tls: make tls engines pluggable

- add infra for pluggable tls "engines"
- makes mbedtls specific code a plugin

Change-Id: I2c5b099e2b69d2be0038e3ef02b208ff907727e7
Signed-off-by: Florin Coras <fcoras@cisco.com>
diff --git a/src/vnet/session-apps/tls.c b/src/vnet/tls/tls.c
similarity index 60%
rename from src/vnet/session-apps/tls.c
rename to src/vnet/tls/tls.c
index d71dfb4..65900c8 100644
--- a/src/vnet/session-apps/tls.c
+++ b/src/vnet/tls/tls.c
@@ -15,110 +15,15 @@
 
 #include <vnet/session/application_interface.h>
 #include <vppinfra/lock.h>
-#include <mbedtls/ssl.h>
-#include <mbedtls/certs.h>
-#include <mbedtls/entropy.h>
-#include <mbedtls/ctr_drbg.h>
-#include <mbedtls/timing.h>
-#include <mbedtls/debug.h>
-
-#define TLS_DEBUG 		0
-#define TLS_DEBUG_LEVEL_CLIENT 	0
-#define TLS_DEBUG_LEVEL_SERVER 	0
-
-#define TLS_CHUNK_SIZE 		(1 << 14)
-#define TLS_USE_OUR_MEM_FUNCS	0
-#define TLS_CA_CERT_PATH	"/etc/ssl/certs/ca-certificates.crt"
-
-#if TLS_DEBUG
-#define TLS_DBG(_lvl, _fmt, _args...) 			\
-  if (_lvl <= TLS_DEBUG) 				\
-    clib_warning (_fmt, ##_args)
-#else
-#define TLS_DBG(_fmt, _args...)
-#endif
-
-#if TLS_USE_OUR_MEM_FUNCS
-#include <mbedtls/platform.h>
-
-void *
-mbedtls_calloc_fn (size_t n, size_t size)
-{
-  void *ptr;
-  ptr = clib_mem_alloc (n * size);
-  memset (ptr, 0, sizeof (*ptr));
-  return ptr;
-}
-
-void
-mbedtls_free_fn (void *ptr)
-{
-  if (ptr)
-    clib_mem_free (ptr);
-}
-#endif
-
-/* *INDENT-OFF* */
-typedef CLIB_PACKED (struct tls_cxt_id_
-{
-  u32 parent_app_index;
-  session_handle_t app_session_handle;
-  session_handle_t tls_session_handle;
-  u32 listener_ctx_index;
-  u8 tcp_is_ip4;
-}) tls_ctx_id_t;
-/* *INDENT-ON* */
-
-STATIC_ASSERT (sizeof (tls_ctx_id_t) <= 42, "ctx id must be less than 42");
-
-typedef struct tls_ctx_
-{
-  union
-  {
-    transport_connection_t connection;
-    tls_ctx_id_t c_tls_ctx_id;
-  };
-#define parent_app_index c_tls_ctx_id.parent_app_index
-#define app_session_handle c_tls_ctx_id.app_session_handle
-#define tls_session_handle c_tls_ctx_id.tls_session_handle
-#define listener_ctx_index c_tls_ctx_id.listener_ctx_index
-#define tcp_is_ip4 c_tls_ctx_id.tcp_is_ip4
-#define tls_ctx_idx c_c_index
-  /* Temporary storage for session open opaque. Overwritten once
-   * underlying tcp connection is established */
-#define parent_app_api_context c_s_index
-
-  u8 is_passive_close;
-  u8 *srv_hostname;
-  mbedtls_ssl_context ssl;
-  mbedtls_ssl_config conf;
-  mbedtls_x509_crt srvcert;
-  mbedtls_pk_context pkey;
-} tls_ctx_t;
-
-typedef struct tls_main_
-{
-  u32 app_index;
-  tls_ctx_t ***ctx_pool;
-  mbedtls_ctr_drbg_context *ctr_drbgs;
-  mbedtls_entropy_context *entropy_pools;
-  tls_ctx_t *listener_ctx_pool;
-  tls_ctx_t *half_open_ctx_pool;
-  clib_rwlock_t half_open_rwlock;
-  mbedtls_x509_crt cacert;
-
-  /*
-   * Config
-   */
-  u8 use_test_cert_in_ca;
-  char *ca_cert_path;
-} tls_main_t;
+#include <vnet/tls/tls.h>
 
 static tls_main_t tls_main;
+static tls_engine_vft_t *tls_vfts;
 
+#define DEFAULT_ENGINE 0
 void tls_disconnect (u32 ctx_index, u32 thread_index);
 
-static inline int
+int
 tls_add_vpp_q_evt (svm_fifo_t * f, u8 evt_type)
 {
   session_fifo_event_t evt;
@@ -181,47 +86,6 @@
 }
 
 u32
-tls_ctx_alloc (void)
-{
-  u8 thread_index = vlib_get_thread_index ();
-  tls_main_t *tm = &tls_main;
-  tls_ctx_t **ctx;
-
-  pool_get (tm->ctx_pool[thread_index], ctx);
-  if (!(*ctx))
-    *ctx = clib_mem_alloc (sizeof (tls_ctx_t));
-
-  memset (*ctx, 0, sizeof (tls_ctx_t));
-  (*ctx)->c_thread_index = thread_index;
-  return ctx - tm->ctx_pool[thread_index];
-}
-
-void
-tls_ctx_free (tls_ctx_t * ctx)
-{
-  vec_free (ctx->srv_hostname);
-  pool_put_index (tls_main.ctx_pool[vlib_get_thread_index ()],
-		  ctx->tls_ctx_idx);
-}
-
-tls_ctx_t *
-tls_ctx_get (u32 ctx_index)
-{
-  tls_ctx_t **ctx;
-  ctx = pool_elt_at_index (tls_main.ctx_pool[vlib_get_thread_index ()],
-			   ctx_index);
-  return (*ctx);
-}
-
-tls_ctx_t *
-tls_ctx_get_w_thread (u32 ctx_index, u8 thread_index)
-{
-  tls_ctx_t **ctx;
-  ctx = pool_elt_at_index (tls_main.ctx_pool[thread_index], ctx_index);
-  return (*ctx);
-}
-
-u32
 tls_listener_ctx_alloc (void)
 {
   tls_main_t *tm = &tls_main;
@@ -306,259 +170,6 @@
 }
 
 static int
-tls_init_ctr_drbgs_and_entropy (u32 num_threads)
-{
-  tls_main_t *tm = &tls_main;
-  int i;
-
-  vec_validate (tm->ctr_drbgs, num_threads - 1);
-  vec_validate (tm->entropy_pools, num_threads - 1);
-  for (i = 0; i < num_threads; i++)
-    tls_main.ctr_drbgs[i].f_entropy = 0;
-
-  return 0;
-}
-
-static int
-tls_init_ctr_seed_drbgs (void)
-{
-  u32 thread_index = vlib_get_thread_index ();
-  tls_main_t *tm = &tls_main;
-  u8 *pers;
-  int rv;
-  pers = format (0, "vpp thread %u", thread_index);
-
-  mbedtls_entropy_init (&tm->entropy_pools[thread_index]);
-  mbedtls_ctr_drbg_init (&tls_main.ctr_drbgs[thread_index]);
-  if ((rv = mbedtls_ctr_drbg_seed (&tm->ctr_drbgs[thread_index],
-				   mbedtls_entropy_func,
-				   &tm->entropy_pools[thread_index],
-				   (const unsigned char *) pers,
-				   vec_len (pers))) != 0)
-    {
-      vec_free (pers);
-      TLS_DBG (1, " failed\n  ! mbedtls_ctr_drbg_seed returned %d\n", rv);
-      return -1;
-    }
-  vec_free (pers);
-  return 0;
-}
-
-mbedtls_ctr_drbg_context *
-tls_get_ctr_drbg ()
-{
-  u8 thread_index = vlib_get_thread_index ();
-  if (PREDICT_FALSE (!tls_main.ctr_drbgs[thread_index].f_entropy))
-    tls_init_ctr_seed_drbgs ();
-  return &tls_main.ctr_drbgs[thread_index];
-}
-
-static int
-tls_net_send (void *ctx_indexp, const unsigned char *buf, size_t len)
-{
-  stream_session_t *tls_session;
-  uword ctx_index;
-  tls_ctx_t *ctx;
-  int rv;
-
-  ctx_index = pointer_to_uword (ctx_indexp);
-  ctx = tls_ctx_get (ctx_index);
-  tls_session = session_get_from_handle (ctx->tls_session_handle);
-  rv = svm_fifo_enqueue_nowait (tls_session->server_tx_fifo, len, buf);
-  if (rv < 0)
-    return MBEDTLS_ERR_SSL_WANT_WRITE;
-  tls_add_vpp_q_evt (tls_session->server_tx_fifo, FIFO_EVENT_APP_TX);
-  return rv;
-}
-
-static int
-tls_net_recv (void *ctx_indexp, unsigned char *buf, size_t len)
-{
-  stream_session_t *tls_session;
-  uword ctx_index;
-  tls_ctx_t *ctx;
-  int rv;
-
-  ctx_index = pointer_to_uword (ctx_indexp);
-  ctx = tls_ctx_get (ctx_index);
-  tls_session = session_get_from_handle (ctx->tls_session_handle);
-  rv = svm_fifo_dequeue_nowait (tls_session->server_rx_fifo, len, buf);
-  return (rv < 0) ? 0 : rv;
-}
-
-static void
-mbedtls_debug (void *ctx, int level, const char *file, int line,
-	       const char *str)
-{
-  ((void) level);
-  fprintf ((FILE *) ctx, "%s:%04d: %s", file, line, str);
-  fflush ((FILE *) ctx);
-}
-
-static int
-tls_ctx_init_client (tls_ctx_t * ctx)
-{
-  tls_main_t *tm = &tls_main;
-  void *ctx_ptr;
-  int rv;
-
-  /*
-   * 1. Setup SSL
-   */
-  mbedtls_ssl_init (&ctx->ssl);
-  mbedtls_ssl_config_init (&ctx->conf);
-  if ((rv = mbedtls_ssl_config_defaults (&ctx->conf, MBEDTLS_SSL_IS_CLIENT,
-					 MBEDTLS_SSL_TRANSPORT_STREAM,
-					 MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
-    {
-      TLS_DBG (1, "failed\n  ! mbedtls_ssl_config_defaults returned %d\n\n",
-	       rv);
-      return -1;
-    }
-
-  mbedtls_ssl_conf_authmode (&ctx->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
-  mbedtls_ssl_conf_ca_chain (&ctx->conf, &tm->cacert, NULL);
-  mbedtls_ssl_conf_rng (&ctx->conf, mbedtls_ctr_drbg_random,
-			tls_get_ctr_drbg ());
-  mbedtls_ssl_conf_dbg (&ctx->conf, mbedtls_debug, stdout);
-
-  if ((rv = mbedtls_ssl_setup (&ctx->ssl, &ctx->conf)) != 0)
-    {
-      TLS_DBG (1, "failed\n  ! mbedtls_ssl_setup returned %d\n", rv);
-      return -1;
-    }
-
-  if ((rv = mbedtls_ssl_set_hostname (&ctx->ssl,
-				      (const char *) ctx->srv_hostname)) != 0)
-    {
-      TLS_DBG (1, "failed\n  ! mbedtls_ssl_set_hostname returned %d\n", rv);
-      return -1;
-    }
-
-  ctx_ptr = uword_to_pointer (ctx->tls_ctx_idx, void *);
-  mbedtls_ssl_set_bio (&ctx->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL);
-  mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_CLIENT);
-
-  /*
-   * 2. Do the first 2 steps in the handshake.
-   */
-  TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
-	   ctx->tls_ctx_idx);
-  while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
-    {
-      rv = mbedtls_ssl_handshake_step (&ctx->ssl);
-      if (rv != 0)
-	break;
-    }
-  TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index,
-	   ctx->tls_ctx_idx, ctx->ssl.state);
-  return 0;
-}
-
-static int
-tls_ctx_init_server (tls_ctx_t * ctx)
-{
-  tls_main_t *tm = &tls_main;
-  application_t *app;
-  void *ctx_ptr;
-  int rv;
-
-  mbedtls_ssl_init (&ctx->ssl);
-  mbedtls_ssl_config_init (&ctx->conf);
-  mbedtls_x509_crt_init (&ctx->srvcert);
-  mbedtls_pk_init (&ctx->pkey);
-
-  /*
-   * 1. Cert
-   */
-  app = application_get (ctx->parent_app_index);
-  if (!app->tls_cert || !app->tls_key)
-    {
-      TLS_DBG (1, " failed\n  ! tls cert and/or key not configured %d",
-	       ctx->parent_app_index);
-      return -1;
-    }
-
-  rv = mbedtls_x509_crt_parse (&ctx->srvcert,
-			       (const unsigned char *) app->tls_cert,
-			       vec_len (app->tls_cert));
-  if (rv != 0)
-    {
-      TLS_DBG (1, " failed\n  !  mbedtls_x509_crt_parse returned %d", rv);
-      goto exit;
-    }
-
-  rv = mbedtls_pk_parse_key (&ctx->pkey,
-			     (const unsigned char *) app->tls_key,
-			     vec_len (app->tls_key), NULL, 0);
-  if (rv != 0)
-    {
-      TLS_DBG (1, " failed\n  !  mbedtls_pk_parse_key returned %d", rv);
-      goto exit;
-    }
-
-  /*
-   * 2. SSL context config
-   */
-  if ((rv = mbedtls_ssl_config_defaults (&ctx->conf, MBEDTLS_SSL_IS_SERVER,
-					 MBEDTLS_SSL_TRANSPORT_STREAM,
-					 MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
-    {
-      TLS_DBG (1, " failed\n  ! mbedtls_ssl_config_defaults returned %d", rv);
-      goto exit;
-    }
-
-  mbedtls_ssl_conf_rng (&ctx->conf, mbedtls_ctr_drbg_random,
-			tls_get_ctr_drbg ());
-  mbedtls_ssl_conf_dbg (&ctx->conf, mbedtls_debug, stdout);
-
-  /* TODO CACHE
-     mbedtls_ssl_conf_session_cache( &ctx->conf, &cache,
-     mbedtls_ssl_cache_get,
-     mbedtls_ssl_cache_set );
-   */
-
-  mbedtls_ssl_conf_ca_chain (&ctx->conf, &tm->cacert, NULL);
-  if ((rv = mbedtls_ssl_conf_own_cert (&ctx->conf, &ctx->srvcert, &ctx->pkey))
-      != 0)
-    {
-      TLS_DBG (1, " failed\n  ! mbedtls_ssl_conf_own_cert returned %d", rv);
-      goto exit;
-    }
-
-  if ((rv = mbedtls_ssl_setup (&ctx->ssl, &ctx->conf)) != 0)
-    {
-      TLS_DBG (1, " failed\n  ! mbedtls_ssl_setup returned %d", rv);
-      goto exit;
-    }
-
-  mbedtls_ssl_session_reset (&ctx->ssl);
-  ctx_ptr = uword_to_pointer (ctx->tls_ctx_idx, void *);
-  mbedtls_ssl_set_bio (&ctx->ssl, ctx_ptr, tls_net_send, tls_net_recv, NULL);
-
-  mbedtls_debug_set_threshold (TLS_DEBUG_LEVEL_SERVER);
-
-  /*
-   * 3. Start handshake state machine
-   */
-  TLS_DBG (1, "Initiating handshake for [%u]%u", ctx->c_thread_index,
-	   ctx->tls_ctx_idx);
-  while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
-    {
-      rv = mbedtls_ssl_handshake_step (&ctx->ssl);
-      if (rv != 0)
-	break;
-    }
-
-  TLS_DBG (2, "tls state for [%u]%u is %u", ctx->c_thread_index,
-	   ctx->tls_ctx_idx, ctx->ssl.state);
-  return 0;
-
-exit:
-  return -1;
-}
-
-static int
 tls_notify_app_accept (tls_ctx_t * ctx)
 {
   stream_session_t *app_listener, *app_session;
@@ -627,56 +238,82 @@
 		1 /* failed */ );
 }
 
-static int
+static inline u32
+tls_ctx_alloc (void)
+{
+  return tls_vfts[DEFAULT_ENGINE].ctx_alloc ();
+}
+
+static inline void
+tls_ctx_free (tls_ctx_t * ctx)
+{
+  vec_free (ctx->srv_hostname);
+  tls_vfts[DEFAULT_ENGINE].ctx_free (ctx);
+}
+
+static inline tls_ctx_t *
+tls_ctx_get (u32 ctx_index)
+{
+  return tls_vfts[DEFAULT_ENGINE].ctx_get (ctx_index);
+}
+
+static inline tls_ctx_t *
+tls_ctx_get_w_thread (u32 ctx_index, u8 thread_index)
+{
+  return tls_vfts[DEFAULT_ENGINE].ctx_get_w_thread (ctx_index, thread_index);
+}
+
+static inline int
+tls_ctx_init_server (tls_ctx_t * ctx)
+{
+  return tls_vfts[DEFAULT_ENGINE].ctx_init_server (ctx);
+}
+
+static inline int
+tls_ctx_init_client (tls_ctx_t * ctx)
+{
+  return tls_vfts[DEFAULT_ENGINE].ctx_init_client (ctx);
+}
+
+static inline int
+tls_ctx_write (tls_ctx_t * ctx, u8 * buf, u32 len)
+{
+  return tls_vfts[DEFAULT_ENGINE].ctx_write (ctx, buf, len);
+}
+
+static inline int
+tls_ctx_read (tls_ctx_t * ctx, u8 * buf, u32 len)
+{
+  return tls_vfts[DEFAULT_ENGINE].ctx_read (ctx, buf, len);
+}
+
+static inline u8
+tls_ctx_handshake_is_over (tls_ctx_t * ctx)
+{
+  return tls_vfts[DEFAULT_ENGINE].ctx_handshake_is_over (ctx);
+}
+
+static inline int
 tls_handshake_rx (tls_ctx_t * ctx)
 {
-  u32 flags;
   int rv;
-  while (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
+  rv = tls_vfts[DEFAULT_ENGINE].ctx_handshake_rx (ctx);
+
+  switch (rv)
     {
-      rv = mbedtls_ssl_handshake_step (&ctx->ssl);
-      if (rv != 0)
-	break;
-    }
-  TLS_DBG (2, "tls state for %u is %u", ctx->tls_ctx_idx, ctx->ssl.state);
-
-  if (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
-    return 0;
-
-  /*
-   * Handshake complete
-   */
-  if (ctx->ssl.conf->endpoint == MBEDTLS_SSL_IS_CLIENT)
-    {
-      /*
-       * Verify server certificate
-       */
-      if ((flags = mbedtls_ssl_get_verify_result (&ctx->ssl)) != 0)
-	{
-	  char buf[512];
-	  TLS_DBG (1, " failed\n");
-	  mbedtls_x509_crt_verify_info (buf, sizeof (buf), "  ! ", flags);
-	  TLS_DBG (1, "%s\n", buf);
-
-	  /*
-	   * Presence of hostname enforces strict certificate verification
-	   */
-	  if (ctx->srv_hostname)
-	    {
-	      tls_disconnect (ctx->tls_ctx_idx, vlib_get_thread_index ());
-	      tls_notify_app_connected (ctx, /* is failed */ 1);
-	      return -1;
-	    }
-	}
+    case CLIENT_HANDSHAKE_OK:
       tls_notify_app_connected (ctx, /* is failed */ 0);
-    }
-  else
-    {
+      break;
+    case CLIENT_HANDSHAKE_FAIL:
+      tls_disconnect (ctx->tls_ctx_idx, vlib_get_thread_index ());
+      tls_notify_app_connected (ctx, /* is failed */ 1);
+      break;
+    case SERVER_HANDSHAKE_OK:
       tls_notify_app_accept (ctx);
+      break;
+    default:
+      return 0;
     }
-
-  TLS_DBG (1, "Handshake for %u complete. TLS cipher is %x",
-	   ctx->tls_ctx_idx, ctx->ssl.session->ciphersuite);
   return 0;
 }
 
@@ -707,7 +344,7 @@
   application_t *app;
 
   ctx = tls_ctx_get (tls_session->opaque);
-  if (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
+  if (!tls_ctx_handshake_is_over (ctx))
     {
       stream_session_disconnect (tls_session);
       return;
@@ -754,7 +391,7 @@
   int wrote;
 
   ctx = tls_ctx_get (app_session->connection_index);
-  if (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
+  if (!tls_ctx_handshake_is_over (ctx))
     tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX);
 
   deq_max = svm_fifo_max_dequeue (app_session->server_tx_fifo);
@@ -773,7 +410,7 @@
 
   vec_validate (tmp_buf, deq_now);
   svm_fifo_peek (app_session->server_tx_fifo, 0, deq_now, tmp_buf);
-  wrote = mbedtls_ssl_write (&ctx->ssl, tmp_buf, deq_now);
+  wrote = tls_ctx_write (ctx, tmp_buf, deq_now);
   if (wrote <= 0)
     {
       tls_add_vpp_q_evt (app_session->server_tx_fifo, FIFO_EVENT_APP_TX);
@@ -802,7 +439,7 @@
   int read, enq;
 
   ctx = tls_ctx_get (tls_session->opaque);
-  if (ctx->ssl.state != MBEDTLS_SSL_HANDSHAKE_OVER)
+  if (!tls_ctx_handshake_is_over (ctx))
     return tls_handshake_rx (ctx);
 
   deq_max = svm_fifo_max_dequeue (tls_session->server_rx_fifo);
@@ -820,7 +457,7 @@
     }
 
   vec_validate (tmp_buf, enq_now);
-  read = mbedtls_ssl_read (&ctx->ssl, tmp_buf, enq_now);
+  read = tls_ctx_read (ctx, tmp_buf, enq_now);
   if (read <= 0)
     {
       tls_add_vpp_q_evt (tls_session->server_rx_fifo, FIFO_EVENT_BUILTIN_RX);
@@ -938,9 +575,6 @@
   TLS_DBG (1, "Disconnecting %u", ctx_index);
 
   ctx = tls_ctx_get (ctx_index);
-  if (ctx->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER && !ctx->is_passive_close)
-    mbedtls_ssl_close_notify (&ctx->ssl);
-
   tls_session = session_get_from_handle (ctx->tls_session_handle);
   stream_session_disconnect (tls_session);
 
@@ -952,13 +586,6 @@
 				     app_session->server_tx_fifo);
       session_free (app_session);
     }
-  if (ctx->ssl.conf->endpoint == MBEDTLS_SSL_IS_SERVER)
-    {
-      mbedtls_x509_crt_free (&ctx->srvcert);
-      mbedtls_pk_free (&ctx->pkey);
-    }
-  mbedtls_ssl_free (&ctx->ssl);
-  mbedtls_ssl_config_free (&ctx->conf);
   tls_ctx_free (ctx);
 }
 
@@ -1102,78 +729,21 @@
 };
 /* *INDENT-ON* */
 
-int
-tls_init_mem (void)
+void
+tls_register_engine (const tls_engine_vft_t * vft, tls_engine_type_t type)
 {
-#if TLS_USE_OUR_MEM_FUNCS
-  mbedtls_platform_set_calloc_free (mbedtls_calloc_fn, mbedtls_free_fn);
-#endif
-  return 0;
-}
-
-int
-tls_init_ca_chain (void)
-{
-  tls_main_t *tm = &tls_main;
-  int rv;
-
-  if (!tm->ca_cert_path)
-    tm->ca_cert_path = TLS_CA_CERT_PATH;
-
-  if (access (tm->ca_cert_path, F_OK | R_OK) == -1)
-    {
-      clib_warning ("Could not initialize TLS CA certificates");
-      return -1;
-    }
-
-  mbedtls_x509_crt_init (&tm->cacert);
-  rv = mbedtls_x509_crt_parse_file (&tm->cacert, tm->ca_cert_path);
-  if (rv < 0)
-    {
-      clib_warning ("Couldn't parse system CA certificates: -0x%x", -rv);
-    }
-  if (tm->use_test_cert_in_ca)
-    {
-      rv = mbedtls_x509_crt_parse (&tm->cacert,
-				   (const unsigned char *) test_srv_crt_rsa,
-				   test_srv_crt_rsa_len);
-      if (rv < 0)
-	{
-	  clib_warning ("Couldn't parse test certificate: -0x%x", -rv);
-	  return -1;
-	}
-    }
-  return (rv < 0 ? -1 : 0);
+  vec_validate (tls_vfts, type);
+  tls_vfts[type] = *vft;
 }
 
 clib_error_t *
 tls_init (vlib_main_t * vm)
 {
-  vlib_thread_main_t *vtm = vlib_get_thread_main ();
-  u32 fifo_size = 64 << 10, num_threads;
   vnet_app_attach_args_t _a, *a = &_a;
   u64 options[APP_OPTIONS_N_OPTIONS];
   u32 segment_size = 512 << 20;
   tls_main_t *tm = &tls_main;
-
-  num_threads = 1 /* main thread */  + vtm->n_threads;
-
-  if (tls_init_mem ())
-    {
-      clib_warning ("failed to initialize mem");
-      return clib_error_return (0, "failed to initalize mem");
-    }
-  if (tls_init_ca_chain ())
-    {
-      clib_warning ("failed to initialize TLS CA chain");
-      return clib_error_return (0, "failed to initalize TLS CA chain");
-    }
-  if (tls_init_ctr_drbgs_and_entropy (num_threads))
-    {
-      clib_warning ("failed to initialize entropy and random generators");
-      return clib_error_return (0, "failed to initialize entropy and random "
-				"generators");
-    }
+  u32 fifo_size = 64 << 10;
 
   memset (a, 0, sizeof (*a));
   memset (options, 0, sizeof (options));
@@ -1193,8 +763,10 @@
       return clib_error_return (0, "failed to attach tls app");
     }
 
+  if (!tm->ca_cert_path)
+    tm->ca_cert_path = TLS_CA_CERT_PATH;
+
   tm->app_index = a->app_index;
-  vec_validate (tm->ctx_pool, num_threads - 1);
   clib_rwlock_init (&tm->half_open_rwlock);
 
   transport_register_protocol (TRANSPORT_PROTO_TLS, &tls_proto,
@@ -1225,6 +797,13 @@
 }
 
 VLIB_EARLY_CONFIG_FUNCTION (tls_config_fn, "tls");
+
+tls_main_t *
+vnet_tls_get_main (void)
+{
+  return &tls_main;
+}
+
 /*
  * fd.io coding-style-patch-verification: ON
  *
diff --git a/src/vnet/tls/tls.h b/src/vnet/tls/tls.h
new file mode 100644
index 0000000..0dfc48b
--- /dev/null
+++ b/src/vnet/tls/tls.h
@@ -0,0 +1,127 @@
+/*
+ * Copyright (c) 2018 Cisco and/or its affiliates.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at:
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+
+#include <vnet/session/application_interface.h>
+#include <vppinfra/lock.h>
+
+#ifndef SRC_VNET_TLS_TLS_H_
+#define SRC_VNET_TLS_TLS_H_
+
+#define TLS_DEBUG 		0
+#define TLS_DEBUG_LEVEL_CLIENT 	0
+#define TLS_DEBUG_LEVEL_SERVER 	0
+
+#define TLS_CHUNK_SIZE 		(1 << 14)
+#define TLS_CA_CERT_PATH	"/etc/ssl/certs/ca-certificates.crt"
+
+#if TLS_DEBUG
+#define TLS_DBG(_lvl, _fmt, _args...) 			\
+  if (_lvl <= TLS_DEBUG) 				\
+    clib_warning (_fmt, ##_args)
+#else
+#define TLS_DBG(_fmt, _args...)
+#endif
+
+/* *INDENT-OFF* */
+typedef CLIB_PACKED (struct tls_cxt_id_
+{
+  u32 parent_app_index;
+  session_handle_t app_session_handle;
+  session_handle_t tls_session_handle;
+  u32 listener_ctx_index;
+  u8 tcp_is_ip4;
+}) tls_ctx_id_t;
+/* *INDENT-ON* */
+
+STATIC_ASSERT (sizeof (tls_ctx_id_t) <= 42, "ctx id must be less than 42");
+
+typedef struct tls_ctx_
+{
+  union
+  {
+    transport_connection_t connection;
+    tls_ctx_id_t c_tls_ctx_id;
+  };
+#define parent_app_index c_tls_ctx_id.parent_app_index
+#define app_session_handle c_tls_ctx_id.app_session_handle
+#define tls_session_handle c_tls_ctx_id.tls_session_handle
+#define listener_ctx_index c_tls_ctx_id.listener_ctx_index
+#define tcp_is_ip4 c_tls_ctx_id.tcp_is_ip4
+#define tls_ctx_idx c_c_index
+  /* Temporary storage for session open opaque. Overwritten once
+   * underlying tcp connection is established */
+#define parent_app_api_context c_s_index
+
+  u8 is_passive_close;
+  u8 *srv_hostname;
+} tls_ctx_t;
+
+typedef struct tls_main_
+{
+  u32 app_index;
+  tls_ctx_t *listener_ctx_pool;
+  tls_ctx_t *half_open_ctx_pool;
+  clib_rwlock_t half_open_rwlock;
+
+  /*
+   * Config
+   */
+  u8 use_test_cert_in_ca;
+  char *ca_cert_path;
+} tls_main_t;
+
+typedef struct tls_engine_vft_
+{
+  u32 (*ctx_alloc) (void);
+  void (*ctx_free) (tls_ctx_t * ctx);
+  tls_ctx_t *(*ctx_get) (u32 ctx_index);
+  tls_ctx_t *(*ctx_get_w_thread) (u32 ctx_index, u8 thread_index);
+  int (*ctx_init_client) (tls_ctx_t * ctx);
+  int (*ctx_init_server) (tls_ctx_t * ctx);
+  int (*ctx_read) (tls_ctx_t * ctx, u8 * buf, u32 len);
+  int (*ctx_write) (tls_ctx_t * ctx, u8 * buf, u32 len);
+  int (*ctx_handshake_rx) (tls_ctx_t * ctx);
+    u8 (*ctx_handshake_is_over) (tls_ctx_t * ctx);
+} tls_engine_vft_t;
+
+enum tls_handshake_results_
+{
+  HANDSHAKE_NOT_OVER,
+  CLIENT_HANDSHAKE_OK,
+  CLIENT_HANDSHAKE_FAIL,
+  SERVER_HANDSHAKE_OK
+};
+
+typedef enum tls_engine_type_
+{
+  TLS_ENGINE_MBEDTLS,
+  TLS_ENGINE_OPENSSL,
+  TLS_N_ENGINES
+} tls_engine_type_t;
+
+tls_main_t *vnet_tls_get_main (void);
+void tls_register_engine (const tls_engine_vft_t * vft,
+			  tls_engine_type_t type);
+int tls_add_vpp_q_evt (svm_fifo_t * f, u8 evt_type);
+
+#endif /* SRC_VNET_TLS_TLS_H_ */
+/*
+ * fd.io coding-style-patch-verification: ON
+ *
+ * Local Variables:
+ * eval: (c-set-style "gnu")
+ * End:
+ */