RubyGems - rugged - Versions diffs - 0.25.1.1 → 0.26.0b1 - Mend

rugged 0.25.1.1 → 0.26.0b1

Files changed (108) hide show

checksums.yaml +4 -4
data/lib/rugged/version.rb +1 -1
data/vendor/libgit2/include/git2/common.h +10 -0
data/vendor/libgit2/include/git2/merge.h +2 -1
data/vendor/libgit2/include/git2/oid.h +4 -5
data/vendor/libgit2/include/git2/submodule.h +2 -11
data/vendor/libgit2/include/git2/sys/repository.h +29 -0
data/vendor/libgit2/include/git2/tree.h +13 -0
data/vendor/libgit2/src/apply.c +2 -2
data/vendor/libgit2/src/attr_file.c +5 -5
data/vendor/libgit2/src/attrcache.c +9 -7
data/vendor/libgit2/src/blob.c +3 -3
data/vendor/libgit2/src/branch.c +10 -10
data/vendor/libgit2/src/buffer.c +4 -4
data/vendor/libgit2/src/cache.c +1 -1
data/vendor/libgit2/src/checkout.c +29 -25
data/vendor/libgit2/src/cherrypick.c +2 -2
data/vendor/libgit2/src/commit.c +2 -2
data/vendor/libgit2/src/commit_list.c +2 -2
data/vendor/libgit2/src/common.h +1 -1
data/vendor/libgit2/src/config.c +12 -12
data/vendor/libgit2/src/config_file.c +9 -9
data/vendor/libgit2/src/crlf.c +1 -1
data/vendor/libgit2/src/delta.c +4 -4
data/vendor/libgit2/src/describe.c +11 -11
data/vendor/libgit2/src/diff_driver.c +1 -1
data/vendor/libgit2/src/diff_file.c +1 -1
data/vendor/libgit2/src/diff_generate.c +2 -2
data/vendor/libgit2/src/diff_print.c +5 -5
data/vendor/libgit2/src/diff_tform.c +1 -1
data/vendor/libgit2/src/diff_xdiff.c +2 -2
data/vendor/libgit2/src/fetch.c +1 -1
data/vendor/libgit2/src/fetchhead.c +8 -8
data/vendor/libgit2/src/filebuf.c +9 -9
data/vendor/libgit2/src/fileops.c +27 -27
data/vendor/libgit2/src/filter.c +4 -4
data/vendor/libgit2/src/hashsig.c +2 -2
data/vendor/libgit2/src/ignore.c +4 -4
data/vendor/libgit2/src/index.c +15 -15
data/vendor/libgit2/src/indexer.c +39 -6
data/vendor/libgit2/src/integer.h +6 -6
data/vendor/libgit2/src/merge.c +12 -12
data/vendor/libgit2/src/merge_file.c +1 -1
data/vendor/libgit2/src/mwindow.c +1 -1
data/vendor/libgit2/src/netops.c +4 -4
data/vendor/libgit2/src/notes.c +3 -3
data/vendor/libgit2/src/object.c +5 -5
data/vendor/libgit2/src/odb.c +12 -12
data/vendor/libgit2/src/odb_loose.c +6 -6
data/vendor/libgit2/src/oid.c +5 -5
data/vendor/libgit2/src/openssl_stream.c +3 -3
data/vendor/libgit2/src/pack-objects.c +6 -6
data/vendor/libgit2/src/pack.c +19 -10
data/vendor/libgit2/src/pack.h +1 -0
data/vendor/libgit2/src/patch_generate.c +5 -3
data/vendor/libgit2/src/path.c +15 -15
data/vendor/libgit2/src/pathspec.c +2 -2
data/vendor/libgit2/src/posix.c +1 -1
data/vendor/libgit2/src/push.c +6 -6
data/vendor/libgit2/src/rebase.c +12 -12
data/vendor/libgit2/src/refdb.c +1 -1
data/vendor/libgit2/src/refdb_fs.c +12 -12
data/vendor/libgit2/src/reflog.c +2 -2
data/vendor/libgit2/src/refs.c +34 -17
data/vendor/libgit2/src/refs.h +3 -0
data/vendor/libgit2/src/remote.c +3 -3
data/vendor/libgit2/src/repository.c +46 -13
data/vendor/libgit2/src/repository.h +2 -1
data/vendor/libgit2/src/reset.c +1 -1
data/vendor/libgit2/src/revert.c +2 -2
data/vendor/libgit2/src/revparse.c +5 -5
data/vendor/libgit2/src/revwalk.c +3 -3
data/vendor/libgit2/src/settings.c +6 -1
data/vendor/libgit2/src/sha1_lookup.c +1 -1
data/vendor/libgit2/src/signature.c +1 -1
data/vendor/libgit2/src/socket_stream.c +5 -5
data/vendor/libgit2/src/sortedcache.c +5 -5
data/vendor/libgit2/src/stash.c +6 -6
data/vendor/libgit2/src/status.c +4 -4
data/vendor/libgit2/src/submodule.c +159 -110
data/vendor/libgit2/src/submodule.h +3 -0
data/vendor/libgit2/src/sysdir.c +2 -2
data/vendor/libgit2/src/tag.c +14 -14
data/vendor/libgit2/src/trace.c +1 -1
data/vendor/libgit2/src/transport.c +1 -1
data/vendor/libgit2/src/transports/auth_negotiate.c +4 -4
data/vendor/libgit2/src/transports/cred.c +1 -1
data/vendor/libgit2/src/transports/git.c +3 -3
data/vendor/libgit2/src/transports/http.c +6 -6
data/vendor/libgit2/src/transports/local.c +2 -2
data/vendor/libgit2/src/transports/smart.c +5 -5
data/vendor/libgit2/src/transports/smart_pkt.c +4 -4
data/vendor/libgit2/src/transports/smart_protocol.c +1 -1
data/vendor/libgit2/src/transports/ssh.c +9 -9
data/vendor/libgit2/src/transports/winhttp.c +155 -118
data/vendor/libgit2/src/tree-cache.c +2 -2
data/vendor/libgit2/src/tree.c +35 -20
data/vendor/libgit2/src/unix/map.c +1 -1
data/vendor/libgit2/src/util.c +3 -3
data/vendor/libgit2/src/vector.c +3 -0
data/vendor/libgit2/src/win32/dir.c +3 -3
data/vendor/libgit2/src/win32/findfile.c +1 -1
data/vendor/libgit2/src/win32/map.c +6 -6
data/vendor/libgit2/src/win32/w32_crtdbg_stacktrace.c +2 -2
data/vendor/libgit2/src/win32/w32_util.c +1 -1
data/vendor/libgit2/src/win32/w32_util.h +1 -1
data/vendor/libgit2/src/zstream.c +1 -1
metadata +4 -4

data/vendor/libgit2/src/transports/winhttp.c CHANGED Viewed

@@ -68,7 +68,8 @@ static const IID IID_IInternetSecurityManager_mingw =
 typedef enum {
 	GIT_WINHTTP_AUTH_BASIC = 1,
-	GIT_WINHTTP_AUTH_NEGOTIATE = 2,
+	GIT_WINHTTP_AUTH_NTLM = 2,
+	GIT_WINHTTP_AUTH_NEGOTIATE = 4,
 } winhttp_authmechanism_t;
 typedef struct {
@@ -95,79 +96,66 @@ typedef struct {
 	git_cred *cred;
 	git_cred *url_cred;
 	git_cred *proxy_cred;
-	int auth_mechanism;
+	int auth_mechanisms;
 	HINTERNET session;
 	HINTERNET connection;
 } winhttp_subtransport;
-static int apply_basic_credential_proxy(HINTERNET request, git_cred *cred)
+static int _apply_userpass_credential(HINTERNET request, DWORD target, DWORD scheme, git_cred *cred)
 {
 	git_cred_userpass_plaintext *c = (git_cred_userpass_plaintext *)cred;
 	wchar_t *user, *pass;
-	int error;
+	int user_len = 0, pass_len = 0, error = 0;
-	if ((error = git__utf8_to_16_alloc(&user, c->username)) < 0)
-		return error;
+	if ((error = user_len = git__utf8_to_16_alloc(&user, c->username)) < 0)
+		goto done;
-	if ((error = git__utf8_to_16_alloc(&pass, c->password)) < 0)
-		return error;
+	if ((error = pass_len = git__utf8_to_16_alloc(&pass, c->password)) < 0)
+		goto done;
-	if (!WinHttpSetCredentials(request, WINHTTP_AUTH_TARGET_PROXY, WINHTTP_AUTH_SCHEME_BASIC,
-	                           user, pass, NULL)) {
-		giterr_set(GITERR_OS, "failed to set proxy auth");
+	if (!WinHttpSetCredentials(request, target, scheme, user, pass, NULL)) {
+		giterr_set(GITERR_OS, "failed to set credentials");
 		error = -1;
 	}
+done:
+	if (user_len > 0)
+		git__memzero(user, user_len * sizeof(wchar_t));
+	if (pass_len > 0)
+		git__memzero(pass, pass_len * sizeof(wchar_t));
 	git__free(user);
 	git__free(pass);
 	return error;
 }
-static int apply_basic_credential(HINTERNET request, git_cred *cred)
+static int apply_userpass_credential_proxy(HINTERNET request, git_cred *cred)
 {
-	git_cred_userpass_plaintext *c = (git_cred_userpass_plaintext *)cred;
-	git_buf buf = GIT_BUF_INIT, raw = GIT_BUF_INIT;
-	wchar_t *wide = NULL;
-	int error = -1, wide_len;
-	git_buf_printf(&raw, "%s:%s", c->username, c->password);
-	if (git_buf_oom(&raw) ||
-		git_buf_puts(&buf, "Authorization: Basic ") < 0 ||
-		git_buf_encode_base64(&buf, git_buf_cstr(&raw), raw.size) < 0)
-		goto on_error;
+	return _apply_userpass_credential(request, WINHTTP_AUTH_TARGET_PROXY,
+		WINHTTP_AUTH_SCHEME_BASIC, cred);
+}
-	if ((wide_len = git__utf8_to_16_alloc(&wide, git_buf_cstr(&buf))) < 0) {
-		giterr_set(GITERR_OS, "Failed to convert string to wide form");
-		goto on_error;
-	}
+static int apply_userpass_credential(HINTERNET request, int mechanisms, git_cred *cred)
+{
+	DWORD native_scheme;
-	if (!WinHttpAddRequestHeaders(request, wide, (ULONG) -1L, WINHTTP_ADDREQ_FLAG_ADD)) {
-		giterr_set(GITERR_OS, "Failed to add a header to the request");
-		goto on_error;
+	if ((mechanisms & GIT_WINHTTP_AUTH_NTLM) ||
+		(mechanisms & GIT_WINHTTP_AUTH_NEGOTIATE)) {
+		native_scheme = WINHTTP_AUTH_SCHEME_NTLM;
+	} else if (mechanisms & GIT_WINHTTP_AUTH_BASIC) {
+		native_scheme = WINHTTP_AUTH_SCHEME_BASIC;
+	} else {
+		giterr_set(GITERR_NET, "invalid authentication scheme");
+		return -1;
 	}
-	error = 0;
-on_error:
-	/* We were dealing with plaintext passwords, so clean up after ourselves a bit. */
-	if (wide)
-		memset(wide, 0x0, wide_len * sizeof(wchar_t));
-	if (buf.size)
-		memset(buf.ptr, 0x0, buf.size);
-	if (raw.size)
-		memset(raw.ptr, 0x0, raw.size);
-	git__free(wide);
-	git_buf_free(&buf);
-	git_buf_free(&raw);
-	return error;
+	return _apply_userpass_credential(request, WINHTTP_AUTH_TARGET_SERVER,
+		native_scheme, cred);
 }
-static int apply_default_credentials(HINTERNET request)
+static int apply_default_credentials(HINTERNET request, int mechanisms)
 {
 	/* Either the caller explicitly requested that default credentials be passed,
 	 * or our fallback credential callback was invoked and checked that the target
@@ -177,6 +165,12 @@ static int apply_default_credentials(HINTERNET request)
 	 * to Internet Explorer security zones, but in fact does not. */
 	DWORD data = WINHTTP_AUTOLOGON_SECURITY_LEVEL_LOW;
+	if ((mechanisms & GIT_WINHTTP_AUTH_NTLM) == 0 &&
+		(mechanisms & GIT_WINHTTP_AUTH_NEGOTIATE) == 0) {
+		giterr_set(GITERR_NET, "invalid authentication scheme");
+		return -1;
+	}
 	if (!WinHttpSetOption(request, WINHTTP_OPTION_AUTOLOGON_POLICY, &data, sizeof(DWORD)))
 		return -1;
@@ -202,7 +196,7 @@ static int fallback_cred_acquire_cb(
 		/* Convert URL to wide characters */
 		if (git__utf8_to_16_alloc(&wide_url, url) < 0) {
-			giterr_set(GITERR_OS, "Failed to convert string to wide form");
+			giterr_set(GITERR_OS, "failed to convert string to wide form");
 			return -1;
 		}
@@ -248,8 +242,12 @@ static int certificate_check(winhttp_stream *s, int valid)
 	git_cert_x509 cert;
 	/* If there is no override, we should fail if WinHTTP doesn't think it's fine */
-	if (t->owner->certificate_check_cb == NULL && !valid)
+	if (t->owner->certificate_check_cb == NULL && !valid) {
+		if (!giterr_last())
+			giterr_set(GITERR_NET, "unknown certificate check failure");
 		return GIT_ECERTIFICATE;
+	}
 	if (t->owner->certificate_check_cb == NULL || !t->connection_data.use_ssl)
 		return 0;
@@ -351,7 +349,7 @@ static int winhttp_stream_connect(winhttp_stream *s)
 	/* Convert URL to wide characters */
 	if (git__utf8_to_16_alloc(&s->request_uri, git_buf_cstr(&buf)) < 0) {
-		giterr_set(GITERR_OS, "Failed to convert string to wide form");
+		giterr_set(GITERR_OS, "failed to convert string to wide form");
 		goto on_error;
 	}
@@ -366,12 +364,12 @@ static int winhttp_stream_connect(winhttp_stream *s)
 			t->connection_data.use_ssl ? WINHTTP_FLAG_SECURE : 0);
 	if (!s->request) {
-		giterr_set(GITERR_OS, "Failed to open request");
+		giterr_set(GITERR_OS, "failed to open request");
 		goto on_error;
 	}
 	if (!WinHttpSetTimeouts(s->request, default_timeout, default_connect_timeout, default_timeout, default_timeout)) {
-		giterr_set(GITERR_OS, "Failed to set timeouts for WinHTTP");
+		giterr_set(GITERR_OS, "failed to set timeouts for WinHTTP");
 		goto on_error;
 	}
@@ -444,7 +442,7 @@ static int winhttp_stream_connect(winhttp_stream *s)
 			WINHTTP_OPTION_PROXY,
 			&proxy_info,
 			sizeof(WINHTTP_PROXY_INFO))) {
-			giterr_set(GITERR_OS, "Failed to set proxy");
+			giterr_set(GITERR_OS, "failed to set proxy");
 			git__free(proxy_wide);
 			goto on_error;
 		}
@@ -453,7 +451,7 @@ static int winhttp_stream_connect(winhttp_stream *s)
 		if (t->proxy_cred) {
 			if (t->proxy_cred->credtype == GIT_CREDTYPE_USERPASS_PLAINTEXT) {
-				if ((error = apply_basic_credential_proxy(s->request, t->proxy_cred)) < 0)
+				if ((error = apply_userpass_credential_proxy(s->request, t->proxy_cred)) < 0)
 					goto on_error;
 			}
 		}
@@ -467,7 +465,7 @@ static int winhttp_stream_connect(winhttp_stream *s)
 		WINHTTP_OPTION_DISABLE_FEATURE,
 		&disable_redirects,
 		sizeof(disable_redirects))) {
-			giterr_set(GITERR_OS, "Failed to disable redirects");
+			giterr_set(GITERR_OS, "failed to disable redirects");
 			goto on_error;
 	}
@@ -481,7 +479,7 @@ static int winhttp_stream_connect(winhttp_stream *s)
 	/* Send Pragma: no-cache header */
 	if (!WinHttpAddRequestHeaders(s->request, pragma_nocache, (ULONG) -1L, WINHTTP_ADDREQ_FLAG_ADD)) {
-		giterr_set(GITERR_OS, "Failed to add a header to the request");
+		giterr_set(GITERR_OS, "failed to add a header to the request");
 		goto on_error;
 	}
@@ -494,13 +492,13 @@ static int winhttp_stream_connect(winhttp_stream *s)
 			goto on_error;
 		if (git__utf8_to_16(ct, MAX_CONTENT_TYPE_LEN, git_buf_cstr(&buf)) < 0) {
-			giterr_set(GITERR_OS, "Failed to convert content-type to wide characters");
+			giterr_set(GITERR_OS, "failed to convert content-type to wide characters");
 			goto on_error;
 		}
 		if (!WinHttpAddRequestHeaders(s->request, ct, (ULONG)-1L,
 			WINHTTP_ADDREQ_FLAG_ADD | WINHTTP_ADDREQ_FLAG_REPLACE)) {
-			giterr_set(GITERR_OS, "Failed to add a header to the request");
+			giterr_set(GITERR_OS, "failed to add a header to the request");
 			goto on_error;
 		}
@@ -511,13 +509,13 @@ static int winhttp_stream_connect(winhttp_stream *s)
 			goto on_error;
 		if (git__utf8_to_16(ct, MAX_CONTENT_TYPE_LEN, git_buf_cstr(&buf)) < 0) {
-			giterr_set(GITERR_OS, "Failed to convert accept header to wide characters");
+			giterr_set(GITERR_OS, "failed to convert accept header to wide characters");
 			goto on_error;
 		}
 		if (!WinHttpAddRequestHeaders(s->request, ct, (ULONG)-1L,
 			WINHTTP_ADDREQ_FLAG_ADD | WINHTTP_ADDREQ_FLAG_REPLACE)) {
-			giterr_set(GITERR_OS, "Failed to add a header to the request");
+			giterr_set(GITERR_OS, "failed to add a header to the request");
 			goto on_error;
 		}
 	}
@@ -527,13 +525,13 @@ static int winhttp_stream_connect(winhttp_stream *s)
 			git_buf_clear(&buf);
 			git_buf_puts(&buf, t->owner->custom_headers.strings[i]);
 			if (git__utf8_to_16(ct, MAX_CONTENT_TYPE_LEN, git_buf_cstr(&buf)) < 0) {
-				giterr_set(GITERR_OS, "Failed to convert custom header to wide characters");
+				giterr_set(GITERR_OS, "failed to convert custom header to wide characters");
 				goto on_error;
 			}
 			if (!WinHttpAddRequestHeaders(s->request, ct, (ULONG)-1L,
 				WINHTTP_ADDREQ_FLAG_ADD | WINHTTP_ADDREQ_FLAG_REPLACE)) {
-				giterr_set(GITERR_OS, "Failed to add a header to the request");
+				giterr_set(GITERR_OS, "failed to add a header to the request");
 				goto on_error;
 			}
 		}
@@ -550,13 +548,11 @@ static int winhttp_stream_connect(winhttp_stream *s)
 	/* If we have a credential on the subtransport, apply it to the request */
 	if (t->cred &&
 		t->cred->credtype == GIT_CREDTYPE_USERPASS_PLAINTEXT &&
-		t->auth_mechanism == GIT_WINHTTP_AUTH_BASIC &&
-		apply_basic_credential(s->request, t->cred) < 0)
+		apply_userpass_credential(s->request, t->auth_mechanisms, t->cred) < 0)
 		goto on_error;
 	else if (t->cred &&
 		t->cred->credtype == GIT_CREDTYPE_DEFAULT &&
-		t->auth_mechanism == GIT_WINHTTP_AUTH_NEGOTIATE &&
-		apply_default_credentials(s->request) < 0)
+		apply_default_credentials(s->request, t->auth_mechanisms) < 0)
 		goto on_error;
 	/* If no other credentials have been applied and the URL has username and
@@ -565,7 +561,7 @@ static int winhttp_stream_connect(winhttp_stream *s)
 		if (!t->url_cred &&
 			git_cred_userpass_plaintext_new(&t->url_cred, t->connection_data.user, t->connection_data.pass) < 0)
 			goto on_error;
-		if (apply_basic_credential(s->request, t->url_cred) < 0)
+		if (apply_userpass_credential(s->request, GIT_WINHTTP_AUTH_BASIC, t->url_cred) < 0)
 			goto on_error;
 	}
@@ -585,30 +581,35 @@ on_error:
 static int parse_unauthorized_response(
 	HINTERNET request,
 	int *allowed_types,
-	int *auth_mechanism)
+	int *allowed_mechanisms)
 {
 	DWORD supported, first, target;
 	*allowed_types = 0;
-	*auth_mechanism = 0;
+	*allowed_mechanisms = 0;
 	/* WinHttpQueryHeaders() must be called before WinHttpQueryAuthSchemes().
 	 * We can assume this was already done, since we know we are unauthorized.
 	 */
 	if (!WinHttpQueryAuthSchemes(request, &supported, &first, &target)) {
-		giterr_set(GITERR_OS, "Failed to parse supported auth schemes");
+		giterr_set(GITERR_OS, "failed to parse supported auth schemes");
 		return -1;
 	}
-	if (WINHTTP_AUTH_SCHEME_BASIC & supported) {
+	if (WINHTTP_AUTH_SCHEME_NTLM & supported) {
 		*allowed_types |= GIT_CREDTYPE_USERPASS_PLAINTEXT;
-		*auth_mechanism = GIT_WINHTTP_AUTH_BASIC;
+		*allowed_types |= GIT_CREDTYPE_DEFAULT;
+		*allowed_mechanisms = GIT_WINHTTP_AUTH_NEGOTIATE;
 	}
-	if ((WINHTTP_AUTH_SCHEME_NTLM & supported) ||
-		(WINHTTP_AUTH_SCHEME_NEGOTIATE & supported)) {
+	if (WINHTTP_AUTH_SCHEME_NEGOTIATE & supported) {
 		*allowed_types |= GIT_CREDTYPE_DEFAULT;
-		*auth_mechanism = GIT_WINHTTP_AUTH_NEGOTIATE;
+		*allowed_mechanisms = GIT_WINHTTP_AUTH_NEGOTIATE;
+	}
+	if (WINHTTP_AUTH_SCHEME_BASIC & supported) {
+		*allowed_types |= GIT_CREDTYPE_USERPASS_PLAINTEXT;
+		*allowed_mechanisms |= GIT_WINHTTP_AUTH_BASIC;
 	}
 	return 0;
@@ -629,7 +630,7 @@ static int write_chunk(HINTERNET request, const char *buffer, size_t len)
 		git_buf_cstr(&buf),	(DWORD)git_buf_len(&buf),
 		&bytes_written)) {
 		git_buf_free(&buf);
-		giterr_set(GITERR_OS, "Failed to write chunk header");
+		giterr_set(GITERR_OS, "failed to write chunk header");
 		return -1;
 	}
@@ -639,7 +640,7 @@ static int write_chunk(HINTERNET request, const char *buffer, size_t len)
 	if (!WinHttpWriteData(request,
 		buffer, (DWORD)len,
 		&bytes_written)) {
-		giterr_set(GITERR_OS, "Failed to write chunk");
+		giterr_set(GITERR_OS, "failed to write chunk");
 		return -1;
 	}
@@ -647,7 +648,7 @@ static int write_chunk(HINTERNET request, const char *buffer, size_t len)
 	if (!WinHttpWriteData(request,
 		"\r\n", 2,
 		&bytes_written)) {
-		giterr_set(GITERR_OS, "Failed to write chunk footer");
+		giterr_set(GITERR_OS, "failed to write chunk footer");
 		return -1;
 	}
@@ -660,7 +661,7 @@ static int winhttp_close_connection(winhttp_subtransport *t)
 	if (t->connection) {
 		if (!WinHttpCloseHandle(t->connection)) {
-			giterr_set(GITERR_OS, "Unable to close connection");
+			giterr_set(GITERR_OS, "unable to close connection");
 			ret = -1;
 		}
@@ -669,7 +670,7 @@ static int winhttp_close_connection(winhttp_subtransport *t)
 	if (t->session) {
 		if (!WinHttpCloseHandle(t->session)) {
-			giterr_set(GITERR_OS, "Unable to close session");
+			giterr_set(GITERR_OS, "unable to close session");
 			ret = -1;
 		}
@@ -694,6 +695,38 @@ static int user_agent(git_buf *ua)
 	return git_buf_putc(ua, ')');
 }
+static void CALLBACK winhttp_status(
+	HINTERNET connection,
+	DWORD_PTR ctx,
+	DWORD code,
+	LPVOID info,
+	DWORD info_len)
+{
+	DWORD status;
+	if (code != WINHTTP_CALLBACK_STATUS_SECURE_FAILURE)
+		return;
+	status = *((DWORD *)info);
+	if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID))
+		giterr_set(GITERR_NET, "SSL certificate issued for different common name");
+	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID))
+		giterr_set(GITERR_NET, "SSL certificate has expired");
+	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA))
+		giterr_set(GITERR_NET, "SSL certificate signed by unknown CA");
+	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT))
+		giterr_set(GITERR_NET, "SSL certificate is invalid");
+	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED))
+		giterr_set(GITERR_NET, "certificate revocation check failed");
+	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED))
+		giterr_set(GITERR_NET, "SSL certificate was revoked");
+	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR))
+		giterr_set(GITERR_NET, "security libraries could not be loaded");
+	else
+		giterr_set(GITERR_NET, "unknown security error %d", status);
+}
 static int winhttp_connect(
 	winhttp_subtransport *t)
 {
@@ -714,7 +747,7 @@ static int winhttp_connect(
 	/* Prepare host */
 	if (git__utf8_to_16_alloc(&wide_host, t->connection_data.host) < 0) {
-		giterr_set(GITERR_OS, "Unable to convert host to wide characters");
+		giterr_set(GITERR_OS, "unable to convert host to wide characters");
 		return -1;
 	}
@@ -724,7 +757,7 @@ static int winhttp_connect(
 	}
 	if (git__utf8_to_16_alloc(&wide_ua, git_buf_cstr(&ua)) < 0) {
-		giterr_set(GITERR_OS, "Unable to convert host to wide characters");
+		giterr_set(GITERR_OS, "unable to convert host to wide characters");
 		git__free(wide_host);
 		git_buf_free(&ua);
 		return -1;
@@ -741,12 +774,12 @@ static int winhttp_connect(
 		0);
 	if (!t->session) {
-		giterr_set(GITERR_OS, "Failed to init WinHTTP");
+		giterr_set(GITERR_OS, "failed to init WinHTTP");
 		goto on_error;
 	}
 	if (!WinHttpSetTimeouts(t->session, default_timeout, default_connect_timeout, default_timeout, default_timeout)) {
-		giterr_set(GITERR_OS, "Failed to set timeouts for WinHTTP");
+		giterr_set(GITERR_OS, "failed to set timeouts for WinHTTP");
 		goto on_error;
 	}
@@ -759,7 +792,12 @@ static int winhttp_connect(
 		0);
 	if (!t->connection) {
-		giterr_set(GITERR_OS, "Failed to connect to host");
+		giterr_set(GITERR_OS, "failed to connect to host");
+		goto on_error;
+	}
+	if (WinHttpSetStatusCallback(t->connection, winhttp_status, WINHTTP_CALLBACK_FLAG_SECURE_FAILURE, 0) == WINHTTP_INVALID_STATUS_CALLBACK) {
+		giterr_set(GITERR_OS, "failed to set status callback");
 		goto on_error;
 	}
@@ -801,16 +839,15 @@ static int send_request(winhttp_stream *s, size_t len, int ignore_length)
 	int request_failed = 0, cert_valid = 1, error = 0;
 	DWORD ignore_flags;
-	if ((error = do_send_request(s, len, ignore_length)) < 0)
-		request_failed = 1;
-	if (request_failed) {
+	giterr_clear();
+	if ((error = do_send_request(s, len, ignore_length)) < 0) {
 		if (GetLastError() != ERROR_WINHTTP_SECURE_FAILURE) {
 			giterr_set(GITERR_OS, "failed to send request");
 			return -1;
-		} else {
-			cert_valid = 0;
 		}
+		request_failed = 1;
+		cert_valid = 0;
 	}
 	giterr_clear();
@@ -853,7 +890,7 @@ static int winhttp_stream_read(
 replay:
 	/* Enforce a reasonable cap on the number of replays */
 	if (++replay_count >= 7) {
-		giterr_set(GITERR_NET, "Too many redirects or authentication replays");
+		giterr_set(GITERR_NET, "too many redirects or authentication replays");
 		return -1;
 	}
@@ -888,7 +925,7 @@ replay:
 			if (!WinHttpWriteData(s->request,
 				"0\r\n\r\n", 5,
 				&bytes_written)) {
-				giterr_set(GITERR_OS, "Failed to write final chunk");
+				giterr_set(GITERR_OS, "failed to write final chunk");
 				return -1;
 			}
 		}
@@ -899,7 +936,7 @@ replay:
 			if (INVALID_SET_FILE_POINTER == SetFilePointer(s->post_body,
 					0, 0, FILE_BEGIN) &&
 				NO_ERROR != GetLastError()) {
-				giterr_set(GITERR_OS, "Failed to reset file pointer");
+				giterr_set(GITERR_OS, "failed to reset file pointer");
 				return -1;
 			}
@@ -913,14 +950,14 @@ replay:
 					&bytes_read, NULL) ||
 					!bytes_read) {
 					git__free(buffer);
-					giterr_set(GITERR_OS, "Failed to read from temp file");
+					giterr_set(GITERR_OS, "failed to read from temp file");
 					return -1;
 				}
 				if (!WinHttpWriteData(s->request, buffer,
 					bytes_read, &bytes_written)) {
 					git__free(buffer);
-					giterr_set(GITERR_OS, "Failed to write data");
+					giterr_set(GITERR_OS, "failed to write data");
 					return -1;
 				}
@@ -936,7 +973,7 @@ replay:
 		}
 		if (!WinHttpReceiveResponse(s->request, 0)) {
-			giterr_set(GITERR_OS, "Failed to receive response");
+			giterr_set(GITERR_OS, "failed to receive response");
 			return -1;
 		}
@@ -948,7 +985,7 @@ replay:
 			WINHTTP_HEADER_NAME_BY_INDEX,
 			&status_code, &status_code_length,
 			WINHTTP_NO_HEADER_INDEX)) {
-				giterr_set(GITERR_OS, "Failed to retrieve status code");
+				giterr_set(GITERR_OS, "failed to retrieve status code");
 				return -1;
 		}
@@ -978,7 +1015,7 @@ replay:
 				&location_length,
 				WINHTTP_NO_HEADER_INDEX) ||
 				GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
-				giterr_set(GITERR_OS, "Failed to read Location header");
+				giterr_set(GITERR_OS, "failed to read Location header");
 				return -1;
 			}
@@ -991,14 +1028,14 @@ replay:
 				location,
 				&location_length,
 				WINHTTP_NO_HEADER_INDEX)) {
-				giterr_set(GITERR_OS, "Failed to read Location header");
+				giterr_set(GITERR_OS, "failed to read Location header");
 				git__free(location);
 				return -1;
 			}
 			/* Convert the Location header to UTF-8 */
 			if (git__utf16_to_8_alloc(&location8, location) < 0) {
-				giterr_set(GITERR_OS, "Failed to convert Location header to UTF-8");
+				giterr_set(GITERR_OS, "failed to convert Location header to UTF-8");
 				git__free(location);
 				return -1;
 			}
@@ -1029,7 +1066,7 @@ replay:
 		if (status_code == HTTP_STATUS_PROXY_AUTH_REQ) {
 			int allowed_types;
-			if (parse_unauthorized_response(s->request, &allowed_types, &t->auth_mechanism) < 0)
+			if (parse_unauthorized_response(s->request, &allowed_types, &t->auth_mechanisms) < 0)
 				return -1;
 			/* TODO: extract the username from the url, no payload? */
@@ -1049,7 +1086,7 @@ replay:
 		if (HTTP_STATUS_DENIED == status_code && get_verb == s->verb) {
 			int allowed_types;
-			if (parse_unauthorized_response(s->request, &allowed_types, &t->auth_mechanism) < 0)
+			if (parse_unauthorized_response(s->request, &allowed_types, &t->auth_mechanisms) < 0)
 				return -1;
 			if (allowed_types) {
@@ -1090,7 +1127,7 @@ replay:
 		}
 		if (HTTP_STATUS_OK != status_code) {
-			giterr_set(GITERR_NET, "Request failed with status code: %d", status_code);
+			giterr_set(GITERR_NET, "request failed with status code: %d", status_code);
 			return -1;
 		}
@@ -1101,7 +1138,7 @@ replay:
 			p_snprintf(expected_content_type_8, MAX_CONTENT_TYPE_LEN, "application/x-git-%s-advertisement", s->service);
 		if (git__utf8_to_16(expected_content_type, MAX_CONTENT_TYPE_LEN, expected_content_type_8) < 0) {
-			giterr_set(GITERR_OS, "Failed to convert expected content-type to wide characters");
+			giterr_set(GITERR_OS, "failed to convert expected content-type to wide characters");
 			return -1;
 		}
@@ -1112,12 +1149,12 @@ replay:
 			WINHTTP_HEADER_NAME_BY_INDEX,
 			&content_type, &content_type_length,
 			WINHTTP_NO_HEADER_INDEX)) {
-				giterr_set(GITERR_OS, "Failed to retrieve response content-type");
+				giterr_set(GITERR_OS, "failed to retrieve response content-type");
 				return -1;
 		}
 		if (wcscmp(expected_content_type, content_type)) {
-			giterr_set(GITERR_NET, "Received unexpected content-type");
+			giterr_set(GITERR_NET, "received unexpected content-type");
 			return -1;
 		}
@@ -1129,7 +1166,7 @@ replay:
 		(DWORD)buf_size,
 		&dw_bytes_read))
 	{
-		giterr_set(GITERR_OS, "Failed to read data");
+		giterr_set(GITERR_OS, "failed to read data");
 		return -1;
 	}
@@ -1152,7 +1189,7 @@ static int winhttp_stream_write_single(
 	/* This implementation of write permits only a single call. */
 	if (s->sent_request) {
-		giterr_set(GITERR_NET, "Subtransport configured for only one write");
+		giterr_set(GITERR_NET, "subtransport configured for only one write");
 		return -1;
 	}
@@ -1165,7 +1202,7 @@ static int winhttp_stream_write_single(
 			(LPCVOID)buffer,
 			(DWORD)len,
 			&bytes_written)) {
-		giterr_set(GITERR_OS, "Failed to write data");
+		giterr_set(GITERR_OS, "failed to write data");
 		return -1;
 	}
@@ -1183,12 +1220,12 @@ static int put_uuid_string(LPWSTR buffer, size_t buffer_len_cch)
 	if (RPC_S_OK != status &&
 		RPC_S_UUID_LOCAL_ONLY != status &&
 		RPC_S_UUID_NO_ADDRESS != status) {
-		giterr_set(GITERR_NET, "Unable to generate name for temp file");
+		giterr_set(GITERR_NET, "unable to generate name for temp file");
 		return -1;
 	}
 	if (buffer_len_cch < UUID_LENGTH_CCH + 1) {
-		giterr_set(GITERR_NET, "Buffer too small for name of temp file");
+		giterr_set(GITERR_NET, "buffer too small for name of temp file");
 		return -1;
 	}
@@ -1203,7 +1240,7 @@ static int put_uuid_string(LPWSTR buffer, size_t buffer_len_cch)
 		uuid.Data4[4], uuid.Data4[5], uuid.Data4[6], uuid.Data4[7]);
 	if (result < UUID_LENGTH_CCH) {
-		giterr_set(GITERR_OS, "Unable to generate name for temp file");
+		giterr_set(GITERR_OS, "unable to generate name for temp file");
 		return -1;
 	}
@@ -1215,7 +1252,7 @@ static int get_temp_file(LPWSTR buffer, DWORD buffer_len_cch)
 	size_t len;
 	if (!GetTempPathW(buffer_len_cch, buffer)) {
-		giterr_set(GITERR_OS, "Failed to get temp path");
+		giterr_set(GITERR_OS, "failed to get temp path");
 		return -1;
 	}
@@ -1258,13 +1295,13 @@ static int winhttp_stream_write_buffered(
 		if (INVALID_HANDLE_VALUE == s->post_body) {
 			s->post_body = NULL;
-			giterr_set(GITERR_OS, "Failed to create temporary file");
+			giterr_set(GITERR_OS, "failed to create temporary file");
 			return -1;
 		}
 	}
 	if (!WriteFile(s->post_body, buffer, (DWORD)len, &bytes_written, NULL)) {
-		giterr_set(GITERR_OS, "Failed to write to temporary file");
+		giterr_set(GITERR_OS, "failed to write to temporary file");
 		return -1;
 	}
@@ -1291,7 +1328,7 @@ static int winhttp_stream_write_chunked(
 		if (!WinHttpAddRequestHeaders(s->request,
 			transfer_encoding, (ULONG) -1L,
 			WINHTTP_ADDREQ_FLAG_ADD)) {
-			giterr_set(GITERR_OS, "Failed to add a header to the request");
+			giterr_set(GITERR_OS, "failed to add a header to the request");
 			return -1;
 		}