Move extension data into sub-structs

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2052)
diff --git a/ssl/statem/extensions.c b/ssl/statem/extensions.c
index 0c65525..2568ac6 100644
--- a/ssl/statem/extensions.c
+++ b/ssl/statem/extensions.c
@@ -457,11 +457,11 @@
     if (!currext->present)
         return 1;
 
-    if (s->tlsext_debug_cb)
-        s->tlsext_debug_cb(s, !s->server, currext->type,
-                           PACKET_data(&currext->data),
-                           PACKET_remaining(&currext->data),
-                           s->tlsext_debug_arg);
+    if (s->ext.debug_cb)
+        s->ext.debug_cb(s, !s->server, currext->type,
+                        PACKET_data(&currext->data),
+                        PACKET_remaining(&currext->data),
+                        s->ext.debug_arg);
 
     /* Skip if we've already parsed this extension */
     if (currext->parsed)
@@ -714,13 +714,13 @@
     int ret = SSL_TLSEXT_ERR_NOACK;
     int altmp = SSL_AD_UNRECOGNIZED_NAME;
 
-    if (s->ctx != NULL && s->ctx->tlsext_servername_callback != 0)
-        ret = s->ctx->tlsext_servername_callback(s, &altmp,
-                                                 s->ctx->tlsext_servername_arg);
+    if (s->ctx != NULL && s->ctx->ext.servername_cb != 0)
+        ret = s->ctx->ext.servername_cb(s, &altmp,
+                                        s->ctx->ext.servername_arg);
     else if (s->initial_ctx != NULL
-             && s->initial_ctx->tlsext_servername_callback != 0)
-        ret = s->initial_ctx->tlsext_servername_callback(s, &altmp,
-                                       s->initial_ctx->tlsext_servername_arg);
+             && s->initial_ctx->ext.servername_cb != 0)
+        ret = s->initial_ctx->ext.servername_cb(s, &altmp,
+                                       s->initial_ctx->ext.servername_arg);
 
     switch (ret) {
     case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -757,20 +757,20 @@
      * suite, then if server returns an EC point formats lists extension it
      * must contain uncompressed.
      */
-    if (s->tlsext_ecpointformatlist != NULL
-            && s->tlsext_ecpointformatlist_length > 0
-            && s->session->tlsext_ecpointformatlist != NULL
-            && s->session->tlsext_ecpointformatlist_length > 0
+    if (s->ext.ecpointformats != NULL
+            && s->ext.ecpointformats_len > 0
+            && s->session->ext.ecpointformats != NULL
+            && s->session->ext.ecpointformats_len > 0
             && ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))) {
         /* we are using an ECC cipher */
         size_t i;
-        unsigned char *list = s->session->tlsext_ecpointformatlist;
+        unsigned char *list = s->session->ext.ecpointformats;
 
-        for (i = 0; i < s->session->tlsext_ecpointformatlist_length; i++) {
+        for (i = 0; i < s->session->ext.ecpointformats_len; i++) {
             if (*list++ == TLSEXT_ECPOINTFORMAT_uncompressed)
                 break;
         }
-        if (i == s->session->tlsext_ecpointformatlist_length) {
+        if (i == s->session->ext.ecpointformats_len) {
             SSLerr(SSL_F_FINAL_EC_PT_FORMATS,
                    SSL_R_TLS_INVALID_ECPOINTFORMAT_LIST);
             return 0;
@@ -784,7 +784,7 @@
 static int init_session_ticket(SSL *s, unsigned int context)
 {
     if (!s->server)
-        s->tlsext_ticket_expected = 0;
+        s->ext.ticket_expected = 0;
 
     return 1;
 }
@@ -793,25 +793,43 @@
 static int init_status_request(SSL *s, unsigned int context)
 {
     if (s->server) {
-        s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
+        s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
     } else {
         /*
          * Ensure we get sensible values passed to tlsext_status_cb in the event
          * that we don't receive a status message
          */
         OPENSSL_free(s->tlsext_ocsp_resp);
-        s->tlsext_ocsp_resp = NULL;
-        s->tlsext_ocsp_resplen = 0;
+        s->ext.ocsp_resp = NULL;
+        s->ext.ocsp_resplen = 0;
     }
 
     return 1;
 }
+
+static int final_status_request(SSL *s, unsigned int context, int sent,
+                                        int *al)
+{
+    if (s->server)
+        return 1;
+
+    /*
+     * Ensure we get sensible values passed to ext.status_cb in the event
+     * that we don't receive a status message
+     */
+    OPENSSL_free(s->ext.ocsp.resp);
+    s->ext.ocsp.resp = NULL;
+    s->ext.ocsp.resp_len = 0;
+>>>>>>> Move extension data into sub-structs
+
+    return 1;
+}
 #endif
 
 #ifndef OPENSSL_NO_NEXTPROTONEG
 static int init_npn(SSL *s, unsigned int context)
 {
-    s->s3->next_proto_neg_seen = 0;
+    s->s3->npn_seen = 0;
 
     return 1;
 }
@@ -838,11 +856,11 @@
     if (!s->server)
         return 1;
 
-    if (s->ctx->alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
-        int r = s->ctx->alpn_select_cb(s, &selected, &selected_len,
-                                       s->s3->alpn_proposed,
-                                       (unsigned int)s->s3->alpn_proposed_len,
-                                       s->ctx->alpn_select_cb_arg);
+    if (s->ctx->ext.alpn_select_cb != NULL && s->s3->alpn_proposed != NULL) {
+        int r = s->ctx->ext.alpn_select_cb(s, &selected, &selected_len,
+                                           s->s3->alpn_proposed,
+                                           (unsigned int)s->s3->alpn_proposed_len,
+                                           s->ctx->ext.alpn_select_cb_arg);
 
         if (r == SSL_TLSEXT_ERR_OK) {
             OPENSSL_free(s->s3->alpn_selected);
@@ -854,7 +872,7 @@
             s->s3->alpn_selected_len = selected_len;
 #ifndef OPENSSL_NO_NEXTPROTONEG
             /* ALPN takes precedence over NPN. */
-            s->s3->next_proto_neg_seen = 0;
+            s->s3->npn_seen = 0;
 #endif
         } else {
             *al = SSL_AD_NO_APPLICATION_PROTOCOL;
diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c
index 277e062..be0c979 100644
--- a/ssl/statem/extensions_clnt.c
+++ b/ssl/statem/extensions_clnt.c
@@ -34,7 +34,7 @@
 int tls_construct_ctos_server_name(SSL *s, WPACKET *pkt, X509 *x,
                                    size_t chainidx, int *al)
 {
-    if (s->tlsext_hostname == NULL)
+    if (s->ext.hostname == NULL)
         return 1;
 
     /* Add TLS extension servername to the Client Hello message */
@@ -44,8 +44,8 @@
                /* Sub-packet for servername list (always 1 hostname)*/
             || !WPACKET_start_sub_packet_u16(pkt)
             || !WPACKET_put_bytes_u8(pkt, TLSEXT_NAMETYPE_host_name)
-            || !WPACKET_sub_memcpy_u16(pkt, s->tlsext_hostname,
-                                       strlen(s->tlsext_hostname))
+            || !WPACKET_sub_memcpy_u16(pkt, s->ext.hostname,
+                                       strlen(s->ext.hostname))
             || !WPACKET_close(pkt)
             || !WPACKET_close(pkt)) {
         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SERVER_NAME, ERR_R_INTERNAL_ERROR);
@@ -145,7 +145,7 @@
      * Add TLS extension supported_groups to the ClientHello message
      */
     /* TODO(TLS1.3): Add support for DHE groups */
-    pcurves = s->tlsext_supportedgroupslist;
+    pcurves = s->ext.supportedgroups;
     if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SUPPORTED_GROUPS,
                ERR_R_INTERNAL_ERROR);
@@ -191,30 +191,30 @@
         return 1;
 
     if (!s->new_session && s->session != NULL
-            && s->session->tlsext_tick != NULL) {
-        ticklen = s->session->tlsext_ticklen;
-    } else if (s->session && s->tlsext_session_ticket != NULL
-               && s->tlsext_session_ticket->data != NULL) {
-        ticklen = s->tlsext_session_ticket->length;
-        s->session->tlsext_tick = OPENSSL_malloc(ticklen);
-        if (s->session->tlsext_tick == NULL) {
+            && s->session->ext.tick != NULL) {
+        ticklen = s->session->ext.ticklen;
+    } else if (s->session && s->ext.session_ticket != NULL
+               && s->ext.session_ticket->data != NULL) {
+        ticklen = s->ext.session_ticket->length;
+        s->session->ext.tick = OPENSSL_malloc(ticklen);
+        if (s->session->ext.tick == NULL) {
             SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET,
                    ERR_R_INTERNAL_ERROR);
             return 0;
         }
-        memcpy(s->session->tlsext_tick,
-               s->tlsext_session_ticket->data, ticklen);
-        s->session->tlsext_ticklen = ticklen;
+        memcpy(s->session->ext.tick,
+               s->ext.session_ticket->data, ticklen);
+        s->session->ext.ticklen = ticklen;
     } else {
         ticklen = 0;
     }
 
-    if (ticklen == 0 && s->tlsext_session_ticket != NULL &&
-            s->tlsext_session_ticket->data == NULL)
+    if (ticklen == 0 && s->ext.session_ticket != NULL &&
+            s->ext.session_ticket->data == NULL)
         return 1;
 
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_session_ticket)
-            || !WPACKET_sub_memcpy_u16(pkt, s->session->tlsext_tick, ticklen)) {
+            || !WPACKET_sub_memcpy_u16(pkt, s->session->ext.tick, ticklen)) {
         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_SESSION_TICKET, ERR_R_INTERNAL_ERROR);
         return 0;
     }
@@ -257,7 +257,7 @@
     if (x != NULL)
         return 1;
 
-    if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp)
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp)
         return 1;
 
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_status_request)
@@ -269,9 +269,9 @@
         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
         return 0;
     }
-    for (i = 0; i < sk_OCSP_RESPID_num(s->tlsext_ocsp_ids); i++) {
+    for (i = 0; i < sk_OCSP_RESPID_num(s->ext.ocsp.ids); i++) {
         unsigned char *idbytes;
-        OCSP_RESPID *id = sk_OCSP_RESPID_value(s->tlsext_ocsp_ids, i);
+        OCSP_RESPID *id = sk_OCSP_RESPID_value(s->ext.ocsp.ids, i);
         int idlen = i2d_OCSP_RESPID(id, NULL);
 
         if (idlen <= 0
@@ -288,9 +288,9 @@
         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST, ERR_R_INTERNAL_ERROR);
         return 0;
     }
-    if (s->tlsext_ocsp_exts) {
+    if (s->ext.ocsp.exts) {
         unsigned char *extbytes;
-        int extlen = i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, NULL);
+        int extlen = i2d_X509_EXTENSIONS(s->ext.ocsp.exts, NULL);
 
         if (extlen < 0) {
             SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
@@ -298,7 +298,7 @@
             return 0;
         }
         if (!WPACKET_allocate_bytes(pkt, extlen, &extbytes)
-                || i2d_X509_EXTENSIONS(s->tlsext_ocsp_exts, &extbytes)
+                || i2d_X509_EXTENSIONS(s->ext.ocsp.exts, &extbytes)
                    != extlen) {
             SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_STATUS_REQUEST,
                    ERR_R_INTERNAL_ERROR);
@@ -318,7 +318,7 @@
 int tls_construct_ctos_npn(SSL *s, WPACKET *pkt, X509 *x, size_t chainidx,
                            int *al)
 {
-    if (s->ctx->next_proto_select_cb == NULL || s->s3->tmp.finish_md_len != 0)
+    if (s->ctx->ext.npn_select_cb == NULL || s->s3->tmp.finish_md_len != 0)
         return 1;
 
     /*
@@ -344,15 +344,14 @@
      * finish_md_len is non-zero during a renegotiation, so
      * this avoids sending ALPN during the renegotiation
      */
-    if (s->alpn_client_proto_list == NULL || s->s3->tmp.finish_md_len != 0)
+    if (s->ext.alpn == NULL || s->s3->tmp.finish_md_len != 0)
         return 1;
 
     if (!WPACKET_put_bytes_u16(pkt,
                 TLSEXT_TYPE_application_layer_protocol_negotiation)
                /* Sub-packet ALPN extension */
             || !WPACKET_start_sub_packet_u16(pkt)
-            || !WPACKET_sub_memcpy_u16(pkt, s->alpn_client_proto_list,
-                                       s->alpn_client_proto_list_len)
+            || !WPACKET_sub_memcpy_u16(pkt, s->ext.alpn, s->ext.alpn_len)
             || !WPACKET_close(pkt)) {
         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_ALPN, ERR_R_INTERNAL_ERROR);
         return 0;
@@ -516,7 +515,7 @@
         return 0;
     }
 
-    pcurves = s->tlsext_supportedgroupslist;
+    pcurves = s->ext.supportedgroups;
     if (!tls1_get_curvelist(s, 0, &pcurves, &num_curves)) {
         SSLerr(SSL_F_TLS_CONSTRUCT_CTOS_KEY_SHARE, ERR_R_INTERNAL_ERROR);
         return 0;
@@ -698,18 +697,18 @@
 int tls_parse_stoc_server_name(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
                                int *al)
 {
-    if (s->tlsext_hostname == NULL || PACKET_remaining(pkt) > 0) {
+    if (s->ext.hostname == NULL || PACKET_remaining(pkt) > 0) {
         *al = SSL_AD_UNRECOGNIZED_NAME;
         return 0;
     }
 
     if (!s->hit) {
-        if (s->session->tlsext_hostname != NULL) {
+        if (s->session->ext.hostname != NULL) {
             *al = SSL_AD_INTERNAL_ERROR;
             return 0;
         }
-        s->session->tlsext_hostname = OPENSSL_strdup(s->tlsext_hostname);
-        if (s->session->tlsext_hostname == NULL) {
+        s->session->ext.hostname = OPENSSL_strdup(s->ext.hostname);
+        if (s->session->ext.hostname == NULL) {
             *al = SSL_AD_INTERNAL_ERROR;
             return 0;
         }
@@ -722,7 +721,7 @@
 int tls_parse_stoc_ec_pt_formats(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
                                  int *al)
 {
-    unsigned int ecpointformatlist_length;
+    unsigned int ecpointformats_len;
     PACKET ecptformatlist;
 
     if (!PACKET_as_length_prefixed_1(pkt, &ecptformatlist)) {
@@ -730,22 +729,21 @@
         return 0;
     }
     if (!s->hit) {
-        ecpointformatlist_length = PACKET_remaining(&ecptformatlist);
-        s->session->tlsext_ecpointformatlist_length = 0;
+        ecpointformats_len = PACKET_remaining(&ecptformatlist);
+        s->session->ext.ecpointformats_len = 0;
 
-        OPENSSL_free(s->session->tlsext_ecpointformatlist);
-        s->session->tlsext_ecpointformatlist =
-             OPENSSL_malloc(ecpointformatlist_length);
-        if (s->session->tlsext_ecpointformatlist == NULL) {
+        OPENSSL_free(s->session->ext.ecpointformats);
+        s->session->ext.ecpointformats = OPENSSL_malloc(ecpointformats_len);
+        if (s->session->ext.ecpointformats == NULL) {
             *al = SSL_AD_INTERNAL_ERROR;
             return 0;
         }
 
-        s->session->tlsext_ecpointformatlist_length = ecpointformatlist_length;
+        s->session->ext.ecpointformats_len = ecpointformats_len;
 
         if (!PACKET_copy_bytes(&ecptformatlist,
-                               s->session->tlsext_ecpointformatlist,
-                               ecpointformatlist_length)) {
+                               s->session->ext.ecpointformats,
+                               ecpointformats_len)) {
             *al = SSL_AD_INTERNAL_ERROR;
             return 0;
         }
@@ -758,10 +756,10 @@
 int tls_parse_stoc_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
                                   int *al)
 {
-    if (s->tls_session_ticket_ext_cb != NULL &&
-        !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
-                                      PACKET_remaining(pkt),
-                                      s->tls_session_ticket_ext_cb_arg)) {
+    if (s->ext.session_ticket_cb != NULL &&
+        !s->ext.session_ticket_cb(s, PACKET_data(pkt),
+                              PACKET_remaining(pkt),
+                              s->ext.session_ticket_cb_arg)) {
         *al = SSL_AD_INTERNAL_ERROR;
         return 0;
     }
@@ -771,7 +769,7 @@
         return 0;
     }
 
-    s->tlsext_ticket_expected = 1;
+    s->ext.ticket_expected = 1;
 
     return 1;
 }
@@ -784,7 +782,7 @@
      * MUST only be sent if we've requested a status
      * request message. In TLS <= 1.2 it must also be empty.
      */
-    if (s->tlsext_status_type == TLSEXT_STATUSTYPE_nothing
+    if (s->ext.status_type == TLSEXT_STATUSTYPE_nothing
             || (!SSL_IS_TLS13(s) && PACKET_remaining(pkt) > 0)) {
         *al = SSL_AD_UNSUPPORTED_EXTENSION;
         return 0;
@@ -800,7 +798,7 @@
     }
 
     /* Set flag to expect CertificateStatus message */
-    s->tlsext_status_expected = 1;
+    s->ext.status_expected = 1;
 
     return 1;
 }
@@ -819,14 +817,14 @@
         size_t size = PACKET_remaining(pkt);
 
         /* Simply copy it off for later processing */
-        OPENSSL_free(s->tlsext_scts);
-        s->tlsext_scts = NULL;
+        OPENSSL_free(s->ext.scts);
+        s->ext.scts = NULL;
 
-        s->tlsext_scts_len = size;
+        s->ext.scts_len = size;
         if (size > 0) {
-            s->tlsext_scts = OPENSSL_malloc(size);
-            if (s->tlsext_scts == NULL
-                    || !PACKET_copy_bytes(pkt, s->tlsext_scts, size)) {
+            s->ext.scts = OPENSSL_malloc(size);
+            if (s->ext.scts == NULL
+                    || !PACKET_copy_bytes(pkt, s->ext.scts, size)) {
                 *al = SSL_AD_INTERNAL_ERROR;
                 return 0;
             }
@@ -872,7 +870,7 @@
         return 1;
 
     /* We must have requested it. */
-    if (s->ctx->next_proto_select_cb == NULL) {
+    if (s->ctx->ext.npn_select_cb == NULL) {
         *al = SSL_AD_UNSUPPORTED_EXTENSION;
         return 0;
     }
@@ -883,10 +881,10 @@
         *al = SSL_AD_DECODE_ERROR;
         return 0;
     }
-    if (s->ctx->next_proto_select_cb(s, &selected, &selected_len,
-                                     PACKET_data(pkt),
-                                     PACKET_remaining(pkt),
-                                     s->ctx->next_proto_select_cb_arg) !=
+    if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len,
+                                  PACKET_data(pkt),
+                                  PACKET_remaining(pkt),
+                                  s->ctx->ext.npn_select_cb_arg) !=
              SSL_TLSEXT_ERR_OK) {
         *al = SSL_AD_INTERNAL_ERROR;
         return 0;
@@ -896,16 +894,16 @@
      * Could be non-NULL if server has sent multiple NPN extensions in
      * a single Serverhello
      */
-    OPENSSL_free(s->next_proto_negotiated);
-    s->next_proto_negotiated = OPENSSL_malloc(selected_len);
-    if (s->next_proto_negotiated == NULL) {
+    OPENSSL_free(s->ext.npn);
+    s->ext.npn = OPENSSL_malloc(selected_len);
+    if (s->ext.npn == NULL) {
         *al = SSL_AD_INTERNAL_ERROR;
         return 0;
     }
 
-    memcpy(s->next_proto_negotiated, selected, selected_len);
-    s->next_proto_negotiated_len = selected_len;
-    s->s3->next_proto_neg_seen = 1;
+    memcpy(s->ext.npn, selected, selected_len);
+    s->ext.npn_len = selected_len;
+    s->s3->npn_seen = 1;
 
     return 1;
 }
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index dfe5fc5..c868bb9 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -116,7 +116,7 @@
             return 0;
         }
 
-        if (!PACKET_strndup(&hostname, &s->session->tlsext_hostname)) {
+        if (!PACKET_strndup(&hostname, &s->session->ext.hostname)) {
             *al = TLS1_AD_INTERNAL_ERROR;
             return 0;
         }
@@ -127,9 +127,9 @@
          * TODO(openssl-team): if the SNI doesn't match, we MUST
          * fall back to a full handshake.
          */
-        s->servername_done = s->session->tlsext_hostname
-            && PACKET_equal(&hostname, s->session->tlsext_hostname,
-                            strlen(s->session->tlsext_hostname));
+        s->servername_done = s->session->ext.hostname
+            && PACKET_equal(&hostname, s->session->ext.hostname,
+                            strlen(s->session->ext.hostname));
     }
 
     return 1;
@@ -173,8 +173,8 @@
 
     if (!s->hit) {
         if (!PACKET_memdup(&ec_point_format_list,
-                           &s->session->tlsext_ecpointformatlist,
-                           &s->session->tlsext_ecpointformatlist_length)) {
+                           &s->session->ext.ecpointformats,
+                           &s->session->ext.ecpointformats_len)) {
             *al = TLS1_AD_INTERNAL_ERROR;
             return 0;
         }
@@ -187,10 +187,10 @@
 int tls_parse_ctos_session_ticket(SSL *s, PACKET *pkt, X509 *x, size_t chainidx,
                                   int *al)
 {
-    if (s->tls_session_ticket_ext_cb &&
-            !s->tls_session_ticket_ext_cb(s, PACKET_data(pkt),
-                                          PACKET_remaining(pkt),
-                                          s->tls_session_ticket_ext_cb_arg)) {
+    if (s->ext.session_ticket_cb &&
+            !s->ext.session_ticket_cb(s, PACKET_data(pkt),
+                                  PACKET_remaining(pkt),
+                                  s->ext.session_ticket_cb_arg)) {
         *al = TLS1_AD_INTERNAL_ERROR;
         return 0;
     }
@@ -229,16 +229,16 @@
     if (x != NULL)
         return 1;
 
-    if (!PACKET_get_1(pkt, (unsigned int *)&s->tlsext_status_type)) {
+    if (!PACKET_get_1(pkt, (unsigned int *)&s->ext.status_type)) {
         *al = SSL_AD_DECODE_ERROR;
         return 0;
     }
 
-    if (s->tlsext_status_type != TLSEXT_STATUSTYPE_ocsp) {
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_ocsp) {
         /*
          * We don't know what to do with any other type so ignore it.
          */
-        s->tlsext_status_type = TLSEXT_STATUSTYPE_nothing;
+        s->ext.status_type = TLSEXT_STATUSTYPE_nothing;
         return 1;
     }
 
@@ -251,15 +251,15 @@
      * We remove any OCSP_RESPIDs from a previous handshake
      * to prevent unbounded memory growth - CVE-2016-6304
      */
-    sk_OCSP_RESPID_pop_free(s->tlsext_ocsp_ids, OCSP_RESPID_free);
+    sk_OCSP_RESPID_pop_free(s->ext.ocsp.ids, OCSP_RESPID_free);
     if (PACKET_remaining(&responder_id_list) > 0) {
-        s->tlsext_ocsp_ids = sk_OCSP_RESPID_new_null();
-        if (s->tlsext_ocsp_ids == NULL) {
+        s->ext.ocsp.ids = sk_OCSP_RESPID_new_null();
+        if (s->ext.ocsp.ids == NULL) {
             *al = SSL_AD_INTERNAL_ERROR;
             return 0;
         }
     } else {
-        s->tlsext_ocsp_ids = NULL;
+        s->ext.ocsp.ids = NULL;
     }
 
     while (PACKET_remaining(&responder_id_list) > 0) {
@@ -288,7 +288,7 @@
             return 0;
         }
 
-        if (!sk_OCSP_RESPID_push(s->tlsext_ocsp_ids, id)) {
+        if (!sk_OCSP_RESPID_push(s->ext.ocsp.ids, id)) {
             OCSP_RESPID_free(id);
             *al = SSL_AD_INTERNAL_ERROR;
             return 0;
@@ -304,11 +304,11 @@
     if (PACKET_remaining(&exts) > 0) {
         const unsigned char *ext_data = PACKET_data(&exts);
 
-        sk_X509_EXTENSION_pop_free(s->tlsext_ocsp_exts,
+        sk_X509_EXTENSION_pop_free(s->ext.ocsp.exts,
                                    X509_EXTENSION_free);
-        s->tlsext_ocsp_exts =
+        s->ext.ocsp.exts =
             d2i_X509_EXTENSIONS(NULL, &ext_data, (int)PACKET_remaining(&exts));
-        if (s->tlsext_ocsp_exts == NULL || ext_data != PACKET_end(&exts)) {
+        if (s->ext.ocsp.exts == NULL || ext_data != PACKET_end(&exts)) {
             *al = SSL_AD_DECODE_ERROR;
             return 0;
         }
@@ -339,7 +339,7 @@
      * Finished message could have been computed.)
      */
     if (s->s3->tmp.finish_md_len == 0)
-        s->s3->next_proto_neg_seen = 1;
+        s->s3->npn_seen = 1;
 
     return 1;
 }
@@ -643,8 +643,8 @@
 
     if (!s->hit
             && !PACKET_memdup(&supported_groups_list,
-                              &s->session->tlsext_supportedgroupslist,
-                              &s->session->tlsext_supportedgroupslist_length)) {
+                              &s->session->ext.supportedgroups,
+                              &s->session->ext.supportedgroups_len)) {
         *al = SSL_AD_DECODE_ERROR;
         return 0;
     }
@@ -695,7 +695,7 @@
                                    size_t chainidx, int *al)
 {
     if (s->hit || s->servername_done != 1
-            || s->session->tlsext_hostname == NULL)
+            || s->session->ext.hostname == NULL)
         return 1;
 
     if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_server_name)
@@ -714,7 +714,7 @@
     unsigned long alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
     unsigned long alg_a = s->s3->tmp.new_cipher->algorithm_auth;
     int using_ecc = ((alg_k & SSL_kECDHE) || (alg_a & SSL_aECDSA))
-                    && (s->session->tlsext_ecpointformatlist != NULL);
+                    && (s->session->ext.ecpointformats != NULL);
     const unsigned char *plist;
     size_t plistlen;
 
@@ -737,8 +737,8 @@
 int tls_construct_stoc_session_ticket(SSL *s, WPACKET *pkt, X509 *x,
                                       size_t chainidx, int *al)
 {
-    if (!s->tlsext_ticket_expected || !tls_use_ticket(s)) {
-        s->tlsext_ticket_expected = 0;
+    if (!s->ext.ticket_expected || !tls_use_ticket(s)) {
+        s->ext.ticket_expected = 0;
         return 1;
     }
 
@@ -755,7 +755,7 @@
 int tls_construct_stoc_status_request(SSL *s, WPACKET *pkt, X509 *x,
                                      size_t chainidx, int *al)
 {
-    if (!s->tlsext_status_expected)
+    if (!s->ext.status_expected)
         return 1;
 
     if (SSL_IS_TLS13(s) && chainidx != 0)
@@ -789,14 +789,14 @@
     const unsigned char *npa;
     unsigned int npalen;
     int ret;
-    int next_proto_neg_seen = s->s3->next_proto_neg_seen;
+    int npn_seen = s->s3->npn_seen;
 
-    s->s3->next_proto_neg_seen = 0;
-    if (!next_proto_neg_seen || s->ctx->next_protos_advertised_cb == NULL)
+    s->s3->npn_seen = 0;
+    if (!npn_seen || s->ctx->ext.npn_advertised_cb == NULL)
         return 1;
 
-    ret = s->ctx->next_protos_advertised_cb(s, &npa, &npalen,
-                                      s->ctx->next_protos_advertised_cb_arg);
+    ret = s->ctx->ext.npn_advertised_cb(s, &npa, &npalen,
+                                        s->ctx->ext.npn_advertised_cb_arg);
     if (ret == SSL_TLSEXT_ERR_OK) {
         if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_next_proto_neg)
                 || !WPACKET_sub_memcpy_u16(pkt, npa, npalen)) {
@@ -804,7 +804,7 @@
                    ERR_R_INTERNAL_ERROR);
             return 0;
         }
-        s->s3->next_proto_neg_seen = 1;
+        s->s3->npn_seen = 1;
     }
 
     return 1;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index a3133ad..82713d2 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -225,7 +225,7 @@
 
     case TLS_ST_CR_SRVR_HELLO:
         if (s->hit) {
-            if (s->tlsext_ticket_expected) {
+            if (s->ext.ticket_expected) {
                 if (mt == SSL3_MT_NEWSESSION_TICKET) {
                     st->hand_state = TLS_ST_CR_SESSION_TICKET;
                     return 1;
@@ -239,8 +239,8 @@
                 st->hand_state = DTLS_ST_CR_HELLO_VERIFY_REQUEST;
                 return 1;
             } else if (s->version >= TLS1_VERSION
-                       && s->tls_session_secret_cb != NULL
-                       && s->session->tlsext_tick != NULL
+                       && s->ext.session_secret_cb != NULL
+                       && s->session->ext.tick != NULL
                        && mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
                 /*
                  * Normally, we can tell if the server is resuming the session
@@ -282,9 +282,9 @@
     case TLS_ST_CR_CERT:
         /*
          * The CertificateStatus message is optional even if
-         * |tlsext_status_expected| is set
+         * |ext.status_expected| is set
          */
-        if (s->tlsext_status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
+        if (s->ext.status_expected && mt == SSL3_MT_CERTIFICATE_STATUS) {
             st->hand_state = TLS_ST_CR_CERT_STATUS;
             return 1;
         }
@@ -321,7 +321,7 @@
         break;
 
     case TLS_ST_CW_FINISHED:
-        if (s->tlsext_ticket_expected) {
+        if (s->ext.ticket_expected) {
             if (mt == SSL3_MT_NEWSESSION_TICKET) {
                 st->hand_state = TLS_ST_CR_SESSION_TICKET;
                 return 1;
@@ -478,7 +478,7 @@
 #if defined(OPENSSL_NO_NEXTPROTONEG)
         st->hand_state = TLS_ST_CW_FINISHED;
 #else
-        if (!SSL_IS_DTLS(s) && s->s3->next_proto_neg_seen)
+        if (!SSL_IS_DTLS(s) && s->s3->npn_seen)
             st->hand_state = TLS_ST_CW_NEXT_PROTO;
         else
             st->hand_state = TLS_ST_CW_FINISHED;
@@ -872,7 +872,7 @@
          * In the case of EAP-FAST, we can have a pre-shared
          * "ticket" without a session ID.
          */
-        (!sess->session_id_length && !sess->tlsext_tick) ||
+        (!sess->session_id_length && !sess->ext.tick) ||
         (sess->not_resumable)) {
         if (!ssl_get_new_session(s, 0))
             return 0;
@@ -1122,7 +1122,7 @@
      * server wants to resume.
      */
     if (s->version >= TLS1_VERSION && !SSL_IS_TLS13(s)
-            && s->tls_session_secret_cb != NULL && s->session->tlsext_tick) {
+            && s->ext.session_secret_cb != NULL && s->session->ext.tick) {
         const SSL_CIPHER *pref_cipher = NULL;
         /*
          * s->session->master_key_length is a size_t, but this is an int for
@@ -1130,10 +1130,10 @@
          */
         int master_key_length;
         master_key_length = sizeof(s->session->master_key);
-        if (s->tls_session_secret_cb(s, s->session->master_key,
+        if (s->ext.session_secret_cb(s, s->session->master_key,
                                      &master_key_length,
                                      NULL, &pref_cipher,
-                                     s->tls_session_secret_cb_arg)
+                                     s->ext.session_secret_cb_arg)
                  && master_key_length > 0) {
             s->session->master_key_length = master_key_length;
             s->session->cipher = pref_cipher ?
@@ -2134,22 +2134,23 @@
         s->session = new_sess;
     }
 
-    OPENSSL_free(s->session->tlsext_tick);
-    s->session->tlsext_ticklen = 0;
+    OPENSSL_free(s->session->ext.tick);
+    s->session->ext.tick = NULL;
+    s->session->ext.ticklen = 0;
 
-    s->session->tlsext_tick = OPENSSL_malloc(ticklen);
-    if (s->session->tlsext_tick == NULL) {
+    s->session->ext.tick = OPENSSL_malloc(ticklen);
+    if (s->session->ext.tick == NULL) {
         SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_MALLOC_FAILURE);
         goto err;
     }
-    if (!PACKET_copy_bytes(pkt, s->session->tlsext_tick, ticklen)) {
+    if (!PACKET_copy_bytes(pkt, s->session->ext.tick, ticklen)) {
         al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, SSL_R_LENGTH_MISMATCH);
         goto f_err;
     }
 
-    s->session->tlsext_tick_lifetime_hint = ticket_lifetime_hint;
-    s->session->tlsext_ticklen = ticklen;
+    s->session->ext.tick_lifetime_hint = ticket_lifetime_hint;
+    s->session->ext.ticklen = ticklen;
     /*
      * There are two ways to detect a resumed ticket session. One is to set
      * an appropriate session ID and then the server must return a match in
@@ -2165,7 +2166,7 @@
      * TODO(size_t): we use sess_len here because EVP_Digest expects an int
      * but s->session->session_id_length is a size_t
      */
-    if (!EVP_Digest(s->session->tlsext_tick, ticklen,
+    if (!EVP_Digest(s->session->ext.tick, ticklen,
                     s->session->session_id, &sess_len,
                     EVP_sha256(), NULL)) {
         SSLerr(SSL_F_TLS_PROCESS_NEW_SESSION_TICKET, ERR_R_EVP_LIB);
@@ -2204,17 +2205,17 @@
         return 0;
     }
     s->tlsext_ocsp_resp = OPENSSL_malloc(resplen);
-    if (s->tlsext_ocsp_resp == NULL) {
+    if (s->ext.ocsp_resp == NULL) {
         *al = SSL_AD_INTERNAL_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, ERR_R_MALLOC_FAILURE);
         return 0;
     }
-    if (!PACKET_copy_bytes(pkt, s->tlsext_ocsp_resp, resplen)) {
+    if (!PACKET_copy_bytes(pkt, s->ext.ocsp_resp, resplen)) {
         *al = SSL_AD_DECODE_ERROR;
         SSLerr(SSL_F_TLS_PROCESS_CERT_STATUS_BODY, SSL_R_LENGTH_MISMATCH);
         return 0;
     }
-    s->tlsext_ocsp_resplen = resplen;
+    s->ext.ocsp_resplen = resplen;
 
     return 1;
 }
@@ -2251,14 +2252,14 @@
     }
 
     /*
-     * Call the ocsp status callback if needed. The |tlsext_ocsp_resp| and
-     * |tlsext_ocsp_resplen| values will be set if we actually received a status
+     * Call the ocsp status callback if needed. The |ext.ocsp.resp| and
+     * |ext.ocsp.resp_len| values will be set if we actually received a status
      * message, or NULL and -1 otherwise
      */
-    if (s->tlsext_status_type != TLSEXT_STATUSTYPE_nothing
-            && s->ctx->tlsext_status_cb != NULL) {
-        int ret;
-        ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing
+            && s->ctx->ext.status_cb != NULL) {
+        int ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
+
         if (ret == 0) {
             *al = SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE;
             SSLerr(SSL_F_TLS_PROCESS_INITIAL_SERVER_FLIGHT,
@@ -3112,10 +3113,10 @@
     size_t len, padding_len;
     unsigned char *padding = NULL;
 
-    len = s->next_proto_negotiated_len;
+    len = s->ext.npn_len;
     padding_len = 32 - ((len + 2) % 32);
 
-    if (!WPACKET_sub_memcpy_u8(pkt, s->next_proto_negotiated, len)
+    if (!WPACKET_sub_memcpy_u8(pkt, s->ext.npn, len)
             || !WPACKET_sub_allocate_bytes_u8(pkt, padding_len, &padding)) {
         SSLerr(SSL_F_TLS_CONSTRUCT_NEXT_PROTO, ERR_R_INTERNAL_ERROR);
         goto err;
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index b3d6419..475f405 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -255,7 +255,7 @@
 
     case TLS_ST_SR_CHANGE:
 #ifndef OPENSSL_NO_NEXTPROTONEG
-        if (s->s3->next_proto_neg_seen) {
+        if (s->s3->npn_seen) {
             if (mt == SSL3_MT_NEXT_PROTO) {
                 st->hand_state = TLS_ST_SR_NEXT_PROTO;
                 return 1;
@@ -488,7 +488,7 @@
 
     case TLS_ST_SW_SRVR_HELLO:
         if (s->hit) {
-            if (s->tlsext_ticket_expected)
+            if (s->ext.ticket_expected)
                 st->hand_state = TLS_ST_SW_SESSION_TICKET;
             else
                 st->hand_state = TLS_ST_SW_CHANGE;
@@ -509,7 +509,7 @@
         return WRITE_TRAN_CONTINUE;
 
     case TLS_ST_SW_CERT:
-        if (s->tlsext_status_expected) {
+        if (s->ext.status_expected) {
             st->hand_state = TLS_ST_SW_CERT_STATUS;
             return WRITE_TRAN_CONTINUE;
         }
@@ -541,7 +541,7 @@
             st->hand_state = TLS_ST_OK;
             ossl_statem_set_in_init(s, 0);
             return WRITE_TRAN_CONTINUE;
-        } else if (s->tlsext_ticket_expected) {
+        } else if (s->ext.ticket_expected) {
             st->hand_state = TLS_ST_SW_SESSION_TICKET;
         } else {
             st->hand_state = TLS_ST_SW_CHANGE;
@@ -1527,7 +1527,7 @@
         }
     }
 
-    if (!s->hit && s->version >= TLS1_VERSION && s->tls_session_secret_cb) {
+    if (!s->hit && s->version >= TLS1_VERSION && s->ext.session_secret_cb) {
         const SSL_CIPHER *pref_cipher = NULL;
         /*
          * s->session->master_key_length is a size_t, but this is an int for
@@ -1536,10 +1536,10 @@
         int master_key_length;
 
         master_key_length = sizeof(s->session->master_key);
-        if (s->tls_session_secret_cb(s, s->session->master_key,
+        if (s->ext.session_secret_cb(s, s->session->master_key,
                                      &master_key_length, ciphers,
                                      &pref_cipher,
-                                     s->tls_session_secret_cb_arg)
+                                     s->ext.session_secret_cb_arg)
                 && master_key_length > 0) {
             s->session->master_key_length = master_key_length;
             s->hit = 1;
@@ -1691,7 +1691,7 @@
  */
 static int tls_handle_status_request(SSL *s, int *al)
 {
-    s->tlsext_status_expected = 0;
+    s->ext.status_expected = 0;
 
     /*
      * If status request then ask callback what to do. Note: this must be
@@ -1699,8 +1699,8 @@
      * and must be called after the cipher has been chosen because this may
      * influence which certificate is sent
      */
-    if (s->tlsext_status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
-            && s->ctx->tlsext_status_cb != NULL) {
+    if (s->ext.status_type != TLSEXT_STATUSTYPE_nothing && s->ctx != NULL
+            && s->ctx->ext.status_cb != NULL) {
         int ret;
         CERT_PKEY *certpkey = ssl_get_server_send_pkey(s);
 
@@ -1711,16 +1711,16 @@
              * et al can pick it up.
              */
             s->cert->key = certpkey;
-            ret = s->ctx->tlsext_status_cb(s, s->ctx->tlsext_status_arg);
+            ret = s->ctx->ext.status_cb(s, s->ctx->ext.status_arg);
             switch (ret) {
                 /* We don't want to send a status request response */
             case SSL_TLSEXT_ERR_NOACK:
-                s->tlsext_status_expected = 0;
+                s->ext.status_expected = 0;
                 break;
                 /* status request response should be sent */
             case SSL_TLSEXT_ERR_OK:
-                if (s->tlsext_ocsp_resp)
-                    s->tlsext_status_expected = 1;
+                if (s->ext.ocsp.resp)
+                    s->ext.status_expected = 1;
                 break;
                 /* something bad happened */
             case SSL_TLSEXT_ERR_ALERT_FATAL:
@@ -1773,7 +1773,7 @@
                                                    != 0));
             if (s->session->not_resumable)
                 /* do not send a session ticket */
-                s->tlsext_ticket_expected = 0;
+                s->ext.ticket_expected = 0;
         } else {
             /* Session-id reuse */
             s->s3->tmp.new_cipher = s->session->cipher;
@@ -3371,9 +3371,9 @@
      * Initialize HMAC and cipher contexts. If callback present it does
      * all the work otherwise use generated values from parent ctx.
      */
-    if (tctx->tlsext_ticket_key_cb) {
+    if (tctx->ext.ticket_key_cb) {
         /* if 0 is returned, write an empty ticket */
-        int ret = tctx->tlsext_ticket_key_cb(s, key_name, iv, ctx,
+        int ret = tctx->ext.ticket_key_cb(s, key_name, iv, ctx,
                                              hctx, 1);
 
         if (ret == 0) {
@@ -3400,14 +3400,14 @@
         if (RAND_bytes(iv, iv_len) <= 0)
             goto err;
         if (!EVP_EncryptInit_ex(ctx, cipher, NULL,
-                                tctx->tlsext_tick_aes_key, iv))
+                                tctx->ext.tick_aes_key, iv))
             goto err;
-        if (!HMAC_Init_ex(hctx, tctx->tlsext_tick_hmac_key,
-                          sizeof(tctx->tlsext_tick_hmac_key),
+        if (!HMAC_Init_ex(hctx, tctx->ext.tick_hmac_key,
+                          sizeof(tctx->ext.tick_hmac_key),
                           EVP_sha256(), NULL))
             goto err;
-        memcpy(key_name, tctx->tlsext_tick_key_name,
-               sizeof(tctx->tlsext_tick_key_name));
+        memcpy(key_name, tctx->ext.tick_key_name,
+               sizeof(tctx->ext.tick_key_name));
     }
 
     /*
@@ -3465,6 +3465,7 @@
  */
 int tls_construct_cert_status_body(SSL *s, WPACKET *pkt)
 {
+<<<<<<< 3b72dcd5fb4d2c756a830dba1fc34f4a7ae61b73
     if (!WPACKET_put_bytes_u8(pkt, s->tlsext_status_type)
             || !WPACKET_sub_memcpy_u24(pkt, s->tlsext_ocsp_resp,
                                        s->tlsext_ocsp_resplen)) {
@@ -3478,6 +3479,12 @@
 int tls_construct_cert_status(SSL *s, WPACKET *pkt)
 {
     if (!tls_construct_cert_status_body(s, pkt)) {
+=======
+    if (!WPACKET_put_bytes_u8(pkt, s->ext.status_type)
+            || !WPACKET_sub_memcpy_u24(pkt, s->ext.ocsp.resp,
+                                       s->ext.ocsp.resp_len)) {
+        SSLerr(SSL_F_TLS_CONSTRUCT_CERT_STATUS, ERR_R_INTERNAL_ERROR);
+>>>>>>> Move extension data into sub-structs
         ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
         return 0;
     }
@@ -3509,12 +3516,12 @@
         goto err;
     }
 
-    if (!PACKET_memdup(&next_proto, &s->next_proto_negotiated, &next_proto_len)) {
-        s->next_proto_negotiated_len = 0;
+    if (!PACKET_memdup(&next_proto, &s->ext.npn, &next_proto_len)) {
+        s->ext.npn_len = 0;
         goto err;
     }
 
-    s->next_proto_negotiated_len = (unsigned char)next_proto_len;
+    s->ext.npn_len = (unsigned char)next_proto_len;
 
     return MSG_PROCESS_CONTINUE_READING;
  err: