Switch to using modular TLS code, single-implementation version

libraries/libldap/Makefile.in

@@ -25,7 +25,8 @@ SRCS	= bind.c open.c result.c error.c compare.c search.c \
 	getdn.c getentry.c getattr.c getvalues.c addentry.c \
 	request.c os-ip.c url.c pagectrl.c sortctrl.c vlvctrl.c \
 	init.c options.c print.c string.c util-int.c schema.c \
-	charray.c tls.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
+	charray.c os-local.c dnssrv.c utf-8.c utf-8-conv.c \
+	tls2.c tls_o.c tls_g.c tls_m.c \
 	turn.c ppolicy.c dds.c txn.c ldap_sync.c stctrl.c \
 	assertion.c deref.c
 
@@ -37,7 +38,8 @@ OBJS	= bind.lo open.lo result.lo error.lo compare.lo search.lo \
 	getdn.lo getentry.lo getattr.lo getvalues.lo addentry.lo \
 	request.lo os-ip.lo url.lo pagectrl.lo sortctrl.lo vlvctrl.lo \
 	init.lo options.lo print.lo string.lo util-int.lo schema.lo \
-	charray.lo tls.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
+	charray.lo os-local.lo dnssrv.lo utf-8.lo utf-8-conv.lo \
+	tls2.lo tls_o.lo tls_g.lo tls_m.lo \
 	turn.lo ppolicy.lo dds.lo txn.lo ldap_sync.lo stctrl.lo \
 	assertion.lo deref.lo
 

libraries/libldap/ldap-tls.h

@@ -19,14 +19,11 @@
 
 struct tls_impl;
 
-typedef struct tls_ctx {
-	struct tls_impl *tc_impl;
-} tls_ctx;
+struct tls_ctx;
+struct tls_session;
 
-typedef struct tls_session {
-	struct tls_impl *ts_impl;
-	void *ts_session;
-} tls_session;
+typedef struct tls_ctx tls_ctx;
+typedef struct tls_session tls_session;
 
 typedef int (TI_tls_init)(void);
 typedef void (TI_tls_destroy)(void);
@@ -75,4 +72,6 @@ typedef struct tls_impl {
 	int ti_inited;
 } tls_impl;
 
+extern tls_impl ldap_int_tls_impl;
+
 #endif /* _LDAP_TLS_H */

libraries/libldap/tls2.c

@@ -41,30 +41,7 @@
 #include <ldap_pvt_thread.h>
 #endif
 
-#ifdef HAVE_GNUTLS
-extern tls_impl ldap_int_gnutls_impl;
-#endif
-
-#ifdef HAVE_OPENSSL
-extern tls_impl ldap_int_openssl_impl;
-#endif
-
-#ifdef HAVE_MOZNSS
-extern tls_impl ldap_int_moznss_impl;
-#endif
-
-static tls_impl *tls_impls[] = {
-#ifdef HAVE_OPENSSL
-	&ldap_int_openssl_impl,
-#endif
-#ifdef HAVE_GNUTLS
-	&ldap_int_gnutls_impl,
-#endif
-#ifdef HAVE_MOZNSS
-	&ldap_int_moznss_impl,
-#endif
-	NULL
-};
+static tls_impl *tls_imp = &ldap_int_tls_impl;
 
 #endif /* HAVE_TLS */
 
@@ -98,11 +75,8 @@ static oid_name oids[] = {
 void
 ldap_pvt_tls_ctx_free ( void *c )
 {
-	tls_ctx *ctx = c;
-
-	if ( !ctx ) return;
-
-	ctx->tc_impl->ti_ctx_free( ctx );
+	if ( !c ) return;
+	tls_imp->ti_ctx_free( c );
 }
 
 static void
@@ -110,7 +84,7 @@ tls_ctx_ref( tls_ctx *ctx )
 {
 	if ( !ctx ) return;
 
-	ctx->tc_impl->ti_ctx_ref( ctx );
+	tls_imp->ti_ctx_ref( ctx );
 }
 
 #ifdef LDAP_R_COMPILE
@@ -169,11 +143,7 @@ ldap_pvt_tls_destroy( void )
 
 	ldap_int_tls_destroy( lo );
 
-	for ( i=0; tls_impls[i]; i++ ) {
-		if ( tls_impls[i]->ti_inited ) {
-			tls_impls[i]->ti_tls_destroy();
-		}
-	}
+	tls_imp->ti_tls_destroy();
 }
 
 /*
@@ -207,7 +177,7 @@ ldap_pvt_tls_init( void )
 {
 	struct ldapoptions *lo = LDAP_INT_GLOBAL_OPT();   
 
-	return tls_init( tls_impls[lo->ldo_tls_impl] );
+	return tls_init( tls_imp );
 }
 
 /*
@@ -217,7 +187,7 @@ static int
 ldap_int_tls_init_ctx( struct ldapoptions *lo, int is_server )
 {
 	int i, rc = 0;
-	tls_impl *ti = tls_impls[lo->ldo_tls_impl];
+	tls_impl *ti = tls_imp;
 	struct ldaptls lts = lo->ldo_tls_info;
 
 	if ( lo->ldo_tls_ctx )
@@ -322,7 +292,7 @@ alloc_handle( void *ctx_arg, int is_server )
 		ctx = lo->ldo_tls_ctx;
 	}
 
-	ssl = ctx->tc_impl->ti_session_new( ctx, is_server );
+	ssl = tls_imp->ti_session_new( ctx, is_server );
 	if ( ssl == NULL ) {
 		Debug( LDAP_DEBUG_ANY,"TLS: can't create ssl handle.\n",0,0,0);
 		return NULL;
@@ -336,7 +306,7 @@ update_flags( Sockbuf *sb, tls_session * ssl, int rc )
 	sb->sb_trans_needs_read  = 0;
 	sb->sb_trans_needs_write = 0;
 
-	return ssl->ts_impl->ti_session_upflags( sb, ssl, rc );
+	return tls_imp->ti_session_upflags( sb, ssl, rc );
 }
 
 /*
@@ -374,7 +344,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 		ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
 			LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" );
 #endif
-		ber_sockbuf_add_io( sb, ssl->ts_impl->ti_sbio,
+		ber_sockbuf_add_io( sb, tls_imp->ti_sbio,
 			LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl );
 
 		lo = LDAP_INT_GLOBAL_OPT();   
@@ -391,7 +361,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 			lo->ldo_tls_connect_cb( ld, ssl, ctx, lo->ldo_tls_connect_arg );
 	}
 
-	err = ssl->ts_impl->ti_session_connect( ld, ssl );
+	err = tls_imp->ti_session_connect( ld, ssl );
 
 #ifdef HAVE_WINSOCK
 	errno = WSAGetLastError();
@@ -404,7 +374,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 			return 1;
 		}
 
-		msg = ssl->ts_impl->ti_session_errmsg( err, buf, sizeof(buf) );
+		msg = tls_imp->ti_session_errmsg( err, buf, sizeof(buf) );
 		if ( msg ) {
 			if ( ld->ld_error ) {
 				LDAP_FREE( ld->ld_error );
@@ -418,7 +388,7 @@ ldap_int_tls_connect( LDAP *ld, LDAPConn *conn )
 		Debug( LDAP_DEBUG_ANY,"TLS: can't connect: %s.\n",
 			ld->ld_error ? ld->ld_error : "" ,0,0);
 
-		ber_sockbuf_remove_io( sb, ssl->ts_impl->ti_sbio,
+		ber_sockbuf_remove_io( sb, tls_imp->ti_sbio,
 			LBER_SBIOD_LEVEL_TRANSPORT );
 #ifdef LDAP_DEBUG
 		ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug,
@@ -449,11 +419,11 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
 		ber_sockbuf_add_io( sb, &ber_sockbuf_io_debug,
 			LBER_SBIOD_LEVEL_TRANSPORT, (void *)"tls_" );
 #endif
-		ber_sockbuf_add_io( sb, ssl->ts_impl->ti_sbio,
+		ber_sockbuf_add_io( sb, tls_imp->ti_sbio,
 			LBER_SBIOD_LEVEL_TRANSPORT, (void *)ssl );
 	}
 
-	err = ssl->ts_impl->ti_session_accept( ssl );
+	err = tls_imp->ti_session_accept( ssl );
 
 #ifdef HAVE_WINSOCK
 	errno = WSAGetLastError();
@@ -465,9 +435,9 @@ ldap_pvt_tls_accept( Sockbuf *sb, void *ctx_arg )
 		if ( update_flags( sb, ssl, err )) return 1;
 
 		Debug( LDAP_DEBUG_ANY,"TLS: can't accept: %s.\n",
-			ssl->ts_impl->ti_session_errmsg( err, buf, sizeof(buf) ),0,0 );
+			tls_imp->ti_session_errmsg( err, buf, sizeof(buf) ),0,0 );
 
-		ber_sockbuf_remove_io( sb, ssl->ts_impl->ti_sbio,
+		ber_sockbuf_remove_io( sb, tls_imp->ti_sbio,
 			LBER_SBIOD_LEVEL_TRANSPORT );
 #ifdef LDAP_DEBUG
 		ber_sockbuf_remove_io( sb, &ber_sockbuf_io_debug,
@@ -513,7 +483,7 @@ ldap_pvt_tls_get_peer_dn( void *s, struct berval *dn,
 	struct berval bvdn;
 	int rc;
 
-	rc = session->ts_impl->ti_session_peer_dn( session, &bvdn );
+	rc = tls_imp->ti_session_peer_dn( session, &bvdn );
 	if ( rc ) return rc;
 
 	rc = ldap_X509dn2bv( &bvdn, dn, 
@@ -526,7 +496,7 @@ ldap_pvt_tls_check_hostname( LDAP *ld, void *s, const char *name_in )
 {
 	tls_session *session = s;
 
-	return session->ts_impl->ti_session_chkhost( ld, session, name_in );
+	return tls_imp->ti_session_chkhost( ld, session, name_in );
 }
 
 int
@@ -823,7 +793,7 @@ ldap_int_tls_start ( LDAP *ld, LDAPConn *conn, LDAPURLDesc *srv )
 		host = "localhost";
 	}
 
-	(void) tls_init( tls_impls[ld->ld_options.ldo_tls_impl] );
+	(void) tls_init( tls_imp );
 
 	/*
 	 * Fortunately, the lib uses blocking io...
@@ -866,7 +836,7 @@ ldap_pvt_tls_get_strength( void *s )
 {
 	tls_session *session = s;
 
-	return session->ts_impl->ti_session_strength( session );
+	return tls_imp->ti_session_strength( session );
 }
 
 
@@ -878,7 +848,7 @@ ldap_pvt_tls_get_my_dn( void *s, struct berval *dn, LDAPDN_rewrite_dummy *func,
 	struct berval der_dn;
 	int rc;
 
-	session->ts_impl->ti_session_my_dn( session, &der_dn );
+	tls_imp->ti_session_my_dn( session, &der_dn );
 	rc = ldap_X509dn2bv(&der_dn, dn, (LDAPDN_rewrite_func *)func, flags );
 	return rc;
 #else /* !HAVE_TLS */

libraries/libldap/tls_g.c

@@ -58,7 +58,6 @@ typedef struct tls_cipher_suite {
 } tls_cipher_suite;
 
 typedef struct tlsg_ctx {
-	tls_impl *tc_impl;
 	struct ldapoptions *lo;
 	gnutls_certificate_credentials_t cred;
 	gnutls_dh_params_t dh_params;
@@ -73,7 +72,6 @@ typedef struct tlsg_ctx {
 } tlsg_ctx;
 
 typedef struct tlsg_session {
-	tls_impl *ts_impl;
 	gnutls_session_t session;
 	tlsg_ctx *ctx;
 	struct berval peer_der_dn;
@@ -84,7 +82,6 @@ static int tlsg_n_ciphers;
 
 static int tlsg_parse_ciphers( tlsg_ctx *ctx, char *suites );
 static int tlsg_cert_verify( tlsg_session *s );
-extern tls_impl ldap_int_gnutls_impl;
 
 #ifdef LDAP_R_COMPILE
 
@@ -205,7 +202,6 @@ tlsg_ctx_new ( struct ldapoptions *lo )
 			ber_memfree( ctx );
 			return NULL;
 		}
-		ctx->tc_impl = &ldap_int_gnutls_impl;
 		ctx->refcount = 1;
 #ifdef LDAP_R_COMPILE
 		ldap_pvt_thread_mutex_init( &ctx->ref_mutex );
@@ -326,7 +322,6 @@ tlsg_session_new ( tls_ctx * ctx, int is_server )
 		return NULL;
 
 	session->ctx = c;
-	session->ts_impl = &ldap_int_gnutls_impl;
 	gnutls_init( &session->session, is_server ? GNUTLS_SERVER : GNUTLS_CLIENT );
 	gnutls_set_default_priority( session->session );
 	if ( c->kx_list ) {
@@ -940,7 +935,7 @@ tlsg_cert_verify( tlsg_session *ssl )
 	return 0;
 }
 
-tls_impl ldap_int_gnutls_impl = {
+tls_impl ldap_int_tls_impl = {
 	"GnuTLS",
 
 	tlsg_init,

libraries/libldap/tls_m.c

@@ -46,7 +46,6 @@
 #include <ssl.h>
 
 typedef struct tlsm_ctx {
-	tls_impl *tc_impl;
 	PRFileDesc *tc_model;
 	int tc_refcnt;
 #ifdef LDAP_R_COMPILE
@@ -54,16 +53,13 @@ typedef struct tlsm_ctx {
 #endif
 } tlsm_ctx;
 
-typedef struct tlsm_session {
-	tls_impl *ts_impl;
-	PRFileDesc *ts_session;
-} tlsm_session;
+typedef PRFileDesc tlsm_session;
 
 static PRDescIdentity	tlsm_layer_id;
 
 static const PRIOMethods tlsm_PR_methods;
 
-extern tls_impl ldap_int_moznss_impl;
+extern tls_impl ldap_int_tls_impl;
 
 #ifdef LDAP_R_COMPILE
 
@@ -117,7 +113,6 @@ tlsm_ctx_new ( struct ldapoptions *lo )
 		if ( fd ) {
 			ctx->tc_model = SSL_ImportFD( NULL, fd );
 			if ( ctx->tc_model ) {
-				ctx->tc_impl = &ldap_int_moznss_impl;
 				ctx->tc_refcnt = 1;
 #ifdef LDAP_R_COMPILE
 				ldap_pvt_thread_mutex_init( &ctx->tc_refmutex );
@@ -252,26 +247,18 @@ tlsm_session_new ( tls_ctx * ctx, int is_server )
 	tlsm_session *session;
 	PRFileDesc *fd;
 
-	session = LDAP_MALLOC( sizeof (*session) );
-	if ( !session )
-		return NULL;
-
 	fd = PR_CreateIOLayerStub(tlsm_layer_id, &tlsm_PR_methods);
 	if ( !fd ) {
-		LDAP_FREE( session );
 		return NULL;
 	}
 
-	session->ts_session = SSL_ImportFD( c->tc_model, fd );
-	if ( !session->ts_session ) {
+	session = SSL_ImportFD( c->tc_model, fd );
+	if ( !session ) {
 		PR_DELETE( fd );
-		LDAP_FREE( session );
 		return NULL;
 	}
 
-	session->ts_impl = &ldap_int_moznss_impl;
-
-	SSL_ResetHandshake( session->ts_session, is_server );
+	SSL_ResetHandshake( session, is_server );
 
 	return (tls_session *)session;
 } 
@@ -281,7 +268,7 @@ tlsm_session_accept( tls_session *session )
 {
 	tlsm_session *s = (tlsm_session *)session;
 
-	return SSL_ForceHandshake( s->ts_session );
+	return SSL_ForceHandshake( s );
 }
 
 static int
@@ -291,8 +278,8 @@ tlsm_session_connect( LDAP *ld, tls_session *session )
 	int rc;
 
 	/* By default, NSS checks the cert hostname for us */
-	rc = SSL_SetURL( s->ts_session, ld->ld_options.ldo_defludp->lud_host );
-	return SSL_ForceHandshake( s->ts_session );
+	rc = SSL_SetURL( s, ld->ld_options.ldo_defludp->lud_host );
+	return SSL_ForceHandshake( s );
 }
 
 static int
@@ -331,7 +318,7 @@ tlsm_session_my_dn( tls_session *session, struct berval *der_dn )
 	tlsm_session *s = (tlsm_session *)session;
 	CERTCertificate *cert;
 
-	cert = SSL_LocalCertificate( s->ts_session );
+	cert = SSL_LocalCertificate( s );
 	if (!cert) return LDAP_INVALID_CREDENTIALS;
 
 	der_dn->bv_val = cert->derSubject.data;
@@ -346,7 +333,7 @@ tlsm_session_peer_dn( tls_session *session, struct berval *der_dn )
 	tlsm_session *s = (tlsm_session *)session;
 	CERTCertificate *cert;
 
-	cert = SSL_PeerCertificate( s->ts_session );
+	cert = SSL_PeerCertificate( s );
 	if (!cert) return LDAP_INVALID_CREDENTIALS;
 	
 	der_dn->bv_val = cert->derSubject.data;
@@ -529,7 +516,7 @@ tlsm_session_strength( tls_session *session )
 	tlsm_session *s = (tlsm_session *)session;
 	int rc, keySize;
 
-	rc = SSL_SecurityStatus( s->ts_session, NULL, NULL, NULL, &keySize,
+	rc = SSL_SecurityStatus( s, NULL, NULL, NULL, &keySize,
 		NULL, NULL );
 	return rc ? 0 : keySize;
 }
@@ -703,7 +690,7 @@ tlsm_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
 		return -1;
 	}
 
-	fd = PR_GetIdentitiesLayer( session->ts_session, tlsm_layer_id );
+	fd = PR_GetIdentitiesLayer( session, tlsm_layer_id );
 	if ( !fd ) {
 		LBER_FREE( p );
 		return -1;
@@ -725,8 +712,7 @@ tlsm_sb_remove( Sockbuf_IO_Desc *sbiod )
 	assert( sbiod->sbiod_pvt != NULL );
 
 	p = (struct tls_data *)sbiod->sbiod_pvt;
-	PR_Close( p->session->ts_session );
-	LBER_FREE( p->session );
+	PR_Close( p->session );
 	LBER_FREE( sbiod->sbiod_pvt );
 	sbiod->sbiod_pvt = NULL;
 	return 0;
@@ -741,7 +727,7 @@ tlsm_sb_close( Sockbuf_IO_Desc *sbiod )
 	assert( sbiod->sbiod_pvt != NULL );
 
 	p = (struct tls_data *)sbiod->sbiod_pvt;
-	PR_Shutdown( p->session->ts_session, PR_SHUTDOWN_BOTH );
+	PR_Shutdown( p->session, PR_SHUTDOWN_BOTH );
 	return 0;
 }
 
@@ -760,7 +746,7 @@ tlsm_sb_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
 		return 1;
 		
 	} else if ( opt == LBER_SB_OPT_DATA_READY ) {
-        PRPollDesc pd = { p->session->ts_session, PR_POLL_READ, 0 };
+        PRPollDesc pd = { p->session, PR_POLL_READ, 0 };
         if( PR_Poll( &pd, 1, 1 ) > 0 ) {
             return 1;
 		}
@@ -781,7 +767,7 @@ tlsm_sb_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 
 	p = (struct tls_data *)sbiod->sbiod_pvt;
 
-	ret = PR_Recv( p->session->ts_session, buf, len, 0, PR_INTERVAL_NO_TIMEOUT );
+	ret = PR_Recv( p->session, buf, len, 0, PR_INTERVAL_NO_TIMEOUT );
 	if ( ret < 0 ) {
 		err = PR_GetError();
 		if ( err == PR_PENDING_INTERRUPT_ERROR || err == PR_WOULD_BLOCK_ERROR ) {
@@ -806,7 +792,7 @@ tlsm_sb_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 
 	p = (struct tls_data *)sbiod->sbiod_pvt;
 
-	ret = PR_Send( p->session->ts_session, (char *)buf, len, 0, PR_INTERVAL_NO_TIMEOUT );
+	ret = PR_Send( p->session, (char *)buf, len, 0, PR_INTERVAL_NO_TIMEOUT );
 	if ( ret < 0 ) {
 		err = PR_GetError();
 		if ( err == PR_PENDING_INTERRUPT_ERROR || err == PR_WOULD_BLOCK_ERROR ) {

libraries/libldap/tls_o.c

@@ -51,18 +51,8 @@
 #include <ssl.h>
 #endif
 
-typedef struct tlso_ctx {
-	tls_impl *tc_impl;
-	SSL_CTX *tc_ctx;
-	int tc_refcnt;
-} tlso_ctx;
-
-typedef struct tlso_session {
-	tls_impl *ts_impl;
-	SSL *ts_session;
-} tlso_session;
-
-extern tls_impl ldap_int_openssl_impl;
+typedef SSL_CTX tlso_ctx;
+typedef SSL tlso_session;
 
 static int  tlso_opt_trace = 1;
 
@@ -201,36 +191,21 @@ tlso_destroy( void )
 static tls_ctx *
 tlso_ctx_new( struct ldapoptions *lo )
 {
-	tlso_ctx *ctx = LDAP_MALLOC( sizeof(tlso_ctx) );
-	if ( ctx ) {
-		ctx->tc_ctx = SSL_CTX_new( SSLv23_method() );
-		if ( ctx->tc_ctx ) {
-			ctx->tc_impl = &ldap_int_openssl_impl;
-			ctx->tc_refcnt = 1;
-		} else {
-			LDAP_FREE( ctx );
-			ctx = NULL;
-		}
-	}
-	return (tls_ctx *)ctx;
+	return (tls_ctx *) SSL_CTX_new( SSLv23_method() );
 }
 
 static void
 tlso_ctx_ref( tls_ctx *ctx )
 {
 	tlso_ctx *c = (tlso_ctx *)ctx;
-	c->tc_refcnt++;
+	CRYPTO_add( &c->references, 1, CRYPTO_LOCK_SSL_CTX );
 }
 
 static void
 tlso_ctx_free ( tls_ctx *ctx )
 {
 	tlso_ctx *c = (tlso_ctx *)ctx;
-	c->tc_refcnt--;
-	if ( c->tc_refcnt < 1 ) {
-		SSL_CTX_free( c->tc_ctx );
-		LDAP_FREE( c );
-	}
+	SSL_CTX_free( c );
 }
 
 /*
@@ -239,8 +214,7 @@ tlso_ctx_free ( tls_ctx *ctx )
 static int
 tlso_ctx_init( struct ldapoptions *lo, struct ldaptls *lt, int is_server )
 {
-	tlso_ctx *tc = (tlso_ctx *)lo->ldo_tls_ctx;
-	SSL_CTX *ctx = tc->tc_ctx;
+	tlso_ctx *ctx = (tlso_ctx *)lo->ldo_tls_ctx;
 	int i;
 
 	if ( is_server ) {
@@ -375,17 +349,7 @@ static tls_session *
 tlso_session_new( tls_ctx *ctx, int is_server )
 {
 	tlso_ctx *c = (tlso_ctx *)ctx;
-	tlso_session *s = LDAP_MALLOC( sizeof(tlso_session));
-	if ( s ) {
-		s->ts_session = SSL_new( c->tc_ctx );
-		if ( s->ts_session ) {
-			s->ts_impl = &ldap_int_openssl_impl;
-		} else {
-			LDAP_FREE( s );
-			s = NULL;
-		}
-	}
-	return (tls_session *)s;
+	return (tls_session *)SSL_new( c );
 }
 
 static int
@@ -394,7 +358,7 @@ tlso_session_connect( LDAP *ld, tls_session *sess )
 	tlso_session *s = (tlso_session *)sess;
 
 	/* Caller expects 0 = success, OpenSSL returns 1 = success */
-	return SSL_connect( s->ts_session ) - 1;
+	return SSL_connect( s ) - 1;
 }
 
 static int
@@ -403,7 +367,7 @@ tlso_session_accept( tls_session *sess )
 	tlso_session *s = (tlso_session *)sess;
 
 	/* Caller expects 0 = success, OpenSSL returns 1 = success */
-	return SSL_accept( s->ts_session ) - 1;
+	return SSL_accept( s ) - 1;
 }
 
 static int
@@ -412,7 +376,7 @@ tlso_session_upflags( Sockbuf *sb, tls_session *sess, int rc )
 	tlso_session *s = (tlso_session *)sess;
 
 	/* 1 was subtracted above, offset it back now */
-	rc = SSL_get_error(s->ts_session, rc+1);
+	rc = SSL_get_error(s, rc+1);
 	if (rc == SSL_ERROR_WANT_READ) {
 		sb->sb_trans_needs_read  = 1;
 		return 1;
@@ -445,7 +409,7 @@ tlso_session_my_dn( tls_session *sess, struct berval *der_dn )
 	X509 *x;
 	X509_NAME *xn;
 
-	x = SSL_get_certificate( s->ts_session );
+	x = SSL_get_certificate( s );
 
 	if (!x) return LDAP_INVALID_CREDENTIALS;
 	
@@ -470,7 +434,7 @@ static int
 tlso_session_peer_dn( tls_session *sess, struct berval *der_dn )
 {
 	tlso_session *s = (tlso_session *)sess;
-	X509 *x = tlso_get_cert( s->ts_session );
+	X509 *x = tlso_get_cert( s );
 	X509_NAME *xn;
 
 	if ( !x )
@@ -511,7 +475,7 @@ tlso_session_chkhost( LDAP *ld, tls_session *sess, const char *name_in )
 		name = name_in;
 	}
 
-	x = tlso_get_cert(s->ts_session);
+	x = tlso_get_cert(s);
 	if (!x) {
 		Debug( LDAP_DEBUG_ANY,
 			"TLS: unable to get peer certificate.\n",
@@ -668,7 +632,7 @@ tlso_session_strength( tls_session *sess )
 	tlso_session *s = (tlso_session *)sess;
 	SSL_CIPHER *c;
 
-	c = SSL_get_current_cipher(s->ts_session);
+	c = SSL_get_current_cipher(s);
 	return SSL_CIPHER_get_bits(c, NULL);
 }
 
@@ -807,7 +771,7 @@ tlso_sb_setup( Sockbuf_IO_Desc *sbiod, void *arg )
 	p->sbiod = sbiod;
 	bio = BIO_new( &tlso_bio_method );
 	bio->ptr = (void *)p;
-	SSL_set_bio( p->session->ts_session, bio, bio );
+	SSL_set_bio( p->session, bio, bio );
 	sbiod->sbiod_pvt = p;
 	return 0;
 }
@@ -821,8 +785,7 @@ tlso_sb_remove( Sockbuf_IO_Desc *sbiod )
 	assert( sbiod->sbiod_pvt != NULL );
 
 	p = (struct tls_data *)sbiod->sbiod_pvt;
-	SSL_free( p->session->ts_session );
-	LDAP_FREE( p->session );
+	SSL_free( p->session );
 	LBER_FREE( sbiod->sbiod_pvt );
 	sbiod->sbiod_pvt = NULL;
 	return 0;
@@ -837,7 +800,7 @@ tlso_sb_close( Sockbuf_IO_Desc *sbiod )
 	assert( sbiod->sbiod_pvt != NULL );
 
 	p = (struct tls_data *)sbiod->sbiod_pvt;
-	SSL_shutdown( p->session->ts_session );
+	SSL_shutdown( p->session );
 	return 0;
 }
 
@@ -856,7 +819,7 @@ tlso_sb_ctrl( Sockbuf_IO_Desc *sbiod, int opt, void *arg )
 		return 1;
 
 	} else if ( opt == LBER_SB_OPT_DATA_READY ) {
-		if( SSL_pending( p->session->ts_session ) > 0 ) {
+		if( SSL_pending( p->session ) > 0 ) {
 			return 1;
 		}
 	}
@@ -876,11 +839,11 @@ tlso_sb_read( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 
 	p = (struct tls_data *)sbiod->sbiod_pvt;
 
-	ret = SSL_read( p->session->ts_session, (char *)buf, len );
+	ret = SSL_read( p->session, (char *)buf, len );
 #ifdef HAVE_WINSOCK
 	errno = WSAGetLastError();
 #endif
-	err = SSL_get_error( p->session->ts_session, ret );
+	err = SSL_get_error( p->session, ret );
 	if (err == SSL_ERROR_WANT_READ ) {
 		sbiod->sbiod_sb->sb_trans_needs_read = 1;
 		sock_errset(EWOULDBLOCK);
@@ -902,11 +865,11 @@ tlso_sb_write( Sockbuf_IO_Desc *sbiod, void *buf, ber_len_t len)
 
 	p = (struct tls_data *)sbiod->sbiod_pvt;
 
-	ret = SSL_write( p->session->ts_session, (char *)buf, len );
+	ret = SSL_write( p->session, (char *)buf, len );
 #ifdef HAVE_WINSOCK
 	errno = WSAGetLastError();
 #endif
-	err = SSL_get_error( p->session->ts_session, ret );
+	err = SSL_get_error( p->session, ret );
 	if (err == SSL_ERROR_WANT_WRITE ) {
 		sbiod->sbiod_sb->sb_trans_needs_write = 1;
 		sock_errset(EWOULDBLOCK);
@@ -1253,7 +1216,7 @@ tlso_tmp_dh_cb( SSL *ssl, int is_export, int key_length )
 	return dh;
 }
 
-tls_impl ldap_int_openssl_impl = {
+tls_impl ldap_int_tls_impl = {
 	"OpenSSL",
 
 	tlso_init,