response: Limit response header size

This commit is a follow-up to 56774408 which does not take into account
the case that the parent directory of the known_hosts file does not already exist.

certificate/store.go

@@ -6,9 +6,7 @@ import (
 	"crypto/x509/pkix"
 	"errors"
 	"fmt"
-	"io/fs"
 	"os"
-	"path"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -23,8 +21,7 @@ import (
 // Servers will most likely use the methods Register, Load and Get.
 //
 // Store can also be used to store client certificates.
-// Clients should provide the hostname and path of a URL as a certificate scope
-// (without a trailing slash).
+// Clients should provide a hostname as a certificate scope.
 // Clients will most likely use the methods Add, Load, and Lookup.
 //
 // Store is safe for concurrent use by multiple goroutines.
@@ -86,10 +83,6 @@ func (s *Store) write(scope string, cert tls.Certificate) error {
 	if s.path != "" {
 		certPath := filepath.Join(s.path, scope+".crt")
 		keyPath := filepath.Join(s.path, scope+".key")
-
-		dir := filepath.Dir(certPath)
-		os.MkdirAll(dir, 0755)
-
 		if err := Write(cert, certPath, keyPath); err != nil {
 			return err
 		}
@@ -101,13 +94,12 @@ func (s *Store) write(scope string, cert tls.Certificate) error {
 // If no matching scope has been registered, Get returns an error.
 // Get generates new certificates as needed and rotates expired certificates.
 // It calls CreateCertificate to create a new certificate if it is not nil,
-// otherwise it creates certificates with a duration of 1 year.
+// otherwise it creates certificates with a duration of 100 years.
 //
 // Get is suitable for use in a gemini.Server's GetCertificate field.
 func (s *Store) Get(hostname string) (*tls.Certificate, error) {
 	s.mu.RLock()
-	defer s.mu.RUnlock()
-	_, ok := s.certs[hostname]
+	_, ok := s.scopes[hostname]
 	if !ok {
 		// Try wildcard
 		wildcard := strings.SplitN(hostname, ".", 2)
@@ -121,10 +113,11 @@ func (s *Store) Get(hostname string) (*tls.Certificate, error) {
 		_, ok = s.scopes["*"]
 	}
 	if !ok {
+		s.mu.RUnlock()
 		return nil, errors.New("unrecognized scope")
 	}
-
 	cert := s.certs[hostname]
+	s.mu.RUnlock()
 
 	// If the certificate is empty or expired, generate a new one.
 	if cert.Leaf == nil || cert.Leaf.NotAfter.Before(time.Now()) {
@@ -142,25 +135,10 @@ func (s *Store) Get(hostname string) (*tls.Certificate, error) {
 }
 
 // Lookup returns the certificate for the provided scope.
-// Lookup also checks for certificates in parent scopes.
-// For example, given the scope "example.com/a/b/c", Lookup will first check
-// "example.com/a/b/c", then "example.com/a/b", then "example.com/a", and
-// finally "example.com" for a certificate. As a result, a certificate with
-// scope "example.com" will match all scopes beginning with "example.com".
 func (s *Store) Lookup(scope string) (tls.Certificate, bool) {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 	cert, ok := s.certs[scope]
-	if !ok {
-		scope = path.Dir(scope)
-		for scope != "." {
-			cert, ok = s.certs[scope]
-			if ok {
-				break
-			}
-			scope = path.Dir(scope)
-		}
-	}
 	return cert, ok
 }
 
@@ -173,7 +151,7 @@ func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 		Subject: pkix.Name{
 			CommonName: scope,
 		},
-		Duration: 365 * 24 * time.Hour,
+		Duration: 100 * 365 * 24 * time.Hour,
 	})
 }
 
@@ -183,7 +161,15 @@ func (s *Store) createCertificate(scope string) (tls.Certificate, error) {
 // and private keys named "scope.crt" and "scope.key" respectively,
 // where "scope" is the scope of the certificate.
 func (s *Store) Load(path string) error {
-	matches := findCertificates(path)
+	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
+		return err
+	}
+
+	path = filepath.Clean(path)
+	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
+	if err != nil {
+		return err
+	}
 	for _, crtPath := range matches {
 		keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key"
 		cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
@@ -196,20 +182,12 @@ func (s *Store) Load(path string) error {
 		scope = strings.TrimSuffix(scope, ".crt")
 		s.Add(scope, cert)
 	}
-	s.SetPath(path)
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	s.path = path
 	return nil
 }
 
-func findCertificates(path string) (matches []string) {
-	filepath.Walk(path, func(path string, _ fs.FileInfo, err error) error {
-		if filepath.Ext(path) == ".crt" {
-			matches = append(matches, path)
-		}
-		return nil
-	})
-	return
-}
-
 // Entries returns a map of scopes to certificates.
 func (s *Store) Entries() map[string]tls.Certificate {
 	s.mu.RLock()
@@ -225,5 +203,5 @@ func (s *Store) Entries() map[string]tls.Certificate {
 func (s *Store) SetPath(path string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	s.path = path
+	s.path = filepath.Clean(path)
 }

client.go

@@ -6,7 +6,6 @@ import (
 	"crypto/x509"
 	"net"
 	"net/url"
-	"time"
 	"unicode/utf8"
 
 	"golang.org/x/net/idna"
@@ -132,6 +131,9 @@ func (c *Client) Do(ctx context.Context, req *Request) (*Response, error) {
 		conn.Close()
 		return nil, ctx.Err()
 	case r := <-res:
+		if r.err != nil {
+			conn.Close()
+		}
 		return r.resp, r.err
 	}
 }
@@ -175,17 +177,9 @@ func (c *Client) dialContext(ctx context.Context, network, addr string) (net.Con
 }
 
 func (c *Client) verifyConnection(cs tls.ConnectionState, hostname string) error {
-	cert := cs.PeerCertificates[0]
-	// Verify hostname
-	if err := verifyHostname(cert, hostname); err != nil {
-		return err
-	}
-	// Check expiration date
-	if !time.Now().Before(cert.NotAfter) {
-		return ErrCertificateExpired
-	}
 	// See if the client trusts the certificate
 	if c.TrustCertificate != nil {
+		cert := cs.PeerCertificates[0]
 		return c.TrustCertificate(hostname, cert)
 	}
 	return nil

doc.go

@@ -29,10 +29,10 @@ Servers should be configured with certificates:
 	}
 	server.GetCertificate = certificates.Get
 
-ServeMux is a Gemini request multiplexer.
-ServeMux can handle requests for multiple hosts and schemes.
+Mux is a Gemini request multiplexer.
+Mux can handle requests for multiple hosts and schemes.
 
-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.HandleFunc("example.com", func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
 		fmt.Fprint(w, "Welcome to example.com")
 	})

examples/auth.go

@@ -30,7 +30,7 @@ func main() {
 		log.Fatal(err)
 	}
 
-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.HandleFunc("/", profile)
 	mux.HandleFunc("/username", changeUsername)
 

examples/client.go

@@ -6,7 +6,6 @@ package main
 
 import (
 	"bufio"
-	"bytes"
 	"context"
 	"crypto/x509"
 	"errors"
@@ -16,7 +15,6 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
-	"time"
 
 	"git.sr.ht/~adnano/go-gemini"
 	"git.sr.ht/~adnano/go-gemini/tofu"
@@ -61,16 +59,15 @@ Otherwise, this should be safe to trust.
 => `
 
 func trustCertificate(hostname string, cert *x509.Certificate) error {
-	host := tofu.NewHost(hostname, cert.Raw, cert.NotAfter)
-
+	host := tofu.NewHost(hostname, cert.Raw)
 	knownHost, ok := hosts.Lookup(hostname)
-	if ok && time.Now().Before(knownHost.Expires) {
+	if ok {
 		// Check fingerprint
-		if bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
-			return nil
-		}
+		if knownHost.Fingerprint != host.Fingerprint {
 			return errors.New("error: fingerprint does not match!")
 		}
+		return nil
+	}
 
 	fmt.Printf(trustPrompt, hostname, host.Fingerprint)
 	scanner.Scan()
@@ -87,7 +84,7 @@ func trustCertificate(hostname string, cert *x509.Certificate) error {
 	}
 }
 
-func getInput(prompt string, sensitive bool) (input string, ok bool) {
+func getInput(prompt string) (input string, ok bool) {
 	fmt.Printf("%s ", prompt)
 	scanner.Scan()
 	return scanner.Text(), true
@@ -105,7 +102,7 @@ func do(req *gemini.Request, via []*gemini.Request) (*gemini.Response, error) {
 
 	switch resp.Status.Class() {
 	case gemini.StatusInput:
-		input, ok := getInput(resp.Meta, resp.Status == gemini.StatusSensitiveInput)
+		input, ok := getInput(resp.Meta)
 		if !ok {
 			break
 		}

examples/server.go

@@ -22,11 +22,11 @@ func main() {
 		log.Fatal(err)
 	}
 
-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.Handle("/", gemini.FileServer(os.DirFS("/var/www")))
 
 	server := &gemini.Server{
-		Handler:        LoggingMiddleware(mux),
+		Handler:        gemini.LoggingMiddleware(mux),
 		ReadTimeout:    30 * time.Second,
 		WriteTimeout:   1 * time.Minute,
 		GetCertificate: certificates.Get,
@@ -56,47 +56,3 @@ func main() {
 		}
 	}
 }
-
-func LoggingMiddleware(h gemini.Handler) gemini.Handler {
-	return gemini.HandlerFunc(func(ctx context.Context, w gemini.ResponseWriter, r *gemini.Request) {
-		lw := &logResponseWriter{rw: w}
-		h.ServeGemini(ctx, lw, r)
-		host := r.TLS().ServerName
-		log.Printf("gemini: %s %q %d %d", host, r.URL, lw.Status, lw.Wrote)
-	})
-}
-
-type logResponseWriter struct {
-	Status      gemini.Status
-	Wrote       int
-	rw          gemini.ResponseWriter
-	mediatype   string
-	wroteHeader bool
-}
-
-func (w *logResponseWriter) SetMediaType(mediatype string) {
-	w.mediatype = mediatype
-}
-
-func (w *logResponseWriter) Write(b []byte) (int, error) {
-	if !w.wroteHeader {
-		w.WriteHeader(gemini.StatusSuccess, w.mediatype)
-	}
-	n, err := w.rw.Write(b)
-	w.Wrote += n
-	return n, err
-}
-
-func (w *logResponseWriter) WriteHeader(status gemini.Status, meta string) {
-	if w.wroteHeader {
-		return
-	}
-	w.wroteHeader = true
-	w.Status = status
-	w.Wrote += len(meta) + 5
-	w.rw.WriteHeader(status, meta)
-}
-
-func (w *logResponseWriter) Flush() error {
-	return nil
-}

examples/stream.go

@@ -21,7 +21,7 @@ func main() {
 		log.Fatal(err)
 	}
 
-	mux := &gemini.ServeMux{}
+	mux := &gemini.Mux{}
 	mux.HandleFunc("/", stream)
 
 	server := &gemini.Server{

fs.go

@@ -151,7 +151,8 @@ func serveFile(w ResponseWriter, r *Request, fsys fs.FS, name string, redirect b
 		}
 
 		// Use contents of index.gmi if present
-		index, err := fsys.Open(path.Join(name, indexPage))
+		name = path.Join(name, indexPage)
+		index, err := fsys.Open(name)
 		if err == nil {
 			defer index.Close()
 			istat, err := index.Stat()

gemini.go

@@ -11,16 +11,24 @@ func init() {
 	mime.AddExtensionType(".gemini", "text/gemini")
 }
 
-var crlf = []byte("\r\n")
-
 // Errors.
 var (
 	ErrInvalidRequest  = errors.New("gemini: invalid request")
 	ErrInvalidResponse = errors.New("gemini: invalid response")
 
-	ErrCertificateExpired = errors.New("gemini: certificate expired")
-
 	// ErrBodyNotAllowed is returned by ResponseWriter.Write calls
 	// when the response status code does not permit a body.
 	ErrBodyNotAllowed = errors.New("gemini: response status code does not allow body")
 )
+
+var crlf = []byte("\r\n")
+
+func trimCRLF(b []byte) ([]byte, bool) {
+	// Check for CR
+	if len(b) < 2 || b[len(b)-2] != '\r' {
+		return nil, false
+	}
+	// Trim CRLF
+	b = b[:len(b)-2]
+	return b, true
+}

io.go

@@ -1,7 +1,6 @@
 package gemini
 
 import (
-	"bufio"
 	"context"
 	"io"
 )
@@ -75,30 +74,3 @@ func (nopReadCloser) Read(p []byte) (int, error) {
 func (nopReadCloser) Close() error {
 	return nil
 }
-
-type bufReadCloser struct {
-	br *bufio.Reader // used until empty
-	io.ReadCloser
-}
-
-func newBufReadCloser(br *bufio.Reader, rc io.ReadCloser) io.ReadCloser {
-	body := &bufReadCloser{ReadCloser: rc}
-	if br.Buffered() != 0 {
-		body.br = br
-	}
-	return body
-}
-
-func (b *bufReadCloser) Read(p []byte) (n int, err error) {
-	if b.br != nil {
-		if n := b.br.Buffered(); len(p) > n {
-			p = p[:n]
-		}
-		n, err = b.br.Read(p)
-		if b.br.Buffered() == 0 {
-			b.br = nil
-		}
-		return n, err
-	}
-	return b.ReadCloser.Read(p)
-}

middleware.go

@@ -0,0 +1,53 @@
+package gemini
+
+import (
+	"context"
+	"log"
+)
+
+// LoggingMiddleware returns a handler that wraps h and logs Gemini requests
+// and their responses to the log package's standard logger.
+// Requests are logged with the format "gemini: {host} {URL} {status code} {bytes written}".
+func LoggingMiddleware(h Handler) Handler {
+	return HandlerFunc(func(ctx context.Context, w ResponseWriter, r *Request) {
+		lw := &logResponseWriter{rw: w}
+		h.ServeGemini(ctx, lw, r)
+		host := r.ServerName()
+		log.Printf("gemini: %s %q %d %d", host, r.URL, lw.Status, lw.Wrote)
+	})
+}
+
+type logResponseWriter struct {
+	Status      Status
+	Wrote       int
+	rw          ResponseWriter
+	mediatype   string
+	wroteHeader bool
+}
+
+func (w *logResponseWriter) SetMediaType(mediatype string) {
+	w.mediatype = mediatype
+}
+
+func (w *logResponseWriter) Write(b []byte) (int, error) {
+	if !w.wroteHeader {
+		w.WriteHeader(StatusSuccess, w.mediatype)
+	}
+	n, err := w.rw.Write(b)
+	w.Wrote += n
+	return n, err
+}
+
+func (w *logResponseWriter) WriteHeader(status Status, meta string) {
+	if w.wroteHeader {
+		return
+	}
+	w.wroteHeader = true
+	w.Status = status
+	w.Wrote += len(meta) + 5
+	w.rw.WriteHeader(status, meta)
+}
+
+func (w *logResponseWriter) Flush() error {
+	return nil
+}

mux.go

@@ -10,7 +10,7 @@ import (
 	"sync"
 )
 
-// ServeMux is a Gemini request multiplexer.
+// Mux is a Gemini request multiplexer.
 // It matches the URL of each incoming request against a list of registered
 // patterns and calls the handler for the pattern that
 // most closely matches the URL.
@@ -55,17 +55,17 @@ import (
 // scheme of "gemini".
 //
 // If a subtree has been registered and a request is received naming the
-// subtree root without its trailing slash, ServeMux redirects that
+// subtree root without its trailing slash, Mux redirects that
 // request to the subtree root (adding the trailing slash). This behavior can
 // be overridden with a separate registration for the path without
-// the trailing slash. For example, registering "/images/" causes ServeMux
+// the trailing slash. For example, registering "/images/" causes Mux
 // to redirect a request for "/images" to "/images/", unless "/images" has
 // been registered separately.
 //
-// ServeMux also takes care of sanitizing the URL request path and
+// Mux also takes care of sanitizing the URL request path and
 // redirecting any request containing . or .. elements or repeated slashes
 // to an equivalent, cleaner URL.
-type ServeMux struct {
+type Mux struct {
 	mu sync.RWMutex
 	m  map[muxKey]Handler
 	es []muxEntry // slice of entries sorted from longest to shortest
@@ -106,7 +106,7 @@ func cleanPath(p string) string {
 
 // Find a handler on a handler map given a path string.
 // Most-specific (longest) pattern wins.
-func (mux *ServeMux) match(key muxKey) Handler {
+func (mux *Mux) match(key muxKey) Handler {
 	// Check for exact match first.
 	if r, ok := mux.m[key]; ok {
 		return r
@@ -134,7 +134,7 @@ func (mux *ServeMux) match(key muxKey) Handler {
 // This occurs when a handler for path + "/" was already registered, but
 // not for path itself. If the path needs appending to, it creates a new
 // URL, setting the path to u.Path + "/" and returning true to indicate so.
-func (mux *ServeMux) redirectToPathSlash(key muxKey, u *url.URL) (*url.URL, bool) {
+func (mux *Mux) redirectToPathSlash(key muxKey, u *url.URL) (*url.URL, bool) {
 	mux.mu.RLock()
 	shouldRedirect := mux.shouldRedirectRLocked(key)
 	mux.mu.RUnlock()
@@ -146,8 +146,8 @@ func (mux *ServeMux) redirectToPathSlash(key muxKey, u *url.URL) (*url.URL, bool
 
 // shouldRedirectRLocked reports whether the given path and host should be redirected to
 // path+"/". This should happen if a handler is registered for path+"/" but
-// not path -- see comments at ServeMux.
-func (mux *ServeMux) shouldRedirectRLocked(key muxKey) bool {
+// not path -- see comments at Mux.
+func (mux *Mux) shouldRedirectRLocked(key muxKey) bool {
 	if _, exist := mux.m[key]; exist {
 		return false
 	}
@@ -177,7 +177,7 @@ func getWildcard(hostname string) (string, bool) {
 // the path is not in its canonical form, the handler will be an
 // internally-generated handler that redirects to the canonical path. If the
 // host contains a port, it is ignored when matching handlers.
-func (mux *ServeMux) Handler(r *Request) Handler {
+func (mux *Mux) Handler(r *Request) Handler {
 	scheme := r.URL.Scheme
 	host := r.URL.Hostname()
 	path := cleanPath(r.URL.Path)
@@ -212,14 +212,14 @@ func (mux *ServeMux) Handler(r *Request) Handler {
 
 // ServeGemini dispatches the request to the handler whose
 // pattern most closely matches the request URL.
-func (mux *ServeMux) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
+func (mux *Mux) ServeGemini(ctx context.Context, w ResponseWriter, r *Request) {
 	h := mux.Handler(r)
 	h.ServeGemini(ctx, w, r)
 }
 
 // Handle registers the handler for the given pattern.
 // If a handler already exists for pattern, Handle panics.
-func (mux *ServeMux) Handle(pattern string, handler Handler) {
+func (mux *Mux) Handle(pattern string, handler Handler) {
 	if pattern == "" {
 		panic("gemini: invalid pattern")
 	}
@@ -294,6 +294,6 @@ func appendSorted(es []muxEntry, e muxEntry) []muxEntry {
 }
 
 // HandleFunc registers the handler function for the given pattern.
-func (mux *ServeMux) HandleFunc(pattern string, handler HandlerFunc) {
+func (mux *Mux) HandleFunc(pattern string, handler HandlerFunc) {
 	mux.Handle(pattern, handler)
 }

mux_test.go

@@ -10,7 +10,7 @@ type nopHandler struct{}
 
 func (*nopHandler) ServeGemini(context.Context, ResponseWriter, *Request) {}
 
-func TestServeMuxMatch(t *testing.T) {
+func TestMuxMatch(t *testing.T) {
 	type Match struct {
 		URL string
 		Ok  bool
@@ -292,7 +292,7 @@ func TestServeMuxMatch(t *testing.T) {
 
 	for i, test := range tests {
 		h := &nopHandler{}
-		var mux ServeMux
+		var mux Mux
 		mux.Handle(test.Pattern, h)
 
 		for _, match := range tests[i].Matches {

request.go

@@ -51,26 +51,25 @@ func NewRequest(rawurl string) (*Request, error) {
 // for specialized applications; most code should use the Server
 // to read requests and handle them via the Handler interface.
 func ReadRequest(r io.Reader) (*Request, error) {
-	// Read URL
+	// Limit request size
 	r = io.LimitReader(r, 1026)
 	br := bufio.NewReaderSize(r, 1026)
-	rawurl, err := br.ReadString('\r')
+	b, err := br.ReadBytes('\n')
 	if err != nil {
-		return nil, err
-	}
-	// Read terminating line feed
-	if b, err := br.ReadByte(); err != nil {
-		return nil, err
-	} else if b != '\n' {
+		if err == io.EOF {
 			return nil, ErrInvalidRequest
 		}
-	// Trim carriage return
-	rawurl = rawurl[:len(rawurl)-1]
-	// Validate URL
-	if len(rawurl) > 1024 {
+		return nil, err
+	}
+	// Read URL
+	rawurl, ok := trimCRLF(b)
+	if !ok {
 		return nil, ErrInvalidRequest
 	}
-	u, err := url.Parse(rawurl)
+	if len(rawurl) == 0 {
+		return nil, ErrInvalidRequest
+	}
+	u, err := url.Parse(string(rawurl))
 	if err != nil {
 		return nil, err
 	}

request_test.go

@@ -2,7 +2,6 @@ package gemini
 
 import (
 	"bufio"
-	"io"
 	"net/url"
 	"strings"
 	"testing"
@@ -36,25 +35,25 @@ func TestReadRequest(t *testing.T) {
 		},
 		{
 			Raw: "\r\n",
-			URL: &url.URL{},
+			Err: ErrInvalidRequest,
 		},
 		{
 			Raw: "gemini://example.com\n",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			Raw: "gemini://example.com",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			// 1030 bytes
 			Raw: maxURL + "xxxxxx",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			// 1027 bytes
 			Raw: maxURL + "x" + "\r\n",
-			Err: io.EOF,
+			Err: ErrInvalidRequest,
 		},
 		{
 			// 1024 bytes

response.go

@@ -10,7 +10,7 @@ import (
 )
 
 // The default media type for responses.
-const defaultMediaType = "text/gemini; charset=utf-8"
+const defaultMediaType = "text/gemini"
 
 // Response represents the response from a Gemini request.
 //
@@ -44,52 +44,56 @@ type Response struct {
 // ReadResponse reads a Gemini response from the provided io.ReadCloser.
 func ReadResponse(r io.ReadCloser) (*Response, error) {
 	resp := &Response{}
-	br := bufio.NewReader(r)
 
-	// Read the status
-	statusB := make([]byte, 2)
-	if _, err := br.Read(statusB); err != nil {
+	// Limit response header size
+	lr := io.LimitReader(r, 1029)
+	// Wrap the reader to remove the limit later on
+	wr := &struct{ io.Reader }{lr}
+	br := bufio.NewReader(wr)
+
+	// Read response header
+	b, err := br.ReadBytes('\n')
+	if err != nil {
+		if err == io.EOF {
+			return nil, ErrInvalidResponse
+		}
 		return nil, err
 	}
-	status, err := strconv.Atoi(string(statusB))
+	if len(b) < 3 {
+		return nil, ErrInvalidResponse
+	}
+
+	// Read the status
+	status, err := strconv.Atoi(string(b[:2]))
 	if err != nil {
 		return nil, ErrInvalidResponse
 	}
 	resp.Status = Status(status)
 
 	// Read one space
-	if b, err := br.ReadByte(); err != nil {
-		return nil, err
-	} else if b != ' ' {
+	if b[2] != ' ' {
 		return nil, ErrInvalidResponse
 	}
 
 	// Read the meta
-	meta, err := br.ReadString('\r')
-	if err != nil {
-		return nil, err
-	}
-	// Trim carriage return
-	meta = meta[:len(meta)-1]
-	// Ensure meta is less than or equal to 1024 bytes
-	if len(meta) > 1024 {
+	meta, ok := trimCRLF(b[3:])
+	if !ok {
 		return nil, ErrInvalidResponse
 	}
-	if resp.Status.Class() == StatusSuccess && meta == "" {
-		// Use default media type
-		meta = defaultMediaType
-	}
-	resp.Meta = meta
-
-	// Read terminating newline
-	if b, err := br.ReadByte(); err != nil {
-		return nil, err
-	} else if b != '\n' {
+	if len(meta) == 0 || len(meta) > 1024 {
 		return nil, ErrInvalidResponse
 	}
+	resp.Meta = string(meta)
 
 	if resp.Status.Class() == StatusSuccess {
-		resp.Body = newBufReadCloser(br, r)
+		// Use unlimited reader
+		wr.Reader = r
+
+		type readCloser struct {
+			io.Reader
+			io.Closer
+		}
+		resp.Body = readCloser{br, r}
 	} else {
 		resp.Body = nopReadCloser{}
 		r.Close()
@@ -142,8 +146,8 @@ func (r *Response) WriteTo(w io.Writer) (int64, error) {
 // has returned.
 type ResponseWriter interface {
 	// SetMediaType sets the media type that will be sent by Write for a
-	// successful response. If no media type is set, a default of
-	// "text/gemini; charset=utf-8" will be used.
+	// successful response. If no media type is set, a default media type of
+	// "text/gemini" will be used.
 	//
 	// Setting the media type after a call to Write or WriteHeader has
 	// no effect.
@@ -154,7 +158,7 @@ type ResponseWriter interface {
 	// If WriteHeader has not yet been called, Write calls WriteHeader with
 	// StatusSuccess and the media type set in SetMediaType before writing the data.
 	// If no media type was set, Write uses a default media type of
-	// "text/gemini; charset=utf-8".
+	// "text/gemini".
 	Write([]byte) (int, error)
 
 	// WriteHeader sends a Gemini response header with the provided
@@ -175,7 +179,6 @@ type ResponseWriter interface {
 
 type responseWriter struct {
 	bw          *bufio.Writer
-	cl          io.Closer
 	mediatype   string
 	wroteHeader bool
 	bodyAllowed bool

response_test.go

@@ -65,15 +65,15 @@ func TestReadWriteResponse(t *testing.T) {
 		},
 		{
 			Raw: "",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "10 Search query",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "20 text/gemini\nHello, world!",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "20 text/gemini\rHello, world!",
@@ -81,7 +81,7 @@ func TestReadWriteResponse(t *testing.T) {
 		},
 		{
 			Raw: "20 text/gemini\r",
-			Err: io.EOF,
+			Err: ErrInvalidResponse,
 		},
 		{
 			Raw: "abcdefghijklmnopqrstuvwxyz",

tofu/tofu.go

@@ -4,17 +4,16 @@ package tofu
 import (
 	"bufio"
 	"bytes"
-	"crypto/sha512"
+	"crypto/sha256"
 	"crypto/x509"
-	"errors"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"os"
+	"path/filepath"
 	"sort"
-	"strconv"
 	"strings"
 	"sync"
-	"time"
 )
 
 // KnownHosts represents a list of known hosts.
@@ -84,7 +83,11 @@ func (k *KnownHosts) WriteTo(w io.Writer) (int64, error) {
 
 // Load loads the known hosts entries from the provided path.
 func (k *KnownHosts) Load(path string) error {
-	f, err := os.Open(path)
+	if err := os.MkdirAll(filepath.Dir(path), 0700); err != nil {
+		return err
+	}
+
+	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDONLY, 0644)
 	if err != nil {
 		return err
 	}
@@ -133,6 +136,9 @@ func (k *KnownHosts) Parse(r io.Reader) error {
 		if err != nil {
 			continue
 		}
+		if h.Algorithm != "sha256" {
+			continue
+		}
 
 		k.hosts[h.Hostname] = h
 	}
@@ -143,22 +149,17 @@ func (k *KnownHosts) Parse(r io.Reader) error {
 // TOFU implements basic trust on first use.
 //
 // If the host is not on file, it is added to the list.
-// If the host on file is expired, a new entry is added to the list.
 // If the fingerprint does not match the one on file, an error is returned.
 func (k *KnownHosts) TOFU(hostname string, cert *x509.Certificate) error {
-	host := NewHost(hostname, cert.Raw, cert.NotAfter)
-
+	host := NewHost(hostname, cert.Raw)
 	knownHost, ok := k.Lookup(hostname)
-	if !ok || time.Now().After(knownHost.Expires) {
+	if !ok {
 		k.Add(host)
 		return nil
 	}
-
-	// Check fingerprint
-	if !bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
+	if host.Fingerprint != knownHost.Fingerprint {
 		return fmt.Errorf("fingerprint for %q does not match", hostname)
 	}
-
 	return nil
 }
 
@@ -266,21 +267,16 @@ func (p *PersistentHosts) Entries() []Host {
 // TOFU implements trust on first use with a persistent set of known hosts.
 //
 // If the host is not on file, it is added to the list.
-// If the host on file is expired, a new entry is added to the list.
 // If the fingerprint does not match the one on file, an error is returned.
 func (p *PersistentHosts) TOFU(hostname string, cert *x509.Certificate) error {
-	host := NewHost(hostname, cert.Raw, cert.NotAfter)
-
+	host := NewHost(hostname, cert.Raw)
 	knownHost, ok := p.Lookup(hostname)
-	if !ok || time.Now().After(knownHost.Expires) {
+	if !ok {
 		return p.Add(host)
 	}
-
-	// Check fingerprint
-	if !bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
+	if host.Fingerprint != knownHost.Fingerprint {
 		return fmt.Errorf("fingerprint for %q does not match", hostname)
 	}
-
 	return nil
 }
 
@@ -292,21 +288,19 @@ func (p *PersistentHosts) Close() error {
 // Host represents a host entry with a fingerprint using a certain algorithm.
 type Host struct {
 	Hostname    string // hostname
-	Algorithm   string      // fingerprint algorithm e.g. SHA-512
-	Fingerprint Fingerprint // fingerprint
-	Expires     time.Time   // unix time of the fingerprint expiration date
+	Algorithm   string // fingerprint algorithm e.g. sha256
+	Fingerprint string // fingerprint
 }
 
-// NewHost returns a new host with a SHA-512 fingerprint of
+// NewHost returns a new host with a SHA256 fingerprint of
 // the provided raw data.
-func NewHost(hostname string, raw []byte, expires time.Time) Host {
-	sum := sha512.Sum512(raw)
+func NewHost(hostname string, raw []byte) Host {
+	sum := sha256.Sum256(raw)
 
 	return Host{
 		Hostname:    hostname,
-		Algorithm:   "SHA-512",
-		Fingerprint: sum[:],
-		Expires:     expires,
+		Algorithm:   "sha256",
+		Fingerprint: base64.StdEncoding.EncodeToString(sum[:]),
 	}
 }
 
@@ -324,95 +318,19 @@ func (h Host) String() string {
 	b.WriteByte(' ')
 	b.WriteString(h.Algorithm)
 	b.WriteByte(' ')
-	b.WriteString(h.Fingerprint.String())
-	b.WriteByte(' ')
-	b.WriteString(strconv.FormatInt(h.Expires.Unix(), 10))
+	b.WriteString(h.Fingerprint)
 	return b.String()
 }
 
 // UnmarshalText unmarshals the host from the provided text.
 func (h *Host) UnmarshalText(text []byte) error {
-	const format = "hostname algorithm hex-fingerprint expiry-unix-ts"
-
 	parts := bytes.Split(text, []byte(" "))
-	if len(parts) != 4 {
-		return fmt.Errorf("expected the format %q", format)
-	}
-
-	if len(parts[0]) == 0 {
-		return errors.New("empty hostname")
+	if len(parts) != 3 {
+		return fmt.Errorf("expected the format 'hostname algorithm fingerprint'")
 	}
 
 	h.Hostname = string(parts[0])
-
-	algorithm := string(parts[1])
-	if algorithm != "SHA-512" {
-		return fmt.Errorf("unsupported algorithm %q", algorithm)
-	}
-
-	h.Algorithm = algorithm
-
-	fingerprint := make([]byte, 0, sha512.Size)
-	scanner := bufio.NewScanner(bytes.NewReader(parts[2]))
-	scanner.Split(scanFingerprint)
-
-	for scanner.Scan() {
-		b, err := strconv.ParseUint(scanner.Text(), 16, 8)
-		if err != nil {
-			return fmt.Errorf("failed to parse fingerprint hash: %w", err)
-		}
-		fingerprint = append(fingerprint, byte(b))
-	}
-
-	if len(fingerprint) != sha512.Size {
-		return fmt.Errorf("invalid fingerprint size %d, expected %d",
-			len(fingerprint), sha512.Size)
-	}
-
-	h.Fingerprint = fingerprint
-
-	unix, err := strconv.ParseInt(string(parts[3]), 10, 0)
-	if err != nil {
-		return fmt.Errorf("invalid unix timestamp: %w", err)
-	}
-
-	h.Expires = time.Unix(unix, 0)
-
+	h.Algorithm = string(parts[1])
+	h.Fingerprint = string(parts[2])
 	return nil
 }
-
-func scanFingerprint(data []byte, atEOF bool) (advance int, token []byte, err error) {
-	if atEOF && len(data) == 0 {
-		return 0, nil, nil
-	}
-	if i := bytes.IndexByte(data, ':'); i >= 0 {
-		// We have a full newline-terminated line.
-		return i + 1, data[0:i], nil
-	}
-
-	// If we're at EOF, we have a final, non-terminated hex byte
-	if atEOF {
-		return len(data), data, nil
-	}
-
-	// Request more data.
-	return 0, nil, nil
-}
-
-// Fingerprint represents a fingerprint.
-type Fingerprint []byte
-
-// String returns a string representation of the fingerprint.
-func (f Fingerprint) String() string {
-	var sb strings.Builder
-
-	for i, b := range f {
-		if i > 0 {
-			sb.WriteByte(':')
-		}
-
-		fmt.Fprintf(&sb, "%02X", b)
-	}
-
-	return sb.String()
-}

vendor.go

@@ -1,212 +0,0 @@
-// Hostname verification code from the crypto/x509 package.
-// Modified to allow Common Names in the short term, until new certificates
-// can be issued with SANs.
-
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package gemini
-
-import (
-	"crypto/x509"
-	"net"
-	"strings"
-	"unicode/utf8"
-)
-
-var oidExtensionSubjectAltName = []int{2, 5, 29, 17}
-
-func hasSANExtension(c *x509.Certificate) bool {
-	for _, e := range c.Extensions {
-		if e.Id.Equal(oidExtensionSubjectAltName) {
-			return true
-		}
-	}
-	return false
-}
-
-func validHostnamePattern(host string) bool { return validHostname(host, true) }
-func validHostnameInput(host string) bool   { return validHostname(host, false) }
-
-// validHostname reports whether host is a valid hostname that can be matched or
-// matched against according to RFC 6125 2.2, with some leniency to accommodate
-// legacy values.
-func validHostname(host string, isPattern bool) bool {
-	if !isPattern {
-		host = strings.TrimSuffix(host, ".")
-	}
-	if len(host) == 0 {
-		return false
-	}
-
-	for i, part := range strings.Split(host, ".") {
-		if part == "" {
-			// Empty label.
-			return false
-		}
-		if isPattern && i == 0 && part == "*" {
-			// Only allow full left-most wildcards, as those are the only ones
-			// we match, and matching literal '*' characters is probably never
-			// the expected behavior.
-			continue
-		}
-		for j, c := range part {
-			if 'a' <= c && c <= 'z' {
-				continue
-			}
-			if '0' <= c && c <= '9' {
-				continue
-			}
-			if 'A' <= c && c <= 'Z' {
-				continue
-			}
-			if c == '-' && j != 0 {
-				continue
-			}
-			if c == '_' {
-				// Not a valid character in hostnames, but commonly
-				// found in deployments outside the WebPKI.
-				continue
-			}
-			return false
-		}
-	}
-
-	return true
-}
-
-// commonNameAsHostname reports whether the Common Name field should be
-// considered the hostname that the certificate is valid for. This is a legacy
-// behavior, disabled by default or if the Subject Alt Name extension is present.
-//
-// It applies the strict validHostname check to the Common Name field, so that
-// certificates without SANs can still be validated against CAs with name
-// constraints if there is no risk the CN would be matched as a hostname.
-// See NameConstraintsWithoutSANs and issue 24151.
-func commonNameAsHostname(c *x509.Certificate) bool {
-	return !hasSANExtension(c) && validHostnamePattern(c.Subject.CommonName)
-}
-
-func matchExactly(hostA, hostB string) bool {
-	if hostA == "" || hostA == "." || hostB == "" || hostB == "." {
-		return false
-	}
-	return toLowerCaseASCII(hostA) == toLowerCaseASCII(hostB)
-}
-
-func matchHostnames(pattern, host string) bool {
-	pattern = toLowerCaseASCII(pattern)
-	host = toLowerCaseASCII(strings.TrimSuffix(host, "."))
-
-	if len(pattern) == 0 || len(host) == 0 {
-		return false
-	}
-
-	patternParts := strings.Split(pattern, ".")
-	hostParts := strings.Split(host, ".")
-
-	if len(patternParts) != len(hostParts) {
-		return false
-	}
-
-	for i, patternPart := range patternParts {
-		if i == 0 && patternPart == "*" {
-			continue
-		}
-		if patternPart != hostParts[i] {
-			return false
-		}
-	}
-
-	return true
-}
-
-// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use
-// an explicitly ASCII function to avoid any sharp corners resulting from
-// performing Unicode operations on DNS labels.
-func toLowerCaseASCII(in string) string {
-	// If the string is already lower-case then there's nothing to do.
-	isAlreadyLowerCase := true
-	for _, c := range in {
-		if c == utf8.RuneError {
-			// If we get a UTF-8 error then there might be
-			// upper-case ASCII bytes in the invalid sequence.
-			isAlreadyLowerCase = false
-			break
-		}
-		if 'A' <= c && c <= 'Z' {
-			isAlreadyLowerCase = false
-			break
-		}
-	}
-
-	if isAlreadyLowerCase {
-		return in
-	}
-
-	out := []byte(in)
-	for i, c := range out {
-		if 'A' <= c && c <= 'Z' {
-			out[i] += 'a' - 'A'
-		}
-	}
-	return string(out)
-}
-
-// verifyHostname returns nil if c is a valid certificate for the named host.
-// Otherwise it returns an error describing the mismatch.
-//
-// IP addresses can be optionally enclosed in square brackets and are checked
-// against the IPAddresses field. Other names are checked case insensitively
-// against the DNSNames field. If the names are valid hostnames, the certificate
-// fields can have a wildcard as the left-most label.
-//
-// The legacy Common Name field is ignored unless it's a valid hostname, the
-// certificate doesn't have any Subject Alternative Names, and the GODEBUG
-// environment variable is set to "x509ignoreCN=0". Support for Common Name is
-// deprecated will be entirely removed in the future.
-func verifyHostname(c *x509.Certificate, h string) error {
-	// IP addresses may be written in [ ].
-	candidateIP := h
-	if len(h) >= 3 && h[0] == '[' && h[len(h)-1] == ']' {
-		candidateIP = h[1 : len(h)-1]
-	}
-	if ip := net.ParseIP(candidateIP); ip != nil {
-		// We only match IP addresses against IP SANs.
-		// See RFC 6125, Appendix B.2.
-		for _, candidate := range c.IPAddresses {
-			if ip.Equal(candidate) {
-				return nil
-			}
-		}
-		return x509.HostnameError{c, candidateIP}
-	}
-
-	names := c.DNSNames
-	if commonNameAsHostname(c) {
-		names = []string{c.Subject.CommonName}
-	}
-
-	candidateName := toLowerCaseASCII(h) // Save allocations inside the loop.
-	validCandidateName := validHostnameInput(candidateName)
-
-	for _, match := range names {
-		// Ideally, we'd only match valid hostnames according to RFC 6125 like
-		// browsers (more or less) do, but in practice Go is used in a wider
-		// array of contexts and can't even assume DNS resolution. Instead,
-		// always allow perfect matches, and only apply wildcard and trailing
-		// dot processing to valid hostnames.
-		if validCandidateName && validHostnamePattern(match) {
-			if matchHostnames(match, candidateName) {
-				return nil
-			}
-		} else {
-			if matchExactly(match, candidateName) {
-				return nil
-			}
-		}
-	}
-
-	return x509.HostnameError{c, h}
-}