fs: Prevent invalid directory links

A file with a name like "gemini:example" would previously result in the following invalid link: => gemini:example gemini:example Fix by prepending a "./" before each filename, so that the resulting link looks like: => ./gemini:example gemini:example
Fix parsing of list item lines
2022-05-07 13:54:56 -04:00 · 2022-03-15 11:07:04 -04:00 · 2022-02-16 12:01:55 -05:00 · 2021-12-18 12:51:04 -05:00 · 2021-06-26 20:26:30 -04:00 · 2021-06-26 20:16:38 -04:00
25 changed files with 817 additions and 1069 deletions
--- a/64
+++ b/64
@@ -1,51 +1,19 @@
-go-gemini is available under the terms of the MIT license:
+Copyright (c) 2020 Adnan Maolood
-	Copyright (c) 2020 Adnan Maolood
+Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
 in the Software without restriction, including without limitation the rights
 to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 copies of the Software, and to permit persons to whom the Software is
 furnished to do so, subject to the following conditions:
-	Permission is hereby granted, free of charge, to any person obtaining a copy
+The above copyright notice and this permission notice shall be included in all
-	of this software and associated documentation files (the "Software"), to deal
+copies or substantial portions of the Software.
 	in the Software without restriction, including without limitation the rights
 	to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 	copies of the Software, and to permit persons to whom the Software is
 	furnished to do so, subject to the following conditions:
-	The above copyright notice and this permission notice shall be included in all
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-	copies or substantial portions of the Software.
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-	THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-	IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-	FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-	AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+SOFTWARE.
 	LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 	OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 	SOFTWARE.
 Portions of this program were taken from Go:
 	Copyright (c) 2009 The Go Authors. All rights reserved.
 	Redistribution and use in source and binary forms, with or without
 	modification, are permitted provided that the following conditions are
 	met:
 	   * Redistributions of source code must retain the above copyright
 	notice, this list of conditions and the following disclaimer.
 	   * Redistributions in binary form must reproduce the above
 	copyright notice, this list of conditions and the following disclaimer
 	in the documentation and/or other materials provided with the
 	distribution.
 	   * Neither the name of Google Inc. nor the names of its
 	contributors may be used to endorse or promote products derived from
 	this software without specific prior written permission.
 	THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 	"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 	LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 	A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 	OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 	SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 	LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 	DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 	THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 	(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 	OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/27
+++ b/27
@@ -0,0 +1,27 @@
 Copyright (c) 2009 The Go Authors. All rights reserved.
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are
 met:
   * Redistributions of source code must retain the above copyright
 notice, this list of conditions and the following disclaimer.
   * Redistributions in binary form must reproduce the above
 copyright notice, this list of conditions and the following disclaimer
 in the documentation and/or other materials provided with the
 distribution.
   * Neither the name of Google Inc. nor the names of its
 contributors may be used to endorse or promote products derived from
 this software without specific prior written permission.
 THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
--- a/README.md
+++ b/README.md
@@ -2,16 +2,19 @@
 [![godocs.io](https://godocs.io/git.sr.ht/~adnano/go-gemini?status.svg)](https://godocs.io/git.sr.ht/~adnano/go-gemini) [![builds.sr.ht status](https://builds.sr.ht/~adnano/go-gemini.svg)](https://builds.sr.ht/~adnano/go-gemini?)
-Package gemini implements the [Gemini protocol](https://gemini.circumlunar.space) in Go.
+Package gemini implements the [Gemini protocol](https://gemini.circumlunar.space)
 in Go. It provides an API similar to that of net/http to facilitate the
 development of Gemini clients and servers.
-It provides an API similar to that of net/http to make it easy to develop Gemini clients and servers.
+Compatible with version v0.16.0 of the Gemini specification.
 Compatible with version v0.14.3 of the Gemini specification.
 ## Usage
 	import "git.sr.ht/~adnano/go-gemini"
 Note that some filesystem-related functionality is only available on Go 1.16
 or later as it relies on the io/fs package.
 ## Examples
 There are a few examples provided in the examples directory.
@@ -24,3 +27,9 @@ To run an example:
 Send patches and questions to [~adnano/go-gemini-devel](https://lists.sr.ht/~adnano/go-gemini-devel).
 Subscribe to release announcements on [~adnano/go-gemini-announce](https://lists.sr.ht/~adnano/go-gemini-announce).
 ## License
 go-gemini is licensed under the terms of the MIT license (see LICENSE).
 Portions of this library were adapted from Go and are governed by a BSD-style
 license (see LICENSE-GO). Those files are marked accordingly.
--- a/certificate/store.go
+++ b/certificate/store.go
@@ -6,53 +6,55 @@ import (
 	"crypto/x509/pkix"
 	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
 	"strings"
 	"sync"
 	"time"
 )
-// A Store represents a certificate store.
+// A Store represents a TLS certificate store.
 // It generates certificates as needed and automatically rotates expired certificates.
 // The zero value for Store is an empty store ready to use.
 //
-// Certificate scopes must be registered with Register before calling Get or Load.
+// Store can be used to store server certificates.
-// This prevents the Store from creating or loading unnecessary certificates.
+// Servers should provide a hostname or wildcard pattern as a certificate scope.
 // Servers will most likely use the methods Register, Load and Get.
 //
 // Store can also be used to store client certificates.
 // Clients should provide a hostname as a certificate scope.
 // Clients will most likely use the methods Add, Load, and Lookup.
 //
 // Store is safe for concurrent use by multiple goroutines.
 type Store struct {
-	// CreateCertificate, if not nil, is called to create a new certificate
+	// CreateCertificate, if not nil, is called by Get to create a new
-	// to replace a missing or expired certificate. If CreateCertificate
+	// certificate to replace a missing or expired certificate.
 	// is nil, a certificate with a duration of 1 year will be created.
 	// The provided scope is suitable for use in a certificate's DNSNames.
 	CreateCertificate func(scope string) (tls.Certificate, error)
-	certs map[string]tls.Certificate
+	scopes map[string]struct{}
-	path  string
+	certs  map[string]tls.Certificate
-	mu    sync.RWMutex
+	path   string
 	mu     sync.RWMutex
 }
 // Register registers the provided scope with the certificate store.
 // The scope can either be a hostname or a wildcard pattern (e.g. "*.example.com").
 // To accept all hostnames, use the special pattern "*".
 //
 // Calls to Get will only succeed for registered scopes.
 // Other methods are not affected.
 func (s *Store) Register(scope string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	if s.certs == nil {
+	if s.scopes == nil {
-		s.certs = make(map[string]tls.Certificate)
+		s.scopes = make(map[string]struct{})
 	}
-	s.certs[scope] = tls.Certificate{}
+	s.scopes[scope] = struct{}{}
 }
-// Add adds a certificate with the given scope to the certificate store.
+// Add registers the certificate for the given scope.
-// If a certificate for the given scope already exists, Add will overwrite it.
+// If a certificate already exists for scope, Add will overwrite it.
 func (s *Store) Add(scope string, cert tls.Certificate) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if s.certs == nil {
 		s.certs = make(map[string]tls.Certificate)
 	}
 	// Parse certificate if not already parsed
 	if cert.Leaf == nil {
 		parsed, err := x509.ParseCertificate(cert.Certificate[0])
@@ -62,6 +64,22 @@ func (s *Store) Add(scope string, cert tls.Certificate) error {
 		cert.Leaf = parsed
 	}
 	if err := s.write(scope, cert); err != nil {
 		return err
 	}
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if s.certs == nil {
 		s.certs = make(map[string]tls.Certificate)
 	}
 	s.certs[scope] = cert
 	return nil
 }
 func (s *Store) write(scope string, cert tls.Certificate) error {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	if s.path != "" {
 		certPath := filepath.Join(s.path, scope+".crt")
 		keyPath := filepath.Join(s.path, scope+".key")
@@ -69,35 +87,37 @@ func (s *Store) Add(scope string, cert tls.Certificate) error {
 			return err
 		}
 	}
 	s.certs[scope] = cert
 	return nil
 }
 // Get retrieves a certificate for the given hostname.
 // If no matching scope has been registered, Get returns an error.
 // Get generates new certificates as needed and rotates expired certificates.
 // It calls CreateCertificate to create a new certificate if it is not nil,
 // otherwise it creates certificates with a duration of 100 years.
 //
 // Get is suitable for use in a gemini.Server's GetCertificate field.
 func (s *Store) Get(hostname string) (*tls.Certificate, error) {
 	s.mu.RLock()
-	defer s.mu.RUnlock()
+	_, ok := s.scopes[hostname]
 	cert, ok := s.certs[hostname]
 	if !ok {
 		// Try wildcard
 		wildcard := strings.SplitN(hostname, ".", 2)
 		if len(wildcard) == 2 {
 			hostname = "*." + wildcard[1]
-			cert, ok = s.certs[hostname]
+			_, ok = s.scopes[hostname]
 		}
 	}
 	if !ok {
 		// Try "*"
-		cert, ok = s.certs["*"]
+		_, ok = s.scopes["*"]
 	}
 	if !ok {
 		s.mu.RUnlock()
 		return nil, errors.New("unrecognized scope")
 	}
 	cert := s.certs[hostname]
 	s.mu.RUnlock()
 	// If the certificate is empty or expired, generate a new one.
 	if cert.Leaf == nil || cert.Leaf.NotAfter.Before(time.Now()) {
@@ -114,6 +134,14 @@ func (s *Store) Get(hostname string) (*tls.Certificate, error) {
 	return &cert, nil
 }
 // Lookup returns the certificate for the provided scope.
 func (s *Store) Lookup(scope string) (tls.Certificate, bool) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	cert, ok := s.certs[scope]
 	return cert, ok
 }
 func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 	if s.CreateCertificate != nil {
 		return s.CreateCertificate(scope)
@@ -123,7 +151,7 @@ func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 		Subject: pkix.Name{
 			CommonName: scope,
 		},
-		Duration: 365 * 24 * time.Hour,
+		Duration: 100 * 365 * 24 * time.Hour,
 	})
 }
@@ -132,26 +160,31 @@ func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 // The path should lead to a directory containing certificates
 // and private keys named "scope.crt" and "scope.key" respectively,
 // where "scope" is the scope of the certificate.
 // Certificates with scopes that have not been registered will be ignored.
 func (s *Store) Load(path string) error {
 	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
 		return err
 	}
 	path = filepath.Clean(path)
 	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
 	if err != nil {
 		return err
 	}
 	for _, crtPath := range matches {
 		scope := strings.TrimSuffix(filepath.Base(crtPath), ".crt")
 		if _, ok := s.certs[scope]; !ok {
 			continue
 		}
 		keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key"
 		cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
 		if err != nil {
 			continue
 		}
 		scope := strings.TrimPrefix(crtPath, path)
 		scope = strings.TrimPrefix(scope, "/")
 		scope = strings.TrimSuffix(scope, ".crt")
 		s.Add(scope, cert)
 	}
-	s.SetPath(path)
+	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.path = path
 	return nil
 }
@@ -170,5 +203,5 @@ func (s *Store) Entries() map[string]tls.Certificate {
 func (s *Store) SetPath(path string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	s.path = path
+	s.path = filepath.Clean(path)
 }
--- a/client.go
+++ b/client.go
@@ -6,7 +6,6 @@ import (
 	"crypto/x509"
 	"net"
 	"net/url"
 	"time"
 	"unicode/utf8"
 	"golang.org/x/net/idna"
@@ -132,6 +131,9 @@ func (c *Client) Do(ctx context.Context, req *Request) (*Response, error) {
 		conn.Close()
 		return nil, ctx.Err()
 	case r := <-res:
 		if r.err != nil {
 			conn.Close()
 		}
 		return r.resp, r.err
 	}
 }
@@ -153,7 +155,7 @@ func (c *Client) do(ctx context.Context, conn net.Conn, req *Request) (*Response
 	}
 	// Write the request
-	if err := req.Write(w); err != nil {
+	if _, err := req.WriteTo(w); err != nil {
 		return nil, err
 	}
@@ -175,17 +177,9 @@ func (c *Client) dialContext(ctx context.Context, network, addr string) (net.Con
 }
 func (c *Client) verifyConnection(cs tls.ConnectionState, hostname string) error {
 	cert := cs.PeerCertificates[0]
 	// Verify hostname
 	if err := verifyHostname(cert, hostname); err != nil {
 		return err
 	}
 	// Check expiration date
 	if !time.Now().Before(cert.NotAfter) {
 		return ErrCertificateExpired
 	}
 	// See if the client trusts the certificate
 	if c.TrustCertificate != nil {
 		cert := cs.PeerCertificates[0]
 		return c.TrustCertificate(hostname, cert)
 	}
 	return nil
--- a/doc.go
+++ b/doc.go
@@ -9,7 +9,7 @@ Client is a Gemini client.
 	if err != nil {
 		// handle error
 	}
-	defer resp.Close()
+	defer resp.Body.Close()
 	// ...
 Server is a Gemini server.
@@ -29,18 +29,18 @@ Servers should be configured with certificates:
 	}
 	server.GetCertificate = certificates.Get
-ServeMux is a Gemini request multiplexer.
+Mux is a Gemini request multiplexer.
-ServeMux can handle requests for multiple hosts and schemes.
+Mux can handle requests for multiple hosts and paths.
-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.HandleFunc("example.com", func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
 		fmt.Fprint(w, "Welcome to example.com")
 	})
 	mux.HandleFunc("example.org/about.gmi", func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
 		fmt.Fprint(w, "About example.org")
 	})
-	mux.HandleFunc("http://example.net", func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
+	mux.HandleFunc("/images/", func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
-		fmt.Fprint(w, "Proxied content from http://example.net")
+		w.WriteHeader(gemini.StatusGone, "Gone forever")
 	})
 	server.Handler = mux
--- a/examples/auth.go
+++ b/examples/auth.go
@@ -30,7 +30,7 @@ func main() {
 		log.Fatal(err)
 	}
-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.HandleFunc("/", profile)
 	mux.HandleFunc("/username", changeUsername)
--- a/examples/client.go
+++ b/examples/client.go
@@ -6,7 +6,6 @@ package main
 import (
 	"bufio"
 	"bytes"
 	"context"
 	"crypto/x509"
 	"errors"
@@ -16,7 +15,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
 	"time"
 	"git.sr.ht/~adnano/go-gemini"
 	"git.sr.ht/~adnano/go-gemini/tofu"
@@ -61,15 +59,14 @@ Otherwise, this should be safe to trust.
 => `
 func trustCertificate(hostname string, cert *x509.Certificate) error {
-	host := tofu.NewHost(hostname, cert.Raw, cert.NotAfter)
+	host := tofu.NewHost(hostname, cert.Raw)
 	knownHost, ok := hosts.Lookup(hostname)
-	if ok && time.Now().Before(knownHost.Expires) {
+	if ok {
 		// Check fingerprint
-		if bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
+		if knownHost.Fingerprint != host.Fingerprint {
-			return nil
+			return errors.New("error: fingerprint does not match!")
 		}
-		return errors.New("error: fingerprint does not match!")
+		return nil
 	}
 	fmt.Printf(trustPrompt, hostname, host.Fingerprint)
@@ -87,7 +84,7 @@ func trustCertificate(hostname string, cert *x509.Certificate) error {
 	}
 }
-func getInput(prompt string, sensitive bool) (input string, ok bool) {
+func getInput(prompt string) (input string, ok bool) {
 	fmt.Printf("%s ", prompt)
 	scanner.Scan()
 	return scanner.Text(), true
@@ -103,9 +100,9 @@ func do(req *gemini.Request, via []*gemini.Request) (*gemini.Response, error) {
 		return resp, err
 	}
-	switch resp.Status().Class() {
+	switch resp.Status.Class() {
 	case gemini.StatusInput:
-		input, ok := getInput(resp.Meta(), resp.Status() == gemini.StatusSensitiveInput)
+		input, ok := getInput(resp.Meta)
 		if !ok {
 			break
 		}
@@ -119,7 +116,7 @@ func do(req *gemini.Request, via []*gemini.Request) (*gemini.Response, error) {
 			return resp, errors.New("too many redirects")
 		}
-		target, err := url.Parse(resp.Meta())
+		target, err := url.Parse(resp.Meta)
 		if err != nil {
 			return resp, err
 		}
@@ -153,11 +150,11 @@ func main() {
 		fmt.Println(err)
 		os.Exit(1)
 	}
-	defer resp.Close()
+	defer resp.Body.Close()
 	// Handle response
-	if resp.Status().Class() == gemini.StatusSuccess {
+	if resp.Status.Class() == gemini.StatusSuccess {
-		_, err := io.Copy(os.Stdout, resp)
+		_, err := io.Copy(os.Stdout, resp.Body)
 		if err != nil {
 			log.Fatal(err)
 		}
--- a/examples/server.go
+++ b/examples/server.go
@@ -22,11 +22,11 @@ func main() {
 		log.Fatal(err)
 	}
-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.Handle("/", gemini.FileServer(os.DirFS("/var/www")))
 	server := &gemini.Server{
-		Handler:        logMiddleware(mux),
+		Handler:        gemini.LoggingMiddleware(mux),
 		ReadTimeout:    30 * time.Second,
 		WriteTimeout:   1 * time.Minute,
 		GetCertificate: certificates.Get,
@@ -56,53 +56,3 @@ func main() {
 		}
 	}
 }
 func logMiddleware(h gemini.Handler) gemini.Handler {
 	return gemini.HandlerFunc(func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
 		lw := &logResponseWriter{rw: w}
 		h.ServeGemini(ctx, lw, r)
 		host := r.TLS().ServerName
 		log.Printf("gemini: %s %q %d %d", host, r.URL, lw.status, lw.wrote)
 	})
 }
 type logResponseWriter struct {
 	rw          gemini.ResponseWriter
 	status      gemini.Status
 	meta        string
 	mediatype   string
 	wroteHeader bool
 	wrote       int
 }
 func (w *logResponseWriter) SetMediaType(mediatype string) {
 	w.mediatype = mediatype
 }
 func (w *logResponseWriter) Write(b []byte) (int, error) {
 	if !w.wroteHeader {
 		w.WriteHeader(gemini.StatusSuccess, w.mediatype)
 	}
 	n, err := w.rw.Write(b)
 	w.wrote += n
 	return n, err
 }
 func (w *logResponseWriter) WriteHeader(status gemini.Status, meta string) {
 	if w.wroteHeader {
 		return
 	}
 	w.status = status
 	w.meta = meta
 	w.wroteHeader = true
 	w.rw.WriteHeader(status, meta)
 	w.wrote += len(meta) + 5
 }
 func (w *logResponseWriter) Flush() error {
 	return nil
 }
 func (w *logResponseWriter) Close() error {
 	return nil
 }
--- a/examples/stream.go
+++ b/examples/stream.go
@@ -21,7 +21,7 @@ func main() {
 		log.Fatal(err)
 	}
-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.HandleFunc("/", stream)
 	server := &gemini.Server{
--- a/fs.go
+++ b/fs.go
@@ -29,88 +29,22 @@ type fileServer struct {
 	fs.FS
 }
-func (fs fileServer) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
+func (fsys fileServer) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
 	serveFile(w, r, fs, path.Clean(r.URL.Path), true)
 }
 // ServeContent replies to the request using the content in the
 // provided Reader. The main benefit of ServeContent over io.Copy
 // is that it sets the MIME type of the response.
 //
 // ServeContent tries to deduce the type from name's file extension.
 // The name is otherwise unused; it is never sent in the response.
 func ServeContent(w ResponseWriter, r *Request, name string, content io.Reader) {
 	serveContent(w, name, content)
 }
 func serveContent(w ResponseWriter, name string, content io.Reader) {
 	// Detect mimetype from file extension
 	ext := path.Ext(name)
 	mimetype := mime.TypeByExtension(ext)
 	w.SetMediaType(mimetype)
 	io.Copy(w, content)
 }
 // ServeFile responds to the request with the contents of the named file
 // or directory.
 //
 // If the provided file or directory name is a relative path, it is interpreted
 // relative to the current directory and may ascend to parent directories. If
 // the provided name is constructed from user input, it should be sanitized
 // before calling ServeFile.
 //
 // As a precaution, ServeFile will reject requests where r.URL.Path contains a
 // ".." path element; this protects against callers who might unsafely use
 // path.Join on r.URL.Path without sanitizing it and then use that
 // path.Join result as the name argument.
 //
 // As another special case, ServeFile redirects any request where r.URL.Path
 // ends in "/index.gmi" to the same path, without the final "index.gmi". To
 // avoid such redirects either modify the path or use ServeContent.
 //
 // Outside of those two special cases, ServeFile does not use r.URL.Path for
 // selecting the file or directory to serve; only the file or directory
 // provided in the name argument is used.
 func ServeFile(w ResponseWriter, r *Request, fsys fs.FS, name string) {
 	if containsDotDot(r.URL.Path) {
 		// Too many programs use r.URL.Path to construct the argument to
 		// serveFile. Reject the request under the assumption that happened
 		// here and ".." may not be wanted.
 		// Note that name might not contain "..", for example if code (still
 		// incorrectly) used path.Join(myDir, r.URL.Path).
 		w.WriteHeader(StatusBadRequest, "invalid URL path")
 		return
 	}
 	serveFile(w, r, fsys, name, false)
 }
 func containsDotDot(v string) bool {
 	if !strings.Contains(v, "..") {
 		return false
 	}
 	for _, ent := range strings.FieldsFunc(v, isSlashRune) {
 		if ent == ".." {
 			return true
 		}
 	}
 	return false
 }
 func isSlashRune(r rune) bool { return r == '/' || r == '\\' }
 func serveFile(w ResponseWriter, r *Request, fsys fs.FS, name string, redirect bool) {
 	const indexPage = "/index.gmi"
 	url := path.Clean(r.URL.Path)
 	// Redirect .../index.gmi to .../
-	if strings.HasSuffix(r.URL.Path, indexPage) {
+	if strings.HasSuffix(url, indexPage) {
-		w.WriteHeader(StatusPermanentRedirect, "./")
+		w.WriteHeader(StatusPermanentRedirect, strings.TrimSuffix(url, "index.gmi"))
 		return
 	}
 	name := url
 	if name == "/" {
 		name = "."
 	} else {
-		name = strings.Trim(name, "/")
+		name = strings.TrimPrefix(name, "/")
 	}
 	f, err := fsys.Open(name)
@@ -127,50 +61,89 @@ func serveFile(w ResponseWriter, r *Request, fsys fs.FS, name string, redirect b
 	}
 	// Redirect to canonical path
-	if redirect {
+	if len(r.URL.Path) != 0 {
 		url := r.URL.Path
 		if stat.IsDir() {
-			// Add trailing slash
+			target := url
-			if url[len(url)-1] != '/' {
+			if target != "/" {
-				w.WriteHeader(StatusPermanentRedirect, path.Base(url)+"/")
+				target += "/"
 			}
 			if len(r.URL.Path) != len(target) || r.URL.Path != target {
 				w.WriteHeader(StatusPermanentRedirect, target)
 				return
 			}
-		} else {
+		} else if r.URL.Path[len(r.URL.Path)-1] == '/' {
 			// Remove trailing slash
-			if url[len(url)-1] == '/' {
+			w.WriteHeader(StatusPermanentRedirect, url)
 				w.WriteHeader(StatusPermanentRedirect, "../"+path.Base(url))
 				return
 			}
 		}
 	}
 	if stat.IsDir() {
 		// Redirect if the directory name doesn't end in a slash
 		url := r.URL.Path
 		if url[len(url)-1] != '/' {
 			w.WriteHeader(StatusRedirect, path.Base(url)+"/")
 			return
 		}
 		// Use contents of index.gmi if present
 		index, err := fsys.Open(path.Join(name, indexPage))
 		if err == nil {
 			defer index.Close()
 			istat, err := index.Stat()
 			if err == nil {
 				f = index
 				stat = istat
 			}
 		}
 	}
 	if stat.IsDir() {
-		// Failed to find index file
+		// Use contents of index.gmi if present
-		dirList(w, f)
+		name = path.Join(name, indexPage)
 		index, err := fsys.Open(name)
 		if err == nil {
 			defer index.Close()
 			f = index
 		} else {
 			// Failed to find index file
 			dirList(w, f)
 			return
 		}
 	}
 	// Detect mimetype from file extension
 	ext := path.Ext(name)
 	mimetype := mime.TypeByExtension(ext)
 	w.SetMediaType(mimetype)
 	io.Copy(w, f)
 }
 // ServeFile responds to the request with the contents of the named file
 // or directory. If the provided name is constructed from user input, it
 // should be sanitized before calling ServeFile.
 func ServeFile(w ResponseWriter, fsys fs.FS, name string) {
 	const indexPage = "/index.gmi"
 	// Ensure name is relative
 	if name == "/" {
 		name = "."
 	} else {
 		name = strings.TrimLeft(name, "/")
 	}
 	f, err := fsys.Open(name)
 	if err != nil {
 		w.WriteHeader(toGeminiError(err))
 		return
 	}
 	defer f.Close()
 	stat, err := f.Stat()
 	if err != nil {
 		w.WriteHeader(toGeminiError(err))
 		return
 	}
-	serveContent(w, name, f)
+	if stat.IsDir() {
 		// Use contents of index file if present
 		name = path.Join(name, indexPage)
 		index, err := fsys.Open(name)
 		if err == nil {
 			defer index.Close()
 			f = index
 		} else {
 			// Failed to find index file
 			dirList(w, f)
 			return
 		}
 	}
 	// Detect mimetype from file extension
 	ext := path.Ext(name)
 	mimetype := mime.TypeByExtension(ext)
 	w.SetMediaType(mimetype)
 	io.Copy(w, f)
 }
 func dirList(w ResponseWriter, f fs.File) {
@@ -196,7 +169,7 @@ func dirList(w ResponseWriter, f fs.File) {
 		}
 		link := LineLink{
 			Name: name,
-			URL:  (&url.URL{Path: name}).EscapedPath(),
+			URL:  "./" + url.PathEscape(name),
 		}
 		fmt.Fprintln(w, link.String())
 	}
--- a/gemini.go
+++ b/gemini.go
@@ -11,16 +11,24 @@ func init() {
 	mime.AddExtensionType(".gemini", "text/gemini")
 }
 var crlf = []byte("\r\n")
 // Errors.
 var (
 	ErrInvalidRequest  = errors.New("gemini: invalid request")
 	ErrInvalidResponse = errors.New("gemini: invalid response")
 	ErrCertificateExpired = errors.New("gemini: certificate expired")
 	// ErrBodyNotAllowed is returned by ResponseWriter.Write calls
 	// when the response status code does not permit a body.
 	ErrBodyNotAllowed = errors.New("gemini: response status code does not allow body")
 )
 var crlf = []byte("\r\n")
 func trimCRLF(b []byte) ([]byte, bool) {
 	// Check for CR
 	if len(b) < 2 || b[len(b)-2] != '\r' {
 		return nil, false
 	}
 	// Trim CRLF
 	b = b[:len(b)-2]
 	return b, true
 }
--- a/handler.go
+++ b/handler.go
@@ -14,11 +14,10 @@ import (
 // ServeGemini should write the response header and data to the ResponseWriter
 // and then return. Returning signals that the request is finished; it is not
 // valid to use the ResponseWriter after or concurrently with the completion
-// of the ServeGemini call. Handlers may also call ResponseWriter.Close to
+// of the ServeGemini call.
 // manually close the connection.
 //
-// The provided context is canceled when the client's connection is closed,
+// The provided context is canceled when the client's connection is closed
-// when ResponseWriter.Close is called, or when the ServeGemini method returns.
+// or the ServeGemini method returns.
 //
 // Handlers should not modify the provided Request.
 type Handler interface {
@@ -80,18 +79,21 @@ func StripPrefix(prefix string, h Handler) Handler {
 //
 // The new Handler calls h.ServeGemini to handle each request, but
 // if a call runs for longer than its time limit, the handler responds with a
-// 40 Temporary Failure error.  After such a timeout, writes by h to
+// 40 Temporary Failure status code and the given message in its response meta.
-// its ResponseWriter will return context.DeadlineExceeded.
+// After such a timeout, writes by h to its ResponseWriter will return
-func TimeoutHandler(h Handler, dt time.Duration) Handler {
+// context.DeadlineExceeded.
 func TimeoutHandler(h Handler, dt time.Duration, message string) Handler {
 	return &timeoutHandler{
-		h:  h,
+		h:   h,
-		dt: dt,
+		dt:  dt,
 		msg: message,
 	}
 }
 type timeoutHandler struct {
-	h  Handler
+	h   Handler
-	dt time.Duration
+	dt  time.Duration
 	msg string
 }
 func (t *timeoutHandler) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
@@ -100,7 +102,7 @@ func (t *timeoutHandler) ServeGemini(ctx context.Context, w ResponseWriter, r *R
 	buf := &bytes.Buffer{}
 	tw := &timeoutWriter{
-		wc: &contextWriter{
+		wr: &contextWriter{
 			ctx:    ctx,
 			cancel: cancel,
 			done:   ctx.Done(),
@@ -119,12 +121,12 @@ func (t *timeoutHandler) ServeGemini(ctx context.Context, w ResponseWriter, r *R
 		w.WriteHeader(tw.status, tw.meta)
 		w.Write(buf.Bytes())
 	case <-ctx.Done():
-		w.WriteHeader(StatusTemporaryFailure, "Timeout")
+		w.WriteHeader(StatusTemporaryFailure, t.msg)
 	}
 }
 type timeoutWriter struct {
-	wc          io.WriteCloser
+	wr          io.Writer
 	status      Status
 	meta        string
 	mediatype   string
@@ -139,7 +141,7 @@ func (w *timeoutWriter) Write(b []byte) (int, error) {
 	if !w.wroteHeader {
 		w.WriteHeader(StatusSuccess, w.mediatype)
 	}
-	return w.wc.Write(b)
+	return w.wr.Write(b)
 }
 func (w *timeoutWriter) WriteHeader(status Status, meta string) {
@@ -154,7 +156,3 @@ func (w *timeoutWriter) WriteHeader(status Status, meta string) {
 func (w *timeoutWriter) Flush() error {
 	return nil
 }
 func (w *timeoutWriter) Close() error {
 	return w.wc.Close()
 }
--- a/io.go
+++ b/io.go
@@ -1,7 +1,6 @@
 package gemini
 import (
 	"bufio"
 	"context"
 	"io"
 )
@@ -75,30 +74,3 @@ func (nopReadCloser) Read(p []byte) (int, error) {
 func (nopReadCloser) Close() error {
 	return nil
 }
 type bufReadCloser struct {
 	br *bufio.Reader // used until empty
 	io.ReadCloser
 }
 func newBufReadCloser(br *bufio.Reader, rc io.ReadCloser) io.ReadCloser {
 	body := &bufReadCloser{ReadCloser: rc}
 	if br.Buffered() != 0 {
 		body.br = br
 	}
 	return body
 }
 func (b *bufReadCloser) Read(p []byte) (n int, err error) {
 	if b.br != nil {
 		if n := b.br.Buffered(); len(p) > n {
 			p = p[:n]
 		}
 		n, err = b.br.Read(p)
 		if b.br.Buffered() == 0 {
 			b.br = nil
 		}
 		return n, err
 	}
 	return b.ReadCloser.Read(p)
 }
--- a/middleware.go
+++ b/middleware.go
@@ -0,0 +1,58 @@
 package gemini
 import (
 	"context"
 	"log"
 )
 // LoggingMiddleware returns a handler that wraps h and logs Gemini requests
 // and their responses to the log package's standard logger.
 // Requests are logged with the format "gemini: {host} {URL} {status code} {bytes written}".
 func LoggingMiddleware(h Handler) Handler {
 	return HandlerFunc(func(ctx context.Context, w ResponseWriter, r *Request) {
 		lw := &logResponseWriter{rw: w}
 		h.ServeGemini(ctx, lw, r)
 		host := r.ServerName()
 		log.Printf("gemini: %s %q %d %d", host, r.URL, lw.Status, lw.Wrote)
 	})
 }
 type logResponseWriter struct {
 	Status      Status
 	Wrote       int
 	rw          ResponseWriter
 	mediatype   string
 	wroteHeader bool
 }
 func (w *logResponseWriter) SetMediaType(mediatype string) {
 	w.mediatype = mediatype
 }
 func (w *logResponseWriter) Write(b []byte) (int, error) {
 	if !w.wroteHeader {
 		meta := w.mediatype
 		if meta == "" {
 			// Use default media type
 			meta = defaultMediaType
 		}
 		w.WriteHeader(StatusSuccess, meta)
 	}
 	n, err := w.rw.Write(b)
 	w.Wrote += n
 	return n, err
 }
 func (w *logResponseWriter) WriteHeader(status Status, meta string) {
 	if w.wroteHeader {
 		return
 	}
 	w.wroteHeader = true
 	w.Status = status
 	w.Wrote += len(meta) + 5
 	w.rw.WriteHeader(status, meta)
 }
 func (w *logResponseWriter) Flush() error {
 	return nil
 }
--- a/mux.go
+++ b/mux.go
@@ -1,3 +1,7 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE-GO file.
 package gemini
 import (
@@ -10,7 +14,7 @@ import (
 	"sync"
 )
-// ServeMux is a Gemini request multiplexer.
+// Mux is a Gemini request multiplexer.
 // It matches the URL of each incoming request against a list of registered
 // patterns and calls the handler for the pattern that
 // most closely matches the URL.
@@ -28,58 +32,42 @@ import (
 // the pattern "/" matches all paths not matched by other registered
 // patterns, not just the URL with Path == "/".
 //
-// Patterns may also contain schemes and hostnames.
+// Patterns may optionally begin with a host name, restricting matches to
-// Wildcard patterns can be used to match multiple hostnames (e.g. "*.example.com").
+// URLs on that host only. Host-specific patterns take precedence over
 // general patterns, so that a handler might register for the two patterns
 // "/search" and "search.example.com/" without also taking over requests
 // for "gemini://example.com/".
 //
-// The following are examples of valid patterns, along with the scheme,
+// Wildcard patterns can be used to match multiple hostnames. For example,
-// hostname, and path that they match.
+// the pattern "*.example.com" will match requests for "blog.example.com"
-//
+// and "gemini.example.com", but not "example.org".
 //     Pattern                      │ Scheme │ Hostname │ Path
 //     ─────────────────────────────┼────────┼──────────┼─────────────
 //     /file                        │ gemini │ *        │ /file
 //     /directory/                  │ gemini │ *        │ /directory/*
 //     hostname/file                │ gemini │ hostname │ /file
 //     hostname/directory/          │ gemini │ hostname │ /directory/*
 //     scheme://hostname/file       │ scheme │ hostname │ /file
 //     scheme://hostname/directory/ │ scheme │ hostname │ /directory/*
 //     //hostname/file              │ *      │ hostname │ /file
 //     //hostname/directory/        │ *      │ hostname │ /directory/*
 //     scheme:///file               │ scheme │ *        │ /file
 //     scheme:///directory/         │ scheme │ *        │ /directory/*
 //     ///file                      │ *      │ *        │ /file
 //     ///directory/                │ *      │ *        │ /directory/*
 //
 // A pattern without a hostname will match any hostname.
 // If a pattern begins with "//", it will match any scheme.
 // Otherwise, a pattern with no scheme is treated as though it has a
 // scheme of "gemini".
 //
 // If a subtree has been registered and a request is received naming the
-// subtree root without its trailing slash, ServeMux redirects that
+// subtree root without its trailing slash, Mux redirects that
 // request to the subtree root (adding the trailing slash). This behavior can
 // be overridden with a separate registration for the path without
-// the trailing slash. For example, registering "/images/" causes ServeMux
+// the trailing slash. For example, registering "/images/" causes Mux
 // to redirect a request for "/images" to "/images/", unless "/images" has
 // been registered separately.
 //
-// ServeMux also takes care of sanitizing the URL request path and
+// Mux also takes care of sanitizing the URL request path and
 // redirecting any request containing . or .. elements or repeated slashes
 // to an equivalent, cleaner URL.
-type ServeMux struct {
+type Mux struct {
 	mu sync.RWMutex
-	m  map[muxKey]Handler
+	m  map[hostpath]Handler
 	es []muxEntry // slice of entries sorted from longest to shortest
 }
-type muxKey struct {
+type hostpath struct {
-	scheme string
+	host string
-	host   string
+	path string
 	path   string
 }
 type muxEntry struct {
 	handler Handler
-	key     muxKey
+	host    string
 	path    string
 }
 // cleanPath returns the canonical path for p, eliminating . and .. elements.
@@ -106,24 +94,17 @@ func cleanPath(p string) string {
 // Find a handler on a handler map given a path string.
 // Most-specific (longest) pattern wins.
-func (mux *ServeMux) match(key muxKey) Handler {
+func (mux *Mux) match(host, path string) Handler {
 	// Check for exact match first.
-	if r, ok := mux.m[key]; ok {
+	if h, ok := mux.m[hostpath{host, path}]; ok {
-		return r
+		return h
 	} else if r, ok := mux.m[muxKey{"", key.host, key.path}]; ok {
 		return r
 	} else if r, ok := mux.m[muxKey{key.scheme, "", key.path}]; ok {
 		return r
 	} else if r, ok := mux.m[muxKey{"", "", key.path}]; ok {
 		return r
 	}
 	// Check for longest valid match.  mux.es contains all patterns
 	// that end in / sorted from longest to shortest.
 	for _, e := range mux.es {
-		if (e.key.scheme == "" || key.scheme == e.key.scheme) &&
+		if len(e.host) == len(host) && e.host == host &&
-			(e.key.host == "" || key.host == e.key.host) &&
+			strings.HasPrefix(path, e.path) {
 			strings.HasPrefix(key.path, e.key.path) {
 			return e.handler
 		}
 	}
@@ -134,31 +115,32 @@ func (mux *ServeMux) match(key muxKey) Handler {
 // This occurs when a handler for path + "/" was already registered, but
 // not for path itself. If the path needs appending to, it creates a new
 // URL, setting the path to u.Path + "/" and returning true to indicate so.
-func (mux *ServeMux) redirectToPathSlash(key muxKey, u *url.URL) (*url.URL, bool) {
+func (mux *Mux) redirectToPathSlash(host, path string, u *url.URL) (*url.URL, bool) {
 	mux.mu.RLock()
-	shouldRedirect := mux.shouldRedirectRLocked(key)
+	shouldRedirect := mux.shouldRedirectRLocked(host, path)
 	mux.mu.RUnlock()
 	if !shouldRedirect {
 		return u, false
 	}
-	return u.ResolveReference(&url.URL{Path: key.path + "/"}), true
+	return u.ResolveReference(&url.URL{Path: path + "/"}), true
 }
 // shouldRedirectRLocked reports whether the given path and host should be redirected to
 // path+"/". This should happen if a handler is registered for path+"/" but
-// not path -- see comments at ServeMux.
+// not path -- see comments at Mux.
-func (mux *ServeMux) shouldRedirectRLocked(key muxKey) bool {
+func (mux *Mux) shouldRedirectRLocked(host, path string) bool {
-	if _, exist := mux.m[key]; exist {
+	if _, exist := mux.m[hostpath{host, path}]; exist {
 		return false
 	}
-	n := len(key.path)
+	n := len(path)
 	if n == 0 {
 		return false
 	}
-	if _, exist := mux.m[muxKey{key.scheme, key.host, key.path + "/"}]; exist {
+	if _, exist := mux.m[hostpath{host, path + "/"}]; exist {
-		return key.path[n-1] != '/'
+		return path[n-1] != '/'
 	}
 	return false
 }
@@ -177,14 +159,18 @@ func getWildcard(hostname string) (string, bool) {
 // the path is not in its canonical form, the handler will be an
 // internally-generated handler that redirects to the canonical path. If the
 // host contains a port, it is ignored when matching handlers.
-func (mux *ServeMux) Handler(r *Request) Handler {
+func (mux *Mux) Handler(r *Request) Handler {
-	scheme := r.URL.Scheme
+	// Disallow non-Gemini schemes
 	if r.URL.Scheme != "gemini" {
 		return NotFoundHandler()
 	}
 	host := r.URL.Hostname()
 	path := cleanPath(r.URL.Path)
 	// If the given path is /tree and its handler is not registered,
 	// redirect for /tree/.
-	if u, ok := mux.redirectToPathSlash(muxKey{scheme, host, path}, r.URL); ok {
+	if u, ok := mux.redirectToPathSlash(host, path, r.URL); ok {
 		return StatusHandler(StatusPermanentRedirect, u.String())
 	}
@@ -197,29 +183,43 @@ func (mux *ServeMux) Handler(r *Request) Handler {
 	mux.mu.RLock()
 	defer mux.mu.RUnlock()
-	h := mux.match(muxKey{scheme, host, path})
+	h := mux.match(host, path)
 	if h == nil {
 		// Try wildcard
 		if wildcard, ok := getWildcard(host); ok {
-			h = mux.match(muxKey{scheme, wildcard, path})
+			if u, ok := mux.redirectToPathSlash(wildcard, path, r.URL); ok {
 				return StatusHandler(StatusPermanentRedirect, u.String())
 			}
 			h = mux.match(wildcard, path)
 		}
 	}
 	if h == nil {
 		// Try empty host
 		if u, ok := mux.redirectToPathSlash("", path, r.URL); ok {
 			return StatusHandler(StatusPermanentRedirect, u.String())
 		}
 		h = mux.match("", path)
 	}
 	if h == nil {
 		h = NotFoundHandler()
 	}
 	return h
 }
 // ServeGemini dispatches the request to the handler whose
 // pattern most closely matches the request URL.
-func (mux *ServeMux) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
+func (mux *Mux) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
 	h := mux.Handler(r)
 	h.ServeGemini(ctx, w, r)
 }
 // Handle registers the handler for the given pattern.
 // If a handler already exists for pattern, Handle panics.
-func (mux *ServeMux) Handle(pattern string, handler Handler) {
+func (mux *Mux) Handle(pattern string, handler Handler) {
 	if pattern == "" {
 		panic("gemini: invalid pattern")
 	}
@@ -230,48 +230,32 @@ func (mux *ServeMux) Handle(pattern string, handler Handler) {
 	mux.mu.Lock()
 	defer mux.mu.Unlock()
-	var key muxKey
+	var host, path string
 	if strings.HasPrefix(pattern, "//") {
 		// match any scheme
 		key.scheme = ""
 		pattern = pattern[2:]
 	} else {
 		// extract scheme
 		cut := strings.Index(pattern, "://")
 		if cut == -1 {
 			// default scheme of gemini
 			key.scheme = "gemini"
 		} else {
 			key.scheme = pattern[:cut]
 			pattern = pattern[cut+3:]
 		}
 	}
 	// extract hostname and path
 	cut := strings.Index(pattern, "/")
 	if cut == -1 {
-		key.host = pattern
+		host = pattern
-		key.path = "/"
+		path = "/"
 	} else {
-		key.host = pattern[:cut]
+		host = pattern[:cut]
-		key.path = pattern[cut:]
+		path = pattern[cut:]
 	}
 	// strip port from hostname
-	if hostname, _, err := net.SplitHostPort(key.host); err == nil {
+	if hostname, _, err := net.SplitHostPort(host); err == nil {
-		key.host = hostname
+		host = hostname
 	}
-	if _, exist := mux.m[key]; exist {
+	if _, exist := mux.m[hostpath{host, path}]; exist {
 		panic("gemini: multiple registrations for " + pattern)
 	}
 	if mux.m == nil {
-		mux.m = make(map[muxKey]Handler)
+		mux.m = make(map[hostpath]Handler)
 	}
-	mux.m[key] = handler
+	mux.m[hostpath{host, path}] = handler
-	e := muxEntry{handler, key}
+	e := muxEntry{handler, host, path}
-	if key.path[len(key.path)-1] == '/' {
+	if path[len(path)-1] == '/' {
 		mux.es = appendSorted(mux.es, e)
 	}
 }
@@ -279,9 +263,7 @@ func (mux *ServeMux) Handle(pattern string, handler Handler) {
 func appendSorted(es []muxEntry, e muxEntry) []muxEntry {
 	n := len(es)
 	i := sort.Search(n, func(i int) bool {
-		return len(es[i].key.scheme) < len(e.key.scheme) ||
+		return len(es[i].path) < len(e.path)
 			len(es[i].key.host) < len(es[i].key.host) ||
 			len(es[i].key.path) < len(e.key.path)
 	})
 	if i == n {
 		return append(es, e)
@@ -294,6 +276,6 @@ func appendSorted(es []muxEntry, e muxEntry) []muxEntry {
 }
 // HandleFunc registers the handler function for the given pattern.
-func (mux *ServeMux) HandleFunc(pattern string, handler HandlerFunc) {
+func (mux *Mux) HandleFunc(pattern string, handler HandlerFunc) {
 	mux.Handle(pattern, handler)
 }
--- a/mux_test.go
+++ b/mux_test.go
@@ -2,6 +2,7 @@ package gemini
 import (
 	"context"
 	"io"
 	"net/url"
 	"testing"
 )
@@ -10,7 +11,222 @@ type nopHandler struct{}
 func (*nopHandler) ServeGemini(context.Context, ResponseWriter, *Request) {}
-func TestServeMuxMatch(t *testing.T) {
+type nopResponseWriter struct {
 	Status Status
 	Meta   string
 }
 func (w *nopResponseWriter) WriteHeader(status Status, meta string) {
 	w.Status = status
 	w.Meta = meta
 }
 func (nopResponseWriter) SetMediaType(mediatype string) {}
 func (nopResponseWriter) Write(b []byte) (int, error)   { return 0, io.EOF }
 func (nopResponseWriter) Flush() error                  { return nil }
 func TestMux(t *testing.T) {
 	type Test struct {
 		URL      string
 		Pattern  string
 		Redirect string
 		NotFound bool
 	}
 	tests := []struct {
 		Patterns []string
 		Tests    []Test
 	}{
 		{
 			Patterns: []string{"/a", "/b/", "/b/c/d", "/b/c/d/"},
 			Tests: []Test{
 				{
 					URL:      "gemini://example.com",
 					Redirect: "gemini://example.com/",
 				},
 				{
 					URL:      "gemini://example.com/",
 					NotFound: true,
 				},
 				{
 					URL:      "gemini://example.com/c",
 					NotFound: true,
 				},
 				{
 					URL:     "gemini://example.com/a",
 					Pattern: "/a",
 				},
 				{
 					URL:      "gemini://example.com/a/",
 					NotFound: true,
 				},
 				{
 					URL:      "gemini://example.com/b",
 					Redirect: "gemini://example.com/b/",
 				},
 				{
 					URL:     "gemini://example.com/b/",
 					Pattern: "/b/",
 				},
 				{
 					URL:     "gemini://example.com/b/c",
 					Pattern: "/b/",
 				},
 				{
 					URL:     "gemini://example.com/b/c/d",
 					Pattern: "/b/c/d",
 				},
 				{
 					URL:     "gemini://example.com/b/c/d/e/",
 					Pattern: "/b/c/d/",
 				},
 			},
 		},
 		{
 			Patterns: []string{
 				"/", "/a", "/b/",
 				"example.com", "example.com/a", "example.com/b/",
 				"*.example.com", "*.example.com/a", "*.example.com/b/",
 			},
 			Tests: []Test{
 				{
 					URL:     "gemini://example.net/",
 					Pattern: "/",
 				},
 				{
 					URL:     "gemini://example.net/a",
 					Pattern: "/a",
 				},
 				{
 					URL:      "gemini://example.net/b",
 					Redirect: "gemini://example.net/b/",
 				},
 				{
 					URL:     "gemini://example.net/b/",
 					Pattern: "/b/",
 				},
 				{
 					URL:     "gemini://example.com/",
 					Pattern: "example.com",
 				},
 				{
 					URL:      "gemini://example.com/b",
 					Redirect: "gemini://example.com/b/",
 				},
 				{
 					URL:     "gemini://example.com/b/",
 					Pattern: "example.com/b/",
 				},
 				{
 					URL:     "gemini://a.example.com/",
 					Pattern: "*.example.com",
 				},
 				{
 					URL:     "gemini://b.example.com/a",
 					Pattern: "*.example.com/a",
 				},
 				{
 					URL:      "gemini://c.example.com/b",
 					Redirect: "gemini://c.example.com/b/",
 				},
 				{
 					URL:     "gemini://d.example.com/b/",
 					Pattern: "*.example.com/b/",
 				},
 			},
 		},
 		{
 			Patterns: []string{"example.net", "*.example.org"},
 			Tests: []Test{
 				{
 					// The following redirect occurs as a result of cleaning
 					// the path provided to the Mux. This happens even if there
 					// are no matching handlers.
 					URL:      "gemini://example.com",
 					Redirect: "gemini://example.com/",
 				},
 				{
 					URL:      "gemini://example.com/",
 					NotFound: true,
 				},
 				{
 					URL:      "gemini://example.net",
 					Redirect: "gemini://example.net/",
 				},
 				{
 					URL:      "gemini://example.org/",
 					NotFound: true,
 				},
 				{
 					URL:      "gemini://gemini.example.org",
 					Redirect: "gemini://gemini.example.org/",
 				},
 			},
 		},
 	}
 	for _, test := range tests {
 		type handler struct {
 			nopHandler
 			Pattern string
 		}
 		mux := &Mux{}
 		for _, pattern := range test.Patterns {
 			mux.Handle(pattern, &handler{
 				Pattern: pattern,
 			})
 		}
 		for _, test := range test.Tests {
 			u, err := url.Parse(test.URL)
 			if err != nil {
 				panic(err)
 			}
 			req := &Request{URL: u}
 			h := mux.Handler(req)
 			if h, ok := h.(*handler); ok {
 				if h.Pattern != test.Pattern {
 					t.Errorf("wrong pattern for %q: expected %q, got %q", test.URL, test.Pattern, h.Pattern)
 				}
 				continue
 			}
 			// Check redirects and NotFounds
 			w := &nopResponseWriter{}
 			h.ServeGemini(context.Background(), w, req)
 			switch w.Status {
 			case StatusNotFound:
 				if !test.NotFound {
 					t.Errorf("expected pattern for %q, got NotFound", test.URL)
 				}
 			case StatusPermanentRedirect:
 				if test.Redirect == "" {
 					t.Errorf("expected pattern for %q, got redirect to %q", test.URL, w.Meta)
 					break
 				}
 				res, err := url.Parse(test.Redirect)
 				if err != nil {
 					panic(err)
 				}
 				if w.Meta != res.String() {
 					t.Errorf("bad redirect for %q: expected %q, got %q", test.URL, res.String(), w.Meta)
 				}
 			default:
 				t.Errorf("unexpected response for %q: %d %s", test.URL, w.Status, w.Meta)
 			}
 		}
 	}
 }
 func TestMuxMatch(t *testing.T) {
 	type Match struct {
 		URL string
 		Ok  bool
@@ -21,7 +237,7 @@ func TestServeMuxMatch(t *testing.T) {
 		Matches []Match
 	}{
 		{
-			// scheme: gemini, hostname: *, path: /*
+			// hostname: *, path: /*
 			Pattern: "/",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
@@ -34,7 +250,7 @@ func TestServeMuxMatch(t *testing.T) {
 			},
 		},
 		{
-			// scheme: gemini, hostname: *, path: /path
+			// hostname: *, path: /path
 			Pattern: "/path",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
@@ -47,7 +263,7 @@ func TestServeMuxMatch(t *testing.T) {
 			},
 		},
 		{
-			// scheme: gemini, hostname: *, path: /subtree/*
+			// hostname: *, path: /subtree/*
 			Pattern: "/subtree/",
 			Matches: []Match{
 				{"gemini://example.com/subtree/", true},
@@ -62,7 +278,7 @@ func TestServeMuxMatch(t *testing.T) {
 			},
 		},
 		{
-			// scheme: gemini, hostname: example.com, path: /*
+			// hostname: example.com, path: /*
 			Pattern: "example.com",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
@@ -75,7 +291,7 @@ func TestServeMuxMatch(t *testing.T) {
 			},
 		},
 		{
-			// scheme: gemini, hostname: example.com, path: /path
+			// hostname: example.com, path: /path
 			Pattern: "example.com/path",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
@@ -88,7 +304,7 @@ func TestServeMuxMatch(t *testing.T) {
 			},
 		},
 		{
-			// scheme: gemini, hostname: example.com, path: /subtree/*
+			// hostname: example.com, path: /subtree/*
 			Pattern: "example.com/subtree/",
 			Matches: []Match{
 				{"gemini://example.com/subtree/", true},
@@ -102,170 +318,6 @@ func TestServeMuxMatch(t *testing.T) {
 				{"http://example.com/subtree/", false},
 			},
 		},
 		{
 			// scheme: http, hostname: example.com, path: /*
 			Pattern: "http://example.com",
 			Matches: []Match{
 				{"http://example.com/path", true},
 				{"http://example.com/", true},
 				{"http://example.com/path.gmi", true},
 				{"http://example.com/path/", true},
 				{"http://example.org/path", false},
 				{"gemini://example.com/path", false},
 				{"gemini://example.org/path", false},
 			},
 		},
 		{
 			// scheme: http, hostname: example.com, path: /path
 			Pattern: "http://example.com/path",
 			Matches: []Match{
 				{"http://example.com/path", true},
 				{"http://example.com/", false},
 				{"http://example.com/path.gmi", false},
 				{"http://example.com/path/", false},
 				{"http://example.org/path", false},
 				{"gemini://example.com/path", false},
 				{"gemini://example.org/path", false},
 			},
 		},
 		{
 			// scheme: http, hostname: example.com, path: /subtree/*
 			Pattern: "http://example.com/subtree/",
 			Matches: []Match{
 				{"http://example.com/subtree/", true},
 				{"http://example.com/subtree/nested/", true},
 				{"http://example.com/subtree/nested/file", true},
 				{"http://example.org/subtree/", false},
 				{"http://example.org/subtree/nested/", false},
 				{"http://example.org/subtree/nested/file", false},
 				{"http://example.com/subtree", false},
 				{"http://www.example.com/subtree/", false},
 				{"gemini://example.com/subtree/", false},
 			},
 		},
 		{
 			// scheme: *, hostname: example.com, path: /*
 			Pattern: "//example.com",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
 				{"gemini://example.com/", true},
 				{"gemini://example.com/path.gmi", true},
 				{"gemini://example.com/path/", true},
 				{"gemini://example.org/path", false},
 				{"http://example.com/path", true},
 				{"http://example.org/path", false},
 			},
 		},
 		{
 			// scheme: *, hostname: example.com, path: /path
 			Pattern: "//example.com/path",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
 				{"gemini://example.com/", false},
 				{"gemini://example.com/path.gmi", false},
 				{"gemini://example.com/path/", false},
 				{"gemini://example.org/path", false},
 				{"http://example.com/path", true},
 				{"http://example.org/path", false},
 			},
 		},
 		{
 			// scheme: *, hostname: example.com, path: /subtree/*
 			Pattern: "//example.com/subtree/",
 			Matches: []Match{
 				{"gemini://example.com/subtree/", true},
 				{"gemini://example.com/subtree/nested/", true},
 				{"gemini://example.com/subtree/nested/file", true},
 				{"gemini://example.org/subtree/", false},
 				{"gemini://example.org/subtree/nested/", false},
 				{"gemini://example.org/subtree/nested/file", false},
 				{"gemini://example.com/subtree", false},
 				{"gemini://www.example.com/subtree/", false},
 				{"http://example.com/subtree/", true},
 			},
 		},
 		{
 			// scheme: http, hostname: *, path: /*
 			Pattern: "http://",
 			Matches: []Match{
 				{"http://example.com/path", true},
 				{"http://example.com/", true},
 				{"http://example.com/path.gmi", true},
 				{"http://example.com/path/", true},
 				{"http://example.org/path", true},
 				{"gemini://example.com/path", false},
 				{"gemini://example.org/path", false},
 			},
 		},
 		{
 			// scheme: http, hostname: *, path: /path
 			Pattern: "http:///path",
 			Matches: []Match{
 				{"http://example.com/path", true},
 				{"http://example.com/", false},
 				{"http://example.com/path.gmi", false},
 				{"http://example.com/path/", false},
 				{"http://example.org/path", true},
 				{"gemini://example.com/path", false},
 				{"gemini://example.org/path", false},
 			},
 		},
 		{
 			// scheme: http, hostname: *, path: /subtree/*
 			Pattern: "http:///subtree/",
 			Matches: []Match{
 				{"http://example.com/subtree/", true},
 				{"http://example.com/subtree/nested/", true},
 				{"http://example.com/subtree/nested/file", true},
 				{"http://example.org/subtree/", true},
 				{"http://example.org/subtree/nested/", true},
 				{"http://example.org/subtree/nested/file", true},
 				{"http://example.com/subtree", false},
 				{"http://www.example.com/subtree/", true},
 				{"gemini://example.com/subtree/", false},
 			},
 		},
 		{
 			// scheme: *, hostname: *, path: /*
 			Pattern: "//",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
 				{"gemini://example.com/", true},
 				{"gemini://example.com/path.gmi", true},
 				{"gemini://example.com/path/", true},
 				{"gemini://example.org/path", true},
 				{"http://example.com/path", true},
 				{"http://example.org/path", true},
 			},
 		},
 		{
 			// scheme: *, hostname: *, path: /path
 			Pattern: "///path",
 			Matches: []Match{
 				{"gemini://example.com/path", true},
 				{"gemini://example.com/", false},
 				{"gemini://example.com/path.gmi", false},
 				{"gemini://example.com/path/", false},
 				{"gemini://example.org/path", true},
 				{"http://example.com/path", true},
 				{"http://example.org/path", true},
 			},
 		},
 		{
 			// scheme: *, hostname: *, path: /subtree/*
 			Pattern: "///subtree/",
 			Matches: []Match{
 				{"gemini://example.com/subtree/", true},
 				{"gemini://example.com/subtree/nested/", true},
 				{"gemini://example.com/subtree/nested/file", true},
 				{"gemini://example.org/subtree/", true},
 				{"gemini://example.org/subtree/nested/", true},
 				{"gemini://example.org/subtree/nested/file", true},
 				{"gemini://example.com/subtree", false},
 				{"gemini://www.example.com/subtree/", true},
 				{"http://example.com/subtree/", true},
 			},
 		},
 		{
 			// scheme: gemini, hostname: *.example.com, path: /*
 			Pattern: "*.example.com",
@@ -277,25 +329,14 @@ func TestServeMuxMatch(t *testing.T) {
 				{"http://www.example.com/", false},
 			},
 		},
 		{
 			// scheme: http, hostname: *.example.com, path: /*
 			Pattern: "http://*.example.com",
 			Matches: []Match{
 				{"http://mail.example.com/", true},
 				{"http://www.example.com/index.gmi", true},
 				{"http://example.com/", false},
 				{"http://a.b.example.com/", false},
 				{"gemini://www.example.com/", false},
 			},
 		},
 	}
-	for i, test := range tests {
+	for _, test := range tests {
 		h := &nopHandler{}
-		var mux ServeMux
+		var mux Mux
 		mux.Handle(test.Pattern, h)
-		for _, match := range tests[i].Matches {
+		for _, match := range test.Matches {
 			u, err := url.Parse(match.URL)
 			if err != nil {
 				panic(err)
--- a/request.go
+++ b/request.go
@@ -29,6 +29,7 @@ type Request struct {
 	Certificate *tls.Certificate
 	conn net.Conn
 	tls  *tls.ConnectionState
 }
 // NewRequest returns a new request.
@@ -50,60 +51,78 @@ func NewRequest(rawurl string) (*Request, error) {
 // for specialized applications; most code should use the Server
 // to read requests and handle them via the Handler interface.
 func ReadRequest(r io.Reader) (*Request, error) {
-	// Read URL
+	// Limit request size
 	r = io.LimitReader(r, 1026)
 	br := bufio.NewReaderSize(r, 1026)
-	rawurl, err := br.ReadString('\r')
+	b, err := br.ReadBytes('\n')
 	if err != nil {
 		if err == io.EOF {
 			return nil, ErrInvalidRequest
 		}
 		return nil, err
 	}
-	// Read terminating line feed
+	// Read URL
-	if b, err := br.ReadByte(); err != nil {
+	rawurl, ok := trimCRLF(b)
-		return nil, err
+	if !ok {
 	} else if b != '\n' {
 		return nil, ErrInvalidRequest
 	}
-	// Trim carriage return
+	if len(rawurl) == 0 {
 	rawurl = rawurl[:len(rawurl)-1]
 	// Validate URL
 	if len(rawurl) > 1024 {
 		return nil, ErrInvalidRequest
 	}
-	u, err := url.Parse(rawurl)
+	u, err := url.Parse(string(rawurl))
 	if err != nil {
 		return nil, err
 	}
 	return &Request{URL: u}, nil
 }
-// Write writes a Gemini request in wire format.
+// WriteTo writes r to w in the Gemini request format.
 // This method consults the request URL only.
-func (r *Request) Write(w io.Writer) error {
+func (r *Request) WriteTo(w io.Writer) (int64, error) {
 	bw := bufio.NewWriterSize(w, 1026)
 	url := r.URL.String()
 	if len(url) > 1024 {
-		return ErrInvalidRequest
+		return 0, ErrInvalidRequest
 	}
-	if _, err := bw.WriteString(url); err != nil {
+	var wrote int64
-		return err
+	n, err := bw.WriteString(url)
 	wrote += int64(n)
 	if err != nil {
 		return wrote, err
 	}
-	if _, err := bw.Write(crlf); err != nil {
+	n, err = bw.Write(crlf)
-		return err
+	wrote += int64(n)
 	if err != nil {
 		return wrote, err
 	}
-	return bw.Flush()
+	return wrote, bw.Flush()
 }
 // Conn returns the network connection on which the request was received.
 // Conn returns nil for client requests.
 func (r *Request) Conn() net.Conn {
 	return r.conn
 }
 // TLS returns information about the TLS connection on which the
 // request was received.
 // TLS returns nil for client requests.
 func (r *Request) TLS() *tls.ConnectionState {
-	if tlsConn, ok := r.conn.(*tls.Conn); ok {
+	if r.tls == nil {
-		state := tlsConn.ConnectionState()
+		if tlsConn, ok := r.conn.(*tls.Conn); ok {
-		return &state
+			state := tlsConn.ConnectionState()
 			r.tls = &state
 		}
 	}
-	return nil
+	return r.tls
 }
 // ServerName returns the value of the TLS Server Name Indication extension
 // sent by the client.
 // ServerName returns an empty string for client requests.
 func (r *Request) ServerName() string {
 	if tls := r.TLS(); tls != nil {
 		return tls.ServerName
 	}
 	return ""
 }
--- a/request_test.go
+++ b/request_test.go
@@ -2,7 +2,6 @@ package gemini
 import (
 	"bufio"
 	"io"
 	"net/url"
 	"strings"
 	"testing"
@@ -36,25 +35,25 @@ func TestReadRequest(t *testing.T) {
 		},
 		{
 			Raw: "\r\n",
-			URL: &url.URL{},
+			Err: ErrInvalidRequest,
 		},
 		{
 			Raw: "gemini://example.com\n",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			Raw: "gemini://example.com",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			// 1030 bytes
 			Raw: maxURL + "xxxxxx",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			// 1027 bytes
 			Raw: maxURL + "x" + "\r\n",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			// 1024 bytes
@@ -119,7 +118,7 @@ func TestWriteRequest(t *testing.T) {
 		t.Logf("%s", test.Req.URL)
 		var b strings.Builder
 		bw := bufio.NewWriter(&b)
-		err := test.Req.Write(bw)
+		_, err := test.Req.WriteTo(bw)
 		if err != test.Err {
 			t.Errorf("expected err = %v, got %v", test.Err, err)
 		}
--- a/response.go
+++ b/response.go
@@ -3,117 +3,104 @@ package gemini
 import (
 	"bufio"
 	"crypto/tls"
 	"fmt"
 	"io"
 	"net"
 	"strconv"
 )
 // The default media type for responses.
-const defaultMediaType = "text/gemini; charset=utf-8"
+const defaultMediaType = "text/gemini"
 // Response represents the response from a Gemini request.
 //
 // The Client returns Responses from servers once the response
 // header has been received. The response body is streamed on demand
-// as the response is read. If the network connection fails or the server
+// as the Body field is read.
 // terminates the response, Read calls return an error.
 //
 // It is the caller's responsibility to close the response.
 type Response struct {
-	status Status
+	// Status is the response status code.
-	meta   string
+	Status Status
 	body   io.ReadCloser
 	conn   net.Conn
 }
-// NewResponse returns a new response with the provided status, meta, and body.
+	// Meta returns the response meta.
-func NewResponse(status Status, meta string, body io.ReadCloser) *Response {
+	// For successful responses, the meta should contain the media type of the response.
-	return &Response{
+	// For failure responses, the meta should contain a short description of the failure.
-		status: status,
+	Meta string
-		meta:   meta,
+
-		body:   body,
+	// Body represents the response body.
-	}
+	//
 	// The response body is streamed on demand as the Body field
 	// is read. If the network connection fails or the server
 	// terminates the response, Body.Read calls return an error.
 	//
 	// The Gemini client guarantees that Body is always
 	// non-nil, even on responses without a body or responses with
 	// a zero-length body. It is the caller's responsibility to
 	// close Body.
 	Body io.ReadCloser
 	conn net.Conn
 }
 // ReadResponse reads a Gemini response from the provided io.ReadCloser.
 func ReadResponse(r io.ReadCloser) (*Response, error) {
 	resp := &Response{}
 	br := bufio.NewReader(r)
-	// Read the status
+	// Limit response header size
-	statusB := make([]byte, 2)
+	lr := io.LimitReader(r, 1029)
-	if _, err := br.Read(statusB); err != nil {
+	// Wrap the reader to remove the limit later on
 	wr := &struct{ io.Reader }{lr}
 	br := bufio.NewReader(wr)
 	// Read response header
 	b, err := br.ReadBytes('\n')
 	if err != nil {
 		if err == io.EOF {
 			return nil, ErrInvalidResponse
 		}
 		return nil, err
 	}
-	status, err := strconv.Atoi(string(statusB))
+	if len(b) < 3 {
 		return nil, ErrInvalidResponse
 	}
 	// Read the status
 	status, err := strconv.Atoi(string(b[:2]))
 	if err != nil {
 		return nil, ErrInvalidResponse
 	}
-	resp.status = Status(status)
+	resp.Status = Status(status)
 	// Read one space
-	if b, err := br.ReadByte(); err != nil {
+	if b[2] != ' ' {
 		return nil, err
 	} else if b != ' ' {
 		return nil, ErrInvalidResponse
 	}
 	// Read the meta
-	meta, err := br.ReadString('\r')
+	meta, ok := trimCRLF(b[3:])
-	if err != nil {
+	if !ok {
 		return nil, err
 	}
 	// Trim carriage return
 	meta = meta[:len(meta)-1]
 	// Ensure meta is less than or equal to 1024 bytes
 	if len(meta) > 1024 {
 		return nil, ErrInvalidResponse
 	}
-	if resp.status.Class() == StatusSuccess && meta == "" {
+	if len(meta) == 0 {
 		// Use default media type
 		meta = defaultMediaType
 	}
 	resp.meta = meta
 	// Read terminating newline
 	if b, err := br.ReadByte(); err != nil {
 		return nil, err
 	} else if b != '\n' {
 		return nil, ErrInvalidResponse
 	}
 	resp.Meta = string(meta)
-	if resp.status.Class() == StatusSuccess {
+	if resp.Status.Class() == StatusSuccess {
-		resp.body = newBufReadCloser(br, r)
+		// Use unlimited reader
 		wr.Reader = r
 		type readCloser struct {
 			io.Reader
 			io.Closer
 		}
 		resp.Body = readCloser{br, r}
 	} else {
-		resp.body = nopReadCloser{}
+		resp.Body = nopReadCloser{}
 		r.Close()
 	}
 	return resp, nil
 }
 // Status returns the response status code.
 func (r *Response) Status() Status {
 	return r.status
 }
 // Meta returns the response meta.
 // For successful responses, the meta should contain the media type of the response.
 // For failure responses, the meta should contain a short description of the failure.
 func (r *Response) Meta() string {
 	return r.meta
 }
 // Read reads data from the response body.
 // The response body is streamed on demand as Read is called.
 func (r *Response) Read(p []byte) (n int, err error) {
 	return r.body.Read(p)
 }
 // Close closes the response body.
 func (r *Response) Close() error {
 	return r.body.Close()
 }
 // Conn returns the network connection on which the response was received.
 func (r *Response) Conn() net.Conn {
 	return r.conn
@@ -129,6 +116,29 @@ func (r *Response) TLS() *tls.ConnectionState {
 	return nil
 }
 // WriteTo writes r to w in the Gemini response format, including the
 // header and body.
 //
 // This method consults the Status, Meta, and Body fields of the response.
 // The Response Body is closed after it is sent.
 func (r *Response) WriteTo(w io.Writer) (int64, error) {
 	var wrote int64
 	n, err := fmt.Fprintf(w, "%02d %s\r\n", r.Status, r.Meta)
 	wrote += int64(n)
 	if err != nil {
 		return wrote, err
 	}
 	if r.Body != nil {
 		defer r.Body.Close()
 		n, err := io.Copy(w, r.Body)
 		wrote += n
 		if err != nil {
 			return wrote, err
 		}
 	}
 	return wrote, nil
 }
 // A ResponseWriter interface is used by a Gemini handler to construct
 // a Gemini response.
 //
@@ -136,8 +146,8 @@ func (r *Response) TLS() *tls.ConnectionState {
 // has returned.
 type ResponseWriter interface {
 	// SetMediaType sets the media type that will be sent by Write for a
-	// successful response. If no media type is set, a default of
+	// successful response. If no media type is set, a default media type of
-	// "text/gemini; charset=utf-8" will be used.
+	// "text/gemini" will be used.
 	//
 	// Setting the media type after a call to Write or WriteHeader has
 	// no effect.
@@ -148,7 +158,7 @@ type ResponseWriter interface {
 	// If WriteHeader has not yet been called, Write calls WriteHeader with
 	// StatusSuccess and the media type set in SetMediaType before writing the data.
 	// If no media type was set, Write uses a default media type of
-	// "text/gemini; charset=utf-8".
+	// "text/gemini".
 	Write([]byte) (int, error)
 	// WriteHeader sends a Gemini response header with the provided
@@ -165,24 +175,18 @@ type ResponseWriter interface {
 	// Flush sends any buffered data to the client.
 	Flush() error
 	// Close closes the connection.
 	// Any blocked Write operations will be unblocked and return errors.
 	Close() error
 }
 type responseWriter struct {
 	bw          *bufio.Writer
 	cl          io.Closer
 	mediatype   string
 	wroteHeader bool
 	bodyAllowed bool
 }
-func newResponseWriter(w io.WriteCloser) *responseWriter {
+func newResponseWriter(w io.Writer) *responseWriter {
 	return &responseWriter{
 		bw: bufio.NewWriter(w),
 		cl: w,
 	}
 }
@@ -228,7 +232,3 @@ func (w *responseWriter) Flush() error {
 	// Write errors from WriteHeader will be returned here.
 	return w.bw.Flush()
 }
 func (w *responseWriter) Close() error {
 	return w.cl.Close()
 }
--- a/response_test.go
+++ b/response_test.go
@@ -38,6 +38,15 @@ func TestReadWriteResponse(t *testing.T) {
 			Meta:      "/redirect",
 			SkipWrite: true, // skip write test since result won't match Raw
 		},
 		{
 			Raw:    "32 " + maxURL + "\r\n",
 			Status: 32,
 			Meta:   maxURL,
 		},
 		{
 			Raw: "33 " + maxURL + "xxxx" + "\r\n",
 			Err: ErrInvalidResponse,
 		},
 		{
 			Raw:    "99 Unknown status code\r\n",
 			Status: 99,
@@ -57,15 +66,15 @@ func TestReadWriteResponse(t *testing.T) {
 		},
 		{
 			Raw: "",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "10 Search query",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "20 text/gemini\nHello, world!",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "20 text/gemini\rHello, world!",
@@ -73,7 +82,7 @@ func TestReadWriteResponse(t *testing.T) {
 		},
 		{
 			Raw: "20 text/gemini\r",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "abcdefghijklmnopqrstuvwxyz",
@@ -87,17 +96,17 @@ func TestReadWriteResponse(t *testing.T) {
 		if err != test.Err {
 			t.Errorf("expected err = %v, got %v", test.Err, err)
 		}
-		if test.Err != nil {
+		if err != nil {
 			// No response
 			continue
 		}
-		if resp.status != test.Status {
+		if resp.Status != test.Status {
-			t.Errorf("expected status = %d, got %d", test.Status, resp.status)
+			t.Errorf("expected status = %d, got %d", test.Status, resp.Status)
 		}
-		if resp.meta != test.Meta {
+		if resp.Meta != test.Meta {
-			t.Errorf("expected meta = %s, got %s", test.Meta, resp.meta)
+			t.Errorf("expected meta = %s, got %s", test.Meta, resp.Meta)
 		}
-		b, _ := ioutil.ReadAll(resp.body)
+		b, _ := ioutil.ReadAll(resp.Body)
 		body := string(b)
 		if body != test.Body {
 			t.Errorf("expected body = %#v, got %#v", test.Body, body)
--- a/server.go
+++ b/server.go
@@ -282,14 +282,17 @@ func (srv *Server) serve(ctx context.Context, l net.Listener) error {
 			return err
 		}
 		tempDelay = 0
-		go srv.ServeConn(ctx, rw)
+		go srv.serveConn(ctx, rw, false)
 	}
 }
-func (srv *Server) trackConn(conn *net.Conn, cancel context.CancelFunc) bool {
+func (srv *Server) trackConn(conn *net.Conn, cancel context.CancelFunc, external bool) bool {
 	srv.mu.Lock()
 	defer srv.mu.Unlock()
-	if srv.closed && !srv.shutdown {
+	// Reject the connection under the following conditions:
 	// - Shutdown or Close has been called and conn is external (from ServeConn)
 	// - Close (not Shutdown) has been called and conn is internal (from Serve)
 	if srv.closed && (external || !srv.shutdown) {
 		return false
 	}
 	if srv.conns == nil {
@@ -309,15 +312,17 @@ func (srv *Server) deleteConn(conn *net.Conn) {
 // It closes the connection when the response has been completed.
 // If the provided context expires before the response has completed,
 // ServeConn closes the connection and returns the context's error.
 //
 // Note that ServeConn can be used during a Shutdown.
 func (srv *Server) ServeConn(ctx context.Context, conn net.Conn) error {
 	return srv.serveConn(ctx, conn, true)
 }
 func (srv *Server) serveConn(ctx context.Context, conn net.Conn, external bool) error {
 	defer conn.Close()
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
-	if !srv.trackConn(&conn, cancel) {
+	if !srv.trackConn(&conn, cancel, external) {
 		return context.Canceled
 	}
 	defer srv.tryCloseDone()
@@ -332,7 +337,7 @@ func (srv *Server) ServeConn(ctx context.Context, conn net.Conn) error {
 	errch := make(chan error, 1)
 	go func() {
-		errch <- srv.serveConn(ctx, conn)
+		errch <- srv.goServeConn(ctx, conn)
 	}()
 	select {
@@ -343,7 +348,7 @@ func (srv *Server) ServeConn(ctx context.Context, conn net.Conn) error {
 	}
 }
-func (srv *Server) serveConn(ctx context.Context, conn net.Conn) error {
+func (srv *Server) goServeConn(ctx context.Context, conn net.Conn) error {
 	ctx, cancel := context.WithCancel(ctx)
 	done := ctx.Done()
 	cw := &contextWriter{
--- a/text.go
+++ b/text.go
@@ -125,8 +125,8 @@ func ParseLines(r io.Reader, handler func(Line)) error {
 				name = strings.TrimLeft(name, spacetab)
 				line = LineLink{url, name}
 			}
-		} else if strings.HasPrefix(text, "*") {
+		} else if strings.HasPrefix(text, "* ") {
-			text = text[1:]
+			text = text[2:]
 			text = strings.TrimLeft(text, spacetab)
 			line = LineListItem(text)
 		} else if strings.HasPrefix(text, "###") {
--- a/tofu/tofu.go
+++ b/tofu/tofu.go
@@ -4,17 +4,16 @@ package tofu
 import (
 	"bufio"
 	"bytes"
-	"crypto/sha512"
+	"crypto/sha256"
 	"crypto/x509"
-	"errors"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"os"
 	"path/filepath"
 	"sort"
 	"strconv"
 	"strings"
 	"sync"
 	"time"
 )
 // KnownHosts represents a list of known hosts.
@@ -84,7 +83,11 @@ func (k *KnownHosts) WriteTo(w io.Writer) (int64, error) {
 // Load loads the known hosts entries from the provided path.
 func (k *KnownHosts) Load(path string) error {
-	f, err := os.Open(path)
+	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
 		return err
 	}
 	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDONLY, 0644)
 	if err != nil {
 		return err
 	}
@@ -133,6 +136,9 @@ func (k *KnownHosts) Parse(r io.Reader) error {
 		if err != nil {
 			continue
 		}
 		if h.Algorithm != "sha256" {
 			continue
 		}
 		k.hosts[h.Hostname] = h
 	}
@@ -143,22 +149,17 @@ func (k *KnownHosts) Parse(r io.Reader) error {
 // TOFU implements basic trust on first use.
 //
 // If the host is not on file, it is added to the list.
 // If the host on file is expired, a new entry is added to the list.
 // If the fingerprint does not match the one on file, an error is returned.
 func (k *KnownHosts) TOFU(hostname string, cert *x509.Certificate) error {
-	host := NewHost(hostname, cert.Raw, cert.NotAfter)
+	host := NewHost(hostname, cert.Raw)
 	knownHost, ok := k.Lookup(hostname)
-	if !ok || time.Now().After(knownHost.Expires) {
+	if !ok {
 		k.Add(host)
 		return nil
 	}
-
+	if host.Fingerprint != knownHost.Fingerprint {
 	// Check fingerprint
 	if !bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
 		return fmt.Errorf("fingerprint for %q does not match", hostname)
 	}
 	return nil
 }
@@ -266,21 +267,16 @@ func (p *PersistentHosts) Entries() []Host {
 // TOFU implements trust on first use with a persistent set of known hosts.
 //
 // If the host is not on file, it is added to the list.
 // If the host on file is expired, a new entry is added to the list.
 // If the fingerprint does not match the one on file, an error is returned.
 func (p *PersistentHosts) TOFU(hostname string, cert *x509.Certificate) error {
-	host := NewHost(hostname, cert.Raw, cert.NotAfter)
+	host := NewHost(hostname, cert.Raw)
 	knownHost, ok := p.Lookup(hostname)
-	if !ok || time.Now().After(knownHost.Expires) {
+	if !ok {
 		return p.Add(host)
 	}
-
+	if host.Fingerprint != knownHost.Fingerprint {
 	// Check fingerprint
 	if !bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
 		return fmt.Errorf("fingerprint for %q does not match", hostname)
 	}
 	return nil
 }
@@ -291,22 +287,20 @@ func (p *PersistentHosts) Close() error {
 // Host represents a host entry with a fingerprint using a certain algorithm.
 type Host struct {
-	Hostname    string      // hostname
+	Hostname    string // hostname
-	Algorithm   string      // fingerprint algorithm e.g. SHA-512
+	Algorithm   string // fingerprint algorithm e.g. sha256
-	Fingerprint Fingerprint // fingerprint
+	Fingerprint string // fingerprint
 	Expires     time.Time   // unix time of the fingerprint expiration date
 }
-// NewHost returns a new host with a SHA-512 fingerprint of
+// NewHost returns a new host with a SHA256 fingerprint of
 // the provided raw data.
-func NewHost(hostname string, raw []byte, expires time.Time) Host {
+func NewHost(hostname string, raw []byte) Host {
-	sum := sha512.Sum512(raw)
+	sum := sha256.Sum256(raw)
 	return Host{
 		Hostname:    hostname,
-		Algorithm:   "SHA-512",
+		Algorithm:   "sha256",
-		Fingerprint: sum[:],
+		Fingerprint: base64.StdEncoding.EncodeToString(sum[:]),
 		Expires:     expires,
 	}
 }
@@ -324,95 +318,19 @@ func (h Host) String() string {
 	b.WriteByte(' ')
 	b.WriteString(h.Algorithm)
 	b.WriteByte(' ')
-	b.WriteString(h.Fingerprint.String())
+	b.WriteString(h.Fingerprint)
 	b.WriteByte(' ')
 	b.WriteString(strconv.FormatInt(h.Expires.Unix(), 10))
 	return b.String()
 }
 // UnmarshalText unmarshals the host from the provided text.
 func (h *Host) UnmarshalText(text []byte) error {
 	const format = "hostname algorithm hex-fingerprint expiry-unix-ts"
 	parts := bytes.Split(text, []byte(" "))
-	if len(parts) != 4 {
+	if len(parts) != 3 {
-		return fmt.Errorf("expected the format %q", format)
+		return fmt.Errorf("expected the format 'hostname algorithm fingerprint'")
 	}
 	if len(parts[0]) == 0 {
 		return errors.New("empty hostname")
 	}
 	h.Hostname = string(parts[0])
-
+	h.Algorithm = string(parts[1])
-	algorithm := string(parts[1])
+	h.Fingerprint = string(parts[2])
 	if algorithm != "SHA-512" {
 		return fmt.Errorf("unsupported algorithm %q", algorithm)
 	}
 	h.Algorithm = algorithm
 	fingerprint := make([]byte, 0, sha512.Size)
 	scanner := bufio.NewScanner(bytes.NewReader(parts[2]))
 	scanner.Split(scanFingerprint)
 	for scanner.Scan() {
 		b, err := strconv.ParseUint(scanner.Text(), 16, 8)
 		if err != nil {
 			return fmt.Errorf("failed to parse fingerprint hash: %w", err)
 		}
 		fingerprint = append(fingerprint, byte(b))
 	}
 	if len(fingerprint) != sha512.Size {
 		return fmt.Errorf("invalid fingerprint size %d, expected %d",
 			len(fingerprint), sha512.Size)
 	}
 	h.Fingerprint = fingerprint
 	unix, err := strconv.ParseInt(string(parts[3]), 10, 0)
 	if err != nil {
 		return fmt.Errorf("invalid unix timestamp: %w", err)
 	}
 	h.Expires = time.Unix(unix, 0)
 	return nil
 }
 func scanFingerprint(data []byte, atEOF bool) (advance int, token []byte, err error) {
 	if atEOF && len(data) == 0 {
 		return 0, nil, nil
 	}
 	if i := bytes.IndexByte(data, ':'); i >= 0 {
 		// We have a full newline-terminated line.
 		return i + 1, data[0:i], nil
 	}
 	// If we're at EOF, we have a final, non-terminated hex byte
 	if atEOF {
 		return len(data), data, nil
 	}
 	// Request more data.
 	return 0, nil, nil
 }
 // Fingerprint represents a fingerprint.
 type Fingerprint []byte
 // String returns a string representation of the fingerprint.
 func (f Fingerprint) String() string {
 	var sb strings.Builder
 	for i, b := range f {
 		if i > 0 {
 			sb.WriteByte(':')
 		}
 		fmt.Fprintf(&sb, "%02X", b)
 	}
 	return sb.String()
 }
--- a/vendor.go
+++ b/vendor.go
@@ -1,212 +0,0 @@
 // Hostname verification code from the crypto/x509 package.
 // Modified to allow Common Names in the short term, until new certificates
 // can be issued with SANs.
 // Copyright 2011 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 package gemini
 import (
 	"crypto/x509"
 	"net"
 	"strings"
 	"unicode/utf8"
 )
 var oidExtensionSubjectAltName = []int{2, 5, 29, 17}
 func hasSANExtension(c *x509.Certificate) bool {
 	for _, e := range c.Extensions {
 		if e.Id.Equal(oidExtensionSubjectAltName) {
 			return true
 		}
 	}
 	return false
 }
 func validHostnamePattern(host string) bool { return validHostname(host, true) }
 func validHostnameInput(host string) bool   { return validHostname(host, false) }
 // validHostname reports whether host is a valid hostname that can be matched or
 // matched against according to RFC 6125 2.2, with some leniency to accommodate
 // legacy values.
 func validHostname(host string, isPattern bool) bool {
 	if !isPattern {
 		host = strings.TrimSuffix(host, ".")
 	}
 	if len(host) == 0 {
 		return false
 	}
 	for i, part := range strings.Split(host, ".") {
 		if part == "" {
 			// Empty label.
 			return false
 		}
 		if isPattern && i == 0 && part == "*" {
 			// Only allow full left-most wildcards, as those are the only ones
 			// we match, and matching literal '*' characters is probably never
 			// the expected behavior.
 			continue
 		}
 		for j, c := range part {
 			if 'a' <= c && c <= 'z' {
 				continue
 			}
 			if '0' <= c && c <= '9' {
 				continue
 			}
 			if 'A' <= c && c <= 'Z' {
 				continue
 			}
 			if c == '-' && j != 0 {
 				continue
 			}
 			if c == '_' {
 				// Not a valid character in hostnames, but commonly
 				// found in deployments outside the WebPKI.
 				continue
 			}
 			return false
 		}
 	}
 	return true
 }
 // commonNameAsHostname reports whether the Common Name field should be
 // considered the hostname that the certificate is valid for. This is a legacy
 // behavior, disabled by default or if the Subject Alt Name extension is present.
 //
 // It applies the strict validHostname check to the Common Name field, so that
 // certificates without SANs can still be validated against CAs with name
 // constraints if there is no risk the CN would be matched as a hostname.
 // See NameConstraintsWithoutSANs and issue 24151.
 func commonNameAsHostname(c *x509.Certificate) bool {
 	return !hasSANExtension(c) && validHostnamePattern(c.Subject.CommonName)
 }
 func matchExactly(hostA, hostB string) bool {
 	if hostA == "" || hostA == "." || hostB == "" || hostB == "." {
 		return false
 	}
 	return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB)
 }
 func matchHostnames(pattern, host string) bool {
 	pattern = toLowerCaseASCII(pattern)
 	host = toLowerCaseASCII(strings.TrimSuffix(host, "."))
 	if len(pattern) == 0 || len(host) == 0 {
 		return false
 	}
 	patternParts := strings.Split(pattern, ".")
 	hostParts := strings.Split(host, ".")
 	if len(patternParts) != len(hostParts) {
 		return false
 	}
 	for i, patternPart := range patternParts {
 		if i == 0 && patternPart == "*" {
 			continue
 		}
 		if patternPart != hostParts[i] {
 			return false
 		}
 	}
 	return true
 }
 // toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use
 // an explicitly ASCII function to avoid any sharp corners resulting from
 // performing Unicode operations on DNS labels.
 func toLowerCaseASCII(in string) string {
 	// If the string is already lower-case then there's nothing to do.
 	isAlreadyLowerCase := true
 	for _, c := range in {
 		if c == utf8.RuneError {
 			// If we get a UTF-8 error then there might be
 			// upper-case ASCII bytes in the invalid sequence.
 			isAlreadyLowerCase = false
 			break
 		}
 		if 'A' <= c && c <= 'Z' {
 			isAlreadyLowerCase = false
 			break
 		}
 	}
 	if isAlreadyLowerCase {
 		return in
 	}
 	out := []byte(in)
 	for i, c := range out {
 		if 'A' <= c && c <= 'Z' {
 			out[i] += 'a' - 'A'
 		}
 	}
 	return string(out)
 }
 // verifyHostname returns nil if c is a valid certificate for the named host.
 // Otherwise it returns an error describing the mismatch.
 //
 // IP addresses can be optionally enclosed in square brackets and are checked
 // against the IPAddresses field. Other names are checked case insensitively
 // against the DNSNames field. If the names are valid hostnames, the certificate
 // fields can have a wildcard as the left-most label.
 //
 // The legacy Common Name field is ignored unless it's a valid hostname, the
 // certificate doesn't have any Subject Alternative Names, and the GODEBUG
 // environment variable is set to "x509ignoreCN=0". Support for Common Name is
 // deprecated will be entirely removed in the future.
 func verifyHostname(c *x509.Certificate, h string) error {
 	// IP addresses may be written in [ ].
 	candidateIP := h
 	if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' {
 		candidateIP = h[1 : len(h)-1]
 	}
 	if ip := net.ParseIP(candidateIP); ip != nil {
 		// We only match IP addresses against IP SANs.
 		// See RFC 6125, Appendix B.2.
 		for _, candidate := range c.IPAddresses {
 			if ip.Equal(candidate) {
 				return nil
 			}
 		}
 		return x509.HostnameError{c, candidateIP}
 	}
 	names := c.DNSNames
 	if commonNameAsHostname(c) {
 		names = []string{c.Subject.CommonName}
 	}
 	candidateName := toLowerCaseASCII(h) // Save allocations inside the loop.
 	validCandidateName := validHostnameInput(candidateName)
 	for _, match := range names {
 		// Ideally, we'd only match valid hostnames according to RFC 6125 like
 		// browsers (more or less) do, but in practice Go is used in a wider
 		// array of contexts and can't even assume DNS resolution. Instead,
 		// always allow perfect matches, and only apply wildcard and trailing
 		// dot processing to valid hostnames.
 		if validCandidateName && validHostnamePattern(match) {
 			if matchHostnames(match, candidateName) {
 				return nil
 			}
 		} else {
 			if matchExactly(match, candidateName) {
 				return nil
 			}
 		}
 	}
 	return x509.HostnameError{c, h}
 }
Author	SHA1	Message	Date
Adnan Maolood	b0f27c6f74	fs: Prevent invalid directory links A file with a name like "gemini:example" would previously result in the following invalid link: => gemini:example gemini:example Fix by prepending a "./" before each filename, so that the resulting link looks like: => ./gemini:example gemini:example	2022-05-07 13:54:56 -04:00
Yujiri	8c0af18617	Fix parsing of list item lines According to section 5.5.2 of the Gemini specification (v0.16.1), the space is mandatory.	2022-03-15 11:07:04 -04:00
Adnan Maolood	353416685a	doc: Fix Mux documentation	2022-02-16 12:01:55 -05:00
Adnan Maolood	0ceec22705	readme: Update Gemini specification version	2021-12-18 12:51:04 -05:00
Adnan Maolood	3d2110d90f	mux: Tweak documentation	2021-06-26 20:26:30 -04:00
Adnan Maolood	b5c47a5ef0	mux: Add more tests	2021-06-26 20:16:38 -04:00
Adnan Maolood	fb0d4d24bd	mux: Remove support for handling schemes Also fix redirection to subtree roots for wildcard patterns and patterns without a host name.	2021-06-26 18:50:09 -04:00
Adnan Maolood	1170e007d4	fs: Avoid equality check if lengths don't match	2021-04-21 12:48:27 -04:00
Adnan Maolood	c85759d777	fs: Improve redirect behavior	2021-04-21 12:41:56 -04:00
Adnan Maolood	507773618b	fs: Refactor	2021-04-21 12:18:52 -04:00
Adnan Maolood	3bc243dd66	fs: Remove ServeContent function	2021-04-21 11:41:40 -04:00
Adnan Maolood	de93d44786	LoggingMiddleware: Prevent writing empty meta	2021-04-21 11:38:34 -04:00
Adnan Maolood	eb32c32063	fs: Fix panic on indexing URL of zero length	2021-04-21 11:36:43 -04:00
Adnan Maolood	e5cf345273	Update README.md	2021-03-24 13:30:46 -04:00
Adnan Maolood	c68ce57488	mux: Add copyright notice	2021-03-24 13:09:53 -04:00
Adnan Maolood	2b161650fe	Split LICENSE into two files	2021-03-24 13:08:32 -04:00
Adnan Maolood	dbbef1fb6d	Revert "Require Go 1.16" This reverts commit `0e87d64ffc`.	2021-03-23 22:05:12 -04:00
Adnan Maolood	90518a01a8	Revert "Replace uses of ioutil with io" This reverts commit `19f1d6693e`.	2021-03-23 22:02:32 -04:00
Adnan Maolood	056e55abbb	response: Remove unnecessary length check	2021-03-20 18:29:40 -04:00
Adnan Maolood	72d437c82e	response: Limit response header size	2021-03-20 14:01:45 -04:00
Adnan Maolood	3dca29eb41	response: Don't use bufReadCloser	2021-03-20 13:41:53 -04:00
Adnan Maolood	a40b5dcd0b	fs: Fix empty media type for directory index pages	2021-03-20 13:33:15 -04:00
Adnan Maolood	fffe86680e	client: Only get cert if TrustCertificate is set	2021-03-20 12:54:41 -04:00
Adnan Maolood	d5af32e121	client: Close connection on error	2021-03-20 12:49:27 -04:00
Adnan Maolood	5141eaafaa	Tweak request and response parsing	2021-03-20 12:27:20 -04:00
Adnan Maolood	e5c0afa013	response: Treat empty meta as invalid	2021-03-20 12:07:24 -04:00
Adnan Maolood	4c7c200f92	Remove unused field	2021-03-20 12:05:21 -04:00
Adnan Maolood	0a709da439	Remove charset=utf-8 from default media type	2021-03-20 12:04:42 -04:00
Adnan Maolood	1fdef9b608	Rename ServeMux to Mux	2021-03-15 15:44:35 -04:00
Adnan Maolood	2144e2c2f2	status: Reintroduce StatusSensitiveInput	2021-03-15 15:19:43 -04:00
Adnan Maolood	93a606b591	certificate.Store: Call os.MkdirAll on Load	2021-03-09 08:59:28 -05:00
Adnan Maolood	b00794f236	tofu: Use stricter file permissions	2021-03-09 08:58:36 -05:00
Noah Kleiner	3da7fe7cee	tofu: Create path if not exists This commit is a follow-up to `56774408` which does not take into account the case that the parent directory of the known_hosts file does not already exist.	2021-03-09 08:50:42 -05:00
Adnan Maolood	dea7600f29	Remove StatusSensitiveInput	2021-03-08 14:08:45 -05:00
Adnan Maolood	7d958a4798	examples/client: Fix certificate trust check	2021-03-08 14:07:18 -05:00
Adnan Maolood	a5493b708a	tofu: Fix known host unmarshaling	2021-03-06 15:49:11 -05:00
Adnan Maolood	6e5c2473e7	tofu: Use base64-encoded sha256 fingerprints	2021-03-06 15:24:15 -05:00
Adnan Maolood	c639233ea1	tofu: Fix format in error message	2021-03-06 15:13:06 -05:00
Adnan Maolood	5677440876	tofu: Automatically create file in KnownHosts.Load	2021-03-06 15:11:30 -05:00
Adnan Maolood	be3d09d7f4	certificate.Store: Don't call os.MkdirAll	2021-03-06 13:11:11 -05:00
Adnan Maolood	504da9afd8	certificate.Store: Don't check parent scopes in Lookup Limit the scopes of client certificates to hostnames only instead of hostnames and paths.	2021-03-06 12:59:33 -05:00
Adnan Maolood	d1cb8967b6	certificate.Store: Make 100 years the default duration	2021-03-05 23:29:56 -05:00
Adnan Maolood	107b3a1785	Move LoggingMiddleware out of examples/server.go	2021-03-05 11:35:01 -05:00
Adnan Maolood	e7a06a12bf	certificate.Store: Clean scope path in Load Clean the scope path so that trimming the path from the scope works for relative paths.	2021-03-05 10:51:55 -05:00
Adnan Maolood	649b20659b	Revert "certificate: Remove Subject from CreateOptions" This reverts commit `ce649ecc66`.	2021-03-04 20:04:46 -05:00
Adnan Maolood	c9e2af98f3	Revert "certificate.Store: Allow using '*' in DNSNames" This reverts commit `de0b93a4f6`.	2021-03-04 19:26:13 -05:00
Adnan Maolood	d6d02e398e	certificate.Store: Bump default duration to 250 years	2021-03-04 16:55:09 -05:00
Adnan Maolood	de0b93a4f6	certificate.Store: Allow using '*' in DNSNames This isn't exactly a valid DNSName, but it reduces the number of certificates that need to be created. Clients should either accept it or skip checking DNSNames.	2021-03-04 16:40:25 -05:00
Adnan Maolood	ce649ecc66	certificate: Remove Subject from CreateOptions	2021-03-04 16:27:16 -05:00
Adnan Maolood	688e7e2823	certificate: Fix deadlock in Store.Get	2021-03-04 16:20:57 -05:00
Adnan Maolood	b38311da00	certificate.Store: Fix hostname registration check	2021-03-04 16:12:36 -05:00
Adnan Maolood	8e2ac24830	tofu: Remove expiration timestamp from known hosts	2021-03-04 15:37:02 -05:00
Adnan Maolood	bfa3356d3a	client: Remove hostname verification check	2021-03-04 14:36:31 -05:00
Adnan Maolood	9f3564936e	client: Ignore certificate expiration time	2021-03-04 14:35:51 -05:00
Adnan Maolood	d8fb072826	Rename vendor.go to verify_hostname.go	2021-02-28 23:21:10 -05:00
Adnan Maolood	69f0913b3d	Make Response implement io.WriterTo	2021-02-28 22:21:54 -05:00
Adnan Maolood	f7012b38da	Request.WriteTo: return int64	2021-02-28 22:20:59 -05:00
Adnan Maolood	768ec6c17b	Make Request implement io.WriterTo	2021-02-28 22:16:38 -05:00
Adnan Maolood	ae7d58549d	Add message argument to TimeoutHandler	2021-02-28 22:07:24 -05:00
Adnan Maolood	ad5d78f08f	Mention that Request methods don't work for clients	2021-02-28 21:59:19 -05:00
Adnan Maolood	4b92c71839	Remove Request.RemoteAddr helper method	2021-02-28 21:52:41 -05:00
Adnan Maolood	19f1d6693e	Replace uses of ioutil with io	2021-02-28 21:38:36 -05:00
Adnan Maolood	0e87d64ffc	Require Go 1.16	2021-02-28 21:38:17 -05:00
Adnan Maolood	845f8e9bd1	Reintroduce Response.Write method	2021-02-28 20:50:18 -05:00
Adnan Maolood	cf9ab18c1f	certificate.Store: Check parent scopes in Lookup	2021-02-28 20:23:32 -05:00
Adnan Maolood	ada42ff427	certificate.Store: Support client certificates	2021-02-28 19:29:25 -05:00
Adnan Maolood	fcc71b76d9	examples/server: Clean up LoggingMiddleware	2021-02-27 14:53:37 -05:00
Adnan Maolood	6a1ccdc644	response: Add tests for maximum-length META	2021-02-27 14:08:31 -05:00
Adnan Maolood	f156be19b4	request: Add RemoteAddr helper function	2021-02-27 14:03:33 -05:00
Adnan Maolood	82bdffc1eb	request: Add ServerName helper method	2021-02-27 14:02:30 -05:00
Adnan Maolood	a396ec77e4	request: Cache calls to TLS	2021-02-27 13:59:45 -05:00
Adnan Maolood	21ad3a2ded	server: Disallow ServeConn usage after Shutdown	2021-02-24 19:25:52 -05:00
Adnan Maolood	2d7f28e152	Update examples/client.go	2021-02-24 19:21:31 -05:00
Adnan Maolood	1764e02d1e	Remove ResponseWriter.Close method	2021-02-24 19:00:09 -05:00
Adnan Maolood	1bc5c68c3f	response: Revert to using fields instead of methods	2021-02-24 18:50:40 -05:00
Adnan Maolood	867074d81b	examples/client: Fix display of response status	2021-02-24 16:16:42 -05:00