client: Don't try to verify unicode hostname

Update examples/auth.go
request: Allow User in URLs
2021-02-16 11:27:53 -05:00 · 2021-02-16 11:26:09 -05:00 · 2021-02-16 00:55:56 -05:00 · 2021-02-16 00:07:01 -05:00 · 2021-02-16 00:05:10 -05:00 · 2021-02-15 20:19:44 -05:00
28 changed files with 2088 additions and 1209 deletions
--- a/.build.yml
+++ b/.build.yml
@@ -0,0 +1,9 @@
+image: alpine/edge
+packages:
+- go
+sources:
+- https://git.sr.ht/~adnano/go-gemini
+tasks:
+- test: |
+    cd go-gemini
+    go test ./...
--- a/README.md
+++ b/README.md
@@ -1,10 +1,12 @@
 # go-gemini

-[![GoDoc](https://godoc.org/git.sr.ht/~adnano/go-gemini?status.svg)](https://godoc.org/git.sr.ht/~adnano/go-gemini)
+[![godocs.io](https://godocs.io/git.sr.ht/~adnano/go-gemini?status.svg)](https://godocs.io/git.sr.ht/~adnano/go-gemini) [![builds.sr.ht status](https://builds.sr.ht/~adnano/go-gemini.svg)](https://builds.sr.ht/~adnano/go-gemini?)

 Package gemini implements the [Gemini protocol](https://gemini.circumlunar.space) in Go.

-It aims to provide an API similar to that of net/http to make it easy to develop Gemini clients and servers.
+It provides an API similar to that of net/http to make it easy to develop Gemini clients and servers.
+
+Compatible with version v0.14.3 of the Gemini specification.

 ## Usage

--- a/cert.go
+++ b/cert.go
@@ -1,179 +0,0 @@
-package gemini
-
-import (
-	"crypto"
-	"crypto/ed25519"
-	"crypto/rand"
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/pem"
-	"log"
-	"math/big"
-	"net"
-	"os"
-	"path/filepath"
-	"strings"
-	"time"
-)
-
-// CertificateStore maps certificate scopes to certificates.
-// The zero value of CertificateStore is an empty store ready to use.
-type CertificateStore struct {
-	store map[string]tls.Certificate
-	dir   bool
-	path  string
-}
-
-// Add adds a certificate for the given scope to the store.
-// It tries to parse the certificate if it is not already parsed.
-func (c *CertificateStore) Add(scope string, cert tls.Certificate) {
-	if c.store == nil {
-		c.store = map[string]tls.Certificate{}
-	}
-	// Parse certificate if not already parsed
-	if cert.Leaf == nil {
-		parsed, err := x509.ParseCertificate(cert.Certificate[0])
-		if err == nil {
-			cert.Leaf = parsed
-		}
-	}
-	if c.dir {
-		// Write certificates
-		log.Printf("gemini: Writing certificate for %s to %s", scope, c.path)
-		certPath := filepath.Join(c.path, scope+".crt")
-		keyPath := filepath.Join(c.path, scope+".key")
-		if err := WriteCertificate(cert, certPath, keyPath); err != nil {
-			log.Printf("gemini: Failed to write certificate for %s: %s", scope, err)
-		}
-	}
-	c.store[scope] = cert
-}
-
-// Lookup returns the certificate for the given scope.
-func (c *CertificateStore) Lookup(scope string) (*tls.Certificate, error) {
-	cert, ok := c.store[scope]
-	if !ok {
-		return nil, ErrCertificateNotFound
-	}
-	// Ensure that the certificate is not expired
-	if cert.Leaf != nil && cert.Leaf.NotAfter.Before(time.Now()) {
-		return &cert, ErrCertificateExpired
-	}
-	return &cert, nil
-}
-
-// Load loads certificates from the given path.
-// The path should lead to a directory containing certificates and private keys
-// in the form scope.crt and scope.key.
-// For example, the hostname "localhost" would have the corresponding files
-// localhost.crt (certificate) and localhost.key (private key).
-// New certificates will be written to this directory.
-func (c *CertificateStore) Load(path string) error {
-	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
-	if err != nil {
-		return err
-	}
-	for _, crtPath := range matches {
-		keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key"
-		cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
-		if err != nil {
-			continue
-		}
-		scope := strings.TrimSuffix(filepath.Base(crtPath), ".crt")
-		c.Add(scope, cert)
-	}
-	c.dir = true
-	c.path = path
-	return nil
-}
-
-// CertificateOptions configures how a certificate is created.
-type CertificateOptions struct {
-	IPAddresses []net.IP
-	DNSNames    []string
-	Duration    time.Duration
-}
-
-// CreateCertificate creates a new TLS certificate.
-func CreateCertificate(options CertificateOptions) (tls.Certificate, error) {
-	crt, priv, err := newX509KeyPair(options)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-	var cert tls.Certificate
-	cert.Leaf = crt
-	cert.Certificate = append(cert.Certificate, crt.Raw)
-	cert.PrivateKey = priv
-	return cert, nil
-}
-
-// newX509KeyPair creates and returns a new certificate and private key.
-func newX509KeyPair(options CertificateOptions) (*x509.Certificate, crypto.PrivateKey, error) {
-	// Generate an ED25519 private key
-	_, priv, err := ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, nil, err
-	}
-	public := priv.Public()
-
-	// ED25519 keys should have the DigitalSignature KeyUsage bits set
-	// in the x509.Certificate template
-	keyUsage := x509.KeyUsageDigitalSignature
-
-	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
-	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	notBefore := time.Now()
-	notAfter := notBefore.Add(options.Duration)
-
-	template := x509.Certificate{
-		SerialNumber:          serialNumber,
-		NotBefore:             notBefore,
-		NotAfter:              notAfter,
-		KeyUsage:              keyUsage,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-		IPAddresses:           options.IPAddresses,
-		DNSNames:              options.DNSNames,
-	}
-
-	crt, err := x509.CreateCertificate(rand.Reader, &template, &template, public, priv)
-	if err != nil {
-		return nil, nil, err
-	}
-	cert, err := x509.ParseCertificate(crt)
-	if err != nil {
-		return nil, nil, err
-	}
-	return cert, priv, nil
-}
-
-// WriteCertificate writes the provided certificate and private key
-// to certPath and keyPath respectively.
-func WriteCertificate(cert tls.Certificate, certPath, keyPath string) error {
-	certOut, err := os.OpenFile(certPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return err
-	}
-	defer certOut.Close()
-	if err := pem.Encode(certOut, &pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: cert.Leaf.Raw,
-	}); err != nil {
-		return err
-	}
-
-	keyOut, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
-	if err != nil {
-		return err
-	}
-	defer keyOut.Close()
-	privBytes, err := x509.MarshalPKCS8PrivateKey(cert.PrivateKey)
-	if err != nil {
-		return err
-	}
-	return pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
-}
--- a/certificate/certificate.go
+++ b/certificate/certificate.go
@@ -0,0 +1,236 @@
+// Package certificate provides utility functions for TLS certificates.
+package certificate
+
+import (
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/ed25519"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+)
+
+// Dir represents a directory of certificates.
+// The zero value for Dir is an empty directory ready to use.
+//
+// Dir is safe for concurrent use by multiple goroutines.
+type Dir struct {
+	certs map[string]tls.Certificate
+	path  *string
+	mu    sync.RWMutex
+}
+
+// Add adds a certificate for the given scope to the directory.
+// It tries to parse the certificate if it is not already parsed.
+func (d *Dir) Add(scope string, cert tls.Certificate) error {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	if d.certs == nil {
+		d.certs = map[string]tls.Certificate{}
+	}
+	// Parse certificate if not already parsed
+	if cert.Leaf == nil {
+		parsed, err := x509.ParseCertificate(cert.Certificate[0])
+		if err == nil {
+			cert.Leaf = parsed
+		}
+	}
+
+	if d.path != nil {
+		// Escape slash character
+		scope = strings.ReplaceAll(scope, "/", ":")
+		certPath := filepath.Join(*d.path, scope+".crt")
+		keyPath := filepath.Join(*d.path, scope+".key")
+		if err := Write(cert, certPath, keyPath); err != nil {
+			return err
+		}
+	}
+
+	d.certs[scope] = cert
+	return nil
+}
+
+// Lookup returns the certificate for the provided scope.
+func (d *Dir) Lookup(scope string) (tls.Certificate, bool) {
+	d.mu.RLock()
+	defer d.mu.RUnlock()
+	cert, ok := d.certs[scope]
+	return cert, ok
+}
+
+// Entries returns a map of hostnames to certificates.
+func (d *Dir) Entries() map[string]tls.Certificate {
+	certs := map[string]tls.Certificate{}
+	for key := range d.certs {
+		certs[key] = d.certs[key]
+	}
+	return certs
+}
+
+// Load loads certificates from the provided path.
+// Add will write certificates to this path.
+//
+// The directory should contain certificates and private keys
+// named scope.crt and scope.key respectively, where scope is
+// the scope of the certificate.
+func (d *Dir) Load(path string) error {
+	matches, err := filepath.Glob(filepath.Join(path, "*.crt"))
+	if err != nil {
+		return err
+	}
+	for _, crtPath := range matches {
+		keyPath := strings.TrimSuffix(crtPath, ".crt") + ".key"
+		cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
+		if err != nil {
+			continue
+		}
+		scope := strings.TrimSuffix(filepath.Base(crtPath), ".crt")
+		// Unescape slash character
+		scope = strings.ReplaceAll(scope, ":", "/")
+		d.Add(scope, cert)
+	}
+	d.SetPath(path)
+	return nil
+}
+
+// SetPath sets the directory path.
+// Add will write certificates to this path.
+func (d *Dir) SetPath(path string) {
+	d.mu.Lock()
+	defer d.mu.Unlock()
+	d.path = &path
+}
+
+// CreateOptions configures the creation of a TLS certificate.
+type CreateOptions struct {
+	// Subject Alternate Name values.
+	// Should contain the DNS names that this certificate is valid for.
+	// E.g. example.com, *.example.com
+	DNSNames []string
+
+	// Subject Alternate Name values.
+	// Should contain the IP addresses that the certificate is valid for.
+	IPAddresses []net.IP
+
+	// Subject specifies the certificate Subject.
+	//
+	// Subject.CommonName can contain the DNS name that this certificate
+	// is valid for. Server certificates should specify both a Subject
+	// and a Subject Alternate Name.
+	Subject pkix.Name
+
+	// Duration specifies the amount of time that the certificate is valid for.
+	Duration time.Duration
+
+	// Ed25519 specifies whether to generate an Ed25519 key pair.
+	// If false, an ECDSA key will be generated instead.
+	// Ed25519 is not as widely supported as ECDSA.
+	Ed25519 bool
+}
+
+// Create creates a new TLS certificate.
+func Create(options CreateOptions) (tls.Certificate, error) {
+	crt, priv, err := newX509KeyPair(options)
+	if err != nil {
+		return tls.Certificate{}, err
+	}
+	var cert tls.Certificate
+	cert.Leaf = crt
+	cert.Certificate = append(cert.Certificate, crt.Raw)
+	cert.PrivateKey = priv
+	return cert, nil
+}
+
+// newX509KeyPair creates and returns a new certificate and private key.
+func newX509KeyPair(options CreateOptions) (*x509.Certificate, crypto.PrivateKey, error) {
+	var pub crypto.PublicKey
+	var priv crypto.PrivateKey
+	if options.Ed25519 {
+		// Generate an Ed25519 private key
+		var err error
+		pub, priv, err = ed25519.GenerateKey(rand.Reader)
+		if err != nil {
+			return nil, nil, err
+		}
+	} else {
+		// Generate an ECDSA private key
+		private, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		if err != nil {
+			return nil, nil, err
+		}
+		priv = private
+		pub = &private.PublicKey
+	}
+
+	// ECDSA and Ed25519 keys should have the DigitalSignature KeyUsage bits
+	// set in the x509.Certificate template
+	keyUsage := x509.KeyUsageDigitalSignature
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(options.Duration)
+
+	template := x509.Certificate{
+		SerialNumber:          serialNumber,
+		NotBefore:             notBefore,
+		NotAfter:              notAfter,
+		KeyUsage:              keyUsage,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		IPAddresses:           options.IPAddresses,
+		DNSNames:              options.DNSNames,
+		Subject:               options.Subject,
+	}
+
+	crt, err := x509.CreateCertificate(rand.Reader, &template, &template, pub, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+	cert, err := x509.ParseCertificate(crt)
+	if err != nil {
+		return nil, nil, err
+	}
+	return cert, priv, nil
+}
+
+// Write writes the provided certificate and its private key
+// to certPath and keyPath respectively.
+func Write(cert tls.Certificate, certPath, keyPath string) error {
+	certOut, err := os.OpenFile(certPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer certOut.Close()
+	if err := pem.Encode(certOut, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: cert.Leaf.Raw,
+	}); err != nil {
+		return err
+	}
+
+	keyOut, err := os.OpenFile(keyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return err
+	}
+	defer keyOut.Close()
+	privBytes, err := x509.MarshalPKCS8PrivateKey(cert.PrivateKey)
+	if err != nil {
+		return err
+	}
+	return pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes})
+}
--- a/client.go
+++ b/client.go
@@ -2,66 +2,44 @@ package gemini

 import (
 	"bufio"
+	"context"
 	"crypto/tls"
 	"crypto/x509"
+	"errors"
+	"fmt"
 	"net"
-	"net/url"
-	"path"
-	"strings"
 	"time"
 )

-// Client is a Gemini client.
+// A Client is a Gemini client. Its zero value is a usable client.
 type Client struct {
-	// KnownHosts is a list of known hosts.
-	KnownHosts KnownHosts
-
-	// Certificates stores client-side certificates.
-	Certificates CertificateStore
+	// TrustCertificate is called to determine whether the client
+	// should trust the certificate provided by the server.
+	// If TrustCertificate is nil, the client will accept any certificate.
+	// If the returned error is not nil, the certificate will not be trusted
+	// and the request will be aborted.
+	//
+	// See the tofu submodule for an implementation of trust on first use.
+	TrustCertificate func(hostname string, cert *x509.Certificate) error

 	// Timeout specifies a time limit for requests made by this
 	// Client. The timeout includes connection time and reading
 	// the response body. The timer remains running after
-	// Get and Do return and will interrupt reading of the Response.Body.
+	// Get or Do return and will interrupt reading of the Response.Body.
 	//
 	// A Timeout of zero means no timeout.
 	Timeout time.Duration
-
-	// InsecureSkipTrust specifies whether the client should trust
-	// any certificate it receives without checking KnownHosts
-	// or calling TrustCertificate.
-	// Use with caution.
-	InsecureSkipTrust bool
-
-	// GetInput is called to retrieve input when the server requests it.
-	// If GetInput is nil or returns false, no input will be sent and
-	// the response will be returned.
-	GetInput func(prompt string, sensitive bool) (input string, ok bool)
-
-	// CheckRedirect determines whether to follow a redirect.
-	// If CheckRedirect is nil, a default policy of no more than 5 consecutive
-	// redirects will be enforced.
-	CheckRedirect func(req *Request, via []*Request) error
-
-	// CreateCertificate is called to generate a certificate upon
-	// the request of a server.
-	// If CreateCertificate is nil or the returned error is not nil,
-	// the request will not be sent again and the response will be returned.
-	CreateCertificate func(hostname, path string) (tls.Certificate, error)
-
-	// TrustCertificate is called to determine whether the client
-	// should trust a certificate it has not seen before.
-	// If TrustCertificate is nil, the certificate will not be trusted
-	// and the connection will be aborted.
-	//
-	// If TrustCertificate returns TrustOnce, the certificate will be added
-	// to the client's list of known hosts.
-	// If TrustCertificate returns TrustAlways, the certificate will also be
-	// written to the known hosts file.
-	TrustCertificate func(hostname string, cert *x509.Certificate) Trust
 }

-// Get performs a Gemini request for the given url.
+// Get sends a Gemini request for the given URL.
+//
+// An error is returned if there was a Gemini protocol error.
+// A non-2x status code doesn't cause an error.
+//
+// If the returned error is nil, the Response will contain a non-nil Body
+// which the user is expected to close.
+//
+// For more control over requests, use NewRequest and Client.Do.
 func (c *Client) Get(url string) (*Response, error) {
 	req, err := NewRequest(url)
 	if err != nil {
@@ -70,165 +48,149 @@ func (c *Client) Get(url string) (*Response, error) {
 	return c.Do(req)
 }

-// Do performs a Gemini request and returns a Gemini response.
+// Do sends a Gemini request and returns a Gemini response, following
+// policy as configured on the client.
+//
+// An error is returned if there was a Gemini protocol error.
+// A non-2x status code doesn't cause an error.
+//
+// If the returned error is nil, the Response will contain a non-nil Body
+// which the user is expected to close.
+//
+// Generally Get will be used instead of Do.
 func (c *Client) Do(req *Request) (*Response, error) {
-	return c.do(req, nil)
-}
+	// Punycode request URL host
+	hostname, port, err := net.SplitHostPort(req.URL.Host)
+	if err != nil {
+		// Likely no port
+		hostname = req.URL.Host
+		port = "1965"
+	}
+	punycode, err := punycodeHostname(hostname)
+	if err != nil {
+		return nil, err
+	}
+	if hostname != punycode {
+		hostname = punycode
+
+		// Make a copy of the request
+		_req := *req
+		req = &_req
+		_url := *req.URL
+		req.URL = &_url
+
+		// Set the host
+		req.URL.Host = net.JoinHostPort(hostname, port)
+	}
+
+	// Use request host if provided
+	if req.Host != "" {
+		hostname, port, err = net.SplitHostPort(req.Host)
+		if err != nil {
+			// Port is required
+			return nil, err
+		}
+		// Punycode hostname
+		hostname, err = punycodeHostname(hostname)
+		if err != nil {
+			return nil, err
+		}
+	}

-func (c *Client) do(req *Request, via []*Request) (*Response, error) {
 	// Connect to the host
 	config := &tls.Config{
 		InsecureSkipVerify: true,
 		MinVersion:         tls.VersionTLS12,
 		GetClientCertificate: func(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) {
-			return c.getClientCertificate(req)
+			if req.Certificate != nil {
+				return req.Certificate, nil
+			}
+			return &tls.Certificate{}, nil
 		},
 		VerifyConnection: func(cs tls.ConnectionState) error {
-			return c.verifyConnection(req, cs)
+			return c.verifyConnection(hostname, punycode, cs)
 		},
+		ServerName: hostname,
 	}
-	conn, err := tls.Dial("tcp", req.Host, config)
+
+	ctx := req.Context
+	if ctx == nil {
+		ctx = context.Background()
+	}
+
+	start := time.Now()
+	dialer := net.Dialer{
+		Timeout: c.Timeout,
+	}
+
+	address := net.JoinHostPort(hostname, port)
+	netConn, err := dialer.DialContext(ctx, "tcp", address)
 	if err != nil {
 		return nil, err
 	}
+
+	conn := tls.Client(netConn, config)
+
 	// Set connection deadline
-	if d := c.Timeout; d != 0 {
-		conn.SetDeadline(time.Now().Add(d))
+	if c.Timeout != 0 {
+		err := conn.SetDeadline(start.Add(c.Timeout))
+		if err != nil {
+			return nil, fmt.Errorf("failed to set connection deadline: %w", err)
+		}
 	}

+	resp, err := c.do(conn, req)
+	if err != nil {
+		// If we fail to perform the request/response we have
+		// to take responsibility for closing the connection.
+		_ = conn.Close()
+
+		return nil, err
+	}
+
+	// Store connection state
+	state := conn.ConnectionState()
+	resp.TLS = &state
+
+	return resp, nil
+}
+
+func (c *Client) do(conn *tls.Conn, req *Request) (*Response, error) {
 	// Write the request
 	w := bufio.NewWriter(conn)
-	req.write(w)
+
+	err := req.Write(w)
+	if err != nil {
+		return nil, fmt.Errorf("failed to write request: %w", err)
+	}
+
 	if err := w.Flush(); err != nil {
 		return nil, err
 	}

 	// Read the response
-	resp := &Response{}
-	if err := resp.read(conn); err != nil {
+	resp, err := ReadResponse(conn)
+	if err != nil {
 		return nil, err
 	}
-	// Store connection state
-	resp.TLS = conn.ConnectionState()

-	switch {
-	case resp.Status == StatusCertificateRequired:
-		// Check to see if a certificate was already provided to prevent an infinite loop
-		if req.Certificate != nil {
-			return resp, nil
-		}
-
-		hostname, path := req.URL.Hostname(), strings.TrimSuffix(req.URL.Path, "/")
-		if c.CreateCertificate != nil {
-			cert, err := c.CreateCertificate(hostname, path)
-			if err != nil {
-				return resp, err
-			}
-			c.Certificates.Add(hostname+path, cert)
-			return c.do(req, via)
-		}
-		return resp, ErrCertificateRequired
-
-	case resp.Status.Class() == StatusClassInput:
-		if c.GetInput != nil {
-			input, ok := c.GetInput(resp.Meta, resp.Status == StatusSensitiveInput)
-			if ok {
-				req.URL.ForceQuery = true
-				req.URL.RawQuery = url.QueryEscape(input)
-				return c.do(req, via)
-			}
-		}
-		return resp, ErrInputRequired
-
-	case resp.Status.Class() == StatusClassRedirect:
-		if via == nil {
-			via = []*Request{}
-		}
-		via = append(via, req)
-
-		target, err := url.Parse(resp.Meta)
-		if err != nil {
-			return resp, err
-		}
-		target = req.URL.ResolveReference(target)
-		redirect, err := NewRequestFromURL(target)
-		if err != nil {
-			return resp, err
-		}
-
-		if c.CheckRedirect != nil {
-			if err := c.CheckRedirect(redirect, via); err != nil {
-				return resp, err
-			}
-		} else if len(via) > 5 {
-			// Default policy of no more than 5 redirects
-			return resp, ErrTooManyRedirects
-		}
-		return c.do(redirect, via)
-	}
-
-	resp.Request = req
 	return resp, nil
 }

-func (c *Client) getClientCertificate(req *Request) (*tls.Certificate, error) {
-	// Request certificates have the highest precedence
-	if req.Certificate != nil {
-		return req.Certificate, nil
-	}
-
-	// Search recursively for the certificate
-	scope := req.URL.Hostname() + strings.TrimSuffix(req.URL.Path, "/")
-	for {
-		cert, err := c.Certificates.Lookup(scope)
-		if err == nil {
-			// Store the certificate
-			req.Certificate = cert
-			return cert, err
-		}
-		if err == ErrCertificateExpired {
-			break
-		}
-		scope = path.Dir(scope)
-		if scope == "." {
-			break
-		}
-	}
-
-	return &tls.Certificate{}, nil
-}
-
-func (c *Client) verifyConnection(req *Request, cs tls.ConnectionState) error {
-	// Verify the hostname
-	var hostname string
-	if host, _, err := net.SplitHostPort(req.Host); err == nil {
-		hostname = host
-	} else {
-		hostname = req.Host
-	}
+func (c *Client) verifyConnection(hostname, punycode string, cs tls.ConnectionState) error {
 	cert := cs.PeerCertificates[0]
-	if err := verifyHostname(cert, hostname); err != nil {
+	// Verify punycoded hostname
+	if err := verifyHostname(cert, punycode); err != nil {
 		return err
 	}
-	if c.InsecureSkipTrust {
-		return nil
+	// Check expiration date
+	if !time.Now().Before(cert.NotAfter) {
+		return errors.New("gemini: certificate expired")
 	}
-	// Check the known hosts
-	err := c.KnownHosts.Lookup(hostname, cert)
-	switch err {
-	case ErrCertificateExpired, ErrCertificateNotFound:
+
 	// See if the client trusts the certificate
 	if c.TrustCertificate != nil {
-			switch c.TrustCertificate(hostname, cert) {
-			case TrustOnce:
-				c.KnownHosts.AddTemporary(hostname, cert)
+		return c.TrustCertificate(hostname, cert)
+	}
 	return nil
-			case TrustAlways:
-				c.KnownHosts.Add(hostname, cert)
-				return nil
-			}
-		}
-		return ErrCertificateNotTrusted
-	}
-	return err
 }
--- a/doc.go
+++ b/doc.go
@@ -1,22 +1,14 @@
 /*
 Package gemini implements the Gemini protocol.

-Get makes a Gemini request:
-
-	resp, err := gemini.Get("gemini://example.com")
-	if err != nil {
-		// handle error
-	}
-	defer resp.Body.Close()
-	// ...
-
-For control over client behavior, create a Client:
+Client is a Gemini client.

 	client := &gemini.Client{}
 	resp, err := client.Get("gemini://example.com")
 	if err != nil {
 		// handle error
 	}
+	defer resp.Body.Close()
 	// ...

 Server is a Gemini server.
@@ -35,13 +27,13 @@ Servers should be configured with certificates:

 Servers can accept requests for multiple hosts and schemes:

-	server.RegisterFunc("example.com", func(w *gemini.ResponseWriter, r *gemini.Request) {
+	server.RegisterFunc("example.com", func(w gemini.ResponseWriter, r *gemini.Request) {
 		fmt.Fprint(w, "Welcome to example.com")
 	})
-	server.RegisterFunc("example.org", func(w *gemini.ResponseWriter, r *gemini.Request) {
+	server.RegisterFunc("example.org", func(w gemini.ResponseWriter, r *gemini.Request) {
 		fmt.Fprint(w, "Welcome to example.org")
 	})
-	server.RegisterFunc("http://example.net", func(w *gemini.ResponseWriter, r *gemini.Request) {
+	server.RegisterFunc("http://example.net", func(w gemini.ResponseWriter, r *gemini.Request) {
 		fmt.Fprint(w, "Proxied content from http://example.net")
 	})

--- a/examples/auth.go
+++ b/examples/auth.go
@@ -3,150 +3,89 @@
 package main

 import (
+	"crypto/sha512"
 	"crypto/tls"
 	"crypto/x509"
+	"crypto/x509/pkix"
 	"fmt"
 	"log"
 	"time"

 	"git.sr.ht/~adnano/go-gemini"
+	"git.sr.ht/~adnano/go-gemini/certificate"
 )

-type user struct {
-	password string // TODO: use hashes
-	admin    bool
-}
-
-type session struct {
-	username   string
-	authorized bool // whether or not the password was supplied
+type User struct {
+	Name string
 }

 var (
-	// Map of usernames to user data
-	logins = map[string]user{
-		"admin": {"p@ssw0rd", true}, // NOTE: These are bad passwords!
-		"user1": {"password1", false},
-		"user2": {"password2", false},
-	}
-
-	// Map of certificate fingerprints to sessions
-	sessions = map[string]*session{}
+	// Map of certificate hashes to users
+	users = map[string]*User{}
 )

 func main() {
 	var mux gemini.ServeMux
-	mux.HandleFunc("/", login)
-	mux.HandleFunc("/password", loginPassword)
-	mux.HandleFunc("/profile", profile)
-	mux.HandleFunc("/admin", admin)
-	mux.HandleFunc("/logout", logout)
+	mux.HandleFunc("/", profile)
+	mux.HandleFunc("/username", changeUsername)

 	var server gemini.Server
 	if err := server.Certificates.Load("/var/lib/gemini/certs"); err != nil {
 		log.Fatal(err)
 	}
-	server.CreateCertificate = func(hostname string) (tls.Certificate, error) {
-		return gemini.CreateCertificate(gemini.CertificateOptions{
+	server.GetCertificate = func(hostname string) (tls.Certificate, error) {
+		return certificate.Create(certificate.CreateOptions{
+			Subject: pkix.Name{
+				CommonName: hostname,
+			},
 			DNSNames: []string{hostname},
 			Duration: time.Hour,
 		})
 	}
-	server.Register("localhost", &mux)
+	server.Handle("localhost", &mux)

 	if err := server.ListenAndServe(); err != nil {
 		log.Fatal(err)
 	}
 }

-func getSession(cert *x509.Certificate) (*session, bool) {
-	fingerprint := gemini.Fingerprint(cert)
-	session, ok := sessions[fingerprint]
-	return session, ok
+func fingerprint(cert *x509.Certificate) string {
+	b := sha512.Sum512(cert.Raw)
+	return string(b[:])
 }

-func login(w *gemini.ResponseWriter, r *gemini.Request) {
-	if r.Certificate == nil {
-		w.WriteStatus(gemini.StatusCertificateRequired)
+func profile(w gemini.ResponseWriter, r *gemini.Request) {
+	if len(r.TLS.PeerCertificates) == 0 {
+		w.Status(gemini.StatusCertificateRequired)
 		return
 	}
-	username, ok := gemini.Input(r)
+	fingerprint := fingerprint(r.TLS.PeerCertificates[0])
+	user, ok := users[fingerprint]
 	if !ok {
-		w.WriteHeader(gemini.StatusInput, "Username")
-		return
+		user = &User{}
+		users[fingerprint] = user
 	}
-	fingerprint := gemini.Fingerprint(r.Certificate.Leaf)
-	sessions[fingerprint] = &session{
-		username: username,
-	}
-	w.WriteHeader(gemini.StatusRedirect, "/password")
+	fmt.Fprintln(w, "Username:", user.Name)
+	fmt.Fprintln(w, "=> /username Change username")
 }

-func loginPassword(w *gemini.ResponseWriter, r *gemini.Request) {
-	if r.Certificate == nil {
-		w.WriteStatus(gemini.StatusCertificateRequired)
+func changeUsername(w gemini.ResponseWriter, r *gemini.Request) {
+	if len(r.TLS.PeerCertificates) == 0 {
+		w.Status(gemini.StatusCertificateRequired)
 		return
 	}
-	session, ok := getSession(r.Certificate.Leaf)
+
+	username, err := gemini.QueryUnescape(r.URL.RawQuery)
+	if err != nil || username == "" {
+		w.Header(gemini.StatusInput, "Username")
+		return
+	}
+	fingerprint := fingerprint(r.TLS.PeerCertificates[0])
+	user, ok := users[fingerprint]
 	if !ok {
-		w.WriteStatus(gemini.StatusCertificateNotAuthorized)
-		return
-	}
-
-	password, ok := gemini.Input(r)
-	if !ok {
-		w.WriteHeader(gemini.StatusSensitiveInput, "Password")
-		return
-	}
-	expected := logins[session.username].password
-	if password == expected {
-		session.authorized = true
-		w.WriteHeader(gemini.StatusRedirect, "/profile")
-	} else {
-		w.WriteHeader(gemini.StatusSensitiveInput, "Wrong password. Try again")
+		user = &User{}
+		users[fingerprint] = user
 	}
-}
-
-func logout(w *gemini.ResponseWriter, r *gemini.Request) {
-	if r.Certificate == nil {
-		w.WriteStatus(gemini.StatusCertificateRequired)
-		return
-	}
-	fingerprint := gemini.Fingerprint(r.Certificate.Leaf)
-	delete(sessions, fingerprint)
-	fmt.Fprintln(w, "Successfully logged out.")
-}
-
-func profile(w *gemini.ResponseWriter, r *gemini.Request) {
-	if r.Certificate == nil {
-		w.WriteStatus(gemini.StatusCertificateRequired)
-		return
-	}
-	session, ok := getSession(r.Certificate.Leaf)
-	if !ok {
-		w.WriteStatus(gemini.StatusCertificateNotAuthorized)
-		return
-	}
-	user := logins[session.username]
-	fmt.Fprintln(w, "Username:", session.username)
-	fmt.Fprintln(w, "Admin:", user.admin)
-	fmt.Fprintln(w, "=> /logout Logout")
-}
-
-func admin(w *gemini.ResponseWriter, r *gemini.Request) {
-	if r.Certificate == nil {
-		w.WriteStatus(gemini.StatusCertificateRequired)
-		return
-	}
-	session, ok := getSession(r.Certificate.Leaf)
-	if !ok {
-		w.WriteStatus(gemini.StatusCertificateNotAuthorized)
-		return
-	}
-	user := logins[session.username]
-	if !user.admin {
-		w.WriteStatus(gemini.StatusCertificateNotAuthorized)
-		return
-	}
-	fmt.Fprintln(w, "Welcome to the admin portal.")
+	user.Name = username
+	w.Header(gemini.StatusRedirect, "/")
 }
--- a/examples/cert.go
+++ b/examples/cert.go
@@ -1,14 +1,17 @@
 // +build ignore

+// This example illustrates a certificate generation tool.
+
 package main

 import (
+	"crypto/x509/pkix"
 	"fmt"
 	"log"
 	"os"
 	"time"

-	"git.sr.ht/~adnano/go-gemini"
+	"git.sr.ht/~adnano/go-gemini/certificate"
 )

 func main() {
@@ -21,17 +24,20 @@ func main() {
 	if err != nil {
 		log.Fatal(err)
 	}
-	options := gemini.CertificateOptions{
+	options := certificate.CreateOptions{
+		Subject: pkix.Name{
+			CommonName: host,
+		},
 		DNSNames: []string{host},
 		Duration: duration,
 	}
-	cert, err := gemini.CreateCertificate(options)
+	cert, err := certificate.Create(options)
 	if err != nil {
 		log.Fatal(err)
 	}
 	certPath := host + ".crt"
 	keyPath := host + ".key"
-	if err := gemini.WriteCertificate(cert, certPath, keyPath); err != nil {
+	if err := certificate.Write(cert, certPath, keyPath); err != nil {
 		log.Fatal(err)
 	}
 }
--- a/examples/client.go
+++ b/examples/client.go
@@ -1,20 +1,49 @@
 // +build ignore

+// This example illustrates a Gemini client.
+
 package main

 import (
 	"bufio"
-	"crypto/tls"
+	"bytes"
 	"crypto/x509"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"log"
+	"net/url"
 	"os"
+	"path/filepath"
 	"time"

 	"git.sr.ht/~adnano/go-gemini"
+	"git.sr.ht/~adnano/go-gemini/tofu"
+	"git.sr.ht/~adnano/go-xdg"
 )

+var (
+	hosts     tofu.KnownHosts
+	hostsfile *tofu.HostWriter
+	scanner   *bufio.Scanner
+)
+
+func init() {
+	// Load known hosts file
+	path := filepath.Join(xdg.DataHome(), "gemini", "known_hosts")
+	err := hosts.Load(path)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	hostsfile, err = tofu.OpenHostsFile(path)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	scanner = bufio.NewScanner(os.Stdin)
+}
+
 const trustPrompt = `The certificate offered by %s is of unknown trust. Its fingerprint is:
 %s

@@ -24,48 +53,86 @@ Otherwise, this should be safe to trust.
 [t]rust always; trust [o]nce; [a]bort
 => `

-var (
-	scanner = bufio.NewScanner(os.Stdin)
-	client  = &gemini.Client{}
-)
+func trustCertificate(hostname string, cert *x509.Certificate) error {
+	host := tofu.NewHost(hostname, cert.Raw, cert.NotAfter)

-func init() {
-	client.Timeout = 30 * time.Second
-	client.KnownHosts.LoadDefault()
-	client.TrustCertificate = func(hostname string, cert *x509.Certificate) gemini.Trust {
-		fmt.Printf(trustPrompt, hostname, gemini.Fingerprint(cert))
+	knownHost, ok := hosts.Lookup(hostname)
+	if ok && time.Now().Before(knownHost.Expires) {
+		// Check fingerprint
+		if bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
+			return nil
+		}
+		return errors.New("error: fingerprint does not match!")
+	}
+
+	fmt.Printf(trustPrompt, hostname, host.Fingerprint)
 	scanner.Scan()
 	switch scanner.Text() {
 	case "t":
-			return gemini.TrustAlways
+		hosts.Add(host)
+		hostsfile.WriteHost(host)
+		return nil
 	case "o":
-			return gemini.TrustOnce
+		hosts.Add(host)
+		return nil
 	default:
-			return gemini.TrustNone
+		return errors.New("certificate not trusted")
 	}
-	}
-	client.CreateCertificate = func(hostname, path string) (tls.Certificate, error) {
-		fmt.Println("Generating client certificate for", hostname, path)
-		return gemini.CreateCertificate(gemini.CertificateOptions{
-			Duration: time.Hour,
-		})
-	}
-	client.GetInput = func(prompt string, sensitive bool) (string, bool) {
-		fmt.Printf("%s: ", prompt)
+}
+
+func getInput(prompt string, sensitive bool) (input string, ok bool) {
+	fmt.Printf("%s ", prompt)
 	scanner.Scan()
 	return scanner.Text(), true
+}
+
+func do(req *gemini.Request, via []*gemini.Request) (*gemini.Response, error) {
+	client := gemini.Client{
+		TrustCertificate: trustCertificate,
 	}
+	resp, err := client.Do(req)
+	if err != nil {
+		return resp, err
+	}
+
+	switch gemini.StatusClass(resp.Status) {
+	case gemini.StatusInput:
+		input, ok := getInput(resp.Meta, resp.Status == gemini.StatusSensitiveInput)
+		if !ok {
+			break
+		}
+		req.URL.ForceQuery = true
+		req.URL.RawQuery = gemini.QueryEscape(input)
+		return do(req, via)
+
+	case gemini.StatusRedirect:
+		via = append(via, req)
+		if len(via) > 5 {
+			return resp, errors.New("too many redirects")
+		}
+
+		target, err := url.Parse(resp.Meta)
+		if err != nil {
+			return resp, err
+		}
+		target = req.URL.ResolveReference(target)
+		redirect := *req
+		redirect.URL = target
+		return do(&redirect, via)
+	}
+
+	return resp, err
 }

 func main() {
 	if len(os.Args) < 2 {
-		fmt.Printf("usage: %s gemini://... [host]", os.Args[0])
+		fmt.Printf("usage: %s <url> [host]\n", os.Args[0])
 		os.Exit(1)
 	}

+	// Do the request
 	url := os.Args[1]
 	req, err := gemini.NewRequest(url)
-
 	if err != nil {
 		fmt.Println(err)
 		os.Exit(1)
@@ -73,21 +140,22 @@ func main() {
 	if len(os.Args) == 3 {
 		req.Host = os.Args[2]
 	}
-
-	resp, err := client.Do(req)
+	resp, err := do(req, nil)
 	if err != nil {
 		fmt.Println(err)
 		os.Exit(1)
 	}
 	defer resp.Body.Close()

-	if resp.Status.Class() == gemini.StatusClassSuccess {
+	// Handle response
+	if gemini.StatusClass(resp.Status) == gemini.StatusSuccess {
 		body, err := ioutil.ReadAll(resp.Body)
 		if err != nil {
 			log.Fatal(err)
 		}
 		fmt.Print(string(body))
 	} else {
-		fmt.Printf("request failed: %d %s: %s", resp.Status, resp.Status.Message(), resp.Meta)
+		fmt.Printf("%d %s\n", resp.Status, resp.Meta)
+		os.Exit(1)
 	}
 }
--- a/examples/html.go
+++ b/examples/html.go
@@ -7,76 +7,77 @@ package main
 import (
 	"fmt"
 	"html"
-	"strings"
+	"io"
+	"os"

 	"git.sr.ht/~adnano/go-gemini"
 )

 func main() {
-	text := gemini.Text{
-		gemini.LineHeading1("Hello, world!"),
-		gemini.LineText("This is a gemini text document."),
+	hw := HTMLWriter{
+		out: os.Stdout,
 	}
-
-	html := textToHTML(text)
-	fmt.Print(html)
+	gemini.ParseLines(os.Stdin, hw.Handle)
+	hw.Finish()
 }

-// textToHTML returns the Gemini text response as HTML.
-func textToHTML(text gemini.Text) string {
-	var b strings.Builder
-	var pre bool
-	var list bool
-	for _, l := range text {
-		if _, ok := l.(gemini.LineListItem); ok {
-			if !list {
-				list = true
-				fmt.Fprint(&b, "<ul>\n")
+type HTMLWriter struct {
+	out  io.Writer
+	pre  bool
+	list bool
+}
+
+func (h *HTMLWriter) Handle(line gemini.Line) {
+	if _, ok := line.(gemini.LineListItem); ok {
+		if !h.list {
+			h.list = true
+			fmt.Fprint(h.out, "<ul>\n")
 		}
-		} else if list {
-			list = false
-			fmt.Fprint(&b, "</ul>\n")
+	} else if h.list {
+		h.list = false
+		fmt.Fprint(h.out, "</ul>\n")
 	}
-		switch l := l.(type) {
+	switch line := line.(type) {
 	case gemini.LineLink:
-			url := html.EscapeString(l.URL)
-			name := html.EscapeString(l.Name)
+		url := html.EscapeString(line.URL)
+		name := html.EscapeString(line.Name)
 		if name == "" {
 			name = url
 		}
-			fmt.Fprintf(&b, "<p><a href='%s'>%s</a></p>\n", url, name)
+		fmt.Fprintf(h.out, "<p><a href='%s'>%s</a></p>\n", url, name)
 	case gemini.LinePreformattingToggle:
-			pre = !pre
-			if pre {
-				fmt.Fprint(&b, "<pre>\n")
+		h.pre = !h.pre
+		if h.pre {
+			fmt.Fprint(h.out, "<pre>\n")
 		} else {
-				fmt.Fprint(&b, "</pre>\n")
+			fmt.Fprint(h.out, "</pre>\n")
 		}
 	case gemini.LinePreformattedText:
-			fmt.Fprintf(&b, "%s\n", html.EscapeString(string(l)))
+		fmt.Fprintf(h.out, "%s\n", html.EscapeString(string(line)))
 	case gemini.LineHeading1:
-			fmt.Fprintf(&b, "<h1>%s</h1>\n", html.EscapeString(string(l)))
+		fmt.Fprintf(h.out, "<h1>%s</h1>\n", html.EscapeString(string(line)))
 	case gemini.LineHeading2:
-			fmt.Fprintf(&b, "<h2>%s</h2>\n", html.EscapeString(string(l)))
+		fmt.Fprintf(h.out, "<h2>%s</h2>\n", html.EscapeString(string(line)))
 	case gemini.LineHeading3:
-			fmt.Fprintf(&b, "<h3>%s</h3>\n", html.EscapeString(string(l)))
+		fmt.Fprintf(h.out, "<h3>%s</h3>\n", html.EscapeString(string(line)))
 	case gemini.LineListItem:
-			fmt.Fprintf(&b, "<li>%s</li>\n", html.EscapeString(string(l)))
+		fmt.Fprintf(h.out, "<li>%s</li>\n", html.EscapeString(string(line)))
 	case gemini.LineQuote:
-			fmt.Fprintf(&b, "<blockquote>%s</blockquote>\n", html.EscapeString(string(l)))
+		fmt.Fprintf(h.out, "<blockquote>%s</blockquote>\n", html.EscapeString(string(line)))
 	case gemini.LineText:
-			if l == "" {
-				fmt.Fprint(&b, "<br>\n")
+		if line == "" {
+			fmt.Fprint(h.out, "<br>\n")
 		} else {
-				fmt.Fprintf(&b, "<p>%s</p>\n", html.EscapeString(string(l)))
+			fmt.Fprintf(h.out, "<p>%s</p>\n", html.EscapeString(string(line)))
 		}
 	}
-	}
-	if pre {
-		fmt.Fprint(&b, "</pre>\n")
-	}
-	if list {
-		fmt.Fprint(&b, "</ul>\n")
-	}
-	return b.String()
+}
+
+func (h *HTMLWriter) Finish() {
+	if h.pre {
+		fmt.Fprint(h.out, "</pre>\n")
+	}
+	if h.list {
+		fmt.Fprint(h.out, "</ul>\n")
+	}
 }
--- a/examples/server.go
+++ b/examples/server.go
@@ -1,13 +1,17 @@
 // +build ignore

+// This example illustrates a Gemini server.
+
 package main

 import (
 	"crypto/tls"
+	"crypto/x509/pkix"
 	"log"
 	"time"

 	"git.sr.ht/~adnano/go-gemini"
+	"git.sr.ht/~adnano/go-gemini/certificate"
 )

 func main() {
@@ -17,17 +21,20 @@ func main() {
 	if err := server.Certificates.Load("/var/lib/gemini/certs"); err != nil {
 		log.Fatal(err)
 	}
-	server.CreateCertificate = func(hostname string) (tls.Certificate, error) {
-		return gemini.CreateCertificate(gemini.CertificateOptions{
+	server.GetCertificate = func(hostname string) (tls.Certificate, error) {
+		return certificate.Create(certificate.CreateOptions{
+			Subject: pkix.Name{
+				CommonName: hostname,
+			},
 			DNSNames: []string{hostname},
-			Duration: time.Minute, // for testing purposes
+			Duration: 365 * 24 * time.Hour,
 		})
 	}

 	var mux gemini.ServeMux
 	mux.Handle("/", gemini.FileServer(gemini.Dir("/var/www")))

-	server.Register("localhost", &mux)
+	server.Handle("localhost", &mux)
 	if err := server.ListenAndServe(); err != nil {
 		log.Fatal(err)
 	}
--- a/examples/stream.go
+++ b/examples/stream.go
@@ -0,0 +1,71 @@
+// +build ignore
+
+// This example illustrates a streaming Gemini server.
+
+package main
+
+import (
+	"context"
+	"crypto/tls"
+	"crypto/x509/pkix"
+	"fmt"
+	"log"
+	"time"
+
+	"git.sr.ht/~adnano/go-gemini"
+	"git.sr.ht/~adnano/go-gemini/certificate"
+)
+
+func main() {
+	var server gemini.Server
+	if err := server.Certificates.Load("/var/lib/gemini/certs"); err != nil {
+		log.Fatal(err)
+	}
+	server.GetCertificate = func(hostname string) (tls.Certificate, error) {
+		return certificate.Create(certificate.CreateOptions{
+			Subject: pkix.Name{
+				CommonName: hostname,
+			},
+			DNSNames: []string{hostname},
+			Duration: 365 * 24 * time.Hour,
+		})
+	}
+
+	server.HandleFunc("localhost", stream)
+	if err := server.ListenAndServe(); err != nil {
+		log.Fatal(err)
+	}
+}
+
+// stream writes an infinite stream to w.
+func stream(w gemini.ResponseWriter, r *gemini.Request) {
+	ch := make(chan string)
+	ctx, cancel := context.WithCancel(context.Background())
+
+	go func(ctx context.Context) {
+		for {
+			select {
+			case <-ctx.Done():
+				return
+			default:
+				ch <- fmt.Sprint(time.Now().UTC())
+			}
+			time.Sleep(time.Second)
+		}
+		// Close channel when finished.
+		// In this example this will never be reached.
+		close(ch)
+	}(ctx)
+
+	for {
+		s, ok := <-ch
+		if !ok {
+			break
+		}
+		fmt.Fprintln(w, s)
+		if err := w.Flush(); err != nil {
+			cancel()
+			return
+		}
+	}
+}
--- a/fs.go
+++ b/fs.go
@@ -13,79 +13,104 @@ func init() {
 	mime.AddExtensionType(".gemini", "text/gemini")
 }

-// FileServer takes a filesystem and returns a Responder which uses that filesystem.
-// The returned Responder sanitizes paths before handling them.
-func FileServer(fsys FS) Responder {
-	return fsHandler{fsys}
-}
-
-type fsHandler struct {
-	FS
-}
-
-func (fsh fsHandler) Respond(w *ResponseWriter, r *Request) {
-	p := path.Clean(r.URL.Path)
-	f, err := fsh.Open(p)
-	if err != nil {
-		w.WriteStatus(StatusNotFound)
-		return
-	}
-	// Detect mimetype
-	ext := path.Ext(p)
-	mimetype := mime.TypeByExtension(ext)
-	w.SetMimetype(mimetype)
-	// Copy file to response writer
-	io.Copy(w, f)
-}
-
-// TODO: replace with io/fs.FS when available
-type FS interface {
+// A FileSystem implements access to a collection of named files. The elements
+// in a file path are separated by slash ('/', U+002F) characters, regardless
+// of host operating system convention.
+type FileSystem interface {
 	Open(name string) (File, error)
 }

-// TODO: replace with io/fs.File when available
+// A File is returned by a FileSystem's Open method and can be served by the
+// FileServer implementation.
+//
+// The methods should behave the same as those on an *os.File.
 type File interface {
 	Stat() (os.FileInfo, error)
 	Read([]byte) (int, error)
 	Close() error
 }

-// Dir implements FS using the native filesystem restricted to a specific directory.
+// A Dir implements FileSystem using the native file system restricted
+// to a specific directory tree.
+//
+// While the FileSystem.Open method takes '/'-separated paths, a Dir's string
+// value is a filename on the native file system, not a URL, so it is separated
+// by filepath.Separator, which isn't necessarily '/'.
+//
+// Note that Dir could expose sensitive files and directories. Dir will follow
+// symlinks pointing out of the directory tree, which can be especially
+// dangerous if serving from a directory in which users are able to create
+// arbitrary symlinks. Dir will also allow access to files and directories
+// starting with a period, which could expose sensitive directories like .git
+// or sensitive files like .htpasswd. To exclude files with a leading period,
+// remove the files/directories from the server or create a custom FileSystem
+// implementation.
+//
+// An empty Dir is treated as ".".
 type Dir string

-// Open tries to open the file with the given name.
-// If the file is a directory, it tries to open the index file in that directory.
+// Open implements FileSystem using os.Open, opening files for reading
+// rooted and relative to the directory d.
 func (d Dir) Open(name string) (File, error) {
-	p := path.Join(string(d), name)
-	return openFile(p)
+	return os.Open(path.Join(string(d), name))
+}
+
+// FileServer returns a handler that serves Gemini requests with the contents
+// of the provided file system.
+//
+// To use the operating system's file system implementation, use gemini.Dir:
+//
+//     gemini.FileServer(gemini.Dir("/tmp"))
+func FileServer(fsys FileSystem) Handler {
+	return fileServer{fsys}
+}
+
+type fileServer struct {
+	FileSystem
+}
+
+func (fs fileServer) ServeGemini(w ResponseWriter, r *Request) {
+	ServeFile(w, fs, r.URL.Path)
 }

 // ServeFile responds to the request with the contents of the named file
 // or directory.
-// TODO: Use io/fs.FS when available.
-func ServeFile(w *ResponseWriter, fs FS, name string) {
-	f, err := fs.Open(name)
+//
+// If the provided file or directory name is a relative path, it is interpreted
+// relative to the current directory and may ascend to parent directories. If
+// the provided name is constructed from user input, it should be sanitized
+// before calling ServeFile.
+func ServeFile(w ResponseWriter, fsys FileSystem, name string) {
+	f, err := openFile(fsys, name)
 	if err != nil {
-		w.WriteStatus(StatusNotFound)
+		w.Status(StatusNotFound)
 		return
 	}
 	// Detect mimetype
 	ext := path.Ext(name)
 	mimetype := mime.TypeByExtension(ext)
-	w.SetMimetype(mimetype)
+	w.Meta(mimetype)
 	// Copy file to response writer
-	io.Copy(w, f)
+	_, _ = io.Copy(w, f)
 }

-func openFile(p string) (File, error) {
-	f, err := os.OpenFile(p, os.O_RDONLY, 0644)
+func openFile(fsys FileSystem, name string) (File, error) {
+	f, err := fsys.Open(name)
 	if err != nil {
 		return nil, err
 	}

-	if stat, err := f.Stat(); err == nil {
+	stat, err := f.Stat()
+	if err != nil {
+		return nil, err
+	}
+	if stat.Mode().IsRegular() {
+		return f, nil
+	}
+
 	if stat.IsDir() {
-			f, err := os.Open(path.Join(p, "index.gmi"))
+		// Try opening index.gmi
+		f, err := fsys.Open(path.Join(name, "index.gmi"))
 		if err != nil {
 			return nil, err
 		}
@@ -96,10 +121,7 @@ func openFile(p string) (File, error) {
 		if stat.Mode().IsRegular() {
 			return f, nil
 		}
-			return nil, ErrNotAFile
-		} else if !stat.Mode().IsRegular() {
-			return nil, ErrNotAFile
 	}
-	}
-	return f, nil
+
+	return nil, os.ErrNotExist
 }
--- a/gemini.go
+++ b/gemini.go
@@ -2,7 +2,6 @@ package gemini

 import (
 	"errors"
-	"sync"
 )

 var crlf = []byte("\r\n")
@@ -10,37 +9,20 @@ var crlf = []byte("\r\n")
 // Errors.
 var (
 	ErrInvalidURL      = errors.New("gemini: invalid URL")
+	ErrInvalidRequest  = errors.New("gemini: invalid request")
 	ErrInvalidResponse = errors.New("gemini: invalid response")
-	ErrCertificateExpired    = errors.New("gemini: certificate expired")
-	ErrCertificateNotFound   = errors.New("gemini: certificate not found")
-	ErrCertificateNotTrusted = errors.New("gemini: certificate not trusted")
-	ErrCertificateRequired   = errors.New("gemini: certificate required")
-	ErrNotAFile              = errors.New("gemini: not a file")
-	ErrNotAGeminiURL         = errors.New("gemini: not a Gemini URL")
-	ErrBodyNotAllowed        = errors.New("gemini: response status code does not allow for body")
-	ErrTooManyRedirects      = errors.New("gemini: too many redirects")
-	ErrInputRequired         = errors.New("gemini: input required")
+
+	// ErrBodyNotAllowed is returned by ResponseWriter.Write calls
+	// when the response status code does not permit a body.
+	ErrBodyNotAllowed = errors.New("gemini: response status code does not allow body")
+
+	// ErrServerClosed is returned by the Server's Serve and ListenAndServe
+	// methods after a call to Shutdown or Close.
+	ErrServerClosed = errors.New("gemini: server closed")
+
+	// ErrAbortHandler is a sentinel panic value to abort a handler.
+	// While any panic from ServeGemini aborts the response to the client,
+	// panicking with ErrAbortHandler also suppresses logging of a stack
+	// trace to the server's error log.
+	ErrAbortHandler = errors.New("net/http: abort Handler")
 )
-
-// defaultClient is the default client. It is used by Get and Do.
-var defaultClient Client
-
-// Get performs a Gemini request for the given url.
-func Get(url string) (*Response, error) {
-	setupDefaultClientOnce()
-	return defaultClient.Get(url)
-}
-
-// Do performs a Gemini request and returns a Gemini response.
-func Do(req *Request) (*Response, error) {
-	setupDefaultClientOnce()
-	return defaultClient.Do(req)
-}
-
-var defaultClientOnce sync.Once
-
-func setupDefaultClientOnce() {
-	defaultClientOnce.Do(func() {
-		defaultClient.KnownHosts.LoadDefault()
-	})
-}
--- a/go.mod
+++ b/go.mod
@@ -1,3 +1,5 @@
 module git.sr.ht/~adnano/go-gemini

 go 1.15
+
+require golang.org/x/net v0.0.0-20210119194325-5f4716e94777
--- a/go.sum
+++ b/go.sum
@@ -0,0 +1,7 @@
+golang.org/x/net v0.0.0-20210119194325-5f4716e94777 h1:003p0dJM77cxMSyCPFphvZf/Y5/NXf5fzg6ufd1/Oew=
+golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
--- a/mux.go
+++ b/mux.go
@@ -50,7 +50,7 @@ type ServeMux struct {
 }

 type muxEntry struct {
-	r       Responder
+	r       Handler
 	pattern string
 }

@@ -78,7 +78,7 @@ func cleanPath(p string) string {

 // Find a handler on a handler map given a path string.
 // Most-specific (longest) pattern wins.
-func (mux *ServeMux) match(path string) Responder {
+func (mux *ServeMux) match(path string) Handler {
 	// Check for exact match first.
 	v, ok := mux.m[path]
 	if ok {
@@ -130,22 +130,22 @@ func (mux *ServeMux) shouldRedirectRLocked(path string) bool {
 	return false
 }

-// Respond dispatches the request to the responder whose
+// ServeGemini dispatches the request to the handler whose
 // pattern most closely matches the request URL.
-func (mux *ServeMux) Respond(w *ResponseWriter, r *Request) {
+func (mux *ServeMux) ServeGemini(w ResponseWriter, r *Request) {
 	path := cleanPath(r.URL.Path)

 	// If the given path is /tree and its handler is not registered,
 	// redirect for /tree/.
 	if u, ok := mux.redirectToPathSlash(path, r.URL); ok {
-		w.WriteHeader(StatusRedirect, u.String())
+		w.Header(StatusRedirect, u.String())
 		return
 	}

 	if path != r.URL.Path {
 		u := *r.URL
 		u.Path = path
-		w.WriteHeader(StatusRedirect, u.String())
+		w.Header(StatusRedirect, u.String())
 		return
 	}

@@ -154,23 +154,23 @@ func (mux *ServeMux) Respond(w *ResponseWriter, r *Request) {

 	resp := mux.match(path)
 	if resp == nil {
-		w.WriteStatus(StatusNotFound)
+		w.Status(StatusNotFound)
 		return
 	}
-	resp.Respond(w, r)
+	resp.ServeGemini(w, r)
 }

-// Handle registers the responder for the given pattern.
-// If a responder already exists for pattern, Handle panics.
-func (mux *ServeMux) Handle(pattern string, responder Responder) {
+// Handle registers the handler for the given pattern.
+// If a handler already exists for pattern, Handle panics.
+func (mux *ServeMux) Handle(pattern string, handler Handler) {
 	mux.mu.Lock()
 	defer mux.mu.Unlock()

 	if pattern == "" {
 		panic("gemini: invalid pattern")
 	}
-	if responder == nil {
-		panic("gemini: nil responder")
+	if handler == nil {
+		panic("gemini: nil handler")
 	}
 	if _, exist := mux.m[pattern]; exist {
 		panic("gemini: multiple registrations for " + pattern)
@@ -179,7 +179,7 @@ func (mux *ServeMux) Handle(pattern string, responder Responder) {
 	if mux.m == nil {
 		mux.m = make(map[string]muxEntry)
 	}
-	e := muxEntry{responder, pattern}
+	e := muxEntry{handler, pattern}
 	mux.m[pattern] = e
 	if pattern[len(pattern)-1] == '/' {
 		mux.es = appendSorted(mux.es, e)
@@ -201,10 +201,10 @@ func appendSorted(es []muxEntry, e muxEntry) []muxEntry {
 	return es
 }

-// HandleFunc registers the responder function for the given pattern.
-func (mux *ServeMux) HandleFunc(pattern string, responder func(*ResponseWriter, *Request)) {
-	if responder == nil {
-		panic("gemini: nil responder")
+// HandleFunc registers the handler function for the given pattern.
+func (mux *ServeMux) HandleFunc(pattern string, handler func(ResponseWriter, *Request)) {
+	if handler == nil {
+		panic("gemini: nil handler")
 	}
-	mux.Handle(pattern, ResponderFunc(responder))
+	mux.Handle(pattern, HandlerFunc(handler))
 }
--- a/punycode.go
+++ b/punycode.go
@@ -0,0 +1,28 @@
+package gemini
+
+import (
+	"net"
+	"unicode/utf8"
+
+	"golang.org/x/net/idna"
+)
+
+func isASCII(s string) bool {
+	for i := 0; i < len(s); i++ {
+		if s[i] >= utf8.RuneSelf {
+			return false
+		}
+	}
+	return true
+}
+
+// punycodeHostname returns the punycoded version of hostname.
+func punycodeHostname(hostname string) (string, error) {
+	if net.ParseIP(hostname) != nil {
+		return hostname, nil
+	}
+	if isASCII(hostname) {
+		return hostname, nil
+	}
+	return idna.Lookup.ToASCII(hostname)
+}
--- a/query.go
+++ b/query.go
@@ -0,0 +1,18 @@
+package gemini
+
+import (
+	"net/url"
+	"strings"
+)
+
+// QueryEscape escapes a string for use in a Gemini URL query.
+// It is like url.PathEscape except that it also replaces plus signs
+// with their percent-encoded counterpart.
+func QueryEscape(query string) string {
+	return strings.ReplaceAll(url.PathEscape(query), "+", "%2B")
+}
+
+// QueryUnescape is identical to url.PathUnescape.
+func QueryUnescape(query string) (string, error) {
+	return url.PathUnescape(query)
+}
--- a/request.go
+++ b/request.go
@@ -2,70 +2,115 @@ package gemini

 import (
 	"bufio"
+	"context"
 	"crypto/tls"
+	"io"
 	"net"
 	"net/url"
 )

-// Request represents a Gemini request.
+// A Request represents a Gemini request received by a server or to be sent
+// by a client.
+//
+// The field semantics differ slightly between client and server usage.
 type Request struct {
-	// URL specifies the URL being requested.
+	// URL specifies the URL being requested (for server
+	// requests) or the URL to access (for client requests).
 	URL *url.URL

-	// For client requests, Host specifies the host on which the URL is sought.
-	// Host must contain a port.
-	// This field is ignored by the server.
+	// For client requests, Host optionally specifies the server to
+	// connect to. It must be of the form "host:port".
+	// If empty, the value of URL.Host is used.
+	// For international domain names, Host may be in Punycode or
+	// Unicode form. Use golang.org/x/net/idna to convert it to
+	// either format if needed.
+	// This field is ignored by the Gemini server.
 	Host string

-	// Certificate specifies the TLS certificate to use for the request.
-	// Request certificates take precedence over client certificates.
-	//
-	// On the server side, if the client provided a certificate then
-	// Certificate.Leaf is guaranteed to be non-nil.
+	// For client requests, Certificate optionally specifies the
+	// TLS certificate to present to the other side of the connection.
+	// This field is ignored by the Gemini server.
 	Certificate *tls.Certificate

-	// RemoteAddr allows servers and other software to record the network
-	// address that sent the request.
-	// This field is ignored by the client.
+	// RemoteAddr allows Gemini servers and other software to record
+	// the network address that sent the request, usually for
+	// logging. This field is not filled in by ReadRequest and
+	// has no defined format. The Gemini server in this package
+	// sets RemoteAddr to an "IP:port" address before invoking a
+	// handler.
+	// This field is ignored by the Gemini client.
 	RemoteAddr net.Addr

-	// TLS allows servers and other software to record information about the TLS
-	// connection on which the request was received.
-	// This field is ignored by the client.
-	TLS tls.ConnectionState
+	// TLS allows Gemini servers and other software to record
+	// information about the TLS connection on which the request
+	// was received. This field is not filled in by ReadRequest.
+	// The Gemini server in this package sets the field for
+	// TLS-enabled connections before invoking a handler;
+	// otherwise it leaves the field nil.
+	// This field is ignored by the Gemini client.
+	TLS *tls.ConnectionState
+
+	// Context specifies the context to use for outgoing requests.
+	// The context controls the entire lifetime of a request and its
+	// response: obtaining a connection, sending the request, and
+	// reading the response header and body.
+	// If Context is nil, the background context will be used.
+	// This field is ignored by the Gemini server.
+	Context context.Context
 }

-// NewRequest returns a new request. The host is inferred from the URL.
+// NewRequest returns a new request.
+//
+// The returned Request is suitable for use with Client.Do.
+//
+// Callers should be careful that the URL query is properly escaped.
+// See the documentation for QueryEscape for more information.
 func NewRequest(rawurl string) (*Request, error) {
 	u, err := url.Parse(rawurl)
 	if err != nil {
 		return nil, err
 	}
-	return NewRequestFromURL(u)
+	return &Request{URL: u}, nil
 }

-// NewRequestFromURL returns a new request for the given URL.
-// The host is inferred from the URL.
-func NewRequestFromURL(url *url.URL) (*Request, error) {
-	if url.Scheme != "" && url.Scheme != "gemini" {
-		return nil, ErrNotAGeminiURL
+// ReadRequest reads and parses an incoming request from r.
+//
+// ReadRequest is a low-level function and should only be used
+// for specialized applications; most code should use the Server
+// to read requests and handle them via the Handler interface.
+func ReadRequest(r io.Reader) (*Request, error) {
+	// Read URL
+	r = io.LimitReader(r, 1026)
+	br := bufio.NewReaderSize(r, 1026)
+	rawurl, err := br.ReadString('\r')
+	if err != nil {
+		return nil, err
 	}
-	host := url.Host
-	if url.Port() == "" {
-		host += ":1965"
+	// Read terminating line feed
+	if b, err := br.ReadByte(); err != nil {
+		return nil, err
+	} else if b != '\n' {
+		return nil, ErrInvalidRequest
 	}
-	return &Request{
-		URL:  url,
-		Host: host,
-	}, nil
+	// Trim carriage return
+	rawurl = rawurl[:len(rawurl)-1]
+	// Validate URL
+	if len(rawurl) > 1024 {
+		return nil, ErrInvalidRequest
+	}
+	u, err := url.Parse(rawurl)
+	if err != nil {
+		return nil, err
+	}
+	return &Request{URL: u}, nil
 }

-// write writes the Gemini request to the provided buffered writer.
-func (r *Request) write(w *bufio.Writer) error {
+// Write writes a Gemini request in wire format.
+// This method consults the request URL only.
+func (r *Request) Write(w *bufio.Writer) error {
 	url := r.URL.String()
-	// User is invalid
-	if r.URL.User != nil || len(url) > 1024 {
-		return ErrInvalidURL
+	if len(url) > 1024 {
+		return ErrInvalidRequest
 	}
 	if _, err := w.WriteString(url); err != nil {
 		return err
--- a/request_test.go
+++ b/request_test.go
@@ -0,0 +1,132 @@
+package gemini
+
+import (
+	"bufio"
+	"io"
+	"net/url"
+	"strings"
+	"testing"
+)
+
+// 1024 bytes
+const maxURL = "gemini://example.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+
+func TestReadRequest(t *testing.T) {
+	tests := []struct {
+		Raw string
+		URL *url.URL
+		Err error
+	}{
+		{
+			Raw: "gemini://example.com\r\n",
+			URL: &url.URL{
+				Scheme: "gemini",
+				Host:   "example.com",
+			},
+		},
+		{
+			Raw: "http://example.org/path/?query#fragment\r\n",
+			URL: &url.URL{
+				Scheme:   "http",
+				Host:     "example.org",
+				Path:     "/path/",
+				RawQuery: "query",
+				Fragment: "fragment",
+			},
+		},
+		{
+			Raw: "\r\n",
+			URL: &url.URL{},
+		},
+		{
+			Raw: "gemini://example.com\n",
+			Err: io.EOF,
+		},
+		{
+			Raw: "gemini://example.com",
+			Err: io.EOF,
+		},
+		{
+			// 1030 bytes
+			Raw: maxURL + "xxxxxx",
+			Err: io.EOF,
+		},
+		{
+			// 1027 bytes
+			Raw: maxURL + "x" + "\r\n",
+			Err: io.EOF,
+		},
+		{
+			// 1024 bytes
+			Raw: maxURL[:len(maxURL)-2] + "\r\n",
+			URL: &url.URL{
+				Scheme: "gemini",
+				Host:   "example.net",
+				Path:   maxURL[len("gemini://example.net") : len(maxURL)-2],
+			},
+		},
+	}
+
+	for _, test := range tests {
+		t.Logf("%#v", test.Raw)
+		req, err := ReadRequest(strings.NewReader(test.Raw))
+		if err != test.Err {
+			t.Errorf("expected err = %v, got %v", test.Err, err)
+		}
+		if req == nil && test.URL != nil {
+			t.Errorf("expected url = %s, got nil", test.URL)
+		} else if req != nil && test.URL == nil {
+			t.Errorf("expected req = nil, got %v", req)
+		} else if req != nil && *req.URL != *test.URL {
+			t.Errorf("expected url = %v, got %v", *test.URL, *req.URL)
+		}
+	}
+}
+
+func newRequest(rawurl string) *Request {
+	req, err := NewRequest(rawurl)
+	if err != nil {
+		panic(err)
+	}
+	return req
+}
+
+func TestWriteRequest(t *testing.T) {
+	tests := []struct {
+		Req *Request
+		Raw string
+		Err error
+	}{
+		{
+			Req: newRequest("gemini://example.com"),
+			Raw: "gemini://example.com\r\n",
+		},
+		{
+			Req: newRequest("gemini://example.com/path/?query#fragment"),
+			Raw: "gemini://example.com/path/?query#fragment\r\n",
+		},
+		{
+			Req: newRequest(maxURL),
+			Raw: maxURL + "\r\n",
+		},
+		{
+			Req: newRequest(maxURL + "x"),
+			Err: ErrInvalidRequest,
+		},
+	}
+
+	for _, test := range tests {
+		t.Logf("%s", test.Req.URL)
+		var b strings.Builder
+		bw := bufio.NewWriter(&b)
+		err := test.Req.Write(bw)
+		if err != test.Err {
+			t.Errorf("expected err = %v, got %v", test.Err, err)
+		}
+		bw.Flush()
+		got := b.String()
+		if got != test.Raw {
+			t.Errorf("expected %#v, got %#v", test.Raw, got)
+		}
+	}
+}
--- a/response.go
+++ b/response.go
@@ -2,93 +2,106 @@ package gemini

 import (
 	"bufio"
-	"bytes"
 	"crypto/tls"
 	"io"
-	"io/ioutil"
 	"strconv"
 )

-// Response is a Gemini response.
+// Response represents the response from a Gemini request.
+//
+// The Client returns Responses from servers once the response
+// header has been received. The response body is streamed on demand
+// as the Body field is read.
 type Response struct {
 	// Status contains the response status code.
-	Status Status
+	Status int

 	// Meta contains more information related to the response status.
-	// For successful responses, Meta should contain the mimetype of the response.
+	// For successful responses, Meta should contain the media type of the response.
 	// For failure responses, Meta should contain a short description of the failure.
 	// Meta should not be longer than 1024 bytes.
 	Meta string

-	// Body contains the response body for successful responses.
-	// Body is guaranteed to be non-nil.
+	// Body represents the response body.
+	//
+	// The response body is streamed on demand as the Body field
+	// is read. If the network connection fails or the server
+	// terminates the response, Body.Read calls return an error.
+	//
+	// The Gemini client guarantees that Body is always
+	// non-nil, even on responses without a body or responses with
+	// a zero-length body. It is the caller's responsibility to
+	// close Body.
 	Body io.ReadCloser

-	// Request is the request that was sent to obtain this response.
-	Request *Request
-
-	// TLS contains information about the TLS connection on which the response
-	// was received.
-	TLS tls.ConnectionState
+	// TLS contains information about the TLS connection on which the
+	// response was received. It is nil for unencrypted responses.
+	TLS *tls.ConnectionState
 }

-// read reads a Gemini response from the provided io.ReadCloser.
-func (resp *Response) read(rc io.ReadCloser) error {
+// ReadResponse reads a Gemini response from the provided io.ReadCloser.
+func ReadResponse(rc io.ReadCloser) (*Response, error) {
+	resp := &Response{}
 	br := bufio.NewReader(rc)
+
 	// Read the status
 	statusB := make([]byte, 2)
 	if _, err := br.Read(statusB); err != nil {
-		return err
+		return nil, err
 	}
 	status, err := strconv.Atoi(string(statusB))
 	if err != nil {
-		return err
-	}
-	resp.Status = Status(status)
-
-	// Disregard invalid status codes
-	const minStatus, maxStatus = 1, 6
-	statusClass := resp.Status.Class()
-	if statusClass < minStatus || statusClass > maxStatus {
-		return ErrInvalidResponse
+		return nil, ErrInvalidResponse
 	}
+	resp.Status = status

 	// Read one space
 	if b, err := br.ReadByte(); err != nil {
-		return err
+		return nil, err
 	} else if b != ' ' {
-		return ErrInvalidResponse
+		return nil, ErrInvalidResponse
 	}

 	// Read the meta
 	meta, err := br.ReadString('\r')
 	if err != nil {
-		return err
+		return nil, err
 	}
 	// Trim carriage return
 	meta = meta[:len(meta)-1]
 	// Ensure meta is less than or equal to 1024 bytes
 	if len(meta) > 1024 {
-		return ErrInvalidResponse
+		return nil, ErrInvalidResponse
 	}
 	// Default mime type of text/gemini; charset=utf-8
-	if statusClass == StatusClassSuccess && meta == "" {
+	if StatusClass(status) == StatusSuccess && meta == "" {
 		meta = "text/gemini; charset=utf-8"
 	}
 	resp.Meta = meta

 	// Read terminating newline
 	if b, err := br.ReadByte(); err != nil {
-		return err
+		return nil, err
 	} else if b != '\n' {
-		return ErrInvalidResponse
+		return nil, ErrInvalidResponse
 	}

-	if resp.Status.Class() == StatusClassSuccess {
+	if StatusClass(status) == StatusSuccess {
 		resp.Body = newReadCloserBody(br, rc)
 	} else {
-		resp.Body = ioutil.NopCloser(bytes.NewReader([]byte{}))
+		resp.Body = nopReadCloser{}
+		rc.Close()
 	}
+	return resp, nil
+}
+
+type nopReadCloser struct{}
+
+func (nopReadCloser) Read(p []byte) (int, error) {
+	return 0, io.EOF
+}
+
+func (nopReadCloser) Close() error {
 	return nil
 }

@@ -118,3 +131,104 @@ func (b *readCloserBody) Read(p []byte) (n int, err error) {
 	}
 	return b.ReadCloser.Read(p)
 }
+
+// A ResponseWriter interface is used by a Gemini handler
+// to construct a Gemini response.
+type ResponseWriter interface {
+	// Header sets the response header.
+	Header(status int, meta string)
+
+	// Status sets the response status code.
+	// It also sets the response meta to Meta(status).
+	Status(status int)
+
+	// Meta sets the response meta.
+	//
+	// For successful responses, meta should contain the media type of the response.
+	// For failure responses, meta should contain a short description of the failure.
+	// The response meta should not be greater than 1024 bytes.
+	Meta(meta string)
+
+	// Write writes data to the connection as part of the response body.
+	// If the response status does not allow for a response body, Write returns
+	// ErrBodyNotAllowed.
+	//
+	// Write writes the response header if it has not already been written.
+	// It writes a successful status code if one is not set.
+	Write([]byte) (int, error)
+
+	// Flush writes any buffered data to the underlying io.Writer.
+	//
+	// Flush writes the response header if it has not already been written.
+	// It writes a failure status code if one is not set.
+	Flush() error
+}
+
+type responseWriter struct {
+	b           *bufio.Writer
+	status      int
+	meta        string
+	wroteHeader bool
+	bodyAllowed bool
+}
+
+// NewResponseWriter returns a ResponseWriter that uses the provided io.Writer.
+func NewResponseWriter(w io.Writer) ResponseWriter {
+	return &responseWriter{
+		b: bufio.NewWriter(w),
+	}
+}
+
+func (w *responseWriter) Header(status int, meta string) {
+	w.status = status
+	w.meta = meta
+}
+
+func (w *responseWriter) Status(status int) {
+	w.status = status
+	w.meta = Meta(status)
+}
+
+func (w *responseWriter) Meta(meta string) {
+	w.meta = meta
+}
+
+func (w *responseWriter) Write(b []byte) (int, error) {
+	if !w.wroteHeader {
+		w.writeHeader(StatusSuccess)
+	}
+	if !w.bodyAllowed {
+		return 0, ErrBodyNotAllowed
+	}
+	return w.b.Write(b)
+}
+
+func (w *responseWriter) writeHeader(defaultStatus int) {
+	status := w.status
+	if status == 0 {
+		status = defaultStatus
+	}
+
+	meta := w.meta
+	if StatusClass(status) == StatusSuccess {
+		w.bodyAllowed = true
+
+		if meta == "" {
+			meta = "text/gemini"
+		}
+	}
+
+	w.b.WriteString(strconv.Itoa(status))
+	w.b.WriteByte(' ')
+	w.b.WriteString(meta)
+	w.b.Write(crlf)
+	w.wroteHeader = true
+}
+
+func (w *responseWriter) Flush() error {
+	if !w.wroteHeader {
+		w.writeHeader(StatusTemporaryFailure)
+	}
+	// Write errors from writeHeader will be returned here.
+	return w.b.Flush()
+}
--- a/response_test.go
+++ b/response_test.go
@@ -0,0 +1,104 @@
+package gemini
+
+import (
+	"io"
+	"io/ioutil"
+	"strings"
+	"testing"
+)
+
+func TestReadResponse(t *testing.T) {
+	tests := []struct {
+		Raw    string
+		Status int
+		Meta   string
+		Body   string
+		Err    error
+	}{
+		{
+			Raw:    "20 text/gemini\r\nHello, world!\nWelcome to my capsule.",
+			Status: 20,
+			Meta:   "text/gemini",
+			Body:   "Hello, world!\nWelcome to my capsule.",
+		},
+		{
+			Raw:    "10 Search query\r\n",
+			Status: 10,
+			Meta:   "Search query",
+		},
+		{
+			Raw:    "30 /redirect\r\n",
+			Status: 30,
+			Meta:   "/redirect",
+		},
+		{
+			Raw:    "31 /redirect\r\nThis body is ignored.",
+			Status: 31,
+			Meta:   "/redirect",
+		},
+		{
+			Raw:    "99 Unknown status code\r\n",
+			Status: 99,
+			Meta:   "Unknown status code",
+		},
+		{
+			Raw: "\r\n",
+			Err: ErrInvalidResponse,
+		},
+		{
+			Raw: "\n",
+			Err: ErrInvalidResponse,
+		},
+		{
+			Raw: "1 Bad response\r\n",
+			Err: ErrInvalidResponse,
+		},
+		{
+			Raw: "",
+			Err: io.EOF,
+		},
+		{
+			Raw: "10 Search query",
+			Err: io.EOF,
+		},
+		{
+			Raw: "20 text/gemini\nHello, world!",
+			Err: io.EOF,
+		},
+		{
+			Raw: "20 text/gemini\rHello, world!",
+			Err: ErrInvalidResponse,
+		},
+		{
+			Raw: "20 text/gemini\r",
+			Err: io.EOF,
+		},
+		{
+			Raw: "abcdefghijklmnopqrstuvwxyz",
+			Err: ErrInvalidResponse,
+		},
+	}
+
+	for _, test := range tests {
+		t.Logf("%#v", test.Raw)
+		resp, err := ReadResponse(ioutil.NopCloser(strings.NewReader(test.Raw)))
+		if err != test.Err {
+			t.Errorf("expected err = %v, got %v", test.Err, err)
+		}
+		if test.Err != nil {
+			// No response
+			continue
+		}
+		if resp.Status != test.Status {
+			t.Errorf("expected status = %d, got %d", test.Status, resp.Status)
+		}
+		if resp.Meta != test.Meta {
+			t.Errorf("expected meta = %s, got %s", test.Meta, resp.Meta)
+		}
+		b, _ := ioutil.ReadAll(resp.Body)
+		body := string(b)
+		if body != test.Body {
+			t.Errorf("expected body = %#v, got %#v", test.Body, body)
+		}
+	}
+}
--- a/server.go
+++ b/server.go
@@ -1,65 +1,93 @@
 package gemini

 import (
-	"bufio"
+	"context"
 	"crypto/tls"
+	"errors"
 	"log"
 	"net"
-	"net/url"
-	"strconv"
+	"runtime"
 	"strings"
+	"sync"
+	"sync/atomic"
 	"time"
+
+	"git.sr.ht/~adnano/go-gemini/certificate"
 )

-// Server is a Gemini server.
+// A Server defines parameters for running a Gemini server. The zero value for
+// Server is a valid configuration.
 type Server struct {
-	// Addr specifies the address that the server should listen on.
-	// If Addr is empty, the server will listen on the address ":1965".
+	// Addr optionally specifies the TCP address for the server to listen on,
+	// in the form "host:port". If empty, ":1965" (port 1965) is used.
+	// See net.Dial for details of the address format.
 	Addr string

-	// ReadTimeout is the maximum duration for reading a request.
+	// ReadTimeout is the maximum duration for reading the entire
+	// request.
+	//
+	// A ReadTimeout of zero means no timeout.
 	ReadTimeout time.Duration

 	// WriteTimeout is the maximum duration before timing out
 	// writes of the response.
+	//
+	// A WriteTimeout of zero means no timeout.
 	WriteTimeout time.Duration

-	// Certificates contains the certificates used by the server.
-	Certificates CertificateStore
+	// Certificates contains one or more certificates to present to the
+	// other side of the connection.
+	Certificates certificate.Dir

-	// CreateCertificate, if not nil, will be called to create a new certificate
+	// GetCertificate, if not nil, will be called to retrieve a new certificate
 	// if the current one is expired or missing.
-	CreateCertificate func(hostname string) (tls.Certificate, error)
+	GetCertificate func(hostname string) (tls.Certificate, error)

-	// registered responders
-	responders map[responderKey]Responder
+	// ErrorLog specifies an optional logger for errors accepting connections,
+	// unexpected behavior from handlers, and underlying file system errors.
+	// If nil, logging is done via the log package's standard logger.
+	ErrorLog *log.Logger
+
+	// registered handlers
+	handlers map[handlerKey]Handler
 	hosts    map[string]bool
+	hmu      sync.Mutex
+
+	listeners map[*net.Listener]struct{}
+	conns     map[*net.Conn]struct{}
+	done      int32
+	mu        sync.Mutex
 }

-type responderKey struct {
+type handlerKey struct {
 	scheme   string
 	hostname string
 }

-// Register registers a responder for the given pattern.
+// Handle registers the handler for the given pattern.
+// If a handler already exists for pattern, Handle panics.
 //
-// Patterns must be in the form of "hostname" or "scheme://hostname".
+// The pattern must be in the form of "hostname" or "scheme://hostname".
 // If no scheme is specified, a scheme of "gemini://" is implied.
 // Wildcard patterns are supported (e.g. "*.example.com").
-func (s *Server) Register(pattern string, responder Responder) {
+// To handle any hostname, use the wildcard pattern "*".
+func (srv *Server) Handle(pattern string, handler Handler) {
+	srv.hmu.Lock()
+	defer srv.hmu.Unlock()
+
 	if pattern == "" {
 		panic("gemini: invalid pattern")
 	}
-	if responder == nil {
-		panic("gemini: nil responder")
+	if handler == nil {
+		panic("gemini: nil handler")
 	}
-	if s.responders == nil {
-		s.responders = map[responderKey]Responder{}
-		s.hosts = map[string]bool{}
+	if srv.handlers == nil {
+		srv.handlers = map[handlerKey]Handler{}
+		srv.hosts = map[string]bool{}
 	}

 	split := strings.SplitN(pattern, "://", 2)
-	var key responderKey
+	var key handlerKey
 	if len(split) == 2 {
 		key.scheme = split[0]
 		key.hostname = split[1]
@@ -68,21 +96,32 @@ func (s *Server) Register(pattern string, responder Responder) {
 		key.hostname = split[0]
 	}

-	if _, ok := s.responders[key]; ok {
+	if _, ok := srv.handlers[key]; ok {
 		panic("gemini: multiple registrations for " + pattern)
 	}
-	s.responders[key] = responder
-	s.hosts[key.hostname] = true
+	srv.handlers[key] = handler
+	srv.hosts[key.hostname] = true
 }

-// RegisterFunc registers a responder function for the given pattern.
-func (s *Server) RegisterFunc(pattern string, responder func(*ResponseWriter, *Request)) {
-	s.Register(pattern, ResponderFunc(responder))
+// HandleFunc registers the handler function for the given pattern.
+func (srv *Server) HandleFunc(pattern string, handler func(ResponseWriter, *Request)) {
+	srv.Handle(pattern, HandlerFunc(handler))
 }

 // ListenAndServe listens for requests at the server's configured address.
-func (s *Server) ListenAndServe() error {
-	addr := s.Addr
+// ListenAndServe listens on the TCP network address srv.Addr and then calls
+// Serve to handle requests on incoming connections.
+//
+// If srv.Addr is blank, ":1965" is used.
+//
+// ListenAndServe always returns a non-nil error. After Shutdown or Close, the
+// returned error is ErrServerClosed.
+func (srv *Server) ListenAndServe() error {
+	if atomic.LoadInt32(&srv.done) == 1 {
+		return ErrServerClosed
+	}
+
+	addr := srv.Addr
 	if addr == "" {
 		addr = ":1965"
 	}
@@ -93,20 +132,52 @@ func (s *Server) ListenAndServe() error {
 	}
 	defer ln.Close()

-	return s.Serve(tls.NewListener(ln, &tls.Config{
+	return srv.Serve(tls.NewListener(ln, &tls.Config{
 		ClientAuth:     tls.RequestClientCert,
 		MinVersion:     tls.VersionTLS12,
-		GetCertificate: s.getCertificate,
+		GetCertificate: srv.getCertificate,
 	}))
 }

-// Serve listens for requests on the provided listener.
-func (s *Server) Serve(l net.Listener) error {
+func (srv *Server) trackListener(l *net.Listener) {
+	srv.mu.Lock()
+	defer srv.mu.Unlock()
+	if srv.listeners == nil {
+		srv.listeners = make(map[*net.Listener]struct{})
+	}
+	srv.listeners[l] = struct{}{}
+}
+
+func (srv *Server) deleteListener(l *net.Listener) {
+	srv.mu.Lock()
+	defer srv.mu.Unlock()
+	delete(srv.listeners, l)
+}
+
+// Serve accepts incoming connections on the Listener l, creating a new
+// service goroutine for each. The service goroutines read requests and
+// then calls the appropriate Handler to reply to them.
+//
+// Serve always returns a non-nil error and closes l. After Shutdown or Close,
+// the returned error is ErrServerClosed.
+func (srv *Server) Serve(l net.Listener) error {
+	defer l.Close()
+
+	srv.trackListener(&l)
+	defer srv.deleteListener(&l)
+
+	if atomic.LoadInt32(&srv.done) == 1 {
+		return ErrServerClosed
+	}
+
 	var tempDelay time.Duration // how long to sleep on accept failure

 	for {
 		rw, err := l.Accept()
 		if err != nil {
+			if atomic.LoadInt32(&srv.done) == 1 {
+				return ErrServerClosed
+			}
 			// If this is a temporary error, sleep
 			if ne, ok := err.(net.Error); ok && ne.Temporary() {
 				if tempDelay == 0 {
@@ -117,7 +188,7 @@ func (s *Server) Serve(l net.Listener) error {
 				if max := 1 * time.Second; tempDelay > max {
 					tempDelay = max
 				}
-				log.Printf("gemini: Accept error: %v; retrying in %v", err, tempDelay)
+				srv.logf("gemini: Accept error: %v; retrying in %v", err, tempDelay)
 				time.Sleep(tempDelay)
 				continue
 			}
@@ -127,219 +198,264 @@ func (s *Server) Serve(l net.Listener) error {
 		}

 		tempDelay = 0
-		go s.respond(rw)
+		go srv.respond(rw)
 	}
 }

-func (s *Server) getCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	cert, err := s.getCertificateFor(h.ServerName)
+func (srv *Server) closeListenersLocked() error {
+	var err error
+	for ln := range srv.listeners {
+		if cerr := (*ln).Close(); cerr != nil && err == nil {
+			err = cerr
+		}
+		delete(srv.listeners, ln)
+	}
+	return err
+}
+
+// Close immediately closes all active net.Listeners and connections.
+// For a graceful shutdown, use Shutdown.
+//
+// Close returns any error returned from closing the Server's
+// underlying Listener(s).
+func (srv *Server) Close() error {
+	srv.mu.Lock()
+	defer srv.mu.Unlock()
+	if !atomic.CompareAndSwapInt32(&srv.done, 0, 1) {
+		return ErrServerClosed
+	}
+	err := srv.closeListenersLocked()
+
+	// Close active connections
+	for conn := range srv.conns {
+		(*conn).Close()
+		delete(srv.conns, conn)
+	}
+	return err
+}
+
+func (srv *Server) numConns() int {
+	srv.mu.Lock()
+	defer srv.mu.Unlock()
+	return len(srv.conns)
+}
+
+// shutdownPollInterval is how often we poll for quiescence
+// during Server.Shutdown. This is lower during tests, to
+// speed up tests.
+// Ideally we could find a solution that doesn't involve polling,
+// but which also doesn't have a high runtime cost (and doesn't
+// involve any contentious mutexes), but that is left as an
+// exercise for the reader.
+var shutdownPollInterval = 500 * time.Millisecond
+
+// Shutdown gracefully shuts down the server without interrupting any
+// active connections. Shutdown works by first closing all open
+// listeners and then waiting indefinitely for connections
+// to close and then shut down.
+// If the provided context expires before the shutdown is complete,
+// Shutdown returns the context's error, otherwise it returns any
+// error returned from closing the Server's underlying Listener(s).
+//
+// When Shutdown is called, Serve, ListenAndServe, and
+// ListenAndServeTLS immediately return ErrServerClosed. Make sure the
+// program doesn't exit and waits instead for Shutdown to return.
+//
+// Once Shutdown has been called on a server, it may not be reused;
+// future calls to methods such as Serve will return ErrServerClosed.
+func (srv *Server) Shutdown(ctx context.Context) error {
+	if !atomic.CompareAndSwapInt32(&srv.done, 0, 1) {
+		return ErrServerClosed
+	}
+
+	srv.mu.Lock()
+	err := srv.closeListenersLocked()
+	srv.mu.Unlock()
+
+	// Wait for active connections to close
+	ticker := time.NewTicker(shutdownPollInterval)
+	defer ticker.Stop()
+	for {
+		if srv.numConns() == 0 {
+			return err
+		}
+
+		select {
+		case <-ctx.Done():
+			return ctx.Err()
+		case <-ticker.C:
+		}
+	}
+}
+
+// getCertificate retrieves a certificate for the given client hello.
+func (srv *Server) getCertificate(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
+	cert, err := srv.lookupCertificate(h.ServerName, h.ServerName)
 	if err != nil {
 		// Try wildcard
 		wildcard := strings.SplitN(h.ServerName, ".", 2)
 		if len(wildcard) == 2 {
-			cert, err = s.getCertificateFor("*." + wildcard[1])
+			// Use the wildcard pattern as the hostname.
+			hostname := "*." + wildcard[1]
+			cert, err = srv.lookupCertificate(hostname, hostname)
+		}
+		// Try "*" wildcard
+		if err != nil {
+			// Use the server name as the hostname
+			// since "*" is not a valid hostname.
+			cert, err = srv.lookupCertificate("*", h.ServerName)
 		}
 	}
 	return cert, err
 }

-func (s *Server) getCertificateFor(hostname string) (*tls.Certificate, error) {
-	if _, ok := s.hosts[hostname]; !ok {
-		return nil, ErrCertificateNotFound
+// lookupCertificate retrieves the certificate for the given hostname,
+// if and only if the provided pattern is registered.
+// If no certificate is found in the certificate store or the certificate
+// is expired, it calls GetCertificate to retrieve a new certificate.
+func (srv *Server) lookupCertificate(pattern, hostname string) (*tls.Certificate, error) {
+	srv.hmu.Lock()
+	_, ok := srv.hosts[pattern]
+	srv.hmu.Unlock()
+	if !ok {
+		return nil, errors.New("hostname not registered")
 	}
-	cert, err := s.Certificates.Lookup(hostname)

-	switch err {
-	case ErrCertificateNotFound, ErrCertificateExpired:
-		if s.CreateCertificate != nil {
-			cert, err := s.CreateCertificate(hostname)
+	cert, ok := srv.Certificates.Lookup(hostname)
+	if !ok || cert.Leaf != nil && cert.Leaf.NotAfter.Before(time.Now()) {
+		if srv.GetCertificate != nil {
+			cert, err := srv.GetCertificate(hostname)
 			if err == nil {
-				s.Certificates.Add(hostname, cert)
+				if err := srv.Certificates.Add(hostname, cert); err != nil {
+					srv.logf("gemini: Failed to write new certificate for %s: %s", hostname, err)
+				}
 			}
 			return &cert, err
 		}
+		return nil, errors.New("no certificate")
 	}

-	return cert, err
+	return &cert, nil
+}
+
+func (srv *Server) trackConn(conn *net.Conn) {
+	srv.mu.Lock()
+	defer srv.mu.Unlock()
+	if srv.conns == nil {
+		srv.conns = make(map[*net.Conn]struct{})
+	}
+	srv.conns[conn] = struct{}{}
+}
+
+func (srv *Server) deleteConn(conn *net.Conn) {
+	srv.mu.Lock()
+	defer srv.mu.Unlock()
+	delete(srv.conns, conn)
 }

 // respond responds to a connection.
-func (s *Server) respond(conn net.Conn) {
-	if d := s.ReadTimeout; d != 0 {
+func (srv *Server) respond(conn net.Conn) {
+	defer conn.Close()
+
+	defer func() {
+		if err := recover(); err != nil && err != ErrAbortHandler {
+			const size = 64 << 10
+			buf := make([]byte, size)
+			buf = buf[:runtime.Stack(buf, false)]
+			srv.logf("gemini: panic serving %v: %v\n%s", conn.RemoteAddr(), err, buf)
+		}
+	}()
+
+	srv.trackConn(&conn)
+	defer srv.deleteConn(&conn)
+
+	if d := srv.ReadTimeout; d != 0 {
 		conn.SetReadDeadline(time.Now().Add(d))
 	}
-	if d := s.WriteTimeout; d != 0 {
+	if d := srv.WriteTimeout; d != 0 {
 		conn.SetWriteDeadline(time.Now().Add(d))
 	}

-	r := bufio.NewReader(conn)
-	w := newResponseWriter(conn)
-	// Read requested URL
-	rawurl, err := r.ReadString('\r')
+	w := NewResponseWriter(conn)
+
+	req, err := ReadRequest(conn)
 	if err != nil {
+		w.Status(StatusBadRequest)
+		w.Flush()
 		return
 	}
-	// Read terminating line feed
-	if b, err := r.ReadByte(); err != nil {
-		return
-	} else if b != '\n' {
-		w.WriteStatus(StatusBadRequest)
-	}
-	// Trim carriage return
-	rawurl = rawurl[:len(rawurl)-1]
-	// Ensure URL is valid
-	if len(rawurl) > 1024 {
-		w.WriteStatus(StatusBadRequest)
-	} else if url, err := url.Parse(rawurl); err != nil || url.User != nil {
-		// Note that we return an error status if User is specified in the URL
-		w.WriteStatus(StatusBadRequest)
-	} else {
-		// If no scheme is specified, assume a default scheme of gemini://
-		if url.Scheme == "" {
-			url.Scheme = "gemini"
-		}

 	// Store information about the TLS connection
-		connState := conn.(*tls.Conn).ConnectionState()
-		var cert *tls.Certificate
-		if len(connState.PeerCertificates) > 0 {
-			peerCert := connState.PeerCertificates[0]
-			// Store the TLS certificate
-			cert = &tls.Certificate{
-				Certificate: [][]byte{peerCert.Raw},
-				Leaf:        peerCert,
-			}
+	if tlsConn, ok := conn.(*tls.Conn); ok {
+		state := tlsConn.ConnectionState()
+		req.TLS = &state
 	}

-		req := &Request{
-			URL:         url,
-			RemoteAddr:  conn.RemoteAddr(),
-			TLS:         connState,
-			Certificate: cert,
+	// Store remote address
+	req.RemoteAddr = conn.RemoteAddr()
+
+	h := srv.handler(req)
+	if h == nil {
+		w.Status(StatusNotFound)
+		w.Flush()
+		return
 	}
-		resp := s.responder(req)
-		if resp != nil {
-			resp.Respond(w, req)
-		} else {
-			w.WriteStatus(StatusNotFound)
-		}
-	}
-	w.b.Flush()
-	conn.Close()
+
+	h.ServeGemini(w, req)
+	w.Flush()
 }

-func (s *Server) responder(r *Request) Responder {
-	if h, ok := s.responders[responderKey{r.URL.Scheme, r.URL.Hostname()}]; ok {
+func (srv *Server) handler(r *Request) Handler {
+	srv.hmu.Lock()
+	defer srv.hmu.Unlock()
+	if h, ok := srv.handlers[handlerKey{r.URL.Scheme, r.URL.Hostname()}]; ok {
 		return h
 	}
 	wildcard := strings.SplitN(r.URL.Hostname(), ".", 2)
 	if len(wildcard) == 2 {
-		if h, ok := s.responders[responderKey{r.URL.Scheme, "*." + wildcard[1]}]; ok {
+		if h, ok := srv.handlers[handlerKey{r.URL.Scheme, "*." + wildcard[1]}]; ok {
 			return h
 		}
 	}
+	if h, ok := srv.handlers[handlerKey{r.URL.Scheme, "*"}]; ok {
+		return h
+	}
 	return nil
 }

-// ResponseWriter is used by a Gemini handler to construct a Gemini response.
-type ResponseWriter struct {
-	b           *bufio.Writer
-	bodyAllowed bool
-	wroteHeader bool
-	mimetype    string
-}
-
-func newResponseWriter(conn net.Conn) *ResponseWriter {
-	return &ResponseWriter{
-		b: bufio.NewWriter(conn),
+func (srv *Server) logf(format string, args ...interface{}) {
+	if srv.ErrorLog != nil {
+		srv.ErrorLog.Printf(format, args...)
+	} else {
+		log.Printf(format, args...)
 	}
 }

-// WriteHeader writes the response header.
-// If the header has already been written, WriteHeader does nothing.
+// A Handler responds to a Gemini request.
 //
-// Meta contains more information related to the response status.
-// For successful responses, Meta should contain the mimetype of the response.
-// For failure responses, Meta should contain a short description of the failure.
-// Meta should not be longer than 1024 bytes.
-func (w *ResponseWriter) WriteHeader(status Status, meta string) {
-	if w.wroteHeader {
-		return
-	}
-	w.b.WriteString(strconv.Itoa(int(status)))
-	w.b.WriteByte(' ')
-	w.b.WriteString(meta)
-	w.b.Write(crlf)
-
-	// Only allow body to be written on successful status codes.
-	if status.Class() == StatusClassSuccess {
-		w.bodyAllowed = true
-	}
-	w.wroteHeader = true
-}
-
-// WriteStatus writes the response header with the given status code.
+// ServeGemini should write the response header and data to the ResponseWriter
+// and then return. Returning signals that the request is finished; it is not
+// valid to use the ResponseWriter after or concurrently with the completion
+// of the ServeGemini call.
 //
-// WriteStatus is equivalent to WriteHeader(status, status.Message())
-func (w *ResponseWriter) WriteStatus(status Status) {
-	w.WriteHeader(status, status.Message())
-}
-
-// SetMimetype sets the mimetype that will be written for a successful response.
-// If the mimetype is not set, it will default to "text/gemini".
-func (w *ResponseWriter) SetMimetype(mimetype string) {
-	w.mimetype = mimetype
-}
-
-// Write writes the response body.
-// If the response status does not allow for a response body, Write returns
-// ErrBodyNotAllowed.
+// Handlers should not modify the provided Request.
 //
-// If the response header has not yet been written, Write calls WriteHeader
-// with StatusSuccess and the mimetype set in SetMimetype.
-func (w *ResponseWriter) Write(b []byte) (int, error) {
-	if !w.wroteHeader {
-		mimetype := w.mimetype
-		if mimetype == "" {
-			mimetype = "text/gemini"
-		}
-		w.WriteHeader(StatusSuccess, mimetype)
-	}
-	if !w.bodyAllowed {
-		return 0, ErrBodyNotAllowed
-	}
-	return w.b.Write(b)
+// If ServeGemini panics, the server (the caller of ServeGemini) assumes that
+// the effect of the panic was isolated to the active request. It recovers
+// the panic, logs a stack trace to the server error log, and closes the
+// network connection. To abort a handler so the client sees an interrupted
+// response but the server doesn't log an error, panic with the value
+// ErrAbortHandler.
+type Handler interface {
+	ServeGemini(ResponseWriter, *Request)
 }

-// A Responder responds to a Gemini request.
-type Responder interface {
-	// Respond accepts a Request and constructs a Response.
-	Respond(*ResponseWriter, *Request)
-}
+// The HandlerFunc type is an adapter to allow the use of ordinary functions
+// as Gemini handlers. If f is a function with the appropriate signature,
+// HandlerFunc(f) is a Handler that calls f.
+type HandlerFunc func(ResponseWriter, *Request)

-// ResponderFunc is a wrapper around a bare function that implements Responder.
-type ResponderFunc func(*ResponseWriter, *Request)
-
-func (f ResponderFunc) Respond(w *ResponseWriter, r *Request) {
+// ServeGemini calls f(w, r).
+func (f HandlerFunc) ServeGemini(w ResponseWriter, r *Request) {
 	f(w, r)
 }
-
-// Input returns the request query.
-// If the query is invalid or no query is provided, ok will be false.
-//
-// Example:
-//
-//    input, ok := gemini.Input(req)
-//    if !ok {
-//        w.WriteHeader(gemini.StatusInput, "Prompt")
-//        return
-//    }
-//    // ...
-//
-func Input(r *Request) (query string, ok bool) {
-	if r.URL.ForceQuery || r.URL.RawQuery != "" {
-		query, err := url.QueryUnescape(r.URL.RawQuery)
-		return query, err == nil
-	}
-	return "", false
-}
--- a/status.go
+++ b/status.go
@@ -1,59 +1,39 @@
 package gemini

-// Status codes.
-type Status int
-
+// Gemini status codes.
 const (
-	StatusInput                    Status = 10
-	StatusSensitiveInput           Status = 11
-	StatusSuccess                  Status = 20
-	StatusRedirect                 Status = 30
-	StatusPermanentRedirect        Status = 31
-	StatusTemporaryFailure         Status = 40
-	StatusServerUnavailable        Status = 41
-	StatusCGIError                 Status = 42
-	StatusProxyError               Status = 43
-	StatusSlowDown                 Status = 44
-	StatusPermanentFailure         Status = 50
-	StatusNotFound                 Status = 51
-	StatusGone                     Status = 52
-	StatusProxyRequestRefused      Status = 53
-	StatusBadRequest               Status = 59
-	StatusCertificateRequired      Status = 60
-	StatusCertificateNotAuthorized Status = 61
-	StatusCertificateNotValid      Status = 62
+	StatusInput                    = 10
+	StatusSensitiveInput           = 11
+	StatusSuccess                  = 20
+	StatusRedirect                 = 30
+	StatusPermanentRedirect        = 31
+	StatusTemporaryFailure         = 40
+	StatusServerUnavailable        = 41
+	StatusCGIError                 = 42
+	StatusProxyError               = 43
+	StatusSlowDown                 = 44
+	StatusPermanentFailure         = 50
+	StatusNotFound                 = 51
+	StatusGone                     = 52
+	StatusProxyRequestRefused      = 53
+	StatusBadRequest               = 59
+	StatusCertificateRequired      = 60
+	StatusCertificateNotAuthorized = 61
+	StatusCertificateNotValid      = 62
 )

-// Status code categories.
-type StatusClass int
-
-const (
-	StatusClassInput               StatusClass = 1
-	StatusClassSuccess             StatusClass = 2
-	StatusClassRedirect            StatusClass = 3
-	StatusClassTemporaryFailure    StatusClass = 4
-	StatusClassPermanentFailure    StatusClass = 5
-	StatusClassCertificateRequired StatusClass = 6
-)
-
-// Class returns the status class for this status code.
-func (s Status) Class() StatusClass {
-	return StatusClass(s / 10)
+// StatusClass returns the status class for this status code.
+// 1x becomes 10, 2x becomes 20, and so on.
+func StatusClass(status int) int {
+	return (status / 10) * 10
 }

-// Message returns a status message corresponding to this status code.
-func (s Status) Message() string {
-	switch s {
-	case StatusInput:
-		return "Input"
-	case StatusSensitiveInput:
-		return "Sensitive input"
-	case StatusSuccess:
-		return "Success"
-	case StatusRedirect:
-		return "Redirect"
-	case StatusPermanentRedirect:
-		return "Permanent redirect"
+// Meta returns a description of the provided status code appropriate
+// for use in a response.
+//
+// Meta returns an empty string for input, success, and redirect status codes.
+func Meta(status int) string {
+	switch status {
 	case StatusTemporaryFailure:
 		return "Temporary failure"
 	case StatusServerUnavailable:
--- a/text.go
+++ b/text.go
@@ -88,17 +88,17 @@ func (l LineText) line()                {}
 type Text []Line

 // ParseText parses Gemini text from the provided io.Reader.
-func ParseText(r io.Reader) Text {
+func ParseText(r io.Reader) (Text, error) {
 	var t Text
-	ParseLines(r, func(line Line) {
+	err := ParseLines(r, func(line Line) {
 		t = append(t, line)
 	})
-	return t
+	return t, err
 }

 // ParseLines parses Gemini text from the provided io.Reader.
 // It calls handler with each line that it parses.
-func ParseLines(r io.Reader, handler func(Line)) {
+func ParseLines(r io.Reader, handler func(Line)) error {
 	const spacetab = " \t"
 	var pre bool
 	scanner := bufio.NewScanner(r)
@@ -149,6 +149,8 @@ func ParseLines(r io.Reader, handler func(Line)) {
 		}
 		handler(line)
 	}
+
+	return scanner.Err()
 }

 // String writes the Gemini text response to a string and returns it.
--- a/tofu.go
+++ b/tofu.go
@@ -1,204 +0,0 @@
-package gemini
-
-import (
-	"bufio"
-	"crypto/sha512"
-	"crypto/x509"
-	"fmt"
-	"io"
-	"os"
-	"path/filepath"
-	"strconv"
-	"strings"
-	"time"
-)
-
-// Trust represents the trustworthiness of a certificate.
-type Trust int
-
-const (
-	TrustNone   Trust = iota // The certificate is not trusted.
-	TrustOnce                // The certificate is trusted once.
-	TrustAlways              // The certificate is trusted always.
-)
-
-// KnownHosts represents a list of known hosts.
-// The zero value for KnownHosts is an empty list ready to use.
-type KnownHosts struct {
-	hosts map[string]certInfo
-	file  *os.File
-}
-
-// LoadDefault loads the known hosts from the default known hosts path, which is
-// $XDG_DATA_HOME/gemini/known_hosts.
-// It creates the path and any of its parent directories if they do not exist.
-// KnownHosts will append to the file whenever a certificate is added.
-func (k *KnownHosts) LoadDefault() error {
-	path, err := defaultKnownHostsPath()
-	if err != nil {
-		return err
-	}
-	return k.Load(path)
-}
-
-// Load loads the known hosts from the provided path.
-// It creates the path and any of its parent directories if they do not exist.
-// KnownHosts will append to the file whenever a certificate is added.
-func (k *KnownHosts) Load(path string) error {
-	if dir := filepath.Dir(path); dir != "." {
-		err := os.MkdirAll(dir, 0755)
-		if err != nil {
-			return err
-		}
-	}
-	f, err := os.OpenFile(path, os.O_CREATE|os.O_RDONLY, 0644)
-	if err != nil {
-		return err
-	}
-	k.Parse(f)
-	f.Close()
-	// Open the file for append-only use
-	f, err = os.OpenFile(path, os.O_CREATE|os.O_WRONLY|os.O_APPEND, 0644)
-	if err != nil {
-		return err
-	}
-	k.file = f
-	return nil
-}
-
-// Add adds a certificate to the list of known hosts.
-// If KnownHosts was loaded from a file, Add will append to the file.
-func (k *KnownHosts) Add(hostname string, cert *x509.Certificate) {
-	k.add(hostname, cert, true)
-}
-
-// AddTemporary adds a certificate to the list of known hosts
-// without writing it to the known hosts file.
-func (k *KnownHosts) AddTemporary(hostname string, cert *x509.Certificate) {
-	k.add(hostname, cert, false)
-}
-
-func (k *KnownHosts) add(hostname string, cert *x509.Certificate, write bool) {
-	if k.hosts == nil {
-		k.hosts = map[string]certInfo{}
-	}
-	info := certInfo{
-		Algorithm:   "SHA-512",
-		Fingerprint: Fingerprint(cert),
-		Expires:     cert.NotAfter.Unix(),
-	}
-	k.hosts[hostname] = info
-	// Append to the file
-	if write && k.file != nil {
-		appendKnownHost(k.file, hostname, info)
-	}
-}
-
-// Lookup looks for the provided certificate in the list of known hosts.
-// If the hostname is not in the list, Lookup returns ErrCertificateNotFound.
-// If the fingerprint doesn't match, Lookup returns ErrCertificateNotTrusted.
-// Otherwise, Lookup returns nil.
-func (k *KnownHosts) Lookup(hostname string, cert *x509.Certificate) error {
-	now := time.Now().Unix()
-	fingerprint := Fingerprint(cert)
-	if c, ok := k.hosts[hostname]; ok {
-		if c.Expires <= now {
-			// Certificate is expired
-			return ErrCertificateExpired
-		}
-		if c.Fingerprint != fingerprint {
-			// Fingerprint does not match
-			return ErrCertificateNotTrusted
-		}
-		// Certificate is found
-		return nil
-	}
-	return ErrCertificateNotFound
-}
-
-// Parse parses the provided reader and adds the parsed known hosts to the list.
-// Invalid lines are ignored.
-func (k *KnownHosts) Parse(r io.Reader) {
-	if k.hosts == nil {
-		k.hosts = map[string]certInfo{}
-	}
-	scanner := bufio.NewScanner(r)
-	for scanner.Scan() {
-		text := scanner.Text()
-		parts := strings.Split(text, " ")
-		if len(parts) < 4 {
-			continue
-		}
-
-		hostname := parts[0]
-		algorithm := parts[1]
-		if algorithm != "SHA-512" {
-			continue
-		}
-		fingerprint := parts[2]
-		expires, err := strconv.ParseInt(parts[3], 10, 0)
-		if err != nil {
-			continue
-		}
-
-		k.hosts[hostname] = certInfo{
-			Algorithm:   algorithm,
-			Fingerprint: fingerprint,
-			Expires:     expires,
-		}
-	}
-}
-
-// Write writes the known hosts to the provided io.Writer.
-func (k *KnownHosts) Write(w io.Writer) {
-	for h, c := range k.hosts {
-		appendKnownHost(w, h, c)
-	}
-}
-
-type certInfo struct {
-	Algorithm   string // fingerprint algorithm e.g. SHA-512
-	Fingerprint string // fingerprint in hexadecimal, with ':' between each octet
-	Expires     int64  // unix time of certificate notAfter date
-}
-
-func appendKnownHost(w io.Writer, hostname string, c certInfo) (int, error) {
-	return fmt.Fprintf(w, "%s %s %s %d\n", hostname, c.Algorithm, c.Fingerprint, c.Expires)
-}
-
-// Fingerprint returns the SHA-512 fingerprint of the provided certificate.
-func Fingerprint(cert *x509.Certificate) string {
-	sum512 := sha512.Sum512(cert.Raw)
-	var b strings.Builder
-	for i, f := range sum512 {
-		if i > 0 {
-			b.WriteByte(':')
-		}
-		fmt.Fprintf(&b, "%02X", f)
-	}
-	return b.String()
-}
-
-// defaultKnownHostsPath returns the default known_hosts path.
-// The default path is $XDG_DATA_HOME/gemini/known_hosts
-func defaultKnownHostsPath() (string, error) {
-	dataDir, err := userDataDir()
-	if err != nil {
-		return "", err
-	}
-	return filepath.Join(dataDir, "gemini", "known_hosts"), nil
-}
-
-// userDataDir returns the user data directory.
-func userDataDir() (string, error) {
-	dataDir, ok := os.LookupEnv("XDG_DATA_HOME")
-	if ok {
-		return dataDir, nil
-	}
-
-	home, err := os.UserHomeDir()
-	if err != nil {
-		return "", err
-	}
-	return filepath.Join(home, ".local", "share"), nil
-}
--- a/tofu/tofu.go
+++ b/tofu/tofu.go
@@ -0,0 +1,417 @@
+// Package tofu implements trust on first use using hosts and fingerprints.
+package tofu
+
+import (
+	"bufio"
+	"bytes"
+	"crypto/sha512"
+	"crypto/x509"
+	"errors"
+	"fmt"
+	"io"
+	"os"
+	"sort"
+	"strconv"
+	"strings"
+	"sync"
+	"time"
+)
+
+// KnownHosts represents a list of known hosts.
+// The zero value for KnownHosts represents an empty list ready to use.
+//
+// KnownHosts is safe for concurrent use by multiple goroutines.
+type KnownHosts struct {
+	hosts map[string]Host
+	mu    sync.RWMutex
+}
+
+// Add adds a host to the list of known hosts.
+func (k *KnownHosts) Add(h Host) {
+	k.mu.Lock()
+	defer k.mu.Unlock()
+	if k.hosts == nil {
+		k.hosts = map[string]Host{}
+	}
+
+	k.hosts[h.Hostname] = h
+}
+
+// Lookup returns the known host entry corresponding to the given hostname.
+func (k *KnownHosts) Lookup(hostname string) (Host, bool) {
+	k.mu.RLock()
+	defer k.mu.RUnlock()
+	c, ok := k.hosts[hostname]
+	return c, ok
+}
+
+// Entries returns the known host entries sorted by hostname.
+func (k *KnownHosts) Entries() []Host {
+	keys := make([]string, 0, len(k.hosts))
+	for key := range k.hosts {
+		keys = append(keys, key)
+	}
+	sort.Strings(keys)
+
+	hosts := make([]Host, 0, len(k.hosts))
+	for _, key := range keys {
+		hosts = append(hosts, k.hosts[key])
+	}
+	return hosts
+}
+
+// WriteTo writes the list of known hosts to the provided io.Writer.
+func (k *KnownHosts) WriteTo(w io.Writer) (int64, error) {
+	k.mu.RLock()
+	defer k.mu.RUnlock()
+
+	var written int
+
+	bw := bufio.NewWriter(w)
+	for _, h := range k.hosts {
+		n, err := bw.WriteString(h.String())
+		written += n
+		if err != nil {
+			return int64(written), err
+		}
+
+		bw.WriteByte('\n')
+		written += 1
+	}
+
+	return int64(written), bw.Flush()
+}
+
+// Load loads the known hosts entries from the provided path.
+func (k *KnownHosts) Load(path string) error {
+	f, err := os.Open(path)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	return k.Parse(f)
+}
+
+// Parse parses the provided io.Reader and adds the parsed hosts to the list.
+// Invalid entries are ignored.
+//
+// For more control over errors encountered during parsing, use bufio.Scanner
+// in combination with ParseHost. For example:
+//
+//    var knownHosts tofu.KnownHosts
+//    scanner := bufio.NewScanner(r)
+//    for scanner.Scan() {
+//        host, err := tofu.ParseHost(scanner.Bytes())
+//        if err != nil {
+//            // handle error
+//        } else {
+//            knownHosts.Add(host)
+//        }
+//    }
+//    err := scanner.Err()
+//    if err != nil {
+//        // handle error
+//    }
+//
+func (k *KnownHosts) Parse(r io.Reader) error {
+	k.mu.Lock()
+	defer k.mu.Unlock()
+
+	if k.hosts == nil {
+		k.hosts = map[string]Host{}
+	}
+
+	scanner := bufio.NewScanner(r)
+	for scanner.Scan() {
+		text := scanner.Bytes()
+		if len(text) == 0 {
+			continue
+		}
+
+		h, err := ParseHost(text)
+		if err != nil {
+			continue
+		}
+
+		k.hosts[h.Hostname] = h
+	}
+
+	return scanner.Err()
+}
+
+// TOFU implements basic trust on first use.
+//
+// If the host is not on file, it is added to the list.
+// If the host on file is expired, a new entry is added to the list.
+// If the fingerprint does not match the one on file, an error is returned.
+func (k *KnownHosts) TOFU(hostname string, cert *x509.Certificate) error {
+	host := NewHost(hostname, cert.Raw, cert.NotAfter)
+
+	knownHost, ok := k.Lookup(hostname)
+	if !ok || time.Now().After(knownHost.Expires) {
+		k.Add(host)
+		return nil
+	}
+
+	// Check fingerprint
+	if !bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
+		return fmt.Errorf("fingerprint for %q does not match", hostname)
+	}
+
+	return nil
+}
+
+// HostWriter writes host entries to an io.WriteCloser.
+//
+// HostWriter is safe for concurrent use by multiple goroutines.
+type HostWriter struct {
+	bw *bufio.Writer
+	cl io.Closer
+	mu sync.Mutex
+}
+
+// NewHostWriter returns a new host writer that writes to
+// the provided io.WriteCloser.
+func NewHostWriter(w io.WriteCloser) *HostWriter {
+	return &HostWriter{
+		bw: bufio.NewWriter(w),
+		cl: w,
+	}
+}
+
+// OpenHostsFile returns a new host writer that appends to the file at the given path.
+// The file is created if it does not exist.
+func OpenHostsFile(path string) (*HostWriter, error) {
+	f, err := os.OpenFile(path, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return nil, err
+	}
+	return NewHostWriter(f), nil
+}
+
+// WriteHost writes the host to the underlying io.Writer.
+func (h *HostWriter) WriteHost(host Host) error {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+
+	h.bw.WriteString(host.String())
+	h.bw.WriteByte('\n')
+
+	if err := h.bw.Flush(); err != nil {
+		return fmt.Errorf("failed to write host: %w", err)
+	}
+	return nil
+}
+
+// Close closes the underlying io.Closer.
+func (h *HostWriter) Close() error {
+	h.mu.Lock()
+	defer h.mu.Unlock()
+	return h.cl.Close()
+}
+
+// PersistentHosts represents a persistent set of known hosts.
+type PersistentHosts struct {
+	hosts  *KnownHosts
+	writer *HostWriter
+}
+
+// NewPersistentHosts returns a new persistent set of known hosts.
+func NewPersistentHosts(hosts *KnownHosts, writer *HostWriter) *PersistentHosts {
+	return &PersistentHosts{
+		hosts,
+		writer,
+	}
+}
+
+// LoadPersistentHosts loads persistent hosts from the file at the given path.
+func LoadPersistentHosts(path string) (*PersistentHosts, error) {
+	hosts := &KnownHosts{}
+	if err := hosts.Load(path); err != nil {
+		return nil, err
+	}
+	writer, err := OpenHostsFile(path)
+	if err != nil {
+		return nil, err
+	}
+	return &PersistentHosts{
+		hosts,
+		writer,
+	}, nil
+}
+
+// Add adds a host to the list of known hosts.
+// It returns an error if the host could not be persisted.
+func (p *PersistentHosts) Add(h Host) error {
+	err := p.writer.WriteHost(h)
+	if err != nil {
+		return fmt.Errorf("failed to persist host: %w", err)
+	}
+	p.hosts.Add(h)
+	return nil
+}
+
+// Lookup returns the known host entry corresponding to the given hostname.
+func (p *PersistentHosts) Lookup(hostname string) (Host, bool) {
+	return p.hosts.Lookup(hostname)
+}
+
+// Entries returns the known host entries sorted by hostname.
+func (p *PersistentHosts) Entries() []Host {
+	return p.hosts.Entries()
+}
+
+// TOFU implements trust on first use with a persistent set of known hosts.
+//
+// If the host is not on file, it is added to the list.
+// If the host on file is expired, a new entry is added to the list.
+// If the fingerprint does not match the one on file, an error is returned.
+func (p *PersistentHosts) TOFU(hostname string, cert *x509.Certificate) error {
+	host := NewHost(hostname, cert.Raw, cert.NotAfter)
+
+	knownHost, ok := p.Lookup(hostname)
+	if !ok || time.Now().After(knownHost.Expires) {
+		return p.Add(host)
+	}
+
+	// Check fingerprint
+	if !bytes.Equal(knownHost.Fingerprint, host.Fingerprint) {
+		return fmt.Errorf("fingerprint for %q does not match", hostname)
+	}
+
+	return nil
+}
+
+// Close closes the underlying HostWriter.
+func (p *PersistentHosts) Close() error {
+	return p.writer.Close()
+}
+
+// Host represents a host entry with a fingerprint using a certain algorithm.
+type Host struct {
+	Hostname    string      // hostname
+	Algorithm   string      // fingerprint algorithm e.g. SHA-512
+	Fingerprint Fingerprint // fingerprint
+	Expires     time.Time   // unix time of the fingerprint expiration date
+}
+
+// NewHost returns a new host with a SHA-512 fingerprint of
+// the provided raw data.
+func NewHost(hostname string, raw []byte, expires time.Time) Host {
+	sum := sha512.Sum512(raw)
+
+	return Host{
+		Hostname:    hostname,
+		Algorithm:   "SHA-512",
+		Fingerprint: sum[:],
+		Expires:     expires,
+	}
+}
+
+// ParseHost parses a host from the provided text.
+func ParseHost(text []byte) (Host, error) {
+	var h Host
+	err := h.UnmarshalText(text)
+	return h, err
+}
+
+// String returns a string representation of the host.
+func (h Host) String() string {
+	var b strings.Builder
+	b.WriteString(h.Hostname)
+	b.WriteByte(' ')
+	b.WriteString(h.Algorithm)
+	b.WriteByte(' ')
+	b.WriteString(h.Fingerprint.String())
+	b.WriteByte(' ')
+	b.WriteString(strconv.FormatInt(h.Expires.Unix(), 10))
+	return b.String()
+}
+
+// UnmarshalText unmarshals the host from the provided text.
+func (h *Host) UnmarshalText(text []byte) error {
+	const format = "hostname algorithm hex-fingerprint expiry-unix-ts"
+
+	parts := bytes.Split(text, []byte(" "))
+	if len(parts) != 4 {
+		return fmt.Errorf("expected the format %q", format)
+	}
+
+	if len(parts[0]) == 0 {
+		return errors.New("empty hostname")
+	}
+
+	h.Hostname = string(parts[0])
+
+	algorithm := string(parts[1])
+	if algorithm != "SHA-512" {
+		return fmt.Errorf("unsupported algorithm %q", algorithm)
+	}
+
+	h.Algorithm = algorithm
+
+	fingerprint := make([]byte, 0, sha512.Size)
+	scanner := bufio.NewScanner(bytes.NewReader(parts[2]))
+	scanner.Split(scanFingerprint)
+
+	for scanner.Scan() {
+		b, err := strconv.ParseUint(scanner.Text(), 16, 8)
+		if err != nil {
+			return fmt.Errorf("failed to parse fingerprint hash: %w", err)
+		}
+		fingerprint = append(fingerprint, byte(b))
+	}
+
+	if len(fingerprint) != sha512.Size {
+		return fmt.Errorf("invalid fingerprint size %d, expected %d",
+			len(fingerprint), sha512.Size)
+	}
+
+	h.Fingerprint = fingerprint
+
+	unix, err := strconv.ParseInt(string(parts[3]), 10, 0)
+	if err != nil {
+		return fmt.Errorf("invalid unix timestamp: %w", err)
+	}
+
+	h.Expires = time.Unix(unix, 0)
+
+	return nil
+}
+
+func scanFingerprint(data []byte, atEOF bool) (advance int, token []byte, err error) {
+	if atEOF && len(data) == 0 {
+		return 0, nil, nil
+	}
+	if i := bytes.IndexByte(data, ':'); i >= 0 {
+		// We have a full newline-terminated line.
+		return i + 1, data[0:i], nil
+	}
+
+	// If we're at EOF, we have a final, non-terminated hex byte
+	if atEOF {
+		return len(data), data, nil
+	}
+
+	// Request more data.
+	return 0, nil, nil
+}
+
+// Fingerprint represents a fingerprint.
+type Fingerprint []byte
+
+// String returns a string representation of the fingerprint.
+func (f Fingerprint) String() string {
+	var sb strings.Builder
+
+	for i, b := range f {
+		if i > 0 {
+			sb.WriteByte(':')
+		}
+
+		fmt.Fprintf(&sb, "%02X", b)
+	}
+
+	return sb.String()
+}
Author	SHA1	Message	Date
Adnan Maolood	dfa37aaeb8	client: Don't try to verify unicode hostname	2021-02-16 11:27:53 -05:00
Adnan Maolood	7c1a5184c9	Update examples/auth.go	2021-02-16 11:26:09 -05:00
Adnan Maolood	779be8b95b	request: Allow User in URLs	2021-02-16 00:55:56 -05:00
Adnan Maolood	2157b35c0b	Add build status badge to README.md	2021-02-16 00:07:01 -05:00
Adnan Maolood	1cb31e2d65	Add build manifest	2021-02-16 00:05:10 -05:00
Adnan Maolood	1d6cbddc5b	server: Prevent adding Listeners after Close Check done after calling trackListener to prevent the listener from being registered after the server is closed.	2021-02-15 20:19:44 -05:00
Adnan Maolood	a05fa6d6bd	server: Avoid creating a new Listener after Close	2021-02-15 20:16:32 -05:00
Adnan Maolood	f158bb5f1d	server: Use separate mutex for handlers	2021-02-15 20:05:47 -05:00
Adnan Maolood	ec269c5c9d	Add some tests	2021-02-15 19:20:37 -05:00
Adnan Maolood	bf4959a8ba	Return ErrInvalidResponse on error reading status Return ErrInvalidResponse when unable to read the response status code instead of returning the error from strconv.	2021-02-15 19:18:23 -05:00
Adnan Maolood	19678ef934	Remove NewRequestFromURL method Use a Request struct literal instead.	2021-02-15 17:23:56 -05:00
Adnan Maolood	5a784693ef	server: Rename responder to handler	2021-02-15 01:15:23 -05:00
Adnan Maolood	2c7f8273e9	server: Recover from ServeGemini panics	2021-02-15 00:36:33 -05:00
Adnan Maolood	96a84ddd38	request: Don't read more than 1026 bytes	2021-02-15 00:16:21 -05:00
Adnan Maolood	3f2d540579	server: Implement Close and Shutdown methods	2021-02-14 23:58:33 -05:00
Adnan Maolood	92e7a309c6	Tweak returned error for requests that are too long Return ErrInvalidRequest instead of ErrInvalidURL in Request.Write.	2021-02-14 23:33:18 -05:00
Adnan Maolood	c5ccbf023a	fs: Refactor	2021-02-14 19:50:38 -05:00
Adnan Maolood	ff06e50df5	status: Update documentation	2021-02-14 19:28:29 -05:00
Adnan Maolood	5ec8dea1ba	fs: Update documentation	2021-02-14 19:27:56 -05:00
Adnan Maolood	46e10da3a8	Make Request.Host optional	2021-02-14 19:02:34 -05:00
Adnan Maolood	41eec39a1d	Update examples/client.go	2021-02-14 18:59:33 -05:00
Adnan Maolood	198a0b31c8	Remove faulty status code check in ReadResponse	2021-02-14 18:57:13 -05:00
Adnan Maolood	6f7c183662	server: Don't populate Request.Certificate field Handlers should instead use the certificate provided in Request.TLS.	2021-02-14 17:34:57 -05:00
Adnan Maolood	20e1b14108	Update Client documentation	2021-02-14 17:11:05 -05:00
Adnan Maolood	0c303588a4	Update Response documentation	2021-02-14 16:23:38 -05:00
Adnan Maolood	37e5686764	Remove StatusClass* constants Re-use the existing Status* constants and adjust StatusClass to return a valid Status.	2021-02-14 16:01:39 -05:00
Adnan Maolood	7c703e95de	Update documentation	2021-02-14 15:50:41 -05:00
Adnan Maolood	595b0d0490	server: Populate Request.RemoteAddr field	2021-02-13 21:10:19 -05:00
Adnan Maolood	d2c70a33d5	client: Punycode request URL	2021-02-09 16:55:14 -05:00
Adnan Maolood	79e0296bed	client: Support IDNs Convert IDNs to punycode before performing DNS lookups.	2021-02-09 15:59:47 -05:00
Adnan Maolood	f0e9150663	Add Gemini specification version to README.md	2021-02-09 15:50:54 -05:00
Adnan Maolood	f4b80ef305	Update documentation	2021-02-09 10:00:04 -05:00
Adnan Maolood	0e3b61ed00	examples/client: Fix opening of known hosts file	2021-02-09 09:48:51 -05:00
Adnan Maolood	f6824bd813	Make ResponseWriter an interface	2021-02-09 09:46:18 -05:00
Adnan Maolood	5ef5824d6f	Use plain integers to represent status codes	2021-02-09 09:46:13 -05:00
Adnan Maolood	9bfb007581	Update README.md	2021-02-08 12:53:37 -05:00
Adnan Maolood	7910ed433b	Rename Responder to Handler	2021-02-08 12:50:52 -05:00
Adnan Maolood	29f2b3738d	Make TLS field nil for unencrypted connections	2021-02-08 12:32:49 -05:00
Adnan Maolood	1f39cab063	Remove unused field	2021-02-08 12:30:53 -05:00
Adnan Maolood	62960266ac	tofu: Implement PersistentHosts	2021-01-25 12:11:59 -05:00
Adnan Maolood	3efa17f6fb	Update examples	2021-01-25 10:59:50 -05:00
Adnan Maolood	9e89b93bab	server: Allow handling any hostname with "" Allow registering a responder with the special pattern "" to handle any hostname.	2021-01-25 10:55:40 -05:00
Adnan Maolood	31de8d49b0	Guarantee that (*Response).Body is not nil	2021-01-15 15:18:00 -05:00
Adnan Maolood	2b17f3d8eb	fs: Remove unused import	2021-01-14 22:45:09 -05:00
Adnan Maolood	f36a1c5c87	client: Add note about TOFU	2021-01-14 22:34:12 -05:00
Adnan Maolood	af61c1b60a	fs: Update comments	2021-01-14 22:27:56 -05:00
Adnan Maolood	ad18ae601c	fs: Don't panic on mime.AddExtensionType error It's probably best not to panic if this fails.	2021-01-14 22:25:09 -05:00
Adnan Maolood	8473f3b9d4	fs: Update comments	2021-01-14 22:24:26 -05:00
Adnan Maolood	06c53cc5b1	server: Rename Register to Handle	2021-01-14 22:12:07 -05:00
Adnan Maolood	4b643523fb	Update examples	2021-01-14 21:23:13 -05:00
Adnan Maolood	79a4dfd43f	certificate: Add Dir.Entries function	2021-01-14 21:19:27 -05:00
Adnan Maolood	14d89f304a	Move cert.go to a subpackage	2021-01-14 20:42:12 -05:00
Adnan Maolood	7a00539f75	tofu: Fix example	2021-01-14 19:57:52 -05:00
Adnan Maolood	a0adc42c95	tofu: Update documentation	2021-01-14 19:56:04 -05:00
Adnan Maolood	da8af5dbcb	tofu: Update documentation	2021-01-14 19:40:19 -05:00
Adnan Maolood	ced6b06d76	Update examples/auth.go	2021-01-14 19:04:11 -05:00
Adnan Maolood	4a0f8e5e73	tofu: Rename KnownHosts.Hosts to Entries	2021-01-14 18:52:43 -05:00
Adnan Maolood	e701ceff71	Add KnownHosts.Hosts function	2021-01-14 18:50:03 -05:00
Adnan Maolood	1a3974b3a3	Update examples/client.go	2021-01-14 17:28:03 -05:00
Adnan Maolood	3fd55c5cee	tofu: Add KnownHosts.Load function	2021-01-14 17:09:31 -05:00
Adnan Maolood	6f11910dff	tofu: Add NewHostsFile function	2021-01-14 16:54:38 -05:00
Adnan Maolood	da3e9ac0fe	tofu: Protect HostWriter with a mutex	2021-01-14 16:35:54 -05:00
Adnan Maolood	9fe837ffac	tofu: Refactor known hosts This commit introduces the KnownHosts struct, whose purpose is simply to store known hosts entries. The HostWriter struct is now in charge of appending hosts to files, and the two are not dependent on each other. Users are now responsible for opening the known hosts file and closing it when they are finished with it.	2021-01-14 16:26:43 -05:00
Adnan Maolood	4b8bb16a3d	tofu: Rename KnownHost to Host	2021-01-14 14:15:08 -05:00
Hugo Wetterberg	95aff9c573	tofu: Refactor This commit changes underlying file handling and known hosts parsing. A known hosts file opened through Load() never closed the underlying file. During known hosts parsing most errors were unchecked, or just led to the line being skipped. I removed the KnownHosts type, which didn't really have a role after the refactor. The embedding of KnownHosts in KnownHosts file has been removed as it also leaked the map unprotected by the mutex. The Fingerprint type is now KnownHost and has taken over the responsibility of marshalling and unmarshalling. SetOutput now takes a WriteCloser so that we can close the underlying writer when it's replaced, or when it's explicitly closed through the new Close() function. KnownHostsFile.Add() now also writes the known host to the output if set. I think that makes sense expectation-wise for the type. Turned WriteAll() into WriteTo() to conform with the io.WriterTo interface. Load() is now Open() to better reflect the fact that a file is opened, and kept open. It can now also return errors from the parsing process. The parser does a lot more error checking, and this might be an area where I've changed a desired behaviour as invalid entries no longer are ignored, but aborts the parsing process. That could be changed to a warning, or some kind of parsing feedback. I added KnownHostsFile.TOFU() to fill the developer experience gap that was left after the client no longer knows about KnownHostsFile. It implements a basic non-interactive TOFU flow.	2021-01-14 13:48:57 -05:00
Hugo Wetterberg	de042e4724	client: set the client timout on the dialer, close connection on err Client.Timout isn't respected for the dial. Requests will hang on dial until OS-level timouts kick in unless there is a Request.Context with a deadline. We also fail to close the connection on errors. This change sets the client timeout as the dialer timeout so that it will be respected. It also ensures that we close the connection if we fail to make the request.	2021-01-13 17:13:56 -05:00
Adnan Maolood	d78052ce08	Move tofu.go to a subpackage	2021-01-10 16:46:12 -05:00
Adnan Maolood	1f2888c54a	Update documentation	2021-01-10 01:21:56 -05:00
Adnan Maolood	41d5f8d31b	Move documentation back to doc.go	2021-01-10 01:16:50 -05:00
Adnan Maolood	24026422b2	Update examples/stream.go	2021-01-10 01:13:07 -05:00
Adnan Maolood	5e977250ec	Update comments	2021-01-10 01:07:38 -05:00
Adnan Maolood	d8c5da1c7c	Update link to documentation	2021-01-10 00:55:39 -05:00
Adnan Maolood	d01d50ff1a	Simplify ResponseWriter implementation	2021-01-10 00:50:35 -05:00
Adnan Maolood	3ed39e62d8	Rename status.Message to status.Meta	2021-01-10 00:10:57 -05:00
Hugo Wetterberg	f2921a396f	Add missing error handling Error handling is currently missing is a couple of places. Most of them are i/o related. This change adds checks, an therefore sometimes also has to change function signatures by adding an error return value. In the case of the response writer the status and meta handling is changed and this also breaks the API. In some places where we don't have any reasonable I've added assignment to a blank identifier to make it clear that we're ignoring an error. text: read the Err() that can be set by the scanner. client: check if conn.SetDeadline() returns an error. client: check if req.Write() returns an error. fs: panic if mime type registration fails. server: stop performing i/o in Header/Status functions By deferring the actual header write to the first Write() or Flush() call we don't have to do any error handling in Header() or Status(). As Server.respond() now defers a ResponseWriter.Flush() instead of directly flushing the underlying bufio.Writer this has the added benefit of ensuring that we always write a header to the client, even if the responder is a complete NOOP. tofu: return an error if we fail to write to the known hosts writer.	2021-01-09 23:53:07 -05:00
Hugo Wetterberg	efef44c2f9	server: abort request handling on bad requests A request to a hostname that hasn't been registered with the server currently results in a nil pointer deref panic in server.go:215 as request handling continues even if ReadRequest() returns an error. This change changes all if-else error handling in Server.respond() to a WriteStatus-call and early return. This makes it clear when request handling is aborted (and actually aborts when ReadRequest() fails).	2021-01-05 18:33:36 -05:00
Adnan Maolood	c8626bae17	client: Close connection for unsuccessful responses	2020-12-22 19:22:01 -05:00
Adnan Maolood	48fa6a724e	examples/client: Fix fingerprint check	2020-12-19 13:44:33 -05:00
Adnan Maolood	80ffa72863	client: Verify expiration time	2020-12-19 13:43:47 -05:00
Adnan Maolood	61b417a5c4	Add ResponseWriter.Flush function	2020-12-18 13:15:34 -05:00
Adnan Maolood	a912ef996a	Add examples/stream.go	2020-12-18 12:31:37 -05:00
Adnan Maolood	d9a690a98f	Make NewResponseWriter take an io.Writer	2020-12-18 01:47:29 -05:00
Adnan Maolood	04bd0f4520	Update Request documentation	2020-12-18 01:43:18 -05:00
Adnan Maolood	d34d5df89e	Add ReadRequest and ReadResponse functions	2020-12-18 01:42:05 -05:00
Adnan Maolood	decd72cc23	Expose Request.Write and Response.Read functions	2020-12-18 01:14:06 -05:00
Adnan Maolood	c329a2487e	server: Don't always assume TLS is used	2020-12-18 01:02:04 -05:00
Adnan Maolood	df1794c803	examples: Add missing descriptions	2020-12-18 00:47:30 -05:00
Adnan Maolood	5af1acbd54	examples/html: Read from stdin and write to stdout	2020-12-18 00:45:09 -05:00
Adnan Maolood	36c2086c82	Remove unnecessary variable	2020-12-18 00:35:08 -05:00
Adnan Maolood	d52d0af783	Update QueryEscape documentation	2020-12-18 00:26:47 -05:00
Adnan Maolood	35836f2ff7	Remove Input function	2020-12-18 00:25:06 -05:00
Adnan Maolood	824887eab9	Remove Response.Request field	2020-12-18 00:19:53 -05:00
Adnan Maolood	e2c907a7f6	client: Remove GetInput and CheckRedirect callbacks	2020-12-18 00:12:32 -05:00
Adnan Maolood	a09cb5a23c	Update switch statement	2020-12-17 23:03:33 -05:00
Adnan Maolood	7ca7053f66	client: Remove GetCertificate callback	2020-12-17 22:56:48 -05:00
Adnan Maolood	ca35aadaea	examples/auth: Fix crash on changing username	2020-12-17 21:10:53 -05:00
Adnan Maolood	805a80dddf	Update GetCertificate documentation	2020-12-17 19:54:46 -05:00
Adnan Maolood	28c5c857dc	Decouple Client from KnownHostsFile	2020-12-17 19:50:26 -05:00
Adnan Maolood	176b260468	Allow Request.Context to be nil	2020-12-17 17:16:55 -05:00
Adnan Maolood	a1dd8de337	Fix locking up of KnownHostsFile and CertificateDir	2020-12-17 17:15:24 -05:00
Adnan Maolood	7be0715d39	Use RWMutex instead of Mutex	2020-12-17 17:08:45 -05:00
Adnan Maolood	4704b8fbcf	Add missing imports	2020-12-17 17:07:00 -05:00
Adnan Maolood	aeafd57956	Make CertificateDir safe for concurrent use by multiple goroutines	2020-12-17 16:52:08 -05:00
Adnan Maolood	e687a05170	Make KnownHostsFile safe for concurrent use	2020-12-17 16:49:59 -05:00
Adnan Maolood	846fa2ac41	client: Add GetCertificate callback	2020-12-17 16:46:16 -05:00
Adnan Maolood	611a7d54c0	Revert to using hexadecimal to encode fingerprints	2020-12-16 23:58:02 -05:00
Adnan Maolood	16739d20d0	Fix escaping of queries	2020-11-27 22:27:52 -05:00
Adnan Maolood	24e488a4cb	examples/server: Increase certificate duration	2020-11-27 17:54:26 -05:00
Adnan Maolood	e0ac1685d2	Fix server name in TLS connections	2020-11-27 17:45:15 -05:00
Adnan Maolood	82688746dd	Add context to requests	2020-11-26 00:42:25 -05:00
Adnan Maolood	3b9cc7f168	Update examples/auth.go	2020-11-25 19:10:01 -05:00
Adnan Maolood	3c7940f153	Fix known hosts expiration timestamps	2020-11-25 14:24:49 -05:00
Adnan Maolood	8ee55ee009	Fix certificate fingerprint check	2020-11-25 14:20:31 -05:00
Adnan Maolood	7ee0ea8b7f	Use base64 to encode fingerprints	2020-11-25 14:16:51 -05:00
Adnan Maolood	ab1db34f02	Fix client locking up on redirects	2020-11-24 21:49:24 -05:00
Adnan Maolood	35e984fbba	Escape path character in certificate scopes	2020-11-24 20:24:38 -05:00
Adnan Maolood	cab23032c0	Don't assume a default scheme of gemini	2020-11-24 17:13:52 -05:00
Adnan Maolood	4b653032e4	Make Client safe for concurrent use	2020-11-24 16:28:58 -05:00
Adnan Maolood	0c75e5d5ad	Expose KnownHosts and CertificateStore internals	2020-11-23 12:17:54 -05:00
Adnan Maolood	f6b0443a62	Update KnownHosts documentation	2020-11-09 13:57:30 -05:00
Adnan Maolood	3dee6dcff3	Add (*CertificateStore).Write function	2020-11-09 13:54:15 -05:00
Adnan Maolood	85f8e84bd5	Rename (*ResponseWriter).SetMimetype to SetMediaType	2020-11-09 13:44:42 -05:00
Adnan Maolood	9338681256	Add (*KnownHosts).SetOutput function	2020-11-09 12:26:08 -05:00
Adnan Maolood	f2a1510375	Move documentation to gemini.go	2020-11-09 12:07:49 -05:00
Adnan Maolood	46cbcfcaa4	Remove top-level Get and Do functions	2020-11-09 12:04:53 -05:00
Adnan Maolood	76dfe257f1	Remove (*KnownHosts).LoadDefault function	2020-11-09 09:28:44 -05:00
Adnan Maolood	5332dc6280	Don't guarantee that (*Response).Body is always non-nil	2020-11-08 18:38:08 -05:00
Adnan Maolood	6b3cf1314b	Fix relative redirects	2020-11-07 23:43:07 -05:00
Adnan Maolood	fe92db1e9c	Allow redirects to non-gemini schemes	2020-11-06 11:18:58 -05:00
Adnan Maolood	ff6c95930b	Fix TOFU	2020-11-05 22:30:13 -05:00
Adnan Maolood	a5712c7705	Don't check if certificate is expired	2020-11-05 18:35:25 -05:00
Adnan Maolood	520d0a7fb1	Don't redirect by default	2020-11-05 15:44:01 -05:00
Adnan Maolood	bf185e4091	update examples/cert.go	2020-11-05 15:38:41 -05:00
Adnan Maolood	8101fbe473	Update examples/auth.go	2020-11-05 15:37:46 -05:00
Adnan Maolood	b76080c863	Refactor KnownHosts	2020-11-05 15:27:12 -05:00
Adnan Maolood	53390dad6b	Document CertificateOptions	2020-11-05 00:04:58 -05:00
Adnan Maolood	cec1f118fb	Remove some unnecessary errors	2020-11-04 23:46:05 -05:00
Adnan Maolood	95716296b4	Use ECDSA keys by default	2020-11-03 19:43:04 -05:00
Adnan Maolood	1490bf6a75	Update examples/auth.go	2020-11-03 16:29:39 -05:00
Adnan Maolood	610c6fc533	Add ErrorLog field to Server	2020-11-03 16:11:31 -05:00
Adnan Maolood	01670647d2	Add Subject option in CertificateOptions	2020-11-02 23:11:46 -05:00
Adnan Maolood	5b3194695f	Store request certificate to prevent infinite loop	2020-11-02 13:47:07 -05:00