view release on metacpan or  search on metacpan

lib/Net/mbedTLS.pm  view on Meta::CPAN

    # Throws if the error is an “unexpected” one:
    my $input = "\0" x 23;
    my $got = $client->read($input) // do {

        # We get here if, e.g., the socket is non-blocking and we
        # weren’t ready to read.
    };

    # Similar to read(); throws on “unexpected” errors:
    my $wrote = $tls->write($byte_string) // do {
        # ...
    };

=head1 DESCRIPTION

L<OpenSSL|https://openssl.org> is great but rather large.

This distribution allows use of mbedTLS, a smaller, simpler TLS library,
from Perl.

=head1 BENEFITS & LIABILITIES

This library, like mbedTLS itself, minimizes memory usage at
the cost of performance. After a simple TLS handshake with this library
Perl’s memory usage is about 6.5 MiB lower than when using
L<IO::Socket::SSL> for the same. On the other hand, OpenSSL does the
handshake (as of this writing) about 18 times faster.

=head1 AVAILABLE FUNCTIONALITY

For now this module largely just exposes the ability to do TLS. mbedTLS
itself exposes a good deal more functionality like raw crypto and
configurable ciphers; if you want that stuff, file a feature request.
(A patch with a test is highly desirable!)

=head1 BUILDING/LINKING

This library can link to mbedTLS in several ways:

=over

=item * Dynamic, to system library (default): This assumes that
mbedTLS is available from some system-default location (e.g.,
F</usr>).

=item * Dynamic, to a specific path: To do this set
C<NET_MBEDTLS_MBEDTLS_BASE> in your environment to whatever directory
contains mbedTLS’s F<include> and F<lib> (or F<library>) directories.

=item * Static, to a specific path: Like the previous one, but
also set C<NET_MBEDTLS_LINKING> to C<static> in your environment.

=back

Dynamic linking allows Net::mbedTLS to use the most recent
(compatible) mbedTLS but requires you to have a shared mbedTLS
available, whereas static linking alleviates that dependency at the
cost of always using the same library version.

mbedTLS, alas, as of this writing does not support
L<pkg-config|https://www.freedesktop.org/wiki/Software/pkg-config/>.
(L<GitHub issue|https://github.com/ARMmbed/mbedtls/issues/228>) If that
changes then dynamic linking may become more reliable.

NB: mbedTLS B<MUST> be built with I<position-independent> code. If you’re
building your own mbedTLS then you’ll need to configure that manually.
GCC’s C<-fPIC> flag does this; see this distribution’s CI tests for an example.

=cut

#----------------------------------------------------------------------

use Net::mbedTLS::X ();

our $DEBUG;

#----------------------------------------------------------------------

=head1 METHODS

=head2 $obj = I<CLASS>->new( %OPTS )

Instantiates this class. %OPTS are:

=over

=item * C<trust_store_path> (optional) - Filesystem path to the trust
store (i.e., root certificates). If not given this module will use
L<Mozilla::CA>’s trust store.

The trust store isn’t loaded until it’s needed, so if you don’t need
to verify certificate chains (e.g., you’re only serving without
TLS client authentication) you can safely omit this.

=back

=cut

sub new {
    my ($classname, %opts) = @_;

    return _new($classname, $opts{'trust_store_path'});
}

=head2 $client = I<OBJ>->create_client( $SOCKET, %OPTS )

Initializes a client session on $SOCKET. Returns a
L<Net::mbedTLS::Client> instance.

%OPTS are:

=over

=item * C<servername> (optional) - The SNI string to send in the handshake.

=item * C<authmode> (optional) - One of this module’s C<SSL_VERIFY_*> constants. Defaults as in mbedTLS.

=back

=cut