regress: add test_ipv6_server

at least on the CI is failing with "can't connect to ::1:10965:
Address not available" which suggests IPv6 is broken there.

.cirrus.yml

@@ -1,6 +1,9 @@
 # gcc' -Werror=use-after-free gets tripped by vis.c: it sees a use
 # after free where it's not possible and breaks the CI.
 
+# seems that inside the CI it's not currently possible to bind to ::1
+# so set HAVE_IPV6=no.
+
 linux_amd64_task:
   container:
     image: alpine:latest
@@ -8,7 +11,7 @@ linux_amd64_task:
     - apk add alpine-sdk linux-headers bison libretls-dev libevent-dev
     - ./configure CFLAGS='-O2 -pipe -Wno-deprecated-declarations -Wno-use-after-free' -Werror
     - make
-    - make regress REGRESS_HOST="*"
+    - make regress REGRESS_HOST="*" HAVE_IPV6=no
 
 linux_arm_task:
   arm_container:
@@ -17,20 +20,25 @@ linux_arm_task:
     - apk add alpine-sdk linux-headers bison libretls-dev libevent-dev
     - ./configure CFLAGS='-O2 -pipe -Wno-deprecated-declarations -Wno-use-after-free' -Werror
     - make
-    - make regress REGRESS_HOST="*"
+    - make regress REGRESS_HOST="*" HAVE_IPV6=no
 
-freebsd_13_task:
+freebsd_14_task:
   freebsd_instance:
-    image_family: freebsd-13-0
+    image_family: freebsd-14-0
-  test_script:
+  install_script: pkg install -y libevent libressl pkgconf
-    - pkg install -y libevent libressl pkgconf
+  script:
     - ./configure CFLAGS='-O2 -pipe -Wno-deprecated-declarations' -Werror
     - make
-    - make regress
+    - make regress HAVE_IPV6=no
 
+#
+# There are some issues with imsg fd passing on macos at the moment that
+# seem to be triggered only in applications that do a heavy use of them,
+# like gmid or opensmtpd.  Still, keep macos to ensure gmid builds here.
+#
 mac_task:
   macos_instance:
-    image: ghcr.io/cirruslabs/macos-ventura-xcode:latest
+    image: ghcr.io/cirruslabs/macos-sonoma-xcode:latest
   test_script:
     - brew install libevent openssl libretls
     - PKG_CONFIG_PATH="$(brew --prefix openssl)/lib/pkgconfig" ./configure CFLAGS='-O2 -pipe -Wno-deprecated-declarations' -Werror

.github/workflows/alpine-release.yml

@@ -0,0 +1,33 @@
+name: release docker image
+on:
+  push:
+    tags:
+env:
+  IMAGE_NAME: "gmid"
+jobs:
+  build:
+    permissions: write-all
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v1
+
+    - name: build the image
+      run: docker build -f contrib/Dockerfile -t gmid:alpine .
+
+    - name: login to ghcr.io
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: push the image
+      run: |
+        IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME
+        IMAGE_ID=$(echo $IMAGE_ID | tr A-Z a-z)
+        # strip git ref prefix from version
+        VERSION=$(echo "${{ github.ref }}" | sed -e 's,.*/\(.*\),\1,')
+        echo IMAGE_ID=$IMAGE_ID
+        echo VERSION=$VERSION
+        docker tag gmid:alpine $IMAGE_ID:$VERSION
+        docker push $IMAGE_ID:$VERSION

ChangeLog

@@ -1,3 +1,43 @@
+2024-04-03  Omar Polo  <op@omarpolo.com>
+
+	* configure: improve function checking in the configure
+	* have/landlock.c: fix landlock test
+	* gmid.c (main_print_conf): fix config dumping with -nn
+
+2024-03-03  Omar Polo  <op@omarpolo.com>
+
+	* gmid.c: fix `log access path' with a chroot
+
+2024-01-30  Anna “CyberTailor”
+
+	* contrib/vim/indent/gmid.vim: fix indent
+
+2024-01-30  Omar Polo  <op@omarpolo.com>
+
+	* parse.y: don't make log styles reserved keywords.  Unbreaks the
+	example in the manpage with `common = ...'.
+
+2024-01-26  Omar Polo  <op@omarpolo.com>
+
+	* parse.y: rework grammar to allow the semicolon after
+	variables/macros definition and top-level options
+
+2024-01-24  Omar Polo  <op@omarpolo.com>
+
+	* configure (VERSION): release 2.0.1
+
+2024-01-21  Omar Polo  <op@omarpolo.com>
+
+	* convert gmid to the new imsg API
+
+2024-01-14  Anna “CyberTailor”
+
+	* configure: fix --mandir handling
+
+2024-01-11  Omar Polo  <op@omarpolo.com>
+
+	* configure (VERSION): release 2.0
+
 2024-01-09  Anna “CyberTailor”
 
 	* contrib/vim/syntax/gmid.vim: update Vim syntax file

Makefile

@@ -131,7 +131,7 @@ y.tab.c: parse.y
 lint:
 	man -Tlint -Wstyle -l gmid.8 gmid.conf.5 gemexp.1 gg.1 titan.1
 
-PUBKEY =	keys/gmid-${VERSION}.pub
+PUBKEY =	keys/gmid-2.0.pub
 PRIVKEY =	set-PRIVKEY
 DISTFILES =	.cirrus.yml .dockerignore .gitignore ChangeLog LICENSE \
 		Makefile README.md config.c configure crypto.c dirs.c fcgi.c \

config.c

@@ -474,19 +474,20 @@ config_crypto_recv_kp(struct conf *conf, struct imsg *imsg)
 	static struct pki *pki;
 	uint8_t *d;
 	size_t len;
+	int fd;
 
 	/* XXX: check for duplicates */
 
-	if (imsg->fd == -1)
+	if ((fd = imsg_get_fd(imsg)) == -1)
-		fatalx("no fd for imsg %d", imsg->hdr.type);
+		fatalx("%s: no fd for imsg %d", __func__, imsg_get_type(imsg));
 
-	switch (imsg->hdr.type) {
+	switch (imsg_get_type(imsg)) {
 	case IMSG_RECONF_CERT:
 		if (pki != NULL)
 			fatalx("imsg in wrong order; pki is not NULL");
 		if ((pki = calloc(1, sizeof(*pki))) == NULL)
 			fatal("calloc");
-		if (load_file(imsg->fd, &d, &len) == -1)
+		if (load_file(fd, &d, &len) == -1)
 			fatalx("can't load file");
 		if ((pki->hash = ssl_pubkey_hash(d, len)) == NULL)
 			fatalx("failed to compute cert hash");
@@ -496,9 +497,9 @@ config_crypto_recv_kp(struct conf *conf, struct imsg *imsg)
 
 	case IMSG_RECONF_KEY:
 		if (pki == NULL)
-			fatalx("got key without cert beforehand %d",
+			fatalx("%s: RECONF_KEY: got key without cert",
-			    imsg->hdr.type);
+			    __func__);
-		if (load_file(imsg->fd, &d, &len) == -1)
+		if (load_file(fd, &d, &len) == -1)
 			fatalx("failed to load private key");
 		if ((pki->pkey = ssl_load_pkey(d, len)) == NULL)
 			fatalx("failed load private key");
@@ -529,11 +530,10 @@ config_recv(struct conf *conf, struct imsg *imsg)
 	struct proxy	*proxy;
 	struct address	*addr;
 	uint8_t		*d;
-	size_t		 len, datalen;
+	size_t		 len;
+	int		 fd;
 
-	datalen = IMSG_DATA_SIZE(imsg);
+	switch (imsg_get_type(imsg)) {
-
-	switch (imsg->hdr.type) {
 	case IMSG_RECONF_START:
 		config_purge(conf);
 		h = NULL;
@@ -541,13 +541,14 @@ config_recv(struct conf *conf, struct imsg *imsg)
 		break;
 
 	case IMSG_RECONF_LOG_FMT:
-		IMSG_SIZE_CHECK(imsg, &conf->log_format);
+		if (imsg_get_data(imsg, &conf->log_format,
-		memcpy(&conf->log_format, imsg->data, datalen);
+		    sizeof(conf->log_format)) == -1)
+			fatalx("bad length imsg LOG_FMT");
 		break;
 
 	case IMSG_RECONF_MIME:
-		IMSG_SIZE_CHECK(imsg, &m);
+		if (imsg_get_data(imsg, &m, sizeof(m)) == -1)
-		memcpy(&m, imsg->data, datalen);
+			fatalx("bad length imsg RECONF_MIME");
 		if (m.mime[sizeof(m.mime) - 1] != '\0' ||
 		    m.ext[sizeof(m.ext) - 1] != '\0')
 			fatal("received corrupted IMSG_RECONF_MIME");
@@ -557,18 +558,19 @@ config_recv(struct conf *conf, struct imsg *imsg)
 		break;
 
 	case IMSG_RECONF_PROTOS:
-		IMSG_SIZE_CHECK(imsg, &conf->protos);
+		if (imsg_get_data(imsg, &conf->protos, sizeof(conf->protos))
-		memcpy(&conf->protos, imsg->data, datalen);
+		    == -1)
+			fatalx("bad length imsg RECONF_PROTOS");
 		break;
 
 	case IMSG_RECONF_SOCK:
 		addr = xcalloc(1, sizeof(*addr));
-		IMSG_SIZE_CHECK(imsg, addr);
+		if (imsg_get_data(imsg, addr, sizeof(*addr)) == -1)
-		memcpy(addr, imsg->data, sizeof(*addr));
+			fatalx("bad length imsg RECONF_SOCK");
-		if (imsg->fd == -1)
+		if ((fd = imsg_get_fd(imsg)) == -1)
 			fatalx("missing socket for IMSG_RECONF_SOCK");
 		addr->conf = conf;
-		addr->sock = imsg->fd;
+		addr->sock = fd;
 		event_set(&addr->evsock, addr->sock, EV_READ|EV_PERSIST,
 		    server_accept, addr);
 		if ((addr->ctx = tls_server()) == NULL)
@@ -577,16 +579,16 @@ config_recv(struct conf *conf, struct imsg *imsg)
 		break;
 
 	case IMSG_RECONF_FCGI:
-		IMSG_SIZE_CHECK(imsg, fcgi);
 		fcgi = xcalloc(1, sizeof(*fcgi));
-		memcpy(fcgi, imsg->data, datalen);
+		if (imsg_get_data(imsg, fcgi, sizeof(*fcgi)) == -1)
+			fatalx("bad length imsg RECONF_FCGI");
 		log_debug("received fcgi %s", fcgi->path);
 		TAILQ_INSERT_TAIL(&conf->fcgi, fcgi, fcgi);
 		break;
 
 	case IMSG_RECONF_HOST:
-		IMSG_SIZE_CHECK(imsg, &vht);
+		if (imsg_get_data(imsg, &vht, sizeof(vht)) == -1)
-		memcpy(&vht, imsg->data, datalen);
+			fatalx("bad length imsg RECONF_HOST");
 		vh = new_vhost();
 		strlcpy(vh->domain, vht.domain, sizeof(vh->domain));
 		h = vh;
@@ -605,9 +607,9 @@ config_recv(struct conf *conf, struct imsg *imsg)
 			fatalx("recv'd cert without host");
 		if (h->cert != NULL)
 			fatalx("cert already received");
-		if (imsg->fd == -1)
+		if ((fd = imsg_get_fd(imsg)) == -1)
 			fatalx("no fd for IMSG_RECONF_CERT");
-		if (load_file(imsg->fd, &h->cert, &h->certlen) == -1)
+		if (load_file(fd, &h->cert, &h->certlen) == -1)
 			fatalx("failed to load cert for %s",
 			    h->domain);
 		break;
@@ -620,9 +622,9 @@ config_recv(struct conf *conf, struct imsg *imsg)
 			fatalx("recv'd key without host");
 		if (h->key != NULL)
 			fatalx("key already received");
-		if (imsg->fd == -1)
+		if ((fd = imsg_get_fd(imsg)) == -1)
 			fatalx("no fd for IMSG_RECONF_KEY");
-		if (load_file(imsg->fd, &h->key, &h->keylen) == -1)
+		if (load_file(fd, &h->key, &h->keylen) == -1)
 			fatalx("failed to load key for %s",
 			    h->domain);
 		break;
@@ -633,9 +635,9 @@ config_recv(struct conf *conf, struct imsg *imsg)
 			fatalx("recv'd ocsp without host");
 		if (h->ocsp != NULL)
 			fatalx("ocsp already received");
-		if (imsg->fd == -1)
+		if ((fd = imsg_get_fd(imsg)) == -1)
 			fatalx("no fd for IMSG_RECONF_OCSP");
-		if (load_file(imsg->fd, &h->ocsp, &h->ocsplen) == -1)
+		if (load_file(fd, &h->ocsp, &h->ocsplen) == -1)
 			fatalx("failed to load ocsp for %s",
 			    h->domain);
 		break;
@@ -644,22 +646,22 @@ config_recv(struct conf *conf, struct imsg *imsg)
 		log_debug("receiving host addr");
 		if (h == NULL)
 			fatalx("recv'd host address withouth host");
-		IMSG_SIZE_CHECK(imsg, addr);
 		addr = xcalloc(1, sizeof(*addr));
-		memcpy(addr, imsg->data, datalen);
+		if (imsg_get_data(imsg, addr, sizeof(*addr)) == -1)
+			fatalx("bad length imsg RECONF_HOST_ADDR");
 		TAILQ_INSERT_TAIL(&h->addrs, addr, addrs);
 		break;
 
 	case IMSG_RECONF_LOC:
 		if (h == NULL)
 			fatalx("recv'd location without host");
-		IMSG_SIZE_CHECK(imsg, loc);
 		loc = xcalloc(1, sizeof(*loc));
-		memcpy(loc, imsg->data, datalen);
+		if (imsg_get_data(imsg, loc, sizeof(*loc)) == -1)
+			fatalx("bad length imsg RECONF_LOC");
 		TAILQ_INIT(&loc->params);
 
-		if (imsg->fd != -1) {
+		if ((fd = imsg_get_fd(imsg)) != -1) {
-			if (load_file(imsg->fd, &d, &len) == -1)
+			if (load_file(fd, &d, &len) == -1)
 				fatal("load_file");
 			loc->reqca = load_ca(d, len);
 			if (loc->reqca == NULL)
@@ -674,18 +676,18 @@ config_recv(struct conf *conf, struct imsg *imsg)
 	case IMSG_RECONF_ENV:
 		if (l == NULL)
 			fatalx("recv'd env without location");
-		IMSG_SIZE_CHECK(imsg, env);
 		env = xcalloc(1, sizeof(*env));
-		memcpy(env, imsg->data, datalen);
+		if (imsg_get_data(imsg, env, sizeof(*env)) == -1)
+			fatalx("bad length imsg RECONF_ENV");
 		TAILQ_INSERT_TAIL(&l->params, env, envs);
 		break;
 
 	case IMSG_RECONF_ALIAS:
 		if (h == NULL)
 			fatalx("recv'd alias without host");
-		IMSG_SIZE_CHECK(imsg, alias);
 		alias = xcalloc(1, sizeof(*alias));
-		memcpy(alias, imsg->data, datalen);
+		if (imsg_get_data(imsg, alias, sizeof(*alias)) == -1)
+			fatalx("bad length imsg RECONF_ALIAS");
 		TAILQ_INSERT_TAIL(&h->aliases, alias, aliases);
 		break;
 
@@ -693,12 +695,12 @@ config_recv(struct conf *conf, struct imsg *imsg)
 		log_debug("receiving proxy");
 		if (h == NULL)
 			fatalx("recv'd proxy without host");
-		IMSG_SIZE_CHECK(imsg, proxy);
 		proxy = xcalloc(1, sizeof(*proxy));
-		memcpy(proxy, imsg->data, datalen);
+		if (imsg_get_data(imsg, proxy, sizeof(*proxy)) == -1)
+			fatalx("bad length imsg RECONF_PROXY");
 
-		if (imsg->fd != -1) {
+		if ((fd = imsg_get_fd(imsg)) != -1) {
-			if (load_file(imsg->fd, &d, &len) == -1)
+			if (load_file(fd, &d, &len) == -1)
 				fatal("load_file");
 			proxy->reqca = load_ca(d, len);
 			if (proxy->reqca == NULL)
@@ -716,9 +718,9 @@ config_recv(struct conf *conf, struct imsg *imsg)
 			fatalx("recv'd proxy cert without proxy");
 		if (p->cert != NULL)
 			fatalx("proxy cert already received");
-		if (imsg->fd == -1)
+		if ((fd = imsg_get_fd(imsg)) == -1)
 			fatalx("no fd for IMSG_RECONF_PROXY_CERT");
-		if (load_file(imsg->fd, &p->cert, &p->certlen) == -1)
+		if (load_file(fd, &p->cert, &p->certlen) == -1)
 			fatalx("failed to load cert for proxy %s of %s",
 			    p->host, h->domain);
 		break;
@@ -729,9 +731,9 @@ config_recv(struct conf *conf, struct imsg *imsg)
 			fatalx("recv'd proxy key without proxy");
 		if (p->key != NULL)
 			fatalx("proxy key already received");
-		if (imsg->fd == -1)
+		if ((fd = imsg_get_fd(imsg)) == -1)
 			fatalx("no fd for IMSG_RECONF_PROXY_KEY");
-		if (load_file(imsg->fd, &p->key, &p->keylen) == -1)
+		if (load_file(fd, &p->key, &p->keylen) == -1)
 			fatalx("failed to load key for proxy %s of %s",
 			    p->host, h->domain);
 		break;

configure

@@ -19,7 +19,7 @@
 set -e
 
 RELEASE=no
-VERSION=2.0
+VERSION=2.0.2-current
 
 usage()
 {
@@ -59,6 +59,10 @@ CDIAGFLAGS="${CDIAGFLAGS} -Wsign-compare -Wno-unused-parameter" # -Wshadow
 CDIAGFLAGS="${CDIAGFLAGS} -Wno-missing-field-initializers"
 CDIAGFLAGS="${CDIAGFLAGS} -Wno-pointer-sign"
 
+# On all OSes except OpenBSD use the bundled one.  It may crash at
+# runtime otherwise since we depend on the libtls internals for the
+# privsep crypto engine.
+# See <https://codeberg.org/op/gmid/issues/2>.
 LIBTLS=bundled # or system
 if [ "$(uname || true)" = OpenBSD ]; then
 	LIBTLS=system
@@ -120,6 +124,7 @@ while [ $# -gt 0 ]; do
 	DISABLE_SANDBOX) DISABLE_SANDBOX="$val" ;;
 	INSTALL)	INSTALL="$val" ;;
 	LDFLAGS)	LDFLAGS="$val" ;;
+	MANDIR)		MANDIR="$val" ;;
 	PKG_CONFIG)	PKG_CONFIG="$val" ;;
 	PREFIX)		PREFIX="$val" ;;
 	SYSCONFDIR)	SYSCONFDIR="$val" ;;
@@ -141,7 +146,7 @@ NEED_OPENBSD_SOURCE=0
 NEED_LIBBSD_OPENBSD_VIS=0
 
 COMPATS=
-COMP="${CC} ${CFLAGS} -Wno-unused -Werror"
+COMP="${CC} ${CFLAGS} -Werror=implicit-function-declaration"
 
 # singletest name var extra-cflags extra-libs msg
 singletest() {

contrib/gmid.service

@@ -6,8 +6,6 @@ Wants=network-online.target
 
 [Service]
 Type=simple
-User=gmid
-Group=nobody
 ExecStart=/usr/local/bin/gmid -f -c /etc/gmid.conf
 ExecStop=/bin/kill -TERM $MAINPID
 ExecReload=/bin/kill -HUP $MAINPID

contrib/vim/indent/gmid.vim

@@ -9,3 +9,5 @@ setlocal indentexpr=
 setlocal cindent
 " Just make sure that the comments are not reset as defs would be.
 setlocal cinkeys-=0#
+" And indentation works correctly without semicolons.
+setlocal cinoptions=+0

crypto.c

@@ -80,7 +80,7 @@ crypto_init(struct privsep *ps, struct privsep_proc *p, void *arg)
 static int
 crypto_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
 {
-	switch (imsg->hdr.type) {
+	switch (imsg_get_type(imsg)) {
 	case IMSG_RECONF_START:
 	case IMSG_RECONF_CERT:
 	case IMSG_RECONF_KEY:
@@ -117,25 +117,25 @@ crypto_dispatch_server(int fd, struct privsep_proc *p, struct imsg *imsg)
 	EVP_PKEY		*pkey;
 	struct imsg_crypto_req	 req;
 	struct imsg_crypto_res	 res;
+	struct ibuf		 ibuf;
 	struct iovec		 iov[2];
 	const void		*from;
-	unsigned char		*data, *to;
+	unsigned char		*to;
-	size_t			 datalen;
+	int			 n, ret, type;
-	int			 n, ret;
 	unsigned int		 len;
+	pid_t			 pid;
 
-	data = imsg->data;
+	if (imsg_get_ibuf(imsg, &ibuf) == -1)
-	datalen = IMSG_DATA_SIZE(imsg);
+		fatalx("%s: couldn't get an ibuf", __func__);
 
-	switch (imsg->hdr.type) {
+	pid = imsg_get_pid(imsg);
+	switch (type = imsg_get_type(imsg)) {
 	case IMSG_CRYPTO_RSA_PRIVENC:
 	case IMSG_CRYPTO_RSA_PRIVDEC:
-		if (datalen < sizeof(req))
+		if (ibuf_get(&ibuf, &req, sizeof(req)) == -1 ||
-			fatalx("size mismatch for imsg %d", imsg->hdr.type);
+		    ibuf_size(&ibuf) != req.flen)
-		memcpy(&req, data, sizeof(req));
+			fatalx("size mismatch for imsg %d", type);
-		if (datalen != sizeof(req) + req.flen)
+		from = ibuf_data(&ibuf);
-			fatalx("size mismatch for imsg %d", imsg->hdr.type);
-		from = data + sizeof(req);
 
 		if ((pkey = get_pkey(req.hash)) == NULL ||
 		    (rsa = EVP_PKEY_get1_RSA(pkey)) == NULL)
@@ -144,7 +144,7 @@ crypto_dispatch_server(int fd, struct privsep_proc *p, struct imsg *imsg)
 		if ((to = calloc(1, req.tlen)) == NULL)
 			fatal("calloc");
 
-		if (imsg->hdr.type == IMSG_CRYPTO_RSA_PRIVENC)
+		if (type == IMSG_CRYPTO_RSA_PRIVENC)
 			ret = RSA_private_encrypt(req.flen, from,
 			    to, rsa, req.padding);
 		else
@@ -168,12 +168,12 @@ crypto_dispatch_server(int fd, struct privsep_proc *p, struct imsg *imsg)
 			n++;
 		}
 
-		log_debug("replying to server #%d", imsg->hdr.pid);
+		log_debug("replying to server #%d", pid);
-		if (proc_composev_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1,
+		if (proc_composev_imsg(ps, PROC_SERVER, pid - 1,
-		    imsg->hdr.type, 0, -1, iov, n) == -1)
+		    type, 0, -1, iov, n) == -1)
 			fatal("proc_composev_imsg");
 
-		if (proc_flush_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1) == -1)
+		if (proc_flush_imsg(ps, PROC_SERVER, pid - 1) == -1)
 			fatal("proc_flush_imsg");
 
 		free(to);
@@ -181,12 +181,10 @@ crypto_dispatch_server(int fd, struct privsep_proc *p, struct imsg *imsg)
 		break;
 
 	case IMSG_CRYPTO_ECDSA_SIGN:
-		if (datalen < sizeof(req))
+		if (ibuf_get(&ibuf, &req, sizeof(req)) == -1 ||
-			fatalx("size mismatch for imsg %d", imsg->hdr.type);
+		    ibuf_size(&ibuf) != req.flen)
-		memcpy(&req, data, sizeof(req));
+			fatalx("size mismatch for imsg %d", type);
-		if (datalen != sizeof(req) + req.flen)
+		from = ibuf_data(&ibuf);
-			fatalx("size mismatch for imsg %d", imsg->hdr.type);
-		from = data + sizeof(req);
 
 		if ((pkey = get_pkey(req.hash)) == NULL ||
 		    (ecdsa = EVP_PKEY_get1_EC_KEY(pkey)) == NULL)
@@ -214,12 +212,12 @@ crypto_dispatch_server(int fd, struct privsep_proc *p, struct imsg *imsg)
 			n++;
 		}
 
-		log_debug("replying to server #%d", imsg->hdr.pid);
+		log_debug("replying to server #%d", pid);
-		if (proc_composev_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1,
+		if (proc_composev_imsg(ps, PROC_SERVER, pid - 1,
-		    imsg->hdr.type, 0, -1, iov, n) == -1)
+		    type, 0, -1, iov, n) == -1)
 			fatal("proc_composev_imsg");
 
-		if (proc_flush_imsg(ps, PROC_SERVER, imsg->hdr.pid - 1) == -1)
+		if (proc_flush_imsg(ps, PROC_SERVER, pid - 1) == -1)
 			fatal("proc_flush_imsg");
 
 		free(to);
@@ -251,14 +249,13 @@ rsae_send_imsg(int flen, const unsigned char *from, unsigned char *to,
 	struct imsgev		*iev;
 	struct privsep_proc	*p;
 	struct privsep		*ps = conf->ps;
-	struct imsgbuf		*ibuf;
+	struct imsgbuf		*imsgbuf;
 	struct imsg		 imsg;
+	struct ibuf		 ibuf;
 	int			 ret = 0;
 	int			 n, done = 0;
 	const void		*toptr;
 	char			*hash;
-	unsigned char		*data;
-	size_t			 datalen;
 
 	if ((hash = RSA_get_ex_data(rsa, 0)) == NULL)
 		return (0);
@@ -289,56 +286,52 @@ rsae_send_imsg(int flen, const unsigned char *from, unsigned char *to,
 
 	iev = ps->ps_ievs[PROC_CRYPTO];
 	p = iev->proc;
-	ibuf = &iev->ibuf;
+	imsgbuf = &iev->ibuf;
 
 	while (!done) {
-		if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
+		if ((n = imsg_read(imsgbuf)) == -1 && errno != EAGAIN)
 			fatalx("imsg_read");
 		if (n == 0)
 			fatalx("pipe closed");
 
 		while (!done) {
-			if ((n = imsg_get(ibuf, &imsg)) == -1)
+			if ((n = imsg_get(imsgbuf, &imsg)) == -1)
 				fatalx("imsg_get error");
 			if (n == 0)
 				break;
 
 #if DEBUG > 1
 			log_debug(
-			    "%s: %s %d got imsg %d peerid %d from %s %d",
+			    "%s: %s %d got imsg %d id %d from %s %d",
-			    __func__, title, 1, imsg.hdr.type,
+			    __func__, title, 1, imsg_get_type(&imsg),
-			    imsg.hdr.peerid, "crypto", imsg.hdr.pid);
+			    imsg_get_id(&imsg), "crypto", imsg_get_pid(&imsg));
 #endif
 
-			if ((p->p_cb)(ibuf->fd, p, &imsg) == 0) {
+			if ((p->p_cb)(imsgbuf->fd, p, &imsg) == 0) {
 				/* Message was handled by the callback */
 				imsg_free(&imsg);
 				continue;
 			}
 
-			switch (imsg.hdr.type) {
+			switch (imsg_get_type(&imsg)) {
 			case IMSG_CRYPTO_RSA_PRIVENC:
 			case IMSG_CRYPTO_RSA_PRIVDEC:
 				break;
 			default:
 				fatalx("%s: %s %d got invalid imsg %d"
-				    " peerid %d from %s %d",
+				    " id %d from %s %d",
 				    __func__, "server", ps->ps_instance + 1,
-				    imsg.hdr.type, imsg.hdr.peerid,
+				    imsg_get_type(&imsg), imsg_get_id(&imsg),
-				    "crypto", imsg.hdr.pid);
+				    "crypto", imsg_get_pid(&imsg));
 			}
 
-			data = imsg.data;
+			if (imsg_get_ibuf(&imsg, &ibuf) == -1 ||
-			datalen = IMSG_DATA_SIZE(&imsg);
+			    ibuf_get(&ibuf, &res, sizeof(res)) == -1 ||
-			if (datalen < sizeof(res))
+			    (int)ibuf_size(&ibuf) != res.ret)
-				fatalx("size mismatch for imsg %d",
-				    imsg.hdr.type);
-			memcpy(&res, data, sizeof(res));
-			if (datalen != sizeof(res) + res.ret)
 				fatalx("size mismatch for imsg %d",
 				    imsg.hdr.type);
 			ret = res.ret;
-			toptr = data + sizeof(res);
+			toptr = ibuf_data(&ibuf);
 
 			if (res.id != reqid)
 				fatalx("invalid id; got %llu, want %llu",
@@ -399,13 +392,12 @@ ecdsae_send_enc_imsg(const unsigned char *dgst, int dgst_len,
 	struct imsgev		*iev;
 	struct privsep_proc	*p;
 	struct privsep		*ps = conf->ps;
-	struct imsgbuf		*ibuf;
+	struct imsgbuf		*imsgbuf;
 	struct imsg		 imsg;
+	struct ibuf		 ibuf;
 	int			 n, done = 0;
 	const void		*toptr;
 	char			*hash;
-	unsigned char		*data;
-	size_t			 datalen;
 
 	if ((hash = EC_KEY_get_ex_data(eckey, 0)) == NULL)
 		return (0);
@@ -434,16 +426,16 @@ ecdsae_send_enc_imsg(const unsigned char *dgst, int dgst_len,
 
 	iev = ps->ps_ievs[PROC_CRYPTO];
 	p = iev->proc;
-	ibuf = &iev->ibuf;
+	imsgbuf = &iev->ibuf;
 
 	while (!done) {
-		if ((n = imsg_read(ibuf)) == -1 && errno != EAGAIN)
+		if ((n = imsg_read(imsgbuf)) == -1 && errno != EAGAIN)
 			fatalx("imsg_read");
 		if (n == 0)
 			fatalx("pipe closed");
 
 		while (!done) {
-			if ((n = imsg_get(ibuf, &imsg)) == -1)
+			if ((n = imsg_get(imsgbuf, &imsg)) == -1)
 				fatalx("imsg_get error");
 			if (n == 0)
 				break;
@@ -456,7 +448,8 @@ ecdsae_send_enc_imsg(const unsigned char *dgst, int dgst_len,
 #endif
 
 			if (imsg.hdr.type != IMSG_CRYPTO_ECDSA_SIGN &&
-			    crypto_dispatch_server(ibuf->fd, p, &imsg) == 0) {
+			    crypto_dispatch_server(imsgbuf->fd, p, &imsg)
+			    == 0) {
 				/* Message was handled by the callback */
 				imsg_free(&imsg);
 				continue;
@@ -469,16 +462,13 @@ ecdsae_send_enc_imsg(const unsigned char *dgst, int dgst_len,
 				    imsg.hdr.type, imsg.hdr.peerid,
 				    "crypto", imsg.hdr.pid);
 
-			data = imsg.data;
+			if (imsg_get_ibuf(&imsg, &ibuf) == -1 ||
-			datalen = IMSG_DATA_SIZE(&imsg);
+			    ibuf_get(&ibuf, &res, sizeof(res)) == -1 ||
-			if (datalen < sizeof(res))
+			    ibuf_size(&ibuf) != res.len)
 				fatalx("size mismatch for imsg %d",
 				    imsg.hdr.type);
-			memcpy(&res, data, sizeof(res));
+
-			if (datalen != sizeof(res) + res.len)
+			toptr = ibuf_data(&ibuf);
-				fatalx("size mismatch for imsg %d",
-				    imsg.hdr.type);
-			toptr = data + sizeof(res);
 
 			if (res.id != reqid)
 				fatalx("invalid response id");

gg.1

@@ -20,7 +20,7 @@
 .Sh SYNOPSIS
 .Nm
 .Bk -words
-.Op Fl 23Nn
+.Op Fl 23Nnq
 .Op Fl C Ar cert
 .Op Fl d Ar mode
 .Op Fl H Ar sni
@@ -82,6 +82,8 @@ and
 to do the request instead of the ones extracted by the IRI.
 .Ar port
 is by default 1965.
+.It Fl q
+Don't print server error messages to standard error.
 .It Fl T Ar seconds
 Kill
 .Nm

gg.c

@@ -41,6 +41,7 @@ int		 flag3;
 int		 nop;
 int		 redirects = 5;
 int		 timer;
+int		 quiet;
 const char	*cert;
 const char	*key;
 const char	*proxy_host;
@@ -308,8 +309,11 @@ get(const char *r)
 		assert(t != NULL);
 		if (code < 20 || code >= 30) {
 			*t = '\0';
-			fprintf(stderr, "Server says: ");
+			if (!quiet) {
-			safeprint(stderr, buf + 3); /* skip return code */
+				fprintf(stderr, "Server says: ");
+				/* skip return code */
+				safeprint(stderr, buf + 3);
+			}
 		}
 		t += 2; /* skip \r\n */
 		len -= t - buf;
@@ -335,7 +339,7 @@ static void __attribute__((noreturn))
 usage(void)
 {
 	fprintf(stderr, "version: " GG_STRING "\n");
-	fprintf(stderr, "usage: %s [-23Nn] [-C cert] [-d mode] [-H sni] "
+	fprintf(stderr, "usage: %s [-23Nnq] [-C cert] [-d mode] [-H sni] "
 	    "[-K key] [-P host[:port]]\n",
 	    getprogname());
 	fprintf(stderr, "          [-T seconds] gemini://...\n");
@@ -385,7 +389,7 @@ main(int argc, char **argv)
 
 	setlocale(LC_CTYPE, "");
 
-	while ((ch = getopt(argc, argv, "23C:d:H:K:NP:T:")) != -1) {
+	while ((ch = getopt(argc, argv, "23C:d:H:K:nNP:qT:")) != -1) {
 		switch (ch) {
 		case '2':
 			flag2 = 1;
@@ -415,6 +419,9 @@ main(int argc, char **argv)
 			parse_proxy(optarg);
 			dont_verify_name = 1;
 			break;
+		case 'q':
+			quiet = 1;
+			break;
 		case 'T':
 			timer = strtonum(optarg, 1, 1000, &errstr);
 			if (errstr != NULL)

gmid.8

@@ -1,4 +1,4 @@
-.\" Copyright (c) 2021, 2022, 2023 Omar Polo <op@omarpolo.com>
+.\" Copyright (c) 2021, 2022, 2023, 2024 Omar Polo <op@omarpolo.com>
 .\"
 .\" Permission to use, copy, modify, and distribute this software for any
 .\" purpose with or without fee is hereby granted, provided that the above
@@ -11,7 +11,7 @@
 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd October 20, 2023
+.Dd April 27, 2024
 .Dt GMID 8
 .Os
 .Sh NAME
@@ -52,7 +52,8 @@ Overrides the definition of
 .Ar macro
 in the config file if present.
 .It Fl f
-Stays and logs on the foreground.
+Do not daemonize.
+Stay and log in the foreground.
 .It Fl h , Fl -help
 Print the usage and exit.
 .It Fl n

gmid.c

@@ -412,7 +412,7 @@ main_send_logfd(struct conf *conf)
 			goto done;
 		}
 
-		fd = open(conf->log_access, O_WRONLY|O_CREAT|O_APPEND, 0600);
+		fd = open(path, O_WRONLY|O_CREAT|O_APPEND, 0600);
 		if (fd == -1)
 			log_warn("can't open %s", conf->log_access);
 	}
@@ -526,7 +526,7 @@ main_dispatch_server(int fd, struct privsep_proc *p, struct imsg *imsg)
 	struct privsep	*ps = p->p_ps;
 	struct conf	*conf = ps->ps_env;
 
-	switch (imsg->hdr.type) {
+	switch (imsg_get_type(imsg)) {
 	case IMSG_RECONF_DONE:
 		main_configure_done(conf);
 		break;
@@ -543,7 +543,7 @@ main_dispatch_crypto(int fd, struct privsep_proc *p, struct imsg *imsg)
 	struct privsep	*ps = p->p_ps;
 	struct conf	*conf = ps->ps_env;
 
-	switch (imsg->hdr.type) {
+	switch (imsg_get_type(imsg)) {
 	case IMSG_RECONF_DONE:
 		main_configure_done(conf);
 		break;
@@ -560,7 +560,7 @@ main_dispatch_logger(int fd, struct privsep_proc *p, struct imsg *imsg)
 	struct privsep	*ps = p->p_ps;
 	struct conf	*conf = ps->ps_env;
 
-	switch (imsg->hdr.type) {
+	switch (imsg_get_type(imsg)) {
 	case IMSG_RECONF_DONE:
 		main_configure_done(conf);
 		break;
@@ -605,8 +605,8 @@ main_print_conf(struct conf *conf)
 
 	TAILQ_FOREACH(h, &conf->hosts, vhosts) {
 		printf("\nserver \"%s\" {\n", h->domain);
-		printf("	cert \"%s\"\n", h->cert);
+		printf("	cert \"%s\"\n", h->cert_path);
-		printf("	key \"%s\"\n", h->key);
+		printf("	key \"%s\"\n", h->key_path);
 		/* TODO: print locations... */
 		printf("}\n");
 	}

gmid.conf.5

@@ -11,7 +11,7 @@
 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.Dd January 11, 2024
+.Dd April 4, 2024
 .Dt GMID.CONF 5
 .Os
 .Sh NAME
@@ -384,7 +384,7 @@ The port the server is listening on.
 .Dq GEMINI
 .It Ev SERVER_SOFTWARE
 The name and version of the server, i.e.
-.Dq gmid/2.0
+.Dq gmid/2.0.2
 .It Ev REMOTE_USER
 The subject of the client certificate if provided, otherwise unset.
 .It Ev TLS_CLIENT_ISSUER

gmid.h

@@ -114,6 +114,9 @@ struct address {
 	socklen_t		 slen;
 	int16_t			 port;
 
+	/* pretty-printed version of `ss' */
+	char			 pp[NI_MAXHOST];
+
 	/* used in the server */
 	struct conf		*conf;
 	int			 sock;
@@ -412,7 +415,6 @@ void		 mark_nonblock(int);
 void		 client_write(struct bufferevent *, void *);
 int		 start_reply(struct client*, int, const char*);
 void		 client_close(struct client *);
-struct client	*client_by_id(int);
 void		 server_accept(int, short, void *);
 void		 server_init(struct privsep *, struct privsep_proc *, void *);
 int		 server_configure_done(struct conf *);

have/imsg.c

@@ -24,7 +24,8 @@ int
 main(void)
 {
 	struct imsgbuf buf;
+	struct imsg imsg;
 
 	imsg_init(&buf, -1);
-	return 0;
+	return imsg_get_fd(&imsg);
 }

have/landlock.c

@@ -19,6 +19,8 @@
 #include <sys/stat.h>
 #include <sys/syscall.h>
 
+#include <stddef.h>
+
 #ifndef landlock_create_ruleset
 static inline int
 landlock_create_ruleset(const struct landlock_ruleset_attr *attr, size_t size,

iri.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, 2022 Omar Polo <op@omarpolo.com>
+ * Copyright (c) 2020, 2022, 2024 Omar Polo <op@omarpolo.com>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -177,25 +177,47 @@ parse_port(struct parser *p)
 	return 1;
 }
 
-/* TODO: add support for ip-literal and ipv4addr ? */
 /* *( unreserved / sub-delims / pct-encoded ) */
 static int
 parse_authority(struct parser *p)
 {
-	p->parsed->host = p->iri;
+	struct addrinfo	 hints, *ai;
+	char		*end;
+	int		 err;
 
-	while (unreserved(*p->iri)
+	if (*p->iri == '[') {
-	    || sub_delimiters(*p->iri)
-	    || parse_pct_encoded(p)
-	    || valid_multibyte_utf8(p)) {
-		/* normalize the host name. */
-		if (*p->iri < 0x7F)
-			*p->iri = tolower(*p->iri);
 		p->iri++;
-	}
+		p->parsed->host = p->iri;
+		if ((end = strchr(p->iri, ']')) == NULL) {
+			p->err = "invalid IPv6 address";
+			return 0;
+		}
+		*end++ = '\0';
+		p->iri = end;
 
-	if (p->err != NULL)
+		memset(&hints, 0, sizeof(hints));
-		return 0;
+		hints.ai_flags = AI_NUMERICHOST;
+		err = getaddrinfo(p->parsed->host, NULL, &hints, &ai);
+		if (err != 0) {
+			p->err = "invalid IPv6 address";
+			return 0;
+		}
+		freeaddrinfo(ai);
+	} else {
+		p->parsed->host = p->iri;
+		while (unreserved(*p->iri)
+		    || sub_delimiters(*p->iri)
+		    || parse_pct_encoded(p)
+		    || valid_multibyte_utf8(p)) {
+			/* normalize the host name. */
+			if (*p->iri < 0x7F)
+				*p->iri = tolower(*p->iri);
+			p->iri++;
+		}
+
+		if (p->err != NULL)
+			return 0;
+	}
 
 	if (*p->iri == ':') {
 		*p->iri = '\0';

logger.c

@@ -79,24 +79,20 @@ logger_shutdown(void)
 static int
 logger_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
 {
-	switch (imsg->hdr.type) {
+	switch (imsg_get_type(imsg)) {
 	case IMSG_LOG_FACILITY:
-		if (IMSG_DATA_SIZE(imsg) != sizeof(facility))
+		if (imsg_get_data(imsg, &facility, sizeof(facility)) == -1)
 			fatal("corrupted IMSG_LOG_SYSLOG");
-		memcpy(&facility, imsg->data, sizeof(facility));
 		break;
 	case IMSG_LOG_SYSLOG:
-		if (IMSG_DATA_SIZE(imsg) != sizeof(log_to_syslog))
+		if (imsg_get_data(imsg, &log_to_syslog,
+		    sizeof(log_to_syslog)) == -1)
 			fatal("corrupted IMSG_LOG_SYSLOG");
-		memcpy(&log_to_syslog, imsg->data, sizeof(log_to_syslog));
 		break;
 	case IMSG_LOG_ACCESS:
 		if (logfd != -1)
 			close(logfd);
-		logfd = -1;
+		logfd = imsg_get_fd(imsg);
-
-		if (imsg->fd != -1)
-			logfd = imsg->fd;
 		break;
 	default:
 		return -1;
@@ -109,14 +105,15 @@ static int
 logger_dispatch_server(int fd, struct privsep_proc *p, struct imsg *imsg)
 {
 	char *msg;
-	size_t datalen;
+	size_t datalen = 0;
+	struct ibuf ibuf;
 
-	switch (imsg->hdr.type) {
+	switch (imsg_get_type(imsg)) {
 	case IMSG_LOG_REQUEST:
-		msg = imsg->data;
+		if (imsg_get_ibuf(imsg, &ibuf) == -1 ||
-		datalen = IMSG_DATA_SIZE(imsg);
+		    (datalen = ibuf_size(&ibuf)) == 0)
-		if (datalen == 0)
 			fatal("got invalid IMSG_LOG_REQUEST");
+		msg = ibuf_data(&ibuf);
 		msg[datalen - 1] = '\0';
 		if (logfd != -1)
 			dprintf(logfd, "%s\n", msg);

parse.y

@@ -1,7 +1,7 @@
 %{
 
 /*
- * Copyright (c) 2021, 2022, 2023 Omar Polo <op@omarpolo.com>
+ * Copyright (c) 2021-2024 Omar Polo <op@omarpolo.com>
  * Copyright (c) 2018 Florian Obser <florian@openbsd.org>
  * Copyright (c) 2004, 2005 Esben Norby <norby@openbsd.org>
  * Copyright (c) 2004 Ryan McBride <mcbride@openbsd.org>
@@ -46,7 +46,7 @@ static struct file {
 	TAILQ_ENTRY(file)	 entry;
 	FILE			*stream;
 	char			*name;
-	size_t	 		 ungetpos;
+	size_t			 ungetpos;
 	size_t			 ungetsize;
 	u_char			*ungetbuf;
 	int			 eof_reached;
@@ -92,11 +92,9 @@ char		*ensure_absolute_path(char*);
 int		 check_block_code(int);
 char		*check_block_fmt(char*);
 int		 check_strip_no(int);
-int		 check_port_num(int);
 int		 check_prefork_num(int);
 void		 advance_loc(void);
 void		 advance_proxy(void);
-void		 parsehp(char *, char **, const char **, const char *);
 int		 fastcgi_conf(const char *, const char *);
 void		 add_param(char *, char *);
 int		 getservice(const char *);
@@ -125,12 +123,12 @@ typedef struct {
 
 %token	ACCESS ALIAS AUTO
 %token	BLOCK
-%token	CA CERT CHROOT CLIENT COMBINED COMMON CONDENSED
+%token	CA CERT CHROOT CLIENT
 %token	DEFAULT
 %token	FACILITY FASTCGI FOR_HOST
 %token	INCLUDE INDEX IPV6
 %token	KEY
-%token	LANG LEGACY LISTEN LOCATION LOG
+%token	LANG LISTEN LOCATION LOG
 %token	OCSP OFF ON
 %token	PARAM PORT PREFORK PROTO PROTOCOLS PROXY
 %token	RELAY_TO REQUIRE RETURN ROOT
@@ -150,13 +148,12 @@ typedef struct {
 %%
 
 conf		: /* empty */
-		| conf include '\n'
+		| conf include nl
-		| conf '\n'
+		| conf varset nl
-		| conf varset '\n'
+		| conf option nl
-		| conf option '\n'
+		| conf vhost nl
-		| conf vhost '\n'
+		| conf types nl
-		| conf types '\n'
+		| conf error nl		{ file->errors++; }
-		| conf error '\n'		{ file->errors++; }
 		;
 
 include		: INCLUDE STRING		{
@@ -265,17 +262,18 @@ logopt		: ACCESS string		{
 			free(conf->log_access);
 			conf->log_access = $2;
 		}
-		| STYLE COMMON		{
+		| STYLE string {
-			conf->log_format = LOG_FORMAT_COMMON;
+			if (!strcmp("combined", $2))
-		}
+				conf->log_format = LOG_FORMAT_COMBINED;
-		| STYLE COMBINED	{
+			else if (!strcmp("common", $2))
-			conf->log_format = LOG_FORMAT_COMBINED;
+				conf->log_format = LOG_FORMAT_COMMON;
-		}
+			else if (!strcmp("condensed", $2))
-		| STYLE CONDENSED	{
+				conf->log_format = LOG_FORMAT_CONDENSED;
-			conf->log_format = LOG_FORMAT_CONDENSED;
+			else if (!strcmp("legacy", $2))
-		}
+				conf->log_format = LOG_FORMAT_LEGACY;
-		| STYLE LEGACY		{
+			else
-			conf->log_format = LOG_FORMAT_LEGACY;
+				yyerror("unknown log style: %s", $2);
+			free($2);
 		}
 		| SYSLOG FACILITY string {
 			const char *str = $3;
@@ -617,7 +615,7 @@ mediaopts_l	: mediaopts_l mediaoptsl nl
 mediaoptsl	: STRING {
 			free(current_media);
 			current_media = $1;
-		} medianames_l optsemicolon
+		} medianames_l
 		| include
 		;
 
@@ -633,17 +631,13 @@ medianamesl	: numberstring {
 		;
 
 nl		: '\n' optnl
+		| ';' optnl
 		;
 
-optnl		: '\n' optnl		/* zero or more newlines */
+optnl		: nl
-		| ';' optnl		/* semicolons too */
 		| /*empty*/
 		;
 
-optsemicolon	: ';'
-		|
-		;
-
 %%
 
 static const struct keyword {
@@ -659,9 +653,6 @@ static const struct keyword {
 	{"cert", CERT},
 	{"chroot", CHROOT},
 	{"client", CLIENT},
-	{"combined", COMBINED},
-	{"common", COMMON},
-	{"condensed", CONDENSED},
 	{"default", DEFAULT},
 	{"facility", FACILITY},
 	{"fastcgi", FASTCGI},
@@ -671,7 +662,6 @@ static const struct keyword {
 	{"ipv6", IPV6},
 	{"key", KEY},
 	{"lang", LANG},
-	{"legacy", LEGACY},
 	{"listen", LISTEN},
 	{"location", LOCATION},
 	{"log", LOG},
@@ -1211,16 +1201,6 @@ check_strip_no(int n)
 	return n;
 }
 
-int
-check_port_num(int n)
-{
-	if (n <= 0 || n >= UINT16_MAX)
-		yyerror("port number is %s: %d",
-		    n <= 0 ? "too small" : "too large",
-		    n);
-	return n;
-}
-
 int
 check_prefork_num(int n)
 {
@@ -1243,25 +1223,6 @@ advance_proxy(void)
 	TAILQ_INSERT_TAIL(&host->proxies, proxy, proxies);
 }
 
-void
-parsehp(char *str, char **host, const char **port, const char *def)
-{
-	char		*at;
-	const char	*errstr;
-
-	*host = str;
-
-	if ((at = strchr(str, ':')) != NULL) {
-		*at++ = '\0';
-		*port = at;
-	} else
-		*port = def;
-
-	strtonum(*port, 1, UINT16_MAX, &errstr);
-	if (errstr != NULL)
-		yyerror("port is %s: %s", errstr, *port);
-}
-
 int
 fastcgi_conf(const char *path, const char *port)
 {
@@ -1319,7 +1280,7 @@ getservice(const char *n)
 }
 
 static void
-add_to_addr_queue(struct addrhead *a, struct addrinfo *ai)
+add_to_addr_queue(struct addrhead *a, struct addrinfo *ai, const char *pp)
 {
 	struct address		*addr;
 	struct sockaddr_in	*sin;
@@ -1345,6 +1306,7 @@ add_to_addr_queue(struct addrhead *a, struct addrinfo *ai)
 	addr->ai_protocol = ai->ai_protocol;
 	addr->slen = ai->ai_addrlen;
 	memcpy(&addr->ss, ai->ai_addr, ai->ai_addrlen);
+	strlcpy(addr->pp, pp, sizeof(addr->pp));
 
 	/* for commodity */
 	switch (addr->ai_family) {
@@ -1369,6 +1331,7 @@ void
 listen_on(const char *hostname, const char *servname)
 {
 	struct addrinfo hints, *res, *res0;
+	char pp[NI_MAXHOST];
 	int error;
 
 	memset(&hints, 0, sizeof(hints));
@@ -1383,8 +1346,14 @@ listen_on(const char *hostname, const char *servname)
 	}
 
 	for (res = res0; res; res = res->ai_next) {
-		add_to_addr_queue(&host->addrs, res);
+		if (getnameinfo(res->ai_addr, res->ai_addrlen, pp, sizeof(pp),
-		add_to_addr_queue(&conf->addrs, res);
+		    NULL, 0, NI_NUMERICHOST) == -1) {
+			yyerror("getnameinfo failed: %s", strerror(errno));
+			break;
+		}
+
+		add_to_addr_queue(&host->addrs, res, pp);
+		add_to_addr_queue(&conf->addrs, res, pp);
 	}
 
 	freeaddrinfo(res0);

proc.c

@@ -671,9 +671,9 @@ proc_dispatch(int fd, short event, void *arg)
 		 */
 		switch (imsg.hdr.type) {
 		case IMSG_CTL_PROCFD:
-			IMSG_SIZE_CHECK(&imsg, &pf);
+			if (imsg_get_data(&imsg, &pf, sizeof(pf)))
-			memcpy(&pf, imsg.data, sizeof(pf));
+				fatalx("bad length imsg CTL_PROCFD");
-			proc_accept(ps, imsg.fd, pf.pf_procid,
+			proc_accept(ps, imsg_get_fd(&imsg), pf.pf_procid,
 			    pf.pf_instance);
 			break;
 		default:
@@ -799,14 +799,6 @@ proc_composev(struct privsep *ps, enum privsep_procid id,
 	return (proc_composev_imsg(ps, id, -1, type, -1, -1, iov, iovcnt));
 }
 
-int
-proc_forward_imsg(struct privsep *ps, struct imsg *imsg,
-    enum privsep_procid id, int n)
-{
-	return (proc_compose_imsg(ps, id, n, imsg->hdr.type,
-	    imsg->hdr.peerid, imsg->fd, imsg->data, IMSG_DATA_SIZE(imsg)));
-}
-
 struct imsgbuf *
 proc_ibuf(struct privsep *ps, enum privsep_procid id, int n)
 {

proc.h

@@ -114,8 +114,6 @@ int	 proc_composev_imsg(struct privsep *, enum privsep_procid, int,
 	    uint16_t, uint32_t, int, const struct iovec *, int);
 int	 proc_composev(struct privsep *, enum privsep_procid,
 	    uint16_t, const struct iovec *, int);
-int	 proc_forward_imsg(struct privsep *, struct imsg *,
-	    enum privsep_procid, int);
 struct imsgbuf *
 	 proc_ibuf(struct privsep *, enum privsep_procid, int);
 struct imsgev *

proxy.c

@@ -22,7 +22,7 @@
 
 #include "log.h"
 
-#define MIN(a, b)	((a) < (b) ? (a) : (b))
+#define MINIMUM(a, b)	((a) < (b) ? (a) : (b))
 
 static const struct timeval handshake_timeout = { 5, 0 };
 
@@ -50,7 +50,7 @@ proxy_tls_readcb(int fd, short event, void *d)
 	}
 
 	if (bufev->wm_read.high != 0)
-		howmuch = MIN(sizeof(buf), bufev->wm_read.high);
+		howmuch = MINIMUM(sizeof(buf), bufev->wm_read.high);
 
 	switch (ret = tls_read(c->proxyctx, buf, howmuch)) {
 	case TLS_WANT_POLLIN:

regress/Makefile

@@ -7,6 +7,9 @@ GENCERT_FLAGS=
 # host to bind to during regress
 REGRESS_HOST =	localhost
 
+# set to no if don't have IPv6 working (need to listen on ::1)
+HAVE_IPV6 =	yes
+
 DISTFILES =	Makefile \
 		env \
 		err \
@@ -39,7 +42,7 @@ IRI_OBJS =	${IRI_SRCS:.c=.o} ${REG_COMPATS}
 .PHONY: all data clean dist
 
 all: data puny-test iri_test fcgi-test
-	env REGRESS_HOST="${REGRESS_HOST}" ./regress ${TESTS}
+	env HAVE_IPV6="${HAVE_IPV6}" REGRESS_HOST="${REGRESS_HOST}" ./regress ${TESTS}
 
 data: testdata localhost.pem testca.pem valid.crt invalid.pem
 

regress/iri_test.c

@@ -162,6 +162,14 @@ main(void)
 	    PASS,
 	    IRI("gemini", "naïve.omarpolo.com", "", "", "", ""),
 	    "Can percent decode hostnames");
+	TEST("gemini://100.64.3.27/",
+	    PASS,
+	    IRI("gemini", "100.64.3.27", "", "", "", ""),
+	    "Accepts IPv4 addresses");
+	TEST("gemini://[::1]/",
+	    PASS,
+	    IRI("gemini", "::1", "", "", "", ""),
+	    "Accepts IPv6 addresses");
 
 	/* path */
 	TEST("gemini://omarpolo.com/foo/bar/baz",

regress/lib.sh

@@ -6,9 +6,12 @@ gemexp="./../gemexp"
 gg="./../gg"
 gmid="./../gmid"
 current_test=
+server_name=
+gghost=
 
 run_test() {
 	ggflags=
+	host="$REGRESS_HOST"
 	port=10965
 	config_common="log syslog off"
 	hdr=
@@ -18,9 +21,15 @@ run_test() {
 	ran_no=$((ran_no + 1))
 
 	current_test=$1
+	server_name=localhost
+	gghost=localhost
+
 	rm -f reg.conf
 
-	if ! $1; then
+	if [ "$2" = "need_ipv6" -a "$HAVE_IPV6" != "yes" ]; then
+		echo "$1 skipped (needs HAVE_IPV6='yes')"
+		return
+	elif ! $1; then
 		echo "$1 failed"
 		failed="$failed $1"
 		failed_no=$((failed_no + 1))
@@ -58,11 +67,11 @@ gen_config() {
 	cat <<EOF > reg.conf
 $config_common
 $1
-server "localhost" {
+server "$server_name" {
 	cert "$PWD/localhost.pem"
 	key  "$PWD/localhost.key"
 	root "$PWD/testdata"
-	listen on $REGRESS_HOST port $port
+	listen on $host port $port
 	$2
 }
 EOF
@@ -77,7 +86,7 @@ set_proxy() {
 server "localhost.local" {
 	cert "$PWD/localhost.pem"
 	key "$PWD/localhost.key"
-	listen on $REGRESS_HOST port $port
+	listen on $host port $port
 	proxy {
 		relay-to localhost port $port
 		$1
@@ -108,13 +117,13 @@ setup_simple_test() {
 # usage: get <path>
 # return the body of the request on stdout
 get() {
-	$gg -T10 $ggflags "gemini://localhost:10965/$1" || true
+	$gg -q -T10 $ggflags "gemini://$gghost:10965/$1" || true
 }
 
 # usage: head <path>
 # return the meta response line on stdout
 head() {
-	$gg -T10 -d header $ggflags "gemini://localhost:10965/$1" || true
+	$gg -q -T10 -d header $ggflags "gemini://$gghost:10965/$1" || true
 }
 
 # usage: fetch <path>

regress/regress

@@ -20,6 +20,9 @@ fi
 run_test test_punycode
 run_test test_iri
 
+# Run configuration dumping test.
+run_test test_dump_config
+
 if [ "${SKIP_RUNTIME_TESTS:-0}" -eq 1 ]; then
 	echo
 	echo "======================"
@@ -59,6 +62,9 @@ run_test test_proxy_with_certs
 # run_test test_unknown_host	# XXX: breaks on some distro
 run_test test_include_mime
 run_test test_log_file
+run_test test_ipv4_addr
+run_test test_ipv6_addr need_ipv6
+run_test test_ipv6_server need_ipv6
 
 # TODO: add test that uses only a TLSv1.2 or TLSv1.3
 # TODO: add a test that attempt to serve a non-regular file

regress/tests.sh

@@ -8,6 +8,34 @@ test_iri() {
 	./iri_test
 }
 
+test_dump_config() {
+	dont_check_server_alive=yes
+	gen_config '' ''
+
+        exp="$(mktemp)"
+	got="$(mktemp)"
+	cat <<EOF >$exp
+prefork 3
+
+server "localhost" {
+	cert "$PWD/localhost.pem"
+	key "$PWD/localhost.key"
+}
+EOF
+
+	$gmid -nn -c reg.conf > $got 2>/dev/null
+
+	ret=0
+	if ! cmp -s "$exp" "$got"; then
+    		echo "config differs!" >&2
+    		diff -u "$exp" "$got" >&2
+    		ret=1
+	fi
+
+	rm "$exp" "$got"
+	return $ret
+}
+
 test_gemexp() {
 	dont_check_server_alive=yes
 
@@ -287,13 +315,15 @@ test_fastcgi_deprecated_syntax() {
 test_macro_expansion() {
 	cat <<EOF > reg.conf
 pwd = "$PWD"
+common = "lang it; auto index on"
 
 server "localhost" {
 	# the quoting of \$ is for sh
 	cert \$pwd "/localhost.pem"
 	key  \$pwd "/localhost.key"
 	root \$pwd "/testdata"
-	listen on $REGRESS_HOST port $port
+	listen on $host port $port
+	@common
 }
 EOF
 
@@ -305,7 +335,7 @@ EOF
 	run
 
 	fetch /
-	check_reply "20 text/gemini" "# hello world"
+	check_reply "20 text/gemini;lang=it" "# hello world"
 }
 
 test_proxy_relay_to() {
@@ -400,3 +430,36 @@ log style legacy'
 	rm -f log log.edited
 	return 0
 }
+
+test_ipv4_addr() {
+	server_name="*"
+	host="127.0.0.1"
+	gghost=127.0.0.1
+	ggflags=-N
+	setup_simple_test
+
+	fetch /
+	check_reply "20 text/gemini" "# hello world" || return 1
+}
+
+test_ipv6_addr() {
+	server_name="*"
+	host="::1"
+	gghost="[::1]"
+	ggflags=-N
+	setup_simple_test
+
+	fetch /
+	check_reply "20 text/gemini" "# hello world" || return 1
+}
+
+test_ipv6_server() {
+	server_name="::1"
+	host="::1"
+	gghost="[::1]"
+	ggflags=-N
+	setup_simple_test
+
+	fetch /
+	check_reply "20 text/gemini" "# hello world" || return 1
+}

server.c

@@ -31,7 +31,7 @@
 #include "log.h"
 #include "proc.h"
 
-#define MIN(a, b)	((a) < (b) ? (a) : (b))
+#define MINIMUM(a, b)	((a) < (b) ? (a) : (b))
 
 #ifndef nitems
 #define nitems(_a) (sizeof((_a)) / sizeof((_a)[0]))
@@ -119,6 +119,9 @@ match_host(struct vhost *v, struct client *c)
 	if (addr == NULL)
 		return 0;
 
+	if (*c->domain == '\0')
+		strlcpy(c->domain, addr->pp, sizeof(c->domain));
+
 	if (matches(v->domain, c->domain))
 		return 1;
 
@@ -403,16 +406,19 @@ handle_handshake(int fd, short ev, void *d)
 	evbuffer_unfreeze(c->bev->output, 1);
 #endif
 
-	if ((servname = tls_conn_servername(c->ctx)) == NULL) {
+	if ((servname = tls_conn_servername(c->ctx)) == NULL)
 		log_debug("handshake: missing SNI");
-		goto err;
-	}
-
 	if (!puny_decode(servname, c->domain, sizeof(c->domain), &parse_err)) {
 		log_info("puny_decode: %s", parse_err);
-		goto err;
+		start_reply(c, BAD_REQUEST, "Wrong/malformed host");
+		return;
 	}
 
+	/*
+	 * match_addr will serialize the (matching) address if c->domain
+	 * is empty, so that we can support requests for raw IPv6 address
+	 * that can't have a SNI.
+	 */
 	TAILQ_FOREACH(h, &conf->hosts, vhosts)
 		if (match_host(h, c))
 			break;
@@ -428,8 +434,7 @@ handle_handshake(int fd, short ev, void *d)
 		return;
 	}
 
-err:
+	start_reply(c, BAD_REQUEST, "Wrong/malformed host");
-	start_reply(c, BAD_REQUEST, "Wrong/malformed host or missing SNI");
 }
 
 static void
@@ -853,7 +858,7 @@ client_tls_readcb(int fd, short event, void *d)
 	}
 
 	if (bufev->wm_read.high != 0)
-		howmuch = MIN(sizeof(buf), bufev->wm_read.high);
+		howmuch = MINIMUM(sizeof(buf), bufev->wm_read.high);
 
 	switch (ret = tls_read(client->ctx, buf, howmuch)) {
 	case TLS_WANT_POLLIN:
@@ -1329,15 +1334,6 @@ server_accept(int sock, short et, void *d)
 	connected_clients++;
 }
 
-struct client *
-client_by_id(int id)
-{
-	struct client find;
-
-	find.id = id;
-	return SPLAY_FIND(client_tree_id, &clients, &find);
-}
-
 static void
 handle_siginfo(int fd, short ev, void *d)
 {
@@ -1496,7 +1492,7 @@ server_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
 	struct privsep	*ps = p->p_ps;
 	struct conf	*conf = ps->ps_env;
 
-	switch (imsg->hdr.type) {
+	switch (imsg_get_type(imsg)) {
 	case IMSG_RECONF_START:
 	case IMSG_RECONF_LOG_FMT:
 	case IMSG_RECONF_MIME:

site/Makefile

@@ -21,7 +21,7 @@ REPOLOGY_URL =		https://repology.org/project/gmid/versions
 
 SUBST =		./subst GITHUB=https://github.com/omar-polo/gmid \
 			SITE=https://ftp.omarpolo.com \
-			VERS=2.0 \
+			VERS=2.0.2 \
 			PUBKEY=gmid-2.0.pub \
 			TREE=https://github.com/omar-polo/gmid/blob/master
 

site/changelog.gmi

@@ -1,5 +1,19 @@
 # change log
 
+## 2024/04/04 - 2.0.2 “Lady Stardust” bugfix release
+
+- fix `log access path' with `chroot' enabled.
+- fix config dumping (-nn).
+- rework grammar to allow semicolons after top-level statements.
+- don't make the log styles reserved keywords.
+- contrib/vim: fixed indent, from Anna “CyberTailor”, thanks!
+
+## 2024/01/24 - 2.0.1 “Lady Stardust” bugfix release
+
+* convert gmid to the new imsg API
+* update bundled imsg
+* configure: fix --mandir handling; from Anna “CyberTailor”, thanks!
+
 ## 2024/01/11 - 2.0 “Lady Stardust”
 
 ### New Features
@@ -33,6 +47,7 @@
 
 ### Breaking Changes
 
+* removed CGI support
 * gg now warns when the server doesn't use TLS' close_notify
 * deprecated the global `ipv6' and `port' settings in favour of the per-server `listen on` directive
 * removed the already deprecated config options `mime' and `map'

site/index.gmi

@@ -46,7 +46,7 @@ $ sudo make install # eventually
 A SHA256 file is available.  However, it only checks for accidental corruption.  You can use signify (gmid-VERS.sha256.sig) and the public key PUBKEY to cryptographically verify the downloaded tarball.  The signify public key for the previous and the next release is included in the tarball.
 
 => SITE/gmid-VERS.sha256	gmid-VERS.sha256
-=> SITE/gmid-VERS.sha25.sig	gmid-VERS.sha256.sig
+=> SITE/gmid-VERS.sha256.sig	gmid-VERS.sha256.sig
 
 To verify the signatures with signify(1):