2 files changed, 126 insertions, 27 deletions

diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index d33403aba..df676a252 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -92,6 +92,10 @@ typedef unsigned int inspircd_gnutls_session_init_flags_t;
 typedef gnutls_connection_end_t inspircd_gnutls_session_init_flags_t;
 #endif
 
+#if INSPIRCD_GNUTLS_HAS_VERSION(3, 1, 9)
+#define INSPIRCD_GNUTLS_HAS_CORK
+#endif
+
 class RandGen : public HandlerBase2<void, char*, size_t>
 {
  public:
@@ -531,14 +535,20 @@ namespace GnuTLS
 		 */
 		Priority priority;
 
+		/** Rough max size of records to send
+		 */
+		const unsigned int outrecsize;
+
 		Profile(const std::string& profilename, const std::string& certstr, const std::string& keystr,
 				std::auto_ptr<DHParams>& DH, unsigned int mindh, const std::string& hashstr,
-				const std::string& priostr, std::auto_ptr<X509CertList>& CA, std::auto_ptr<X509CRL>& CRL)
+				const std::string& priostr, std::auto_ptr<X509CertList>& CA, std::auto_ptr<X509CRL>& CRL,
+				unsigned int recsize)
 			: name(profilename)
 			, x509cred(certstr, keystr)
 			, min_dh_bits(mindh)
 			, hash(hashstr)
 			, priority(priostr)
+			, outrecsize(recsize)
 		{
 			x509cred.SetDH(DH);
 			x509cred.SetCA(CA, CRL);
@@ -587,7 +597,13 @@ namespace GnuTLS
 					crl.reset(new X509CRL(ReadFile(filename)));
 			}
 
-			return new Profile(profilename, certstr, keystr, dh, mindh, hashstr, priostr, ca, crl);
+#ifdef INSPIRCD_GNUTLS_HAS_CORK
+			// If cork support is available outrecsize represents the (rough) max amount of data we give GnuTLS while corked
+			unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512);
+#else
+			unsigned int outrecsize = tag->getInt("outrecsize", 2048, 512, 16384);
+#endif
+			return new Profile(profilename, certstr, keystr, dh, mindh, hashstr, priostr, ca, crl, outrecsize);
 		}
 
 		/** Set up the given session with the settings in this profile
@@ -605,6 +621,7 @@ namespace GnuTLS
 		const std::string& GetName() const { return name; }
 		X509Credentials& GetX509Credentials() { return x509cred; }
 		gnutls_digest_algorithm_t GetHash() const { return hash.get(); }
+		unsigned int GetOutgoingRecordSize() const { return outrecsize; }
 	};
 }
 
@@ -614,6 +631,9 @@ class GnuTLSIOHook : public SSLIOHook
 	gnutls_session_t sess;
 	issl_status status;
 	reference<GnuTLS::Profile> profile;
+#ifdef INSPIRCD_GNUTLS_HAS_CORK
+	size_t gbuffersize;
+#endif
 
 	void CloseSession()
 	{
@@ -793,6 +813,43 @@ info_done_dealloc:
 		return -1;
 	}
 
+#ifdef INSPIRCD_GNUTLS_HAS_CORK
+	int FlushBuffer(StreamSocket* sock)
+	{
+		// If GnuTLS has some data buffered, write it
+		if (gbuffersize)
+			return HandleWriteRet(sock, gnutls_record_uncork(this->sess, 0));
+		return 1;
+	}
+#endif
+
+	int HandleWriteRet(StreamSocket* sock, int ret)
+	{
+		if (ret > 0)
+		{
+#ifdef INSPIRCD_GNUTLS_HAS_CORK
+			gbuffersize -= ret;
+			if (gbuffersize)
+			{
+				SocketEngine::ChangeEventMask(sock, FD_WANT_SINGLE_WRITE);
+				return 0;
+			}
+#endif
+			return ret;
+		}
+		else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED || ret == 0)
+		{
+			SocketEngine::ChangeEventMask(sock, FD_WANT_SINGLE_WRITE);
+			return 0;
+		}
+		else // (ret < 0)
+		{
+			sock->SetError(gnutls_strerror(ret));
+			CloseSession();
+			return -1;
+		}
+	}
+
 	static const char* UnknownIfNULL(const char* str)
 	{
 		return str ? str : "UNKNOWN";
@@ -913,6 +970,9 @@ info_done_dealloc:
 		, sess(NULL)
 		, status(ISSL_NONE)
 		, profile(sslprofile)
+#ifdef INSPIRCD_GNUTLS_HAS_CORK
+		, gbuffersize(0)
+#endif
 	{
 		gnutls_init(&sess, flags);
 		gnutls_transport_set_ptr(sess, reinterpret_cast<gnutls_transport_ptr_t>(sock));
@@ -968,7 +1028,7 @@ info_done_dealloc:
 		}
 	}
 
-	int OnStreamSocketWrite(StreamSocket* user, std::string& sendq) CXX11_OVERRIDE
+	int OnStreamSocketWrite(StreamSocket* user) CXX11_OVERRIDE
 	{
 		// Finish handshake if needed
 		int prepret = PrepareIO(user);
@@ -976,34 +1036,60 @@ info_done_dealloc:
 			return prepret;
 
 		// Session is ready for transferring application data
-		int ret = 0;
+		StreamSocket::SendQueue& sendq = user->GetSendQ();
 
+#ifdef INSPIRCD_GNUTLS_HAS_CORK
+		while (true)
 		{
-			ret = gnutls_record_send(this->sess, sendq.data(), sendq.length());
-
-			if (ret == (int)sendq.length())
-			{
-				SocketEngine::ChangeEventMask(user, FD_WANT_NO_WRITE);
-				return 1;
-			}
-			else if (ret > 0)
+			// If there is something in the GnuTLS buffer try to send() it
+			int ret = FlushBuffer(user);
+			if (ret <= 0)
+				return ret; // Couldn't flush entire buffer, retry later (or close on error)
+
+			// GnuTLS buffer is empty, if the sendq is empty as well then break to set FD_WANT_NO_WRITE
+			if (sendq.empty())
+				break;
+
+			// GnuTLS buffer is empty but sendq is not, begin sending data from the sendq
+			gnutls_record_cork(this->sess);
+			while ((!sendq.empty()) && (gbuffersize < profile->GetOutgoingRecordSize()))
 			{
-				sendq.erase(0, ret);
-				SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
-				return 0;
+				const StreamSocket::SendQueue::Element& elem = sendq.front();
+				gbuffersize += elem.length();
+				ret = gnutls_record_send(this->sess, elem.data(), elem.length());
+				if (ret < 0)
+				{
+					CloseSession();
+					return -1;
+				}
+				sendq.pop_front();
 			}
-			else if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED || ret == 0)
+		}
+#else
+		int ret = 0;
+
+		while (!sendq.empty())
+		{
+			FlattenSendQueue(sendq, profile->GetOutgoingRecordSize());
+			const StreamSocket::SendQueue::Element& buffer = sendq.front();
+			ret = HandleWriteRet(user, gnutls_record_send(this->sess, buffer.data(), buffer.length()));
+
+			if (ret <= 0)
+				return ret;
+			else if (ret < (int)buffer.length())
 			{
+				sendq.erase_front(ret);
 				SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
 				return 0;
 			}
-			else // (ret < 0)
-			{
-				user->SetError(gnutls_strerror(ret));
-				CloseSession();
-				return -1;
-			}
+
+			// Wrote entire record, continue sending
+			sendq.pop_front();
 		}
+#endif
+
+		SocketEngine::ChangeEventMask(user, FD_WANT_NO_WRITE);
+		return 1;
 	}
 
 	void TellCiphersAndFingerprint(LocalUser* user)
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index c8a035fac..b037347f1 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -238,6 +238,10 @@ namespace OpenSSL
 		 */
 		const bool allowrenego;
 
+		/** Rough max size of records to send
+		 */
+		const unsigned int outrecsize;
+
 		static int error_callback(const char* str, size_t len, void* u)
 		{
 			Profile* profile = reinterpret_cast<Profile*>(u);
@@ -278,6 +282,7 @@ namespace OpenSSL
 			, ctx(SSL_CTX_new(SSLv23_server_method()))
 			, clictx(SSL_CTX_new(SSLv23_client_method()))
 			, allowrenego(tag->getBool("renegotiation", true))
+			, outrecsize(tag->getInt("outrecsize", 2048, 512, 16384))
 		{
 			if ((!ctx.SetDH(dh)) || (!clictx.SetDH(dh)))
 				throw Exception("Couldn't set DH parameters");
@@ -337,6 +342,7 @@ namespace OpenSSL
 		SSL* CreateClientSession() { return clictx.CreateClientSession(); }
 		const EVP_MD* GetDigest() { return digest; }
 		bool AllowRenegotiation() const { return allowrenego; }
+		unsigned int GetOutgoingRecordSize() const { return outrecsize; }
 	};
 }
 
@@ -601,7 +607,7 @@ class OpenSSLIOHook : public SSLIOHook
 		}
 	}
 
-	int OnStreamSocketWrite(StreamSocket* user, std::string& buffer) CXX11_OVERRIDE
+	int OnStreamSocketWrite(StreamSocket* user) CXX11_OVERRIDE
 	{
 		// Finish handshake if needed
 		int prepret = PrepareIO(user);
@@ -611,8 +617,12 @@ class OpenSSLIOHook : public SSLIOHook
 		data_to_write = true;
 
 		// Session is ready for transferring application data
+		StreamSocket::SendQueue& sendq = user->GetSendQ();
+		while (!sendq.empty())
 		{
 			ERR_clear_error();
+			FlattenSendQueue(sendq, profile->GetOutgoingRecordSize());
+			const StreamSocket::SendQueue::Element& buffer = sendq.front();
 			int ret = SSL_write(sess, buffer.data(), buffer.size());
 
 #ifdef INSPIRCD_OPENSSL_ENABLE_RENEGO_DETECTION
@@ -622,13 +632,12 @@ class OpenSSLIOHook : public SSLIOHook
 
 			if (ret == (int)buffer.length())
 			{
-				data_to_write = false;
-				SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
-				return 1;
+				// Wrote entire record, continue sending
+				sendq.pop_front();
 			}
 			else if (ret > 0)
 			{
-				buffer.erase(0, ret);
+				sendq.erase_front(ret);
 				SocketEngine::ChangeEventMask(user, FD_WANT_SINGLE_WRITE);
 				return 0;
 			}
@@ -658,6 +667,10 @@ class OpenSSLIOHook : public SSLIOHook
 				}
 			}
 		}
+
+		data_to_write = false;
+		SocketEngine::ChangeEventMask(user, FD_WANT_POLL_READ | FD_WANT_NO_WRITE);
+		return 1;
 	}
 
 	void TellCiphersAndFingerprint(LocalUser* user)