Revise for S3I removal.

1 files changed, 81 insertions, 81 deletions

diff --git a/regress/lib/libssl/tlsext/tlsexttest.c b/regress/lib/libssl/tlsext/tlsexttest.c
index 69460740383..03ce7a95e94 100644
--- a/regress/lib/libssl/tlsext/tlsexttest.c
+++ b/regress/lib/libssl/tlsext/tlsexttest.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tlsexttest.c,v 1.58 2022/01/11 18:29:10 jsing Exp $ */
+/* $OpenBSD: tlsexttest.c,v 1.59 2022/02/05 14:54:40 jsing Exp $ */
 /*
  * Copyright (c) 2017 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2017 Doug Hogan <doug@openbsd.org>
@@ -150,7 +150,7 @@ test_tlsext_alpn_client(void)
 	 * 1) Set s->internal->alpn_client_proto_list
 	 *    - Using SSL_set_alpn_protos()
 	 * 2) We have not finished or renegotiated.
-	 *    - S3I(s)->tmp.finish_md_len == 0
+	 *    - s->s3->tmp.finish_md_len == 0
 	 */
 	if (SSL_set_alpn_protos(ssl, tlsext_alpn_single_proto_val,
 	    sizeof(tlsext_alpn_single_proto_val)) != 0) {
@@ -345,12 +345,12 @@ test_tlsext_alpn_server(void)
 	 *
 	 * This will be a plain name and separate length.
 	 */
-	if ((S3I(ssl)->alpn_selected = malloc(sizeof(tlsext_alpn_single_proto_name))) == NULL) {
+	if ((ssl->s3->alpn_selected = malloc(sizeof(tlsext_alpn_single_proto_name))) == NULL) {
 		errx(1, "failed to malloc");
 	}
-	memcpy(S3I(ssl)->alpn_selected, tlsext_alpn_single_proto_name,
+	memcpy(ssl->s3->alpn_selected, tlsext_alpn_single_proto_name,
 	    sizeof(tlsext_alpn_single_proto_name));
-	S3I(ssl)->alpn_selected_len = sizeof(tlsext_alpn_single_proto_name);
+	ssl->s3->alpn_selected_len = sizeof(tlsext_alpn_single_proto_name);
 
 	if (!tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
 		FAIL("server should need ALPN after a protocol is selected\n");
@@ -412,23 +412,23 @@ test_tlsext_alpn_server(void)
 		goto err;
 	}
 
-	if (S3I(ssl)->alpn_selected_len !=
+	if (ssl->s3->alpn_selected_len !=
 	    sizeof(tlsext_alpn_single_proto_name)) {
 		FAIL("got server ALPN with length %zu, "
 		    "want length %zu\n", dlen,
 		    sizeof(tlsext_alpn_single_proto_name));
-		compare_data(S3I(ssl)->alpn_selected,
-		    S3I(ssl)->alpn_selected_len,
+		compare_data(ssl->s3->alpn_selected,
+		    ssl->s3->alpn_selected_len,
 		    tlsext_alpn_single_proto_name,
 		    sizeof(tlsext_alpn_single_proto_name));
 		goto err;
 	}
-	if (memcmp(S3I(ssl)->alpn_selected,
+	if (memcmp(ssl->s3->alpn_selected,
 	    tlsext_alpn_single_proto_name,
 	    sizeof(tlsext_alpn_single_proto_name)) != 0) {
 		FAIL("server ALPN differs:\n");
-		compare_data(S3I(ssl)->alpn_selected,
-		    S3I(ssl)->alpn_selected_len,
+		compare_data(ssl->s3->alpn_selected,
+		    ssl->s3->alpn_selected_len,
 		    tlsext_alpn_single_proto_name,
 		    sizeof(tlsext_alpn_single_proto_name));
 		goto err;
@@ -442,9 +442,9 @@ test_tlsext_alpn_server(void)
 
 	/* Make sure we can remove the list and avoid ALPN */
 
-	free(S3I(ssl)->alpn_selected);
-	S3I(ssl)->alpn_selected = NULL;
-	S3I(ssl)->alpn_selected_len = 0;
+	free(ssl->s3->alpn_selected);
+	ssl->s3->alpn_selected = NULL;
+	ssl->s3->alpn_selected_len = 0;
 
 	if (tlsext_alpn_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
 		FAIL("server should need ALPN by default\n");
@@ -1064,7 +1064,7 @@ test_tlsext_ecpf_server(void)
 		errx(1, "failed to create session");
 
 	/* Setup the state so we can call needs. */
-	if ((S3I(ssl)->hs.cipher =
+	if ((ssl->s3->hs.cipher =
 	    ssl3_get_cipher_by_id(TLS1_CK_ECDHE_ECDSA_CHACHA20_POLY1305))
 	    == NULL) {
 		FAIL("server cannot find cipher\n");
@@ -1311,11 +1311,11 @@ test_tlsext_ri_client(void)
 		goto err;
 	}
 
-	memcpy(S3I(ssl)->previous_client_finished, tlsext_ri_prev_client,
+	memcpy(ssl->s3->previous_client_finished, tlsext_ri_prev_client,
 	    sizeof(tlsext_ri_prev_client));
-	S3I(ssl)->previous_client_finished_len = sizeof(tlsext_ri_prev_client);
+	ssl->s3->previous_client_finished_len = sizeof(tlsext_ri_prev_client);
 
-	S3I(ssl)->renegotiate_seen = 0;
+	ssl->s3->renegotiate_seen = 0;
 
 	if (!tlsext_ri_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
 		FAIL("client failed to build RI\n");
@@ -1350,19 +1350,19 @@ test_tlsext_ri_client(void)
 		goto err;
 	}
 
-	if (S3I(ssl)->renegotiate_seen != 1) {
+	if (ssl->s3->renegotiate_seen != 1) {
 		FAIL("renegotiate seen not set\n");
 		goto err;
 	}
-	if (S3I(ssl)->send_connection_binding != 1) {
+	if (ssl->s3->send_connection_binding != 1) {
 		FAIL("send connection binding not set\n");
 		goto err;
 	}
 
-	memset(S3I(ssl)->previous_client_finished, 0,
-	    sizeof(S3I(ssl)->previous_client_finished));
+	memset(ssl->s3->previous_client_finished, 0,
+	    sizeof(ssl->s3->previous_client_finished));
 
-	S3I(ssl)->renegotiate_seen = 0;
+	ssl->s3->renegotiate_seen = 0;
 
 	CBS_init(&cbs, tlsext_ri_client, sizeof(tlsext_ri_client));
 	if (tlsext_ri_server_parse(ssl, SSL_TLSEXT_MSG_CH, &cbs, &alert)) {
@@ -1371,7 +1371,7 @@ test_tlsext_ri_client(void)
 		goto err;
 	}
 
-	if (S3I(ssl)->renegotiate_seen == 1) {
+	if (ssl->s3->renegotiate_seen == 1) {
 		FAIL("renegotiate seen set\n");
 		goto err;
 	}
@@ -1414,22 +1414,22 @@ test_tlsext_ri_server(void)
 		goto err;
 	}
 
-	S3I(ssl)->send_connection_binding = 1;
+	ssl->s3->send_connection_binding = 1;
 
 	if (!tlsext_ri_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
 		FAIL("server should need RI\n");
 		goto err;
 	}
 
-	memcpy(S3I(ssl)->previous_client_finished, tlsext_ri_prev_client,
+	memcpy(ssl->s3->previous_client_finished, tlsext_ri_prev_client,
 	    sizeof(tlsext_ri_prev_client));
-	S3I(ssl)->previous_client_finished_len = sizeof(tlsext_ri_prev_client);
+	ssl->s3->previous_client_finished_len = sizeof(tlsext_ri_prev_client);
 
-	memcpy(S3I(ssl)->previous_server_finished, tlsext_ri_prev_server,
+	memcpy(ssl->s3->previous_server_finished, tlsext_ri_prev_server,
 	    sizeof(tlsext_ri_prev_server));
-	S3I(ssl)->previous_server_finished_len = sizeof(tlsext_ri_prev_server);
+	ssl->s3->previous_server_finished_len = sizeof(tlsext_ri_prev_server);
 
-	S3I(ssl)->renegotiate_seen = 0;
+	ssl->s3->renegotiate_seen = 0;
 
 	if (!tlsext_ri_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
 		FAIL("server failed to build RI\n");
@@ -1464,21 +1464,21 @@ test_tlsext_ri_server(void)
 		goto err;
 	}
 
-	if (S3I(ssl)->renegotiate_seen != 1) {
+	if (ssl->s3->renegotiate_seen != 1) {
 		FAIL("renegotiate seen not set\n");
 		goto err;
 	}
-	if (S3I(ssl)->send_connection_binding != 1) {
+	if (ssl->s3->send_connection_binding != 1) {
 		FAIL("send connection binding not set\n");
 		goto err;
 	}
 
-	memset(S3I(ssl)->previous_client_finished, 0,
-	    sizeof(S3I(ssl)->previous_client_finished));
-	memset(S3I(ssl)->previous_server_finished, 0,
-	    sizeof(S3I(ssl)->previous_server_finished));
+	memset(ssl->s3->previous_client_finished, 0,
+	    sizeof(ssl->s3->previous_client_finished));
+	memset(ssl->s3->previous_server_finished, 0,
+	    sizeof(ssl->s3->previous_server_finished));
 
-	S3I(ssl)->renegotiate_seen = 0;
+	ssl->s3->renegotiate_seen = 0;
 
 	CBS_init(&cbs, tlsext_ri_server, sizeof(tlsext_ri_server));
 	if (tlsext_ri_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
@@ -1486,7 +1486,7 @@ test_tlsext_ri_server(void)
 		goto err;
 	}
 
-	if (S3I(ssl)->renegotiate_seen == 1) {
+	if (ssl->s3->renegotiate_seen == 1) {
 		FAIL("renegotiate seen set\n");
 		goto err;
 	}
@@ -1531,7 +1531,7 @@ test_tlsext_sigalgs_client(void)
 	if ((ssl = SSL_new(ssl_ctx)) == NULL)
 		errx(1, "failed to create SSL");
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
 
 	if (tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
 		fprintf(stderr, "FAIL: client should not need sigalgs\n");
@@ -1539,7 +1539,7 @@ test_tlsext_sigalgs_client(void)
 		goto done;
 	}
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
 
 	if (!tlsext_sigalgs_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
 		fprintf(stderr, "FAIL: client should need sigalgs\n");
@@ -2773,8 +2773,8 @@ test_tlsext_clienthello_build(void)
 		goto err;
 	}
 
-	S3I(ssl)->hs.our_min_tls_version = TLS1_VERSION;
-	S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
+	ssl->s3->hs.our_min_tls_version = TLS1_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
 
 	if (!tlsext_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
 		FAIL("failed to build clienthello extensions\n");
@@ -2804,7 +2804,7 @@ test_tlsext_clienthello_build(void)
 	CBB_init(&cbb, 0);
 
 	/* Switch to TLSv1.1, disable EC ciphers and session tickets. */
-	S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
 	if (!SSL_set_cipher_list(ssl, "TLSv1.2:!ECDHE:!ECDSA")) {
 		FAIL("failed to set cipher list\n");
 		goto err;
@@ -2887,9 +2887,9 @@ test_tlsext_serverhello_build(void)
 		goto err;
 	}
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
-	S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION;
-	S3I(ssl)->hs.cipher =
+	ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
+	ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
+	ssl->s3->hs.cipher =
 	    ssl3_get_cipher_by_id(TLS1_CK_RSA_WITH_AES_128_SHA256);
 
 	if (!tlsext_server_build(ssl, SSL_TLSEXT_MSG_SH, &cbb)) {
@@ -2920,8 +2920,8 @@ test_tlsext_serverhello_build(void)
 	CBB_init(&cbb, 0);
 
 	/* Turn a few things on so we get extensions... */
-	S3I(ssl)->send_connection_binding = 1;
-	S3I(ssl)->hs.cipher =
+	ssl->s3->send_connection_binding = 1;
+	ssl->s3->hs.cipher =
 	    ssl3_get_cipher_by_id(TLS1_CK_ECDHE_RSA_WITH_AES_128_SHA256);
 	ssl->internal->tlsext_status_expected = 1;
 	ssl->internal->tlsext_ticket_expected = 1;
@@ -2996,7 +2996,7 @@ test_tlsext_versions_client(void)
 	if ((ssl = SSL_new(ssl_ctx)) == NULL)
 		errx(1, "failed to create SSL");
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_1_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_1_VERSION;
 
 	if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
 		FAIL("client should not need versions\n");
@@ -3004,7 +3004,7 @@ test_tlsext_versions_client(void)
 		goto done;
 	}
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
 
 	if (tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
 		FAIL("client should not need versions\n");
@@ -3012,7 +3012,7 @@ test_tlsext_versions_client(void)
 		goto done;
 	}
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
 
 	if (!tlsext_versions_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
 		FAIL("client should need versions\n");
@@ -3020,8 +3020,8 @@ test_tlsext_versions_client(void)
 		goto done;
 	}
 
-	S3I(ssl)->hs.our_min_tls_version = TLS1_VERSION;
-	S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
+	ssl->s3->hs.our_min_tls_version = TLS1_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
 
 	if (!tlsext_versions_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
 		FAIL("client should have built versions\n");
@@ -3082,7 +3082,7 @@ test_tlsext_versions_server(void)
 	if ((ssl = SSL_new(ssl_ctx)) == NULL)
 		errx(1, "failed to create SSL");
 
-	S3I(ssl)->hs.negotiated_tls_version = TLS1_2_VERSION;
+	ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION;
 
 	if (tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
 		FAIL("server should not need versions\n");
@@ -3090,7 +3090,7 @@ test_tlsext_versions_server(void)
 		goto done;
 	}
 
-	S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION;
+	ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
 
 	if (!tlsext_versions_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
 		FAIL("server should need versions\n");
@@ -3172,27 +3172,27 @@ test_tlsext_keyshare_client(void)
 	if ((ssl = SSL_new(ssl_ctx)) == NULL)
 		errx(1, "failed to create SSL");
 
-	if ((S3I(ssl)->hs.key_share =
+	if ((ssl->s3->hs.key_share =
 	    tls_key_share_new_nid(NID_X25519)) == NULL)
 		errx(1, "failed to create key share");
-	if (!tls_key_share_generate(S3I(ssl)->hs.key_share))
+	if (!tls_key_share_generate(ssl->s3->hs.key_share))
 		errx(1, "failed to generate key share");
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
 	if (tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
 		FAIL("client should not need keyshare\n");
 		failure = 1;
 		goto done;
 	}
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
 	if (!tlsext_keyshare_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
 		FAIL("client should need keyshare\n");
 		failure = 1;
 		goto done;
 	}
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
 	if (!tlsext_keyshare_client_build(ssl, SSL_TLSEXT_MSG_CH, &cbb)) {
 		FAIL("client should have built keyshare\n");
 		failure = 1;
@@ -3263,13 +3263,13 @@ test_tlsext_keyshare_server(void)
 
 	CBB_init(&cbb, 0);
 
-	S3I(ssl)->hs.negotiated_tls_version = TLS1_2_VERSION;
+	ssl->s3->hs.negotiated_tls_version = TLS1_2_VERSION;
 	if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
 		FAIL("server should not need keyshare\n");
 		goto done;
 	}
 
-	S3I(ssl)->hs.negotiated_tls_version = TLS1_3_VERSION;
+	ssl->s3->hs.negotiated_tls_version = TLS1_3_VERSION;
 	if (tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
 		FAIL("client should not need keyshare\n");
 		goto done;
@@ -3279,7 +3279,7 @@ test_tlsext_keyshare_server(void)
 		FAIL("failed to find keyshare extension\n");
 		goto done;
 	}
-	S3I(ssl)->hs.extensions_seen |= (1 << idx);
+	ssl->s3->hs.extensions_seen |= (1 << idx);
 
 	if (!tlsext_keyshare_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
 		FAIL("server should need keyshare\n");
@@ -3291,20 +3291,20 @@ test_tlsext_keyshare_server(void)
 		goto done;
 	}
 
-	if ((S3I(ssl)->hs.key_share =
+	if ((ssl->s3->hs.key_share =
 		tls_key_share_new_nid(NID_X25519)) == NULL) {
 		FAIL("failed to create key share");
 		goto done;
 	}
 
-	if (!tls_key_share_generate(S3I(ssl)->hs.key_share)) {
+	if (!tls_key_share_generate(ssl->s3->hs.key_share)) {
 		FAIL("failed to generate key share");
 		goto done;
 	}
 
 	CBS_init(&cbs, bogokey, sizeof(bogokey));
 
-	if (!tls_key_share_peer_public(S3I(ssl)->hs.key_share, &cbs,
+	if (!tls_key_share_peer_public(ssl->s3->hs.key_share, &cbs,
 	    &decode_error, NULL)) {
 		FAIL("failed to load peer public key\n");
 		goto done;
@@ -3326,12 +3326,12 @@ test_tlsext_keyshare_server(void)
 		goto done;
 	}
 
-	if ((S3I(ssl)->hs.key_share =
+	if ((ssl->s3->hs.key_share =
 	    tls_key_share_new_nid(NID_X25519)) == NULL) {
 		FAIL("failed to create key share");
 		goto done;
 	}
-	if (!tls_key_share_generate(S3I(ssl)->hs.key_share)) {
+	if (!tls_key_share_generate(ssl->s3->hs.key_share)) {
 		FAIL("failed to generate key share");
 		goto done;
 	}
@@ -3386,7 +3386,7 @@ test_tlsext_cookie_client(void)
 	if ((ssl = SSL_new(ssl_ctx)) == NULL)
 		errx(1, "failed to create SSL");
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
 	if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
 		FAIL("client should not need cookie\n");
 		failure = 1;
@@ -3394,7 +3394,7 @@ test_tlsext_cookie_client(void)
 	}
 
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
 	if (tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
 		FAIL("client should not need cookie\n");
 		failure = 1;
@@ -3402,8 +3402,8 @@ test_tlsext_cookie_client(void)
 	}
 
 	/* Normally would be set by receiving a server cookie in an HRR */
-	S3I(ssl)->hs.tls13.cookie = strdup(cookie);
-	S3I(ssl)->hs.tls13.cookie_len = strlen(cookie);
+	ssl->s3->hs.tls13.cookie = strdup(cookie);
+	ssl->s3->hs.tls13.cookie_len = strlen(cookie);
 
 	if (!tlsext_cookie_client_needs(ssl, SSL_TLSEXT_MSG_CH)) {
 		FAIL("client should need cookie\n");
@@ -3474,14 +3474,14 @@ test_tlsext_cookie_server(void)
 	if ((ssl = SSL_new(ssl_ctx)) == NULL)
 		errx(1, "failed to create SSL");
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_2_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_2_VERSION;
 	if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
 		FAIL("server should not need cookie\n");
 		failure = 1;
 		goto done;
 	}
 
-	S3I(ssl)->hs.our_max_tls_version = TLS1_3_VERSION;
+	ssl->s3->hs.our_max_tls_version = TLS1_3_VERSION;
 	if (tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_SH)) {
 		FAIL("server should not need cookie\n");
 		failure = 1;
@@ -3489,8 +3489,8 @@ test_tlsext_cookie_server(void)
 	}
 
 	/* Normally would be set by server before sending HRR */
-	S3I(ssl)->hs.tls13.cookie = strdup(cookie);
-	S3I(ssl)->hs.tls13.cookie_len = strlen(cookie);
+	ssl->s3->hs.tls13.cookie = strdup(cookie);
+	ssl->s3->hs.tls13.cookie_len = strlen(cookie);
 
 	if (!tlsext_cookie_server_needs(ssl, SSL_TLSEXT_MSG_HRR)) {
 		FAIL("server should need cookie\n");
@@ -3526,9 +3526,9 @@ test_tlsext_cookie_server(void)
 		goto done;
 	}
 
-	freezero(S3I(ssl)->hs.tls13.cookie, S3I(ssl)->hs.tls13.cookie_len);
-	S3I(ssl)->hs.tls13.cookie = NULL;
-	S3I(ssl)->hs.tls13.cookie_len = 0;
+	freezero(ssl->s3->hs.tls13.cookie, ssl->s3->hs.tls13.cookie_len);
+	ssl->s3->hs.tls13.cookie = NULL;
+	ssl->s3->hs.tls13.cookie_len = 0;
 
 	if (!tlsext_cookie_client_parse(ssl, SSL_TLSEXT_MSG_SH, &cbs, &alert)) {
 		FAIL("failed to parse server cookie\n");
@@ -3536,8 +3536,8 @@ test_tlsext_cookie_server(void)
 		goto done;
 	}
 
-	if (memcmp(cookie, S3I(ssl)->hs.tls13.cookie,
-		S3I(ssl)->hs.tls13.cookie_len) != 0) {
+	if (memcmp(cookie, ssl->s3->hs.tls13.cookie,
+		ssl->s3->hs.tls13.cookie_len) != 0) {
 		FAIL("parsed server cookie does not match sent cookie\n");
 		failure = 1;
 		goto done;