rugged 0.27.10 → 0.27.10.1

data/vendor/libgit2/src/transports/auth_negotiate.h

@@ -12,11 +12,11 @@
 #include "git2.h"
 #include "auth.h"
 
-#if defined(GIT_GSSAPI) || defined(GIT_GSSFRAMEWORK)
+#ifdef GIT_GSSAPI
 
 extern int git_http_auth_negotiate(
 	git_http_auth_context **out,
-	const git_net_url *url);
+	const gitno_connection_data *connection_data);
 
 #else
 

data/vendor/libgit2/src/transports/cred.c

@@ -5,10 +5,10 @@
  * a Linking Exception. For full terms see the included COPYING file.
  */
 
-#include "common.h"
+#include "cred.h"
 
-#include "git2/cred.h"
-#include "git2/sys/cred.h"
+#include "git2.h"
+#include "smart.h"
 #include "git2/cred_helpers.h"
 
 static int git_cred_ssh_key_type_new(
@@ -27,7 +27,7 @@ int git_cred_has_username(git_cred *cred)
 	return 1;
 }
 
-const char *git_cred_get_username(git_cred *cred)
+const char *git_cred__username(git_cred *cred)
 {
 	switch (cred->credtype) {
 	case GIT_CREDTYPE_USERNAME:
@@ -88,7 +88,7 @@ int git_cred_userpass_plaintext_new(
 	assert(cred && username && password);
 
 	c = git__malloc(sizeof(git_cred_userpass_plaintext));
-	GIT_ERROR_CHECK_ALLOC(c);
+	GITERR_CHECK_ALLOC(c);
 
 	c->parent.credtype = GIT_CREDTYPE_USERPASS_PLAINTEXT;
 	c->parent.free = plaintext_free;
@@ -217,7 +217,7 @@ int git_cred_ssh_key_memory_new(
 	GIT_UNUSED(privatekey);
 	GIT_UNUSED(passphrase);
 
-	git_error_set(GIT_ERROR_INVALID,
+	giterr_set(GITERR_INVALID,
 		"this version of libgit2 was not built with ssh memory credentials.");
 	return -1;
 #endif
@@ -236,25 +236,25 @@ static int git_cred_ssh_key_type_new(
 	assert(username && cred && privatekey);
 
 	c = git__calloc(1, sizeof(git_cred_ssh_key));
-	GIT_ERROR_CHECK_ALLOC(c);
+	GITERR_CHECK_ALLOC(c);
 
 	c->parent.credtype = credtype;
 	c->parent.free = ssh_key_free;
 
 	c->username = git__strdup(username);
-	GIT_ERROR_CHECK_ALLOC(c->username);
+	GITERR_CHECK_ALLOC(c->username);
 
 	c->privatekey = git__strdup(privatekey);
-	GIT_ERROR_CHECK_ALLOC(c->privatekey);
+	GITERR_CHECK_ALLOC(c->privatekey);
 
 	if (publickey) {
 		c->publickey = git__strdup(publickey);
-		GIT_ERROR_CHECK_ALLOC(c->publickey);
+		GITERR_CHECK_ALLOC(c->publickey);
 	}
 
 	if (passphrase) {
 		c->passphrase = git__strdup(passphrase);
-		GIT_ERROR_CHECK_ALLOC(c->passphrase);
+		GITERR_CHECK_ALLOC(c->passphrase);
 	}
 
 	*cred = &c->parent;
@@ -264,7 +264,7 @@ static int git_cred_ssh_key_type_new(
 int git_cred_ssh_interactive_new(
 	git_cred **out,
 	const char *username,
-	git_cred_ssh_interactive_cb prompt_callback,
+	git_cred_ssh_interactive_callback prompt_callback,
 	void *payload)
 {
 	git_cred_ssh_interactive *c;
@@ -272,13 +272,13 @@ int git_cred_ssh_interactive_new(
 	assert(out && username && prompt_callback);
 
 	c = git__calloc(1, sizeof(git_cred_ssh_interactive));
-	GIT_ERROR_CHECK_ALLOC(c);
+	GITERR_CHECK_ALLOC(c);
 
 	c->parent.credtype = GIT_CREDTYPE_SSH_INTERACTIVE;
 	c->parent.free = ssh_interactive_free;
 
 	c->username = git__strdup(username);
-	GIT_ERROR_CHECK_ALLOC(c->username);
+	GITERR_CHECK_ALLOC(c->username);
 
 	c->prompt_callback = prompt_callback;
 	c->payload = payload;
@@ -293,13 +293,13 @@ int git_cred_ssh_key_from_agent(git_cred **cred, const char *username) {
 	assert(username && cred);
 
 	c = git__calloc(1, sizeof(git_cred_ssh_key));
-	GIT_ERROR_CHECK_ALLOC(c);
+	GITERR_CHECK_ALLOC(c);
 
 	c->parent.credtype = GIT_CREDTYPE_SSH_KEY;
 	c->parent.free = ssh_key_free;
 
 	c->username = git__strdup(username);
-	GIT_ERROR_CHECK_ALLOC(c->username);
+	GITERR_CHECK_ALLOC(c->username);
 
 	c->privatekey = NULL;
 
@@ -312,7 +312,7 @@ int git_cred_ssh_custom_new(
 	const char *username,
 	const char *publickey,
 	size_t publickey_len,
-	git_cred_sign_cb sign_callback,
+	git_cred_sign_callback sign_callback,
 	void *payload)
 {
 	git_cred_ssh_custom *c;
@@ -320,17 +320,17 @@ int git_cred_ssh_custom_new(
 	assert(username && cred);
 
 	c = git__calloc(1, sizeof(git_cred_ssh_custom));
-	GIT_ERROR_CHECK_ALLOC(c);
+	GITERR_CHECK_ALLOC(c);
 
 	c->parent.credtype = GIT_CREDTYPE_SSH_CUSTOM;
 	c->parent.free = ssh_custom_free;
 
 	c->username = git__strdup(username);
-	GIT_ERROR_CHECK_ALLOC(c->username);
+	GITERR_CHECK_ALLOC(c->username);
 
 	if (publickey_len > 0) {
 		c->publickey = git__malloc(publickey_len);
-		GIT_ERROR_CHECK_ALLOC(c->publickey);
+		GITERR_CHECK_ALLOC(c->publickey);
 
 		memcpy(c->publickey, publickey, publickey_len);
 	}
@@ -350,7 +350,7 @@ int git_cred_default_new(git_cred **cred)
 	assert(cred);
 
 	c = git__calloc(1, sizeof(git_cred_default));
-	GIT_ERROR_CHECK_ALLOC(c);
+	GITERR_CHECK_ALLOC(c);
 
 	c->credtype = GIT_CREDTYPE_DEFAULT;
 	c->free = default_free;
@@ -368,10 +368,10 @@ int git_cred_username_new(git_cred **cred, const char *username)
 
 	len = strlen(username);
 
-	GIT_ERROR_CHECK_ALLOC_ADD(&allocsize, sizeof(git_cred_username), len);
-	GIT_ERROR_CHECK_ALLOC_ADD(&allocsize, allocsize, 1);
+	GITERR_CHECK_ALLOC_ADD(&allocsize, sizeof(git_cred_username), len);
+	GITERR_CHECK_ALLOC_ADD(&allocsize, allocsize, 1);
 	c = git__malloc(allocsize);
-	GIT_ERROR_CHECK_ALLOC(c);
+	GITERR_CHECK_ALLOC(c);
 
 	c->parent.credtype = GIT_CREDTYPE_USERNAME;
 	c->parent.free = username_free;

data/vendor/libgit2/src/{allocators/win32_crtdbg.h → transports/cred.h}

@@ -4,14 +4,13 @@
  * This file is part of libgit2, distributed under the GNU GPL v2 with
  * a Linking Exception. For full terms see the included COPYING file.
  */
-
-#ifndef INCLUDE_allocators_crtdbg_h
-#define INCLUDE_allocators_crtdbg_h
+#ifndef INCLUDE_transports_cred_h__
+#define INCLUDE_transports_cred_h__
 
 #include "common.h"
 
-#include "alloc.h"
+#include "git2/transport.h"
 
-int git_win32_crtdbg_init_allocator(git_allocator *allocator);
+const char *git_cred__username(git_cred *cred);
 
 #endif

data/vendor/libgit2/src/transports/git.c

@@ -47,7 +47,7 @@ static int gen_proto(git_buf *request, const char *cmd, const char *url)
 
 	delim = strchr(url, '/');
 	if (delim == NULL) {
-		git_error_set(GIT_ERROR_NET, "malformed URL");
+		giterr_set(GITERR_NET, "malformed URL");
 		return -1;
 	}
 
@@ -75,19 +75,19 @@ static int gen_proto(git_buf *request, const char *cmd, const char *url)
 
 static int send_command(git_proto_stream *s)
 {
-	git_buf request = GIT_BUF_INIT;
 	int error;
+	git_buf request = GIT_BUF_INIT;
 
-	if ((error = gen_proto(&request, s->cmd, s->url)) < 0)
-		goto cleanup;
-
-	if ((error = git_stream__write_full(s->io, request.ptr, request.size, 0)) < 0)
+	error = gen_proto(&request, s->cmd, s->url);
+	if (error < 0)
 		goto cleanup;
 
-	s->sent_command = 1;
+	error = git_stream_write(s->io, request.ptr, request.size, 0);
+	if (error >= 0)
+		s->sent_command = 1;
 
 cleanup:
-	git_buf_dispose(&request);
+	git_buf_free(&request);
 	return error;
 }
 
@@ -121,13 +121,13 @@ static int git_proto_stream_write(
 	const char *buffer,
 	size_t len)
 {
-	git_proto_stream *s = (git_proto_stream *)stream;
 	int error;
+	git_proto_stream *s = (git_proto_stream *)stream;
 
 	if (!s->sent_command && (error = send_command(s)) < 0)
 		return error;
 
-	return git_stream__write_full(s->io, buffer, len, 0);
+	return git_stream_write(s->io, buffer, len, 0);
 }
 
 static void git_proto_stream_free(git_smart_subtransport_stream *stream)
@@ -163,7 +163,7 @@ static int git_proto_stream_alloc(
 		return -1;
 
 	s = git__calloc(1, sizeof(git_proto_stream));
-	GIT_ERROR_CHECK_ALLOC(s);
+	GITERR_CHECK_ALLOC(s);
 
 	s->parent.subtransport = &t->parent;
 	s->parent.read = git_proto_stream_read;
@@ -181,7 +181,7 @@ static int git_proto_stream_alloc(
 	if ((git_socket_stream_new(&s->io, host, port)) < 0)
 		return -1;
 
-	GIT_ERROR_CHECK_VERSION(s->io, GIT_STREAM_VERSION, "git_stream");
+	GITERR_CHECK_VERSION(s->io, GIT_STREAM_VERSION, "git_stream");
 
 	*stream = &s->parent;
 	return 0;
@@ -192,9 +192,8 @@ static int _git_uploadpack_ls(
 	const char *url,
 	git_smart_subtransport_stream **stream)
 {
-	git_net_url urldata = GIT_NET_URL_INIT;
+	char *host=NULL, *port=NULL, *path=NULL, *user=NULL, *pass=NULL;
 	const char *stream_url = url;
-	const char *host, *port;
 	git_proto_stream *s;
 	int error;
 
@@ -203,15 +202,17 @@ static int _git_uploadpack_ls(
 	if (!git__prefixcmp(url, prefix_git))
 		stream_url += strlen(prefix_git);
 
-	if ((error = git_net_url_parse(&urldata, url)) < 0)
+	if ((error = gitno_extract_url_parts(&host, &port, &path, &user, &pass, url, GIT_DEFAULT_PORT)) < 0)
 		return error;
 
-	host = urldata.host;
-	port = urldata.port ? urldata.port : GIT_DEFAULT_PORT;
-
 	error = git_proto_stream_alloc(t, stream_url, cmd_uploadpack, host, port, stream);
 
-	git_net_url_dispose(&urldata);
+	git__free(host);
+	git__free(port);
+	git__free(path);
+	git__free(user);
+	git__free(pass);
+
 
 	if (error < 0) {
 		git_proto_stream_free(*stream);
@@ -241,7 +242,7 @@ static int _git_uploadpack(
 		return 0;
 	}
 
-	git_error_set(GIT_ERROR_NET, "must call UPLOADPACK_LS before UPLOADPACK");
+	giterr_set(GITERR_NET, "must call UPLOADPACK_LS before UPLOADPACK");
 	return -1;
 }
 
@@ -250,7 +251,7 @@ static int _git_receivepack_ls(
 	const char *url,
 	git_smart_subtransport_stream **stream)
 {
-	git_net_url urldata = GIT_NET_URL_INIT;
+	char *host=NULL, *port=NULL, *path=NULL, *user=NULL, *pass=NULL;
 	const char *stream_url = url;
 	git_proto_stream *s;
 	int error;
@@ -259,12 +260,16 @@ static int _git_receivepack_ls(
 	if (!git__prefixcmp(url, prefix_git))
 		stream_url += strlen(prefix_git);
 
-	if ((error = git_net_url_parse(&urldata, url)) < 0)
+	if ((error = gitno_extract_url_parts(&host, &port, &path, &user, &pass, url, GIT_DEFAULT_PORT)) < 0)
 		return error;
 
-	error = git_proto_stream_alloc(t, stream_url, cmd_receivepack, urldata.host, urldata.port, stream);
+	error = git_proto_stream_alloc(t, stream_url, cmd_receivepack, host, port, stream);
 
-	git_net_url_dispose(&urldata);
+	git__free(host);
+	git__free(port);
+	git__free(path);
+	git__free(user);
+	git__free(pass);
 
 	if (error < 0) {
 		git_proto_stream_free(*stream);
@@ -293,7 +298,7 @@ static int _git_receivepack(
 		return 0;
 	}
 
-	git_error_set(GIT_ERROR_NET, "must call RECEIVEPACK_LS before RECEIVEPACK");
+	giterr_set(GITERR_NET, "must call RECEIVEPACK_LS before RECEIVEPACK");
 	return -1;
 }
 
@@ -353,7 +358,7 @@ int git_smart_subtransport_git(git_smart_subtransport **out, git_transport *owne
 		return -1;
 
 	t = git__calloc(1, sizeof(git_subtransport));
-	GIT_ERROR_CHECK_ALLOC(t);
+	GITERR_CHECK_ALLOC(t);
 
 	t->owner = owner;
 	t->parent.action = _git_action;

data/vendor/libgit2/src/transports/http.c

@@ -12,22 +12,19 @@
 #include "git2.h"
 #include "http_parser.h"
 #include "buffer.h"
-#include "net.h"
 #include "netops.h"
 #include "global.h"
 #include "remote.h"
-#include "git2/sys/cred.h"
 #include "smart.h"
 #include "auth.h"
 #include "http.h"
 #include "auth_negotiate.h"
-#include "auth_ntlm.h"
 #include "streams/tls.h"
 #include "streams/socket.h"
+#include "streams/curl.h"
 
 git_http_auth_scheme auth_schemes[] = {
 	{ GIT_AUTHTYPE_NEGOTIATE, "Negotiate", GIT_CREDTYPE_DEFAULT, git_http_auth_negotiate },
-	{ GIT_AUTHTYPE_NTLM, "NTLM", GIT_CREDTYPE_USERPASS_PLAINTEXT, git_http_auth_ntlm },
 	{ GIT_AUTHTYPE_BASIC, "Basic", GIT_CREDTYPE_USERPASS_PLAINTEXT, git_http_auth_basic },
 };
 
@@ -40,12 +37,6 @@ static const char *receive_pack_service_url = "/git-receive-pack";
 static const char *get_verb = "GET";
 static const char *post_verb = "POST";
 
-#define AUTH_HEADER_SERVER "Authorization"
-#define AUTH_HEADER_PROXY  "Proxy-Authorization"
-
-#define SERVER_TYPE_REMOTE "remote"
-#define SERVER_TYPE_PROXY  "proxy"
-
 #define OWNING_SUBTRANSPORT(s) ((http_subtransport *)(s)->parent.subtransport)
 
 #define PARSE_ERROR_GENERIC	-1
@@ -71,36 +62,17 @@ typedef struct {
 	unsigned chunk_buffer_len;
 	unsigned sent_request : 1,
 		received_response : 1,
-		chunked : 1;
+		chunked : 1,
+		redirect_count : 3;
 } http_stream;
 
-typedef struct {
-	git_net_url url;
-	git_stream *stream;
-
-	git_http_authtype_t authtypes;
-	git_credtype_t credtypes;
-
-	git_cred *cred;
-	unsigned url_cred_presented : 1,
-	    authenticated : 1;
-
-	git_vector auth_challenges;
-	git_http_auth_context *auth_context;
-} http_server;
-
 typedef struct {
 	git_smart_subtransport parent;
 	transport_smart *owner;
-	git_stream *gitserver_stream;
+	git_stream *io;
+	gitno_connection_data connection_data;
 	bool connected;
 
-	http_server server;
-
-	http_server proxy;
-	char *proxy_url;
-	git_proxy_options proxy_opts;
-
 	/* Parser structures */
 	http_parser parser;
 	http_parser_settings settings;
@@ -109,15 +81,17 @@ typedef struct {
 	git_buf parse_header_value;
 	char parse_buffer_data[NETIO_BUFSIZE];
 	char *content_type;
-	char *content_length;
 	char *location;
+	git_vector www_authenticate;
 	enum last_cb last_cb;
 	int parse_error;
 	int error;
-	unsigned request_count;
-	unsigned parse_finished : 1,
-	    keepalive : 1,
-	    replay_count : 4;
+	unsigned parse_finished : 1;
+
+	/* Authentication */
+	git_cred *cred;
+	git_cred *url_cred;
+	git_vector auth_contexts;
 } http_subtransport;
 
 typedef struct {
@@ -130,50 +104,94 @@ typedef struct {
 	size_t *bytes_read;
 } parser_context;
 
-static git_http_auth_scheme *scheme_for_challenge(
-	const char *challenge,
-	git_cred *cred)
+static bool credtype_match(git_http_auth_scheme *scheme, void *data)
+{
+	unsigned int credtype = *(unsigned int *)data;
+
+	return !!(scheme->credtypes & credtype);
+}
+
+static bool challenge_match(git_http_auth_scheme *scheme, void *data)
+{
+	const char *scheme_name = scheme->name;
+	const char *challenge = (const char *)data;
+	size_t scheme_len;
+
+	scheme_len = strlen(scheme_name);
+	return (strncasecmp(challenge, scheme_name, scheme_len) == 0 &&
+		(challenge[scheme_len] == '\0' || challenge[scheme_len] == ' '));
+}
+
+static int auth_context_match(
+	git_http_auth_context **out,
+	http_subtransport *t,
+	bool (*scheme_match)(git_http_auth_scheme *scheme, void *data),
+	void *data)
 {
 	git_http_auth_scheme *scheme = NULL;
+	git_http_auth_context *context = NULL, *c;
 	size_t i;
 
+	*out = NULL;
+
 	for (i = 0; i < ARRAY_SIZE(auth_schemes); i++) {
-		const char *scheme_name = auth_schemes[i].name;
-		const git_credtype_t scheme_types = auth_schemes[i].credtypes;
-		size_t scheme_len;
+		if (scheme_match(&auth_schemes[i], data)) {
+			scheme = &auth_schemes[i];
+			break;
+		}
+	}
 
-		scheme_len = strlen(scheme_name);
+	if (!scheme)
+		return 0;
 
-		if ((!cred || (cred->credtype & scheme_types)) &&
-		    strncasecmp(challenge, scheme_name, scheme_len) == 0 &&
-		    (challenge[scheme_len] == '\0' || challenge[scheme_len] == ' ')) {
-			scheme = &auth_schemes[i];
+	/* See if authentication has already started for this scheme */
+	git_vector_foreach(&t->auth_contexts, i, c) {
+		if (c->type == scheme->type) {
+			context = c;
 			break;
 		}
 	}
 
-	return scheme;
+	if (!context) {
+		if (scheme->init_context(&context, &t->connection_data) < 0)
+			return -1;
+		else if (!context)
+			return 0;
+		else if (git_vector_insert(&t->auth_contexts, context) < 0)
+			return -1;
+	}
+
+	*out = context;
+
+	return 0;
 }
 
-static int apply_credentials(
-	git_buf *buf,
-	http_server *server,
-	const char *header_name)
+static int apply_credentials(git_buf *buf, http_subtransport *t)
 {
-	git_buf token = GIT_BUF_INIT;
-	int error = 0;
+	git_cred *cred = t->cred;
+	git_http_auth_context *context;
+
+	/* Apply the credentials given to us in the URL */
+	if (!cred && t->connection_data.user && t->connection_data.pass) {
+		if (!t->url_cred &&
+			git_cred_userpass_plaintext_new(&t->url_cred,
+				t->connection_data.user, t->connection_data.pass) < 0)
+			return -1;
+
+		cred = t->url_cred;
+	}
 
-	if (!server->auth_context)
-		goto done;
+	if (!cred)
+		return 0;
 
-	if ((error = server->auth_context->next_token(&token, server->auth_context, server->cred)) < 0)
-		goto done;
+	/* Get or create a context for the best scheme for this cred type */
+	if (auth_context_match(&context, t, credtype_match, &cred->credtype) < 0)
+		return -1;
 
-	error = git_buf_printf(buf, "%s: %s\r\n", header_name, token.ptr);
+	if (!context)
+		return 0;
 
-done:
-	git_buf_dispose(&token);
-	return error;
+	return context->next_token(buf, context, cred);
 }
 
 static int gen_request(
@@ -182,29 +200,15 @@ static int gen_request(
 	size_t content_length)
 {
 	http_subtransport *t = OWNING_SUBTRANSPORT(s);
-	const char *path = t->server.url.path ? t->server.url.path : "/";
+	const char *path = t->connection_data.path ? t->connection_data.path : "/";
 	size_t i;
 
-	if (t->proxy_opts.type == GIT_PROXY_SPECIFIED)
-		git_buf_printf(buf, "%s %s://%s:%s%s%s HTTP/1.1\r\n",
-			s->verb,
-			t->server.url.scheme,
-			t->server.url.host,
-			t->server.url.port,
-			path, s->service_url);
-	else
-		git_buf_printf(buf, "%s %s%s HTTP/1.1\r\n",
-			s->verb, path, s->service_url);
+	git_buf_printf(buf, "%s %s%s HTTP/1.1\r\n", s->verb, path, s->service_url);
 
 	git_buf_puts(buf, "User-Agent: ");
 	git_http__user_agent(buf);
 	git_buf_puts(buf, "\r\n");
-	git_buf_printf(buf, "Host: %s", t->server.url.host);
-
-	if (!git_net_url_is_default_port(&t->server.url))
-		git_buf_printf(buf, ":%s", t->server.url.port);
-
-	git_buf_puts(buf, "\r\n");
+	git_buf_printf(buf, "Host: %s\r\n", t->connection_data.host);
 
 	if (s->chunked || content_length > 0) {
 		git_buf_printf(buf, "Accept: application/x-git-%s-result\r\n", s->service);
@@ -222,12 +226,8 @@ static int gen_request(
 			git_buf_printf(buf, "%s\r\n", t->owner->custom_headers.strings[i]);
 	}
 
-	/* Apply proxy and server credentials to the request */
-	if (t->proxy_opts.type != GIT_PROXY_NONE &&
-	    apply_credentials(buf, &t->proxy, AUTH_HEADER_PROXY) < 0)
-		return -1;
-
-	if (apply_credentials(buf, &t->server, AUTH_HEADER_SERVER) < 0)
+	/* Apply credentials to the request */
+	if (apply_credentials(buf, t) < 0)
 		return -1;
 
 	git_buf_puts(buf, "\r\n");
@@ -238,86 +238,29 @@ static int gen_request(
 	return 0;
 }
 
-static int set_authentication_challenge(http_server *server)
-{
-	const char *challenge;
-
-	if (git_vector_length(&server->auth_challenges) > 1) {
-		git_error_set(GIT_ERROR_NET, "received multiple authentication challenges");
-		return -1;
-	}
-
-	challenge = git_vector_get(&server->auth_challenges, 0);
-
-	if (server->auth_context->set_challenge)
-		return server->auth_context->set_challenge(server->auth_context, challenge);
-	else
-		return 0;
-}
-
-static int set_authentication_types(http_server *server)
+static int parse_authenticate_response(
+	git_vector *www_authenticate,
+	http_subtransport *t,
+	int *allowed_types)
 {
-	git_http_auth_scheme *scheme;
+	git_http_auth_context *context;
 	char *challenge;
 	size_t i;
 
-	git_vector_foreach(&server->auth_challenges, i, challenge) {
-		if ((scheme = scheme_for_challenge(challenge, NULL)) != NULL) {
-			server->authtypes |= scheme->type;
-			server->credtypes |= scheme->credtypes;
-		}
-	}
-
-	return 0;
-}
-
-static bool auth_context_complete(http_server *server)
-{
-	/* If there's no is_complete function, we're always complete */
-	if (!server->auth_context->is_complete)
-		return true;
-
-	if (server->auth_context->is_complete(server->auth_context))
-		return true;
-
-	return false;
-}
-
-static void free_auth_context(http_server *server)
-{
-	if (!server->auth_context)
-		return;
-
-	if (server->auth_context->free)
-		server->auth_context->free(server->auth_context);
-
-	server->auth_context = NULL;
-}
+	git_vector_foreach(www_authenticate, i, challenge) {
+		if (auth_context_match(&context, t, challenge_match, challenge) < 0)
+			return -1;
+		else if (!context)
+			continue;
 
-static int parse_authenticate_response(http_server *server)
-{
-	/*
-	 * If we think that we've completed authentication (ie, we've either
-	 * sent a basic credential or we've sent the NTLM/Negotiate response)
-	 * but we've got an authentication request from the server then our
-	 * last authentication did not succeed.  Start over.
-	 */
-	if (server->auth_context && auth_context_complete(server)) {
-		free_auth_context(server);
+		if (context->set_challenge &&
+			context->set_challenge(context, challenge) < 0)
+			return -1;
 
-		server->authenticated = 0;
+		*allowed_types |= context->credtypes;
 	}
 
-	/*
-	 * If we've begun authentication, give the challenge to the context.
-	 * Otherwise, set up the types to prepare credentials.
-	 */
-	if (git_vector_length(&server->auth_challenges) == 0)
-		return 0;
-	else if (server->auth_context)
-		return set_authentication_challenge(server);
-	else
-		return set_authentication_types(server);
+	return 0;
 }
 
 static int on_header_ready(http_subtransport *t)
@@ -326,45 +269,22 @@ static int on_header_ready(http_subtransport *t)
 	git_buf *value = &t->parse_header_value;
 
 	if (!strcasecmp("Content-Type", git_buf_cstr(name))) {
-		if (t->content_type) {
-			git_error_set(GIT_ERROR_NET, "multiple Content-Type headers");
-			return -1;
-		}
-
-		t->content_type = git__strdup(git_buf_cstr(value));
-		GIT_ERROR_CHECK_ALLOC(t->content_type);
-	}
-	else if (!strcasecmp("Content-Length", git_buf_cstr(name))) {
-		if (t->content_length) {
-			git_error_set(GIT_ERROR_NET, "multiple Content-Length headers");
-			return -1;
+		if (!t->content_type) {
+			t->content_type = git__strdup(git_buf_cstr(value));
+			GITERR_CHECK_ALLOC(t->content_type);
 		}
-
-		t->content_length = git__strdup(git_buf_cstr(value));
-		GIT_ERROR_CHECK_ALLOC(t->content_length);
-	}
-	else if (!strcasecmp("Proxy-Authenticate", git_buf_cstr(name))) {
-		char *dup = git__strdup(git_buf_cstr(value));
-		GIT_ERROR_CHECK_ALLOC(dup);
-
-		if (git_vector_insert(&t->proxy.auth_challenges, dup) < 0)
-			return -1;
 	}
 	else if (!strcasecmp("WWW-Authenticate", git_buf_cstr(name))) {
 		char *dup = git__strdup(git_buf_cstr(value));
-		GIT_ERROR_CHECK_ALLOC(dup);
+		GITERR_CHECK_ALLOC(dup);
 
-		if (git_vector_insert(&t->server.auth_challenges, dup) < 0)
-			return -1;
+		git_vector_insert(&t->www_authenticate, dup);
 	}
 	else if (!strcasecmp("Location", git_buf_cstr(name))) {
-		if (t->location) {
-			git_error_set(GIT_ERROR_NET, "multiple Location headers");
-			return -1;
+		if (!t->location) {
+			t->location = git__strdup(git_buf_cstr(value));
+			GITERR_CHECK_ALLOC(t->location);
 		}
-
-		t->location = git__strdup(git_buf_cstr(value));
-		GIT_ERROR_CHECK_ALLOC(t->location);
 	}
 
 	return 0;
@@ -408,204 +328,85 @@ static int on_header_value(http_parser *parser, const char *str, size_t len)
 	return 0;
 }
 
-GIT_INLINE(void) free_cred(git_cred **cred)
-{
-	if (*cred) {
-		git_cred_free(*cred);
-		(*cred) = NULL;
-	}
-}
-
-static int apply_url_credentials(
-	git_cred **cred,
-	unsigned int allowed_types,
-	const char *username,
-	const char *password)
-{
-	if (allowed_types & GIT_CREDTYPE_USERPASS_PLAINTEXT)
-		return git_cred_userpass_plaintext_new(cred, username, password);
-
-	if ((allowed_types & GIT_CREDTYPE_DEFAULT) && *username == '\0' && *password == '\0')
-		return git_cred_default_new(cred);
-
-	return GIT_PASSTHROUGH;
-}
-
-static int init_auth(http_server *server)
-{
-	git_http_auth_scheme *s, *scheme = NULL;
-	char *c, *challenge = NULL;
-	size_t i;
-	int error;
-
-	git_vector_foreach(&server->auth_challenges, i, c) {
-		s = scheme_for_challenge(c, server->cred);
-
-		if (s && !!(s->credtypes & server->credtypes)) {
-			scheme = s;
-			challenge = c;
-			break;
-		}
-	}
-
-	if (!scheme) {
-		git_error_set(GIT_ERROR_NET, "no authentication mechanism could be negotiated");
-		return -1;
-	}
-
-	if ((error = scheme->init_context(&server->auth_context, &server->url)) == GIT_PASSTHROUGH)
-		return 0;
-	else if (error < 0)
-		return error;
-
-	if (server->auth_context->set_challenge &&
-		(error = server->auth_context->set_challenge(server->auth_context, challenge)) < 0)
-		return error;
-
-	return 0;
-}
-
-static int on_auth_required(
-	http_parser *parser,
-	http_server *server,
-	const char *url,
-	const char *type,
-	git_cred_acquire_cb callback,
-	void *callback_payload)
-{
-	parser_context *ctx = (parser_context *) parser->data;
-	http_subtransport *t = ctx->t;
-	int error = 1;
-
-	if (parse_authenticate_response(server) < 0) {
-		t->parse_error = PARSE_ERROR_GENERIC;
-		return t->parse_error;
-	}
-
-	/* If we're in the middle of challenge/response auth, continue */
-	if (parser->status_code == 407 || parser->status_code == 401) {
-		if (server->auth_context && !auth_context_complete(server)) {
-			t->parse_error = PARSE_ERROR_REPLAY;
-			return 0;
-		}
-	}
-
-	/* Enforce a reasonable cap on the number of replays */
-	if (t->replay_count++ >= GIT_HTTP_REPLAY_MAX) {
-		git_error_set(GIT_ERROR_NET, "too many redirects or authentication replays");
-		return t->parse_error = PARSE_ERROR_GENERIC;
-	}
-
-	if (!server->credtypes) {
-		git_error_set(GIT_ERROR_NET, "%s requested authentication but did not negotiate mechanisms", type);
-		t->parse_error = PARSE_ERROR_GENERIC;
-		return t->parse_error;
-	}
-
-	free_auth_context(server);
-	free_cred(&server->cred);
-
-	/* Start with URL-specified credentials, if there were any. */
-	if (!server->url_cred_presented && server->url.username && server->url.password) {
-		error = apply_url_credentials(&server->cred, server->credtypes, server->url.username, server->url.password);
-		server->url_cred_presented = 1;
-
-		if (error == GIT_PASSTHROUGH) {
-			/* treat GIT_PASSTHROUGH as if callback isn't set */
-			error = 1;
-		}
-	}
-
-	if (error > 0 && callback) {
-		error = callback(&server->cred, url, server->url.username, server->credtypes, callback_payload);
-
-		if (error == GIT_PASSTHROUGH) {
-			/* treat GIT_PASSTHROUGH as if callback isn't set */
-			error = 1;
-		}
-	}
-
-	if (error > 0) {
-		git_error_set(GIT_ERROR_NET, "%s authentication required but no callback set",
-			type);
-		t->parse_error = PARSE_ERROR_GENERIC;
-		return t->parse_error;
-	} else if (error < 0) {
-		t->error = error;
-		t->parse_error = PARSE_ERROR_EXT;
-		return t->parse_error;
-	}
-
-	assert(server->cred);
-
-    if (!(server->cred->credtype & server->credtypes)) {
-		git_error_set(GIT_ERROR_NET, "%s credential provider returned an invalid cred type", type);
-		t->parse_error = PARSE_ERROR_GENERIC;
-		return t->parse_error;
-	}
-
-	/* Successfully acquired a credential. Start an auth context. */
-	if (init_auth(server) < 0) {
-		t->parse_error = PARSE_ERROR_GENERIC;
-		return t->parse_error;
-	}
-
-	t->parse_error = PARSE_ERROR_REPLAY;
-	return 0;
-}
-
-static void on_auth_success(http_server *server)
-{
-	server->url_cred_presented = 0;
-	server->authenticated = 1;
-}
-
 static int on_headers_complete(http_parser *parser)
 {
 	parser_context *ctx = (parser_context *) parser->data;
 	http_subtransport *t = ctx->t;
 	http_stream *s = ctx->s;
 	git_buf buf = GIT_BUF_INIT;
+	int error = 0, no_callback = 0, allowed_auth_types = 0;
 
 	/* Both parse_header_name and parse_header_value are populated
 	 * and ready for consumption. */
-	if (t->last_cb == VALUE && on_header_ready(t) < 0)
-		return t->parse_error = PARSE_ERROR_GENERIC;
+	if (VALUE == t->last_cb)
+		if (on_header_ready(t) < 0)
+			return t->parse_error = PARSE_ERROR_GENERIC;
 
-	/* Check for a proxy authentication failure. */
-	if (parser->status_code == 407 && get_verb == s->verb)
-		return on_auth_required(
-		    parser,
-		    &t->proxy,
-		    t->proxy_opts.url,
-		    SERVER_TYPE_PROXY,
-		    t->proxy_opts.credentials,
-		    t->proxy_opts.payload);
-	else
-		on_auth_success(&t->proxy);
+	/* Capture authentication headers which may be a 401 (authentication
+	 * is not complete) or a 200 (simply informing us that auth *is*
+	 * complete.)
+	 */
+	if (parse_authenticate_response(&t->www_authenticate, t,
+			&allowed_auth_types) < 0)
+		return t->parse_error = PARSE_ERROR_GENERIC;
 
 	/* Check for an authentication failure. */
-	if (parser->status_code == 401 && get_verb == s->verb)
-		return on_auth_required(
-		    parser,
-		    &t->server,
-		    t->owner->url,
-		    SERVER_TYPE_REMOTE,
-		    t->owner->cred_acquire_cb,
-		    t->owner->cred_acquire_payload);
-	else
-		on_auth_success(&t->server);
+	if (parser->status_code == 401 && get_verb == s->verb) {
+		if (!t->owner->cred_acquire_cb) {
+			no_callback = 1;
+		} else {
+			if (allowed_auth_types) {
+				if (t->cred) {
+					t->cred->free(t->cred);
+					t->cred = NULL;
+				}
+
+				error = t->owner->cred_acquire_cb(&t->cred,
+								  t->owner->url,
+								  t->connection_data.user,
+								  allowed_auth_types,
+								  t->owner->cred_acquire_payload);
+
+				if (error == GIT_PASSTHROUGH) {
+					no_callback = 1;
+				} else if (error < 0) {
+					t->error = error;
+					return t->parse_error = PARSE_ERROR_EXT;
+				} else {
+					assert(t->cred);
+
+					if (!(t->cred->credtype & allowed_auth_types)) {
+						giterr_set(GITERR_NET, "credentials callback returned an invalid cred type");
+						return t->parse_error = PARSE_ERROR_GENERIC;
+					}
+
+					/* Successfully acquired a credential. */
+					t->parse_error = PARSE_ERROR_REPLAY;
+					return 0;
+				}
+			}
+		}
+
+		if (no_callback) {
+			giterr_set(GITERR_NET, "authentication required but no callback set");
+			return t->parse_error = PARSE_ERROR_GENERIC;
+		}
+	}
 
 	/* Check for a redirect.
 	 * Right now we only permit a redirect to the same hostname. */
 	if ((parser->status_code == 301 ||
 	     parser->status_code == 302 ||
 	     (parser->status_code == 303 && get_verb == s->verb) ||
-	     parser->status_code == 307 ||
-	     parser->status_code == 308) &&
+	     parser->status_code == 307) &&
 	    t->location) {
 
-		if (gitno_connection_data_handle_redirect(&t->server.url, t->location, s->service_url) < 0)
+		if (s->redirect_count >= 7) {
+			giterr_set(GITERR_NET, "too many redirects");
+			return t->parse_error = PARSE_ERROR_GENERIC;
+		}
+
+		if (gitno_connection_data_from_url(&t->connection_data, t->location, s->service_url) < 0)
 			return t->parse_error = PARSE_ERROR_GENERIC;
 
 		/* Set the redirect URL on the stream. This is a transfer of
@@ -617,13 +418,15 @@ static int on_headers_complete(http_parser *parser)
 		t->location = NULL;
 
 		t->connected = 0;
+		s->redirect_count++;
+
 		t->parse_error = PARSE_ERROR_REPLAY;
 		return 0;
 	}
 
 	/* Check for a 200 HTTP status code. */
 	if (parser->status_code != 200) {
-		git_error_set(GIT_ERROR_NET,
+		giterr_set(GITERR_NET,
 			"unexpected HTTP status code: %d",
 			parser->status_code);
 		return t->parse_error = PARSE_ERROR_GENERIC;
@@ -631,7 +434,7 @@ static int on_headers_complete(http_parser *parser)
 
 	/* The response must contain a Content-Type header. */
 	if (!t->content_type) {
-		git_error_set(GIT_ERROR_NET, "no Content-Type header in response");
+		giterr_set(GITERR_NET, "no Content-Type header in response");
 		return t->parse_error = PARSE_ERROR_GENERIC;
 	}
 
@@ -649,14 +452,14 @@ static int on_headers_complete(http_parser *parser)
 		return t->parse_error = PARSE_ERROR_GENERIC;
 
 	if (strcmp(t->content_type, git_buf_cstr(&buf))) {
-		git_buf_dispose(&buf);
-		git_error_set(GIT_ERROR_NET,
+		git_buf_free(&buf);
+		giterr_set(GITERR_NET,
 			"invalid Content-Type: %s",
 			t->content_type);
 		return t->parse_error = PARSE_ERROR_GENERIC;
 	}
 
-	git_buf_dispose(&buf);
+	git_buf_free(&buf);
 
 	return 0;
 }
@@ -667,7 +470,6 @@ static int on_message_complete(http_parser *parser)
 	http_subtransport *t = ctx->t;
 
 	t->parse_finished = 1;
-	t->keepalive = http_should_keep_alive(parser);
 
 	return 0;
 }
@@ -677,19 +479,22 @@ static int on_body_fill_buffer(http_parser *parser, const char *str, size_t len)
 	parser_context *ctx = (parser_context *) parser->data;
 	http_subtransport *t = ctx->t;
 
-	/* If there's no buffer set, we're explicitly ignoring the body. */
-	if (ctx->buffer) {
-		if (ctx->buf_size < len) {
-			git_error_set(GIT_ERROR_NET, "can't fit data in the buffer");
-			return t->parse_error = PARSE_ERROR_GENERIC;
-		}
+	/* If our goal is to replay the request (either an auth failure or
+	 * a redirect) then don't bother buffering since we're ignoring the
+	 * content anyway.
+	 */
+	if (t->parse_error == PARSE_ERROR_REPLAY)
+		return 0;
 
-		memcpy(ctx->buffer, str, len);
-		ctx->buffer += len;
-		ctx->buf_size -= len;
+	if (ctx->buf_size < len) {
+		giterr_set(GITERR_NET, "can't fit data in the buffer");
+		return t->parse_error = PARSE_ERROR_GENERIC;
 	}
 
+	memcpy(ctx->buffer, str, len);
 	*(ctx->bytes_read) += len;
+	ctx->buffer += len;
+	ctx->buf_size -= len;
 
 	return 0;
 }
@@ -697,7 +502,7 @@ static int on_body_fill_buffer(http_parser *parser, const char *str, size_t len)
 static void clear_parser_state(http_subtransport *t)
 {
 	http_parser_init(&t->parser, HTTP_RESPONSE);
-	gitno_buffer_setup_fromstream(t->server.stream,
+	gitno_buffer_setup_fromstream(t->io,
 		&t->parse_buffer,
 		t->parse_buffer_data,
 		sizeof(t->parse_buffer_data));
@@ -705,25 +510,20 @@ static void clear_parser_state(http_subtransport *t)
 	t->last_cb = NONE;
 	t->parse_error = 0;
 	t->parse_finished = 0;
-	t->keepalive = 0;
 
-	git_buf_dispose(&t->parse_header_name);
+	git_buf_free(&t->parse_header_name);
 	git_buf_init(&t->parse_header_name, 0);
 
-	git_buf_dispose(&t->parse_header_value);
+	git_buf_free(&t->parse_header_value);
 	git_buf_init(&t->parse_header_value, 0);
 
 	git__free(t->content_type);
 	t->content_type = NULL;
 
-	git__free(t->content_length);
-	t->content_length = NULL;
-
 	git__free(t->location);
 	t->location = NULL;
 
-	git_vector_free_deep(&t->proxy.auth_challenges);
-	git_vector_free_deep(&t->server.auth_challenges);
+	git_vector_free_deep(&t->www_authenticate);
 }
 
 static int write_chunk(git_stream *io, const char *buffer, size_t len)
@@ -736,424 +536,117 @@ static int write_chunk(git_stream *io, const char *buffer, size_t len)
 	if (git_buf_oom(&buf))
 		return -1;
 
-	if (git_stream__write_full(io, buf.ptr, buf.size, 0) < 0) {
-		git_buf_dispose(&buf);
+	if (git_stream_write(io, buf.ptr, buf.size, 0) < 0) {
+		git_buf_free(&buf);
 		return -1;
 	}
 
-	git_buf_dispose(&buf);
+	git_buf_free(&buf);
 
 	/* Chunk body */
-	if (len > 0 && git_stream__write_full(io, buffer, len, 0) < 0)
+	if (len > 0 && git_stream_write(io, buffer, len, 0) < 0)
 		return -1;
 
 	/* Chunk footer */
-	if (git_stream__write_full(io, "\r\n", 2, 0) < 0)
+	if (git_stream_write(io, "\r\n", 2, 0) < 0)
 		return -1;
 
 	return 0;
 }
 
-static int load_proxy_config(http_subtransport *t)
+static int apply_proxy_config(http_subtransport *t)
 {
 	int error;
+	git_proxy_t proxy_type;
 
-	switch (t->owner->proxy.type) {
-	case GIT_PROXY_NONE:
+	if (!git_stream_supports_proxy(t->io))
 		return 0;
 
-	case GIT_PROXY_AUTO:
-		git__free(t->proxy_url);
-		t->proxy_url = NULL;
-
-		git_proxy_options_init(&t->proxy_opts, GIT_PROXY_OPTIONS_VERSION);
-
-		if ((error = git_remote__get_http_proxy(t->owner->owner,
-			!strcmp(t->server.url.scheme, "https"), &t->proxy_url)) < 0)
-			return error;
-
-		if (!t->proxy_url)
-			return 0;
-
-		t->proxy_opts.type = GIT_PROXY_SPECIFIED;
-		t->proxy_opts.url = t->proxy_url;
-		t->proxy_opts.credentials = t->owner->proxy.credentials;
-		t->proxy_opts.certificate_check = t->owner->proxy.certificate_check;
-		t->proxy_opts.payload = t->owner->proxy.payload;
-		break;
+	proxy_type = t->owner->proxy.type;
 
-	case GIT_PROXY_SPECIFIED:
-		memcpy(&t->proxy_opts, &t->owner->proxy, sizeof(git_proxy_options));
-		break;
-
-	default:
-		assert(0);
-		return -1;
-	}
-
-	git_net_url_dispose(&t->proxy.url);
-
-	return git_net_url_parse(&t->proxy.url, t->proxy_opts.url);
-}
-
-static int check_certificate(
-	git_stream *stream,
-	git_net_url *url,
-	int is_valid,
-	git_transport_certificate_check_cb cert_cb,
-	void *cert_cb_payload)
-{
-	git_cert *cert;
-	git_error_state last_error = {0};
-	int error;
-
-	if ((error = git_stream_certificate(&cert, stream)) < 0)
-		return error;
-
-	git_error_state_capture(&last_error, GIT_ECERTIFICATE);
-
-	error = cert_cb(cert, is_valid, url->host, cert_cb_payload);
-
-	if (error == GIT_PASSTHROUGH && !is_valid)
-		return git_error_state_restore(&last_error);
-	else if (error == GIT_PASSTHROUGH)
-		error = 0;
-	else if (error && !git_error_last())
-		git_error_set(GIT_ERROR_NET, "user rejected certificate for %s", url->host);
-
-	git_error_state_free(&last_error);
-	return error;
-}
+	if (proxy_type == GIT_PROXY_NONE)
+		return 0;
 
-static int stream_connect(
-	git_stream *stream,
-	git_net_url *url,
-	git_transport_certificate_check_cb cert_cb,
-	void *cb_payload)
-{
-	int error;
+	if (proxy_type == GIT_PROXY_AUTO) {
+		char *url;
+		git_proxy_options opts = GIT_PROXY_OPTIONS_INIT;
 
-	GIT_ERROR_CHECK_VERSION(stream, GIT_STREAM_VERSION, "git_stream");
+		if ((error = git_remote__get_http_proxy(t->owner->owner, !!t->connection_data.use_ssl, &url)) < 0)
+			return error;
 
-	error = git_stream_connect(stream);
+		opts.credentials = t->owner->proxy.credentials;
+		opts.certificate_check = t->owner->proxy.certificate_check;
+		opts.payload = t->owner->proxy.payload;
+		opts.type = GIT_PROXY_SPECIFIED;
+		opts.url = url;
+		error = git_stream_set_proxy(t->io, &opts);
+		git__free(url);
 
-	if (error && error != GIT_ECERTIFICATE)
 		return error;
-
-	if (git_stream_is_encrypted(stream) && cert_cb != NULL)
-		error = check_certificate(stream, url, !error, cert_cb, cb_payload);
-
-	return error;
-}
-
-static int gen_connect_req(git_buf *buf, http_subtransport *t)
-{
-	git_buf_printf(buf, "CONNECT %s:%s HTTP/1.1\r\n",
-		t->server.url.host, t->server.url.port);
-
-	git_buf_puts(buf, "User-Agent: ");
-	git_http__user_agent(buf);
-	git_buf_puts(buf, "\r\n");
-
-	git_buf_printf(buf, "Host: %s\r\n", t->proxy.url.host);
-
-	if (apply_credentials(buf, &t->proxy, AUTH_HEADER_PROXY) < 0)
-		return -1;
-
-	git_buf_puts(buf, "\r\n");
-
-	return git_buf_oom(buf) ? -1 : 0;
-}
-
-static int proxy_headers_complete(http_parser *parser)
-{
-	parser_context *ctx = (parser_context *) parser->data;
-	http_subtransport *t = ctx->t;
-
-	/* Both parse_header_name and parse_header_value are populated
-	 * and ready for consumption. */
-	if (t->last_cb == VALUE && on_header_ready(t) < 0)
-			return t->parse_error = PARSE_ERROR_GENERIC;
-
-	/*
-	 * Capture authentication headers for the proxy or final endpoint,
-	 * these may be 407/401 (authentication is not complete) or a 200
-	 * (informing us that auth has completed).
-	 */
-	if (parse_authenticate_response(&t->proxy) < 0)
-		return t->parse_error = PARSE_ERROR_GENERIC;
-
-	/* If we're in the middle of challenge/response auth, continue */
-	if (parser->status_code == 407) {
-		if (t->proxy.auth_context && !auth_context_complete(&t->proxy)) {
-			t->parse_error = PARSE_ERROR_REPLAY;
-			return 0;
-		}
-	}
-
-	/* Enforce a reasonable cap on the number of replays */
-	if (t->replay_count++ >= GIT_HTTP_REPLAY_MAX) {
-		git_error_set(GIT_ERROR_NET, "too many redirects or authentication replays");
-		return t->parse_error = PARSE_ERROR_GENERIC;
-	}
-
-	/* Check for a proxy authentication failure. */
-	if (parser->status_code == 407)
-		return on_auth_required(
-			parser,
-			&t->proxy,
-			t->proxy_opts.url,
-			SERVER_TYPE_PROXY,
-			t->proxy_opts.credentials,
-			t->proxy_opts.payload);
-
-	if (parser->status_code != 200) {
-		git_error_set(GIT_ERROR_NET, "unexpected status code from proxy: %d",
-			parser->status_code);
-		return t->parse_error = PARSE_ERROR_GENERIC;
 	}
 
-	if (!t->content_length || strcmp(t->content_length, "0") == 0)
-		t->parse_finished = 1;
-
-	return 0;
+	return git_stream_set_proxy(t->io, &t->owner->proxy);
 }
 
-static int proxy_connect(
-	git_stream **out, git_stream *proxy_stream, http_subtransport *t)
+static int http_connect(http_subtransport *t)
 {
-	git_buf request = GIT_BUF_INIT;
-	static http_parser_settings proxy_parser_settings = {0};
-	size_t bytes_read = 0, bytes_parsed;
-	parser_context ctx;
-	bool auth_replay;
 	int error;
 
-	/* Use the parser settings only to parser headers. */
-	proxy_parser_settings.on_header_field = on_header_field;
-	proxy_parser_settings.on_header_value = on_header_value;
-	proxy_parser_settings.on_headers_complete = proxy_headers_complete;
-	proxy_parser_settings.on_message_complete = on_message_complete;
-
-replay:
-	clear_parser_state(t);
-
-	auth_replay = false;
-
-	gitno_buffer_setup_fromstream(proxy_stream,
-		&t->parse_buffer,
-		t->parse_buffer_data,
-		sizeof(t->parse_buffer_data));
-
-	if ((error = gen_connect_req(&request, t)) < 0)
-		goto done;
-
-	if ((error = git_stream__write_full(proxy_stream, request.ptr,
-					    request.size, 0)) < 0)
-		goto done;
-
-	git_buf_dispose(&request);
-
-	while (!bytes_read && !t->parse_finished) {
-		t->parse_buffer.offset = 0;
-
-		if ((error = gitno_recv(&t->parse_buffer)) < 0) {
-			goto done;
-		} else if (error == 0 && t->request_count > 0) {
-			/* Server closed a keep-alive socket; reconnect. */
-			auth_replay = true;
-			goto done;
-		} else if (error == 0) {
-			git_error_set(GIT_ERROR_NET, "unexpected disconnection from server");
-			error = -1;
-			goto done;
-		}
-
-		/*
-		 * This call to http_parser_execute will invoke the on_*
-		 * callbacks.  Since we don't care about the body of the response,
-		 * we can set our buffer to NULL.
-		 */
-		ctx.t = t;
-		ctx.s = NULL;
-		ctx.buffer = NULL;
-		ctx.buf_size = 0;
-		ctx.bytes_read = &bytes_read;
-
-		/* Set the context, call the parser, then unset the context. */
-		t->parser.data = &ctx;
-
-		bytes_parsed = http_parser_execute(&t->parser,
-			&proxy_parser_settings, t->parse_buffer.data, t->parse_buffer.offset);
-
-		t->parser.data = NULL;
-
-		/* Ensure that we didn't get a redirect; unsupported. */
-		if (t->location) {
-			git_error_set(GIT_ERROR_NET, "proxy server sent unsupported redirect during CONNECT");
-			error = -1;
-			goto done;
-		}
-
-		/* Replay the request with authentication headers. */
-		if (PARSE_ERROR_REPLAY == t->parse_error) {
-			auth_replay = true;
-		} else if (t->parse_error < 0) {
-			error = t->parse_error == PARSE_ERROR_EXT ? PARSE_ERROR_EXT : -1;
-			goto done;
-		}
-
-		if (bytes_parsed != t->parse_buffer.offset) {
-			git_error_set(GIT_ERROR_NET,
-				"HTTP parser error: %s",
-				http_errno_description((enum http_errno)t->parser.http_errno));
-			error = -1;
-			goto done;
-		}
-	}
-
-	t->request_count++;
-
-	if (auth_replay) {
-		if (t->keepalive && t->parse_finished)
-			goto replay;
+	if (t->connected &&
+		http_should_keep_alive(&t->parser) &&
+		t->parse_finished)
+		return 0;
 
-		return PARSE_ERROR_REPLAY;
+	if (t->io) {
+		git_stream_close(t->io);
+		git_stream_free(t->io);
+		t->io = NULL;
+		t->connected = 0;
 	}
 
-	if ((error = git_tls_stream_wrap(out, proxy_stream, t->server.url.host)) == 0)
-		error = stream_connect(*out, &t->server.url,
-		    t->owner->certificate_check_cb,
-			t->owner->message_cb_payload);
-
-	/*
-	 * Since we've connected via a HTTPS proxy tunnel, we don't behave
-	 * as if we have an HTTP proxy.
-	 */
-	t->proxy_opts.type = GIT_PROXY_NONE;
-	t->replay_count = 0;
-	t->request_count = 0;
-
-done:
-	return error;
-}
-
-static void reset_auth_connection(http_server *server)
-{
-	/*
-	 * If we've authenticated and we're doing "normal"
-	 * authentication with a request affinity (Basic, Digest)
-	 * then we want to _keep_ our context, since authentication
-	 * survives even through non-keep-alive connections.  If
-	 * we've authenticated and we're doing connection-based
-	 * authentication (NTLM, Negotiate) - indicated by the presence
-	 * of an `is_complete` callback - then we need to restart
-	 * authentication on a new connection.
-	 */
-
-	if (server->authenticated &&
-	    server->auth_context &&
-	    server->auth_context->connection_affinity) {
-		free_auth_context(server);
-
-		server->url_cred_presented = 0;
-		server->authenticated = 0;
+	if (t->connection_data.use_ssl) {
+		error = git_tls_stream_new(&t->io, t->connection_data.host, t->connection_data.port);
+	} else {
+#ifdef GIT_CURL
+		error = git_curl_stream_new(&t->io, t->connection_data.host, t->connection_data.port);
+#else
+		error = git_socket_stream_new(&t->io,  t->connection_data.host, t->connection_data.port);
+#endif
 	}
-}
-
-static int http_connect(http_subtransport *t)
-{
-	git_net_url *url;
-	git_stream *proxy_stream = NULL, *stream = NULL;
-	git_transport_certificate_check_cb cert_cb;
-	void *cb_payload;
-	int error;
-
-auth_replay:
-	if (t->connected && t->keepalive && t->parse_finished)
-		return 0;
 
-	if ((error = load_proxy_config(t)) < 0)
+	if (error < 0)
 		return error;
 
-	if (t->server.stream) {
-		git_stream_close(t->server.stream);
-		git_stream_free(t->server.stream);
-		t->server.stream = NULL;
-	}
-
-	if (t->proxy.stream) {
-		git_stream_close(t->proxy.stream);
-		git_stream_free(t->proxy.stream);
-		t->proxy.stream = NULL;
-	}
+	GITERR_CHECK_VERSION(t->io, GIT_STREAM_VERSION, "git_stream");
 
-	reset_auth_connection(&t->server);
-	reset_auth_connection(&t->proxy);
+	apply_proxy_config(t);
 
-	t->connected = 0;
-	t->keepalive = 0;
-	t->request_count = 0;
+	error = git_stream_connect(t->io);
 
-	if (t->proxy_opts.type == GIT_PROXY_SPECIFIED) {
-		url = &t->proxy.url;
-		cert_cb = t->proxy_opts.certificate_check;
-		cb_payload = t->proxy_opts.payload;
-	} else {
-		url = &t->server.url;
-		cert_cb = t->owner->certificate_check_cb;
-		cb_payload = t->owner->message_cb_payload;
-	}
+	if ((!error || error == GIT_ECERTIFICATE) && t->owner->certificate_check_cb != NULL &&
+	    git_stream_is_encrypted(t->io)) {
+		git_cert *cert;
+		int is_valid = (error == GIT_OK);
 
-	if (strcmp(url->scheme, "https") == 0)
-		error = git_tls_stream_new(&stream, url->host, url->port);
-	else
-		error = git_socket_stream_new(&stream, url->host, url->port);
+		if ((error = git_stream_certificate(&cert, t->io)) < 0)
+			return error;
 
-	if (error < 0)
-		goto on_error;
+		giterr_clear();
+		error = t->owner->certificate_check_cb(cert, is_valid, t->connection_data.host, t->owner->message_cb_payload);
 
-	if ((error = stream_connect(stream, url, cert_cb, cb_payload)) < 0)
-		goto on_error;
+		if (error < 0) {
+			if (!giterr_last())
+				giterr_set(GITERR_NET, "user cancelled certificate check");
 
-	/*
-	 * At this point we have a connection to the remote server or to
-	 * a proxy.  If it's a proxy and the remote server is actually
-	 * an HTTPS connection, then we need to build a CONNECT tunnel.
-	 */
-	if (t->proxy_opts.type == GIT_PROXY_SPECIFIED &&
-	    strcmp(t->server.url.scheme, "https") == 0) {
-		proxy_stream = stream;
-		stream = NULL;
-
-		error = proxy_connect(&stream, proxy_stream, t);
-
-		if (error == PARSE_ERROR_REPLAY) {
-			git_stream_close(proxy_stream);
-			git_stream_free(proxy_stream);
-			goto auth_replay;
-		} else if (error < 0) {
-			goto on_error;
+			return error;
 		}
 	}
 
-	t->proxy.stream = proxy_stream;
-	t->server.stream = stream;
+	if (error < 0)
+		return error;
+
 	t->connected = 1;
 	return 0;
-
-on_error:
-	if (stream) {
-		git_stream_close(stream);
-		git_stream_free(stream);
-	}
-
-	if (proxy_stream) {
-		git_stream_close(proxy_stream);
-		git_stream_free(proxy_stream);
-	}
-
-	return error;
 }
 
 static int http_stream_read(
@@ -1166,23 +659,26 @@ static int http_stream_read(
 	http_subtransport *t = OWNING_SUBTRANSPORT(s);
 	parser_context ctx;
 	size_t bytes_parsed;
-	git_buf request = GIT_BUF_INIT;
-	bool auth_replay;
-	int error = 0;
 
 replay:
 	*bytes_read = 0;
-	auth_replay = false;
 
 	assert(t->connected);
 
 	if (!s->sent_request) {
-		git_buf_clear(&request);
+		git_buf request = GIT_BUF_INIT;
+
 		clear_parser_state(t);
 
-		if ((error = gen_request(&request, s, 0)) < 0 ||
-		    (error = git_stream__write_full(t->server.stream, request.ptr, request.size, 0)) < 0)
-			goto done;
+		if (gen_request(&request, s, 0) < 0)
+			return -1;
+
+		if (git_stream_write(t->io, request.ptr, request.size, 0) < 0) {
+			git_buf_free(&request);
+			return -1;
+		}
+
+		git_buf_free(&request);
 
 		s->sent_request = 1;
 	}
@@ -1192,17 +688,15 @@ replay:
 			assert(s->verb == post_verb);
 
 			/* Flush, if necessary */
-			if (s->chunk_buffer_len > 0) {
-				if ((error = write_chunk(t->server.stream, s->chunk_buffer, s->chunk_buffer_len)) < 0)
-					goto done;
+			if (s->chunk_buffer_len > 0 &&
+				write_chunk(t->io, s->chunk_buffer, s->chunk_buffer_len) < 0)
+				return -1;
 
-				s->chunk_buffer_len = 0;
-			}
+			s->chunk_buffer_len = 0;
 
 			/* Write the final chunk. */
-			if ((error = git_stream__write_full(t->server.stream,
-						   "0\r\n\r\n", 5, 0)) < 0)
-				goto done;
+			if (git_stream_write(t->io, "0\r\n\r\n", 5, 0) < 0)
+				return -1;
 		}
 
 		s->received_response = 1;
@@ -1210,6 +704,7 @@ replay:
 
 	while (!*bytes_read && !t->parse_finished) {
 		size_t data_offset;
+		int error;
 
 		/*
 		 * Make the parse_buffer think it's as full of data as
@@ -1219,37 +714,26 @@ replay:
 		 * data_offset is the actual data offset from which we
 		 * should tell the parser to start reading.
 		 */
-		if (buf_size >= t->parse_buffer.len)
+		if (buf_size >= t->parse_buffer.len) {
 			t->parse_buffer.offset = 0;
-		else
+		} else {
 			t->parse_buffer.offset = t->parse_buffer.len - buf_size;
+		}
 
 		data_offset = t->parse_buffer.offset;
 
-		if ((error = gitno_recv(&t->parse_buffer)) < 0) {
-			goto done;
-		} else if (error == 0 && t->request_count > 0) {
-			/* Server closed a keep-alive socket; reconnect. */
-			auth_replay = true;
-			goto done;
-		} else if (error == 0) {
-			git_error_set(GIT_ERROR_NET, "unexpected disconnection from server");
-			error = -1;
-			goto done;
-		}
+		if (gitno_recv(&t->parse_buffer) < 0)
+			return -1;
 
-		/*
-		 * This call to http_parser_execute will result in invocations
-		 * of the on_* family of callbacks, including on_body_fill_buffer
-		 * which will write into the target buffer.  Set up the buffer
-		 * for it to write into _unless_ we got an auth failure; in
-		 * that case we only care about the headers and don't need to
-		 * bother copying the body.
-		 */
+		/* This call to http_parser_execute will result in invocations of the
+		 * on_* family of callbacks. The most interesting of these is
+		 * on_body_fill_buffer, which is called when data is ready to be copied
+		 * into the target buffer. We need to marshal the buffer, buf_size, and
+		 * bytes_read parameters to this callback. */
 		ctx.t = t;
 		ctx.s = s;
-		ctx.buffer = auth_replay ? NULL : buffer;
-		ctx.buf_size = auth_replay ? 0 : buf_size;
+		ctx.buffer = buffer;
+		ctx.buf_size = buf_size;
 		ctx.bytes_read = bytes_read;
 
 		/* Set the context, call the parser, then unset the context. */
@@ -1262,40 +746,33 @@ replay:
 
 		t->parser.data = NULL;
 
-		/* On a 401, read the rest of the response then retry. */
-		if (t->parse_error == PARSE_ERROR_REPLAY) {
-			auth_replay = true;
-		} else if (t->parse_error == PARSE_ERROR_EXT) {
-			error = t->error;
-			goto done;
-		} else if (t->parse_error < 0) {
-			error = -1;
-			goto done;
+		/* If there was a handled authentication failure, then parse_error
+		 * will have signaled us that we should replay the request. */
+		if (PARSE_ERROR_REPLAY == t->parse_error) {
+			s->sent_request = 0;
+
+			if ((error = http_connect(t)) < 0)
+				return error;
+
+			goto replay;
+		}
+
+		if (t->parse_error == PARSE_ERROR_EXT) {
+			return t->error;
 		}
 
+		if (t->parse_error < 0)
+			return -1;
+
 		if (bytes_parsed != t->parse_buffer.offset - data_offset) {
-			git_error_set(GIT_ERROR_NET,
+			giterr_set(GITERR_NET,
 				"HTTP parser error: %s",
 				http_errno_description((enum http_errno)t->parser.http_errno));
-			error = -1;
-			goto done;
+			return -1;
 		}
 	}
 
-	t->request_count++;
-
-	if (auth_replay) {
-		s->sent_request = 0;
-
-		if ((error = http_connect(t)) < 0)
-			return error;
-
-		goto replay;
-	}
-
-done:
-	git_buf_dispose(&request);
-	return error;
+	return 0;
 }
 
 static int http_stream_write_chunked(
@@ -1303,7 +780,7 @@ static int http_stream_write_chunked(
 	const char *buffer,
 	size_t len)
 {
-	http_stream *s = GIT_CONTAINER_OF(stream, http_stream, parent);
+	http_stream *s = (http_stream *)stream;
 	http_subtransport *t = OWNING_SUBTRANSPORT(s);
 
 	assert(t->connected);
@@ -1317,13 +794,12 @@ static int http_stream_write_chunked(
 		if (gen_request(&request, s, 0) < 0)
 			return -1;
 
-		if (git_stream__write_full(t->server.stream, request.ptr,
-					   request.size, 0) < 0) {
-			git_buf_dispose(&request);
+		if (git_stream_write(t->io, request.ptr, request.size, 0) < 0) {
+			git_buf_free(&request);
 			return -1;
 		}
 
-		git_buf_dispose(&request);
+		git_buf_free(&request);
 
 		s->sent_request = 1;
 	}
@@ -1331,25 +807,22 @@ static int http_stream_write_chunked(
 	if (len > CHUNK_SIZE) {
 		/* Flush, if necessary */
 		if (s->chunk_buffer_len > 0) {
-			if (write_chunk(t->server.stream,
-			    s->chunk_buffer, s->chunk_buffer_len) < 0)
+			if (write_chunk(t->io, s->chunk_buffer, s->chunk_buffer_len) < 0)
 				return -1;
 
 			s->chunk_buffer_len = 0;
 		}
 
 		/* Write chunk directly */
-		if (write_chunk(t->server.stream, buffer, len) < 0)
+		if (write_chunk(t->io, buffer, len) < 0)
 			return -1;
 	}
 	else {
 		/* Append as much to the buffer as we can */
 		int count = min(CHUNK_SIZE - s->chunk_buffer_len, len);
 
-		if (!s->chunk_buffer) {
+		if (!s->chunk_buffer)
 			s->chunk_buffer = git__malloc(CHUNK_SIZE);
-			GIT_ERROR_CHECK_ALLOC(s->chunk_buffer);
-		}
 
 		memcpy(s->chunk_buffer + s->chunk_buffer_len, buffer, count);
 		s->chunk_buffer_len += count;
@@ -1358,8 +831,7 @@ static int http_stream_write_chunked(
 
 		/* Is the buffer full? If so, then flush */
 		if (CHUNK_SIZE == s->chunk_buffer_len) {
-			if (write_chunk(t->server.stream,
-			    s->chunk_buffer, s->chunk_buffer_len) < 0)
+			if (write_chunk(t->io, s->chunk_buffer, s->chunk_buffer_len) < 0)
 				return -1;
 
 			s->chunk_buffer_len = 0;
@@ -1379,14 +851,14 @@ static int http_stream_write_single(
 	const char *buffer,
 	size_t len)
 {
-	http_stream *s = GIT_CONTAINER_OF(stream, http_stream, parent);
+	http_stream *s = (http_stream *)stream;
 	http_subtransport *t = OWNING_SUBTRANSPORT(s);
 	git_buf request = GIT_BUF_INIT;
 
 	assert(t->connected);
 
 	if (s->sent_request) {
-		git_error_set(GIT_ERROR_NET, "subtransport configured for only one write");
+		giterr_set(GITERR_NET, "subtransport configured for only one write");
 		return -1;
 	}
 
@@ -1395,25 +867,25 @@ static int http_stream_write_single(
 	if (gen_request(&request, s, len) < 0)
 		return -1;
 
-	if (git_stream__write_full(t->server.stream, request.ptr, request.size, 0) < 0)
+	if (git_stream_write(t->io, request.ptr, request.size, 0) < 0)
 		goto on_error;
 
-	if (len && git_stream__write_full(t->server.stream, buffer, len, 0) < 0)
+	if (len && git_stream_write(t->io, buffer, len, 0) < 0)
 		goto on_error;
 
-	git_buf_dispose(&request);
+	git_buf_free(&request);
 	s->sent_request = 1;
 
 	return 0;
 
 on_error:
-	git_buf_dispose(&request);
+	git_buf_free(&request);
 	return -1;
 }
 
 static void http_stream_free(git_smart_subtransport_stream *stream)
 {
-	http_stream *s = GIT_CONTAINER_OF(stream, http_stream, parent);
+	http_stream *s = (http_stream *)stream;
 
 	if (s->chunk_buffer)
 		git__free(s->chunk_buffer);
@@ -1433,7 +905,7 @@ static int http_stream_alloc(http_subtransport *t,
 		return -1;
 
 	s = git__calloc(sizeof(http_stream), 1);
-	GIT_ERROR_CHECK_ALLOC(s);
+	GITERR_CHECK_ALLOC(s);
 
 	s->parent.subtransport = &t->parent;
 	s->parent.read = http_stream_read;
@@ -1526,24 +998,16 @@ static int http_action(
 	const char *url,
 	git_smart_service_t action)
 {
-	http_subtransport *t = GIT_CONTAINER_OF(subtransport, http_subtransport, parent);
+	http_subtransport *t = (http_subtransport *)subtransport;
 	int ret;
 
-	assert(stream);
+	if (!stream)
+		return -1;
 
-	/*
-	 * If we've seen a redirect then preserve the location that we've
-	 * been given.  This is important to continue authorization against
-	 * the redirect target, not the user-given source; the endpoint may
-	 * have redirected us from HTTP->HTTPS and is using an auth mechanism
-	 * that would be insecure in plaintext (eg, HTTP Basic).
-	 */
-	if ((!t->server.url.host || !t->server.url.port || !t->server.url.path) &&
-	    (ret = git_net_url_parse(&t->server.url, url)) < 0)
+	if ((!t->connection_data.host || !t->connection_data.port || !t->connection_data.path) &&
+		 (ret = gitno_connection_data_from_url(&t->connection_data, url, NULL)) < 0)
 		return ret;
 
-	assert(t->server.url.host && t->server.url.port && t->server.url.path);
-
 	if ((ret = http_connect(t)) < 0)
 		return ret;
 
@@ -1567,47 +1031,50 @@ static int http_action(
 
 static int http_close(git_smart_subtransport *subtransport)
 {
-	http_subtransport *t = GIT_CONTAINER_OF(subtransport, http_subtransport, parent);
+	http_subtransport *t = (http_subtransport *) subtransport;
+	git_http_auth_context *context;
+	size_t i;
 
 	clear_parser_state(t);
 
 	t->connected = 0;
 
-	if (t->server.stream) {
-		git_stream_close(t->server.stream);
-		git_stream_free(t->server.stream);
-		t->server.stream = NULL;
+	if (t->io) {
+		git_stream_close(t->io);
+		git_stream_free(t->io);
+		t->io = NULL;
 	}
 
-	if (t->proxy.stream) {
-		git_stream_close(t->proxy.stream);
-		git_stream_free(t->proxy.stream);
-		t->proxy.stream = NULL;
+	if (t->cred) {
+		t->cred->free(t->cred);
+		t->cred = NULL;
 	}
 
-	free_cred(&t->server.cred);
-	free_cred(&t->proxy.cred);
-
-	free_auth_context(&t->server);
-	free_auth_context(&t->proxy);
+	if (t->url_cred) {
+		t->url_cred->free(t->url_cred);
+		t->url_cred = NULL;
+	}
 
-	t->server.url_cred_presented = false;
-	t->proxy.url_cred_presented = false;
+	git_vector_foreach(&t->auth_contexts, i, context) {
+		if (context->free)
+			context->free(context);
+	}
 
-	git_net_url_dispose(&t->server.url);
-	git_net_url_dispose(&t->proxy.url);
+	git_vector_clear(&t->auth_contexts);
 
-	git__free(t->proxy_url);
-	t->proxy_url = NULL;
+	gitno_connection_data_free_ptrs(&t->connection_data);
+	memset(&t->connection_data, 0x0, sizeof(gitno_connection_data));
 
 	return 0;
 }
 
 static void http_free(git_smart_subtransport *subtransport)
 {
-	http_subtransport *t = GIT_CONTAINER_OF(subtransport, http_subtransport, parent);
+	http_subtransport *t = (http_subtransport *) subtransport;
 
 	http_close(subtransport);
+
+	git_vector_free(&t->auth_contexts);
 	git__free(t);
 }
 
@@ -1621,7 +1088,7 @@ int git_smart_subtransport_http(git_smart_subtransport **out, git_transport *own
 		return -1;
 
 	t = git__calloc(sizeof(http_subtransport), 1);
-	GIT_ERROR_CHECK_ALLOC(t);
+	GITERR_CHECK_ALLOC(t);
 
 	t->owner = (transport_smart *)owner;
 	t->parent.action = http_action;