /* fatal error */
@ -1158,9 +1159,9 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
        ret = -2;
        goto err;
    }
-    if (tctx->tlsext_ticket_key_cb) {
+    if (tctx->ext.ticket_key_cb) {
        unsigned char *nctick = (unsigned char *)etick;
-        int rv = tctx->tlsext_ticket_key_cb(s, nctick, nctick + 16,
+        int rv = tctx->ext.ticket_key_cb(s, nctick, nctick + 16,
                                            ctx, hctx, 0);
        if (rv < 0)
            goto err;
@ -1172,17 +1173,17 @@ static int tls_decrypt_ticket(SSL *s, const unsigned char *etick,
            renew_ticket = 1;
    } else {
        /* Check key name matches */
-        if (memcmp(etick, tctx->tlsext_tick_key_name,
-                   sizeof(tctx->tlsext_tick_key_name)) != 0) {
+        if (memcmp(etick, tctx->ext.tick_key_name,
+                   sizeof(tctx->ext.tick_key_name)) != 0) {
            ret = 2;
            goto err;
        }
-        if (HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
-                         sizeof(tctx->tlsext_tick_hmac_key),
+        if (HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
+                         sizeof(tctx->ext.tick_hmac_key),
                         EVP_sha256(), NULL) <= 0
            || EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL,
-                                  tctx->tlsext_tick_aes_key,
-                                  etick + sizeof(tctx->tlsext_tick_key_name)) <=
+                                  tctx->ext.tick_aes_key,
+                                  etick + sizeof(tctx->ext.tick_key_name)) <=
            0) {
            goto err;
        }
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@ -378,16 +378,16 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
        parse_protos(extra->server.npn_protocols,
                     &server_ctx_data->npn_protocols,
                     &server_ctx_data->npn_protocols_len);
-        SSL_CTX_set_next_protos_advertised_cb(server_ctx, server_npn_cb,
-                                              server_ctx_data);
+        SSL_CTX_set_npn_advertised_cb(server_ctx, server_npn_cb,
+                                      server_ctx_data);
    }
    if (extra->server2.npn_protocols != NULL) {
        parse_protos(extra->server2.npn_protocols,
                     &server2_ctx_data->npn_protocols,
                     &server2_ctx_data->npn_protocols_len);
        TEST_check(server2_ctx != NULL);
-        SSL_CTX_set_next_protos_advertised_cb(server2_ctx, server_npn_cb,
-                                              server2_ctx_data);
+        SSL_CTX_set_npn_advertised_cb(server2_ctx, server_npn_cb,
+                                      server2_ctx_data);
    }
    if (extra->client.npn_protocols != NULL) {
        parse_protos(extra->client.npn_protocols,
--- a/test/ossl_shim/ossl_shim.cc
+++ b/test/ossl_shim/ossl_shim.cc
@ -589,7 +589,7 @@ static bssl::UniquePtr<SSL_CTX> SetupCtx(const TestConfig *config) {
    SSL_CTX_set_client_cert_cb(ssl_ctx.get(), ClientCertCallback);
  }

-  SSL_CTX_set_next_protos_advertised_cb(
+  SSL_CTX_set_npn_advertised_cb(
      ssl_ctx.get(), NextProtosAdvertisedCallback, NULL);
  if (!config->select_next_proto.empty()) {
    SSL_CTX_set_next_proto_select_cb(ssl_ctx.get(), NextProtoSelectCallback,
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@ -1662,14 +1662,12 @@ int main(int argc, char *argv[])
                       "Can't have both -npn_server and -npn_server_reject\n");
            goto end;
        }
-        SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL);
-        SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_npn, NULL);
+        SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_npn, NULL);
+        SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_npn, NULL);
    }
    if (npn_server_reject) {
-        SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn,
-                                              NULL);
-        SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_rejects_npn,
-                                              NULL);
+        SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
+        SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_rejects_npn, NULL);
    }
 #endif