rugged 0.28.3.1 → 0.28.4

data/vendor/libgit2/src/transports/auth_negotiate.h

@@ -12,11 +12,11 @@
 #include "git2.h"
 #include "auth.h"
 
-#ifdef GIT_GSSAPI
+#if defined(GIT_GSSAPI) || defined(GIT_GSSFRAMEWORK)
 
 extern int git_http_auth_negotiate(
 	git_http_auth_context **out,
-	const gitno_connection_data *connection_data);
+	const git_net_url *url);
 
 #else
 

data/vendor/libgit2/src/transports/auth_ntlm.c

@@ -0,0 +1,223 @@
+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+
+#include "git2.h"
+#include "common.h"
+#include "buffer.h"
+#include "auth.h"
+#include "auth_ntlm.h"
+#include "git2/sys/cred.h"
+
+#ifdef GIT_NTLM
+
+#include "ntlm.h"
+
+typedef struct {
+	git_http_auth_context parent;
+	ntlm_client *ntlm;
+	char *challenge;
+	bool complete;
+} http_auth_ntlm_context;
+
+static int ntlm_set_challenge(
+	git_http_auth_context *c,
+	const char *challenge)
+{
+	http_auth_ntlm_context *ctx = (http_auth_ntlm_context *)c;
+
+	assert(ctx && challenge);
+
+	git__free(ctx->challenge);
+
+	ctx->challenge = git__strdup(challenge);
+	GIT_ERROR_CHECK_ALLOC(ctx->challenge);
+
+	return 0;
+}
+
+static int ntlm_set_credentials(http_auth_ntlm_context *ctx, git_cred *_cred)
+{
+	git_cred_userpass_plaintext *cred;
+	const char *sep, *username;
+	char *domain = NULL, *domainuser = NULL;
+	int error = 0;
+
+	assert(_cred->credtype == GIT_CREDTYPE_USERPASS_PLAINTEXT);
+	cred = (git_cred_userpass_plaintext *)_cred;
+
+	if ((sep = strchr(cred->username, '\\')) != NULL) {
+		domain = strndup(cred->username, (sep - cred->username));
+		GIT_ERROR_CHECK_ALLOC(domain);
+
+		domainuser = strdup(sep + 1);
+		GIT_ERROR_CHECK_ALLOC(domainuser);
+
+		username = domainuser;
+	} else {
+		username = cred->username;
+	}
+
+	if (ntlm_client_set_credentials(ctx->ntlm,
+	    username, domain, cred->password) < 0) {
+		git_error_set(GIT_ERROR_NET, "could not set credentials: %s",
+		    ntlm_client_errmsg(ctx->ntlm));
+		error = -1;
+		goto done;
+	}
+
+done:
+	git__free(domain);
+	git__free(domainuser);
+	return error;
+}
+
+static int ntlm_next_token(
+	git_buf *buf,
+	git_http_auth_context *c,
+	git_cred *cred)
+{
+	http_auth_ntlm_context *ctx = (http_auth_ntlm_context *)c;
+	git_buf input_buf = GIT_BUF_INIT;
+	const unsigned char *msg;
+	size_t challenge_len, msg_len;
+	int error = -1;
+
+	assert(buf && ctx && ctx->ntlm);
+
+	challenge_len = ctx->challenge ? strlen(ctx->challenge) : 0;
+
+	if (ctx->complete)
+		ntlm_client_reset(ctx->ntlm);
+
+	/*
+	 * Set us complete now since it's the default case; the one
+	 * incomplete case (successfully created a client request)
+	 * will explicitly set that it requires a second step.
+	 */
+	ctx->complete = true;
+
+	if (cred && ntlm_set_credentials(ctx, cred) != 0)
+		goto done;
+
+	if (challenge_len < 4) {
+		git_error_set(GIT_ERROR_NET, "no ntlm challenge sent from server");
+		goto done;
+	} else if (challenge_len == 4) {
+		if (memcmp(ctx->challenge, "NTLM", 4) != 0) {
+			git_error_set(GIT_ERROR_NET, "server did not request NTLM");
+			goto done;
+		}
+
+		if (ntlm_client_negotiate(&msg, &msg_len, ctx->ntlm) != 0) {
+			git_error_set(GIT_ERROR_NET, "ntlm authentication failed: %s",
+				ntlm_client_errmsg(ctx->ntlm));
+			goto done;
+		}
+
+		ctx->complete = false;
+	} else {
+		if (memcmp(ctx->challenge, "NTLM ", 5) != 0) {
+			git_error_set(GIT_ERROR_NET, "challenge from server was not NTLM");
+			goto done;
+		}
+
+		if (git_buf_decode_base64(&input_buf,
+		    ctx->challenge + 5, challenge_len - 5) < 0) {
+			git_error_set(GIT_ERROR_NET, "invalid NTLM challenge from server");
+			goto done;
+		}
+
+		if (ntlm_client_set_challenge(ctx->ntlm,
+		    (const unsigned char *)input_buf.ptr, input_buf.size) != 0) {
+			git_error_set(GIT_ERROR_NET, "ntlm challenge failed: %s",
+				ntlm_client_errmsg(ctx->ntlm));
+			goto done;
+		}
+
+		if (ntlm_client_response(&msg, &msg_len, ctx->ntlm) != 0) {
+			git_error_set(GIT_ERROR_NET, "ntlm authentication failed: %s",
+				ntlm_client_errmsg(ctx->ntlm));
+			goto done;
+		}
+	}
+
+	git_buf_puts(buf, "NTLM ");
+	git_buf_encode_base64(buf, (const char *)msg, msg_len);
+
+	if (git_buf_oom(buf))
+		goto done;
+
+	error = 0;
+
+done:
+	git_buf_dispose(&input_buf);
+	return error;
+}
+
+static int ntlm_is_complete(git_http_auth_context *c)
+{
+	http_auth_ntlm_context *ctx = (http_auth_ntlm_context *)c;
+
+	assert(ctx);
+	return (ctx->complete == true);
+}
+
+static void ntlm_context_free(git_http_auth_context *c)
+{
+	http_auth_ntlm_context *ctx = (http_auth_ntlm_context *)c;
+
+	ntlm_client_free(ctx->ntlm);
+	git__free(ctx->challenge);
+	git__free(ctx);
+}
+
+static int ntlm_init_context(
+	http_auth_ntlm_context *ctx,
+	const git_net_url *url)
+{
+	GIT_UNUSED(url);
+
+	if ((ctx->ntlm = ntlm_client_init(NTLM_CLIENT_DEFAULTS)) == NULL) {
+		git_error_set_oom();
+		return -1;
+	}
+
+	return 0;
+}
+
+int git_http_auth_ntlm(
+	git_http_auth_context **out,
+	const git_net_url *url)
+{
+	http_auth_ntlm_context *ctx;
+
+	GIT_UNUSED(url);
+
+	*out = NULL;
+
+	ctx = git__calloc(1, sizeof(http_auth_ntlm_context));
+	GIT_ERROR_CHECK_ALLOC(ctx);
+
+	if (ntlm_init_context(ctx, url) < 0) {
+		git__free(ctx);
+		return -1;
+	}
+
+	ctx->parent.type = GIT_AUTHTYPE_NTLM;
+	ctx->parent.credtypes = GIT_CREDTYPE_USERPASS_PLAINTEXT;
+	ctx->parent.connection_affinity = 1;
+	ctx->parent.set_challenge = ntlm_set_challenge;
+	ctx->parent.next_token = ntlm_next_token;
+	ctx->parent.is_complete = ntlm_is_complete;
+	ctx->parent.free = ntlm_context_free;
+
+	*out = (git_http_auth_context *)ctx;
+
+	return 0;
+}
+
+#endif /* GIT_NTLM */

data/vendor/libgit2/src/transports/auth_ntlm.h

@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) the libgit2 contributors. All rights reserved.
+ *
+ * This file is part of libgit2, distributed under the GNU GPL v2 with
+ * a Linking Exception. For full terms see the included COPYING file.
+ */
+
+#ifndef INCLUDE_transports_auth_ntlm_h__
+#define INCLUDE_transports_auth_ntlm_h__
+
+#include "git2.h"
+#include "auth.h"
+
+#ifdef GIT_NTLM
+
+#if defined(GIT_OPENSSL)
+# define CRYPT_OPENSSL
+#elif defined(GIT_MBEDTLS)
+# define CRYPT_MBEDTLS
+#elif defined(GIT_SECURE_TRANSPORT)
+# define CRYPT_COMMONCRYPTO
+#endif
+
+extern int git_http_auth_ntlm(
+	git_http_auth_context **out,
+	const git_net_url *url);
+
+#else
+
+#define git_http_auth_ntlm git_http_auth_dummy
+
+#endif /* GIT_NTLM */
+
+#endif
+

data/vendor/libgit2/src/transports/cred.c

@@ -5,10 +5,10 @@
  * a Linking Exception. For full terms see the included COPYING file.
  */
 
-#include "cred.h"
+#include "common.h"
 
-#include "git2.h"
-#include "smart.h"
+#include "git2/cred.h"
+#include "git2/sys/cred.h"
 #include "git2/cred_helpers.h"
 
 static int git_cred_ssh_key_type_new(
@@ -27,7 +27,7 @@ int git_cred_has_username(git_cred *cred)
 	return 1;
 }
 
-const char *git_cred__username(git_cred *cred)
+const char *git_cred_get_username(git_cred *cred)
 {
 	switch (cred->credtype) {
 	case GIT_CREDTYPE_USERNAME:
@@ -264,7 +264,7 @@ static int git_cred_ssh_key_type_new(
 int git_cred_ssh_interactive_new(
 	git_cred **out,
 	const char *username,
-	git_cred_ssh_interactive_callback prompt_callback,
+	git_cred_ssh_interactive_cb prompt_callback,
 	void *payload)
 {
 	git_cred_ssh_interactive *c;
@@ -312,7 +312,7 @@ int git_cred_ssh_custom_new(
 	const char *username,
 	const char *publickey,
 	size_t publickey_len,
-	git_cred_sign_callback sign_callback,
+	git_cred_sign_cb sign_callback,
 	void *payload)
 {
 	git_cred_ssh_custom *c;

data/vendor/libgit2/src/transports/git.c

@@ -192,8 +192,9 @@ static int _git_uploadpack_ls(
 	const char *url,
 	git_smart_subtransport_stream **stream)
 {
-	char *host=NULL, *port=NULL, *path=NULL, *user=NULL, *pass=NULL;
+	git_net_url urldata = GIT_NET_URL_INIT;
 	const char *stream_url = url;
+	const char *host, *port;
 	git_proto_stream *s;
 	int error;
 
@@ -202,17 +203,15 @@ static int _git_uploadpack_ls(
 	if (!git__prefixcmp(url, prefix_git))
 		stream_url += strlen(prefix_git);
 
-	if ((error = gitno_extract_url_parts(&host, &port, &path, &user, &pass, url, GIT_DEFAULT_PORT)) < 0)
+	if ((error = git_net_url_parse(&urldata, url)) < 0)
 		return error;
 
-	error = git_proto_stream_alloc(t, stream_url, cmd_uploadpack, host, port, stream);
+	host = urldata.host;
+	port = urldata.port ? urldata.port : GIT_DEFAULT_PORT;
 
-	git__free(host);
-	git__free(port);
-	git__free(path);
-	git__free(user);
-	git__free(pass);
+	error = git_proto_stream_alloc(t, stream_url, cmd_uploadpack, host, port, stream);
 
+	git_net_url_dispose(&urldata);
 
 	if (error < 0) {
 		git_proto_stream_free(*stream);
@@ -251,7 +250,7 @@ static int _git_receivepack_ls(
 	const char *url,
 	git_smart_subtransport_stream **stream)
 {
-	char *host=NULL, *port=NULL, *path=NULL, *user=NULL, *pass=NULL;
+	git_net_url urldata = GIT_NET_URL_INIT;
 	const char *stream_url = url;
 	git_proto_stream *s;
 	int error;
@@ -260,16 +259,12 @@ static int _git_receivepack_ls(
 	if (!git__prefixcmp(url, prefix_git))
 		stream_url += strlen(prefix_git);
 
-	if ((error = gitno_extract_url_parts(&host, &port, &path, &user, &pass, url, GIT_DEFAULT_PORT)) < 0)
+	if ((error = git_net_url_parse(&urldata, url)) < 0)
 		return error;
 
-	error = git_proto_stream_alloc(t, stream_url, cmd_receivepack, host, port, stream);
+	error = git_proto_stream_alloc(t, stream_url, cmd_receivepack, urldata.host, urldata.port, stream);
 
-	git__free(host);
-	git__free(port);
-	git__free(path);
-	git__free(user);
-	git__free(pass);
+	git_net_url_dispose(&urldata);
 
 	if (error < 0) {
 		git_proto_stream_free(*stream);

data/vendor/libgit2/src/transports/http.c

@@ -12,18 +12,22 @@
 #include "git2.h"
 #include "http_parser.h"
 #include "buffer.h"
+#include "net.h"
 #include "netops.h"
 #include "global.h"
 #include "remote.h"
+#include "git2/sys/cred.h"
 #include "smart.h"
 #include "auth.h"
 #include "http.h"
 #include "auth_negotiate.h"
+#include "auth_ntlm.h"
 #include "streams/tls.h"
 #include "streams/socket.h"
 
 git_http_auth_scheme auth_schemes[] = {
 	{ GIT_AUTHTYPE_NEGOTIATE, "Negotiate", GIT_CREDTYPE_DEFAULT, git_http_auth_negotiate },
+	{ GIT_AUTHTYPE_NTLM, "NTLM", GIT_CREDTYPE_USERPASS_PLAINTEXT, git_http_auth_ntlm },
 	{ GIT_AUTHTYPE_BASIC, "Basic", GIT_CREDTYPE_USERPASS_PLAINTEXT, git_http_auth_basic },
 };
 
@@ -71,14 +75,18 @@ typedef struct {
 } http_stream;
 
 typedef struct {
-	gitno_connection_data url;
+	git_net_url url;
 	git_stream *stream;
 
+	git_http_authtype_t authtypes;
+	git_credtype_t credtypes;
+
 	git_cred *cred;
-	git_cred *url_cred;
+	unsigned url_cred_presented : 1,
+	    authenticated : 1;
 
 	git_vector auth_challenges;
-	git_vector auth_contexts;
+	git_http_auth_context *auth_context;
 } http_server;
 
 typedef struct {
@@ -106,8 +114,10 @@ typedef struct {
 	enum last_cb last_cb;
 	int parse_error;
 	int error;
+	unsigned request_count;
 	unsigned parse_finished : 1,
-	    replay_count : 3;
+	    keepalive : 1,
+	    replay_count : 4;
 } http_subtransport;
 
 typedef struct {
@@ -120,66 +130,29 @@ typedef struct {
 	size_t *bytes_read;
 } parser_context;
 
-static bool credtype_match(git_http_auth_scheme *scheme, void *data)
-{
-	unsigned int credtype = *(unsigned int *)data;
-
-	return !!(scheme->credtypes & credtype);
-}
-
-static bool challenge_match(git_http_auth_scheme *scheme, void *data)
-{
-	const char *scheme_name = scheme->name;
-	const char *challenge = (const char *)data;
-	size_t scheme_len;
-
-	scheme_len = strlen(scheme_name);
-	return (strncasecmp(challenge, scheme_name, scheme_len) == 0 &&
-		(challenge[scheme_len] == '\0' || challenge[scheme_len] == ' '));
-}
-
-static int auth_context_match(
-	git_http_auth_context **out,
-	http_server *server,
-	bool (*scheme_match)(git_http_auth_scheme *scheme, void *data),
-	void *data)
+static git_http_auth_scheme *scheme_for_challenge(
+	const char *challenge,
+	git_cred *cred)
 {
 	git_http_auth_scheme *scheme = NULL;
-	git_http_auth_context *context = NULL, *c;
 	size_t i;
 
-	*out = NULL;
-
 	for (i = 0; i < ARRAY_SIZE(auth_schemes); i++) {
-		if (scheme_match(&auth_schemes[i], data)) {
-			scheme = &auth_schemes[i];
-			break;
-		}
-	}
+		const char *scheme_name = auth_schemes[i].name;
+		const git_credtype_t scheme_types = auth_schemes[i].credtypes;
+		size_t scheme_len;
 
-	if (!scheme)
-		return 0;
+		scheme_len = strlen(scheme_name);
 
-	/* See if authentication has already started for this scheme */
-	git_vector_foreach(&server->auth_contexts, i, c) {
-		if (c->type == scheme->type) {
-			context = c;
+		if ((!cred || (cred->credtype & scheme_types)) &&
+		    strncasecmp(challenge, scheme_name, scheme_len) == 0 &&
+		    (challenge[scheme_len] == '\0' || challenge[scheme_len] == ' ')) {
+			scheme = &auth_schemes[i];
 			break;
 		}
 	}
 
-	if (!context) {
-		if (scheme->init_context(&context, &server->url) < 0)
-			return -1;
-		else if (!context)
-			return 0;
-		else if (git_vector_insert(&server->auth_contexts, context) < 0)
-			return -1;
-	}
-
-	*out = context;
-
-	return 0;
+	return scheme;
 }
 
 static int apply_credentials(
@@ -187,31 +160,20 @@ static int apply_credentials(
 	http_server *server,
 	const char *header_name)
 {
-	git_cred *cred = server->cred;
-	git_http_auth_context *context;
-
-	/* Apply the credentials given to us in the URL */
-	if (!cred && server->url.user && server->url.pass) {
-		if (!server->url_cred &&
-			git_cred_userpass_plaintext_new(&server->url_cred,
-			    server->url.user, server->url.pass) < 0)
-			return -1;
-
-		cred = server->url_cred;
-	}
+	git_buf token = GIT_BUF_INIT;
+	int error = 0;
 
-	if (!cred)
-		return 0;
+	if (!server->auth_context)
+		goto done;
 
-	/* Get or create a context for the best scheme for this cred type */
-	if (auth_context_match(&context, server,
-	    credtype_match, &cred->credtype) < 0)
-		return -1;
+	if ((error = server->auth_context->next_token(&token, server->auth_context, server->cred)) < 0)
+		goto done;
 
-	if (!context)
-		return 0;
+	error = git_buf_printf(buf, "%s: %s\r\n", header_name, token.ptr);
 
-	return context->next_token(buf, context, header_name, cred);
+done:
+	git_buf_dispose(&token);
+	return error;
 }
 
 static int gen_request(
@@ -226,7 +188,7 @@ static int gen_request(
 	if (t->proxy_opts.type == GIT_PROXY_SPECIFIED)
 		git_buf_printf(buf, "%s %s://%s:%s%s%s HTTP/1.1\r\n",
 			s->verb,
-			t->server.url.use_ssl ? "https" : "http",
+			t->server.url.scheme,
 			t->server.url.host,
 			t->server.url.port,
 			path, s->service_url);
@@ -238,9 +200,10 @@ static int gen_request(
 	git_http__user_agent(buf);
 	git_buf_puts(buf, "\r\n");
 	git_buf_printf(buf, "Host: %s", t->server.url.host);
-	if (strcmp(t->server.url.port, gitno__default_port(&t->server.url)) != 0) {
+
+	if (!git_net_url_is_default_port(&t->server.url))
 		git_buf_printf(buf, ":%s", t->server.url.port);
-	}
+
 	git_buf_puts(buf, "\r\n");
 
 	if (s->chunked || content_length > 0) {
@@ -275,29 +238,86 @@ static int gen_request(
 	return 0;
 }
 
-static int parse_authenticate_response(
-	http_server *server,
-	int *allowed_types)
+static int set_authentication_challenge(http_server *server)
 {
-	git_http_auth_context *context;
+	const char *challenge;
+
+	if (git_vector_length(&server->auth_challenges) > 1) {
+		git_error_set(GIT_ERROR_NET, "received multiple authentication challenges");
+		return -1;
+	}
+
+	challenge = git_vector_get(&server->auth_challenges, 0);
+
+	if (server->auth_context->set_challenge)
+		return server->auth_context->set_challenge(server->auth_context, challenge);
+	else
+		return 0;
+}
+
+static int set_authentication_types(http_server *server)
+{
+	git_http_auth_scheme *scheme;
 	char *challenge;
 	size_t i;
 
 	git_vector_foreach(&server->auth_challenges, i, challenge) {
-		if (auth_context_match(&context, server,
-		    challenge_match, challenge) < 0)
-			return -1;
-		else if (!context)
-			continue;
+		if ((scheme = scheme_for_challenge(challenge, NULL)) != NULL) {
+			server->authtypes |= scheme->type;
+			server->credtypes |= scheme->credtypes;
+		}
+	}
 
-		if (context->set_challenge &&
-			context->set_challenge(context, challenge) < 0)
-			return -1;
+	return 0;
+}
+
+static bool auth_context_complete(http_server *server)
+{
+	/* If there's no is_complete function, we're always complete */
+	if (!server->auth_context->is_complete)
+		return true;
+
+	if (server->auth_context->is_complete(server->auth_context))
+		return true;
+
+	return false;
+}
+
+static void free_auth_context(http_server *server)
+{
+	if (!server->auth_context)
+		return;
 
-		*allowed_types |= context->credtypes;
+	if (server->auth_context->free)
+		server->auth_context->free(server->auth_context);
+
+	server->auth_context = NULL;
+}
+
+static int parse_authenticate_response(http_server *server)
+{
+	/*
+	 * If we think that we've completed authentication (ie, we've either
+	 * sent a basic credential or we've sent the NTLM/Negotiate response)
+	 * but we've got an authentication request from the server then our
+	 * last authentication did not succeed.  Start over.
+	 */
+	if (server->auth_context && auth_context_complete(server)) {
+		free_auth_context(server);
+
+		server->authenticated = 0;
 	}
 
-	return 0;
+	/*
+	 * If we've begun authentication, give the challenge to the context.
+	 * Otherwise, set up the types to prepare credentials.
+	 */
+	if (git_vector_length(&server->auth_challenges) == 0)
+		return 0;
+	else if (server->auth_context)
+		return set_authentication_challenge(server);
+	else
+		return set_authentication_types(server);
 }
 
 static int on_header_ready(http_subtransport *t)
@@ -396,55 +416,148 @@ GIT_INLINE(void) free_cred(git_cred **cred)
 	}
 }
 
+static int apply_url_credentials(
+	git_cred **cred,
+	unsigned int allowed_types,
+	const char *username,
+	const char *password)
+{
+	if (allowed_types & GIT_CREDTYPE_USERPASS_PLAINTEXT)
+		return git_cred_userpass_plaintext_new(cred, username, password);
+
+	if ((allowed_types & GIT_CREDTYPE_DEFAULT) && *username == '\0' && *password == '\0')
+		return git_cred_default_new(cred);
+
+	return GIT_PASSTHROUGH;
+}
+
+static int init_auth(http_server *server)
+{
+	git_http_auth_scheme *s, *scheme = NULL;
+	char *c, *challenge = NULL;
+	size_t i;
+	int error;
+
+	git_vector_foreach(&server->auth_challenges, i, c) {
+		s = scheme_for_challenge(c, server->cred);
+
+		if (s && !!(s->credtypes & server->credtypes)) {
+			scheme = s;
+			challenge = c;
+			break;
+		}
+	}
+
+	if (!scheme) {
+		git_error_set(GIT_ERROR_NET, "no authentication mechanism could be negotiated");
+		return -1;
+	}
+
+	if ((error = scheme->init_context(&server->auth_context, &server->url)) == GIT_PASSTHROUGH)
+		return 0;
+	else if (error < 0)
+		return error;
+
+	if (server->auth_context->set_challenge &&
+		(error = server->auth_context->set_challenge(server->auth_context, challenge)) < 0)
+		return error;
+
+	return 0;
+}
+
 static int on_auth_required(
-	git_cred **creds,
 	http_parser *parser,
+	http_server *server,
 	const char *url,
 	const char *type,
 	git_cred_acquire_cb callback,
-	void *callback_payload,
-	const char *username,
-	int allowed_types)
+	void *callback_payload)
 {
 	parser_context *ctx = (parser_context *) parser->data;
 	http_subtransport *t = ctx->t;
-	int ret;
+	int error = 1;
 
-	if (!allowed_types) {
+	if (parse_authenticate_response(server) < 0) {
+		t->parse_error = PARSE_ERROR_GENERIC;
+		return t->parse_error;
+	}
+
+	/* If we're in the middle of challenge/response auth, continue */
+	if (parser->status_code == 407 || parser->status_code == 401) {
+		if (server->auth_context && !auth_context_complete(server)) {
+			t->parse_error = PARSE_ERROR_REPLAY;
+			return 0;
+		}
+	}
+
+	/* Enforce a reasonable cap on the number of replays */
+	if (t->replay_count++ >= GIT_HTTP_REPLAY_MAX) {
+		git_error_set(GIT_ERROR_NET, "too many redirects or authentication replays");
+		return t->parse_error = PARSE_ERROR_GENERIC;
+	}
+
+	if (!server->credtypes) {
 		git_error_set(GIT_ERROR_NET, "%s requested authentication but did not negotiate mechanisms", type);
 		t->parse_error = PARSE_ERROR_GENERIC;
 		return t->parse_error;
 	}
 
-	if (callback) {
-		free_cred(creds);
-		ret = callback(creds, url, username, allowed_types, callback_payload);
+	free_auth_context(server);
+	free_cred(&server->cred);
 
-		if (ret == GIT_PASSTHROUGH) {
+	/* Start with URL-specified credentials, if there were any. */
+	if (!server->url_cred_presented && server->url.username && server->url.password) {
+		error = apply_url_credentials(&server->cred, server->credtypes, server->url.username, server->url.password);
+		server->url_cred_presented = 1;
+
+		if (error == GIT_PASSTHROUGH) {
 			/* treat GIT_PASSTHROUGH as if callback isn't set */
-		} else if (ret < 0) {
-			t->error = ret;
-			t->parse_error = PARSE_ERROR_EXT;
-			return t->parse_error;
-		} else {
-			assert(*creds);
-
-			if (!((*creds)->credtype & allowed_types)) {
-				git_error_set(GIT_ERROR_NET, "%s credential provider returned an invalid cred type", type);
-				t->parse_error = PARSE_ERROR_GENERIC;
-				return t->parse_error;
-			}
+			error = 1;
+		}
+	}
 
-			/* Successfully acquired a credential. */
-			t->parse_error = PARSE_ERROR_REPLAY;
-			return 0;
+	if (error > 0 && callback) {
+		error = callback(&server->cred, url, server->url.username, server->credtypes, callback_payload);
+
+		if (error == GIT_PASSTHROUGH) {
+			/* treat GIT_PASSTHROUGH as if callback isn't set */
+			error = 1;
 		}
 	}
 
-	git_error_set(GIT_ERROR_NET, "%s authentication required but no callback set",
-		type);
-	t->parse_error = PARSE_ERROR_GENERIC;
-	return t->parse_error;
+	if (error > 0) {
+		git_error_set(GIT_ERROR_NET, "%s authentication required but no callback set",
+			type);
+		t->parse_error = PARSE_ERROR_GENERIC;
+		return t->parse_error;
+	} else if (error < 0) {
+		t->error = error;
+		t->parse_error = PARSE_ERROR_EXT;
+		return t->parse_error;
+	}
+
+	assert(server->cred);
+
+    if (!(server->cred->credtype & server->credtypes)) {
+		git_error_set(GIT_ERROR_NET, "%s credential provider returned an invalid cred type", type);
+		t->parse_error = PARSE_ERROR_GENERIC;
+		return t->parse_error;
+	}
+
+	/* Successfully acquired a credential. Start an auth context. */
+	if (init_auth(server) < 0) {
+		t->parse_error = PARSE_ERROR_GENERIC;
+		return t->parse_error;
+	}
+
+	t->parse_error = PARSE_ERROR_REPLAY;
+	return 0;
+}
+
+static void on_auth_success(http_server *server)
+{
+	server->url_cred_presented = 0;
+	server->authenticated = 1;
 }
 
 static int on_headers_complete(http_parser *parser)
@@ -453,50 +566,35 @@ static int on_headers_complete(http_parser *parser)
 	http_subtransport *t = ctx->t;
 	http_stream *s = ctx->s;
 	git_buf buf = GIT_BUF_INIT;
-	int proxy_auth_types = 0, server_auth_types = 0;
-
-	/* Enforce a reasonable cap on the number of replays */
-	if (t->replay_count++ >= GIT_HTTP_REPLAY_MAX) {
-		git_error_set(GIT_ERROR_NET, "too many redirects or authentication replays");
-		return t->parse_error = PARSE_ERROR_GENERIC;
-	}
 
 	/* Both parse_header_name and parse_header_value are populated
 	 * and ready for consumption. */
-	if (VALUE == t->last_cb)
-		if (on_header_ready(t) < 0)
-			return t->parse_error = PARSE_ERROR_GENERIC;
-
-	/*
-	 * Capture authentication headers for the proxy or final endpoint,
-	 * these may be 407/401 (authentication is not complete) or a 200
-	 * (informing us that auth has completed).
-	 */
-	if (parse_authenticate_response(&t->proxy, &proxy_auth_types) < 0 ||
-	    parse_authenticate_response(&t->server, &server_auth_types) < 0)
+	if (t->last_cb == VALUE && on_header_ready(t) < 0)
 		return t->parse_error = PARSE_ERROR_GENERIC;
 
 	/* Check for a proxy authentication failure. */
 	if (parser->status_code == 407 && get_verb == s->verb)
-		return on_auth_required(&t->proxy.cred,
+		return on_auth_required(
 		    parser,
+		    &t->proxy,
 		    t->proxy_opts.url,
 		    SERVER_TYPE_PROXY,
 		    t->proxy_opts.credentials,
-		    t->proxy_opts.payload,
-		    t->proxy.url.user,
-			proxy_auth_types);
+		    t->proxy_opts.payload);
+	else
+		on_auth_success(&t->proxy);
 
 	/* Check for an authentication failure. */
 	if (parser->status_code == 401 && get_verb == s->verb)
-		return on_auth_required(&t->server.cred,
+		return on_auth_required(
 		    parser,
+		    &t->server,
 		    t->owner->url,
 		    SERVER_TYPE_REMOTE,
 		    t->owner->cred_acquire_cb,
-		    t->owner->cred_acquire_payload,
-		    t->server.url.user,
-		    server_auth_types);
+		    t->owner->cred_acquire_payload);
+	else
+		on_auth_success(&t->server);
 
 	/* Check for a redirect.
 	 * Right now we only permit a redirect to the same hostname. */
@@ -507,7 +605,7 @@ static int on_headers_complete(http_parser *parser)
 	     parser->status_code == 308) &&
 	    t->location) {
 
-		if (gitno_connection_data_from_url(&t->server.url, t->location, s->service_url) < 0)
+		if (gitno_connection_data_handle_redirect(&t->server.url, t->location, s->service_url) < 0)
 			return t->parse_error = PARSE_ERROR_GENERIC;
 
 		/* Set the redirect URL on the stream. This is a transfer of
@@ -569,6 +667,7 @@ static int on_message_complete(http_parser *parser)
 	http_subtransport *t = ctx->t;
 
 	t->parse_finished = 1;
+	t->keepalive = http_should_keep_alive(parser);
 
 	return 0;
 }
@@ -578,13 +677,6 @@ static int on_body_fill_buffer(http_parser *parser, const char *str, size_t len)
 	parser_context *ctx = (parser_context *) parser->data;
 	http_subtransport *t = ctx->t;
 
-	/* If our goal is to replay the request (either an auth failure or
-	 * a redirect) then don't bother buffering since we're ignoring the
-	 * content anyway.
-	 */
-	if (t->parse_error == PARSE_ERROR_REPLAY)
-		return 0;
-
 	/* If there's no buffer set, we're explicitly ignoring the body. */
 	if (ctx->buffer) {
 		if (ctx->buf_size < len) {
@@ -613,6 +705,7 @@ static void clear_parser_state(http_subtransport *t)
 	t->last_cb = NONE;
 	t->parse_error = 0;
 	t->parse_finished = 0;
+	t->keepalive = 0;
 
 	git_buf_dispose(&t->parse_header_name);
 	git_buf_init(&t->parse_header_name, 0);
@@ -673,10 +766,10 @@ static int load_proxy_config(http_subtransport *t)
 		git__free(t->proxy_url);
 		t->proxy_url = NULL;
 
-		git_proxy_init_options(&t->proxy_opts, GIT_PROXY_OPTIONS_VERSION);
+		git_proxy_options_init(&t->proxy_opts, GIT_PROXY_OPTIONS_VERSION);
 
 		if ((error = git_remote__get_http_proxy(t->owner->owner,
-		    !!t->server.url.use_ssl, &t->proxy_url)) < 0)
+			!strcmp(t->server.url.scheme, "https"), &t->proxy_url)) < 0)
 			return error;
 
 		if (!t->proxy_url)
@@ -698,20 +791,14 @@ static int load_proxy_config(http_subtransport *t)
 		return -1;
 	}
 
-	if ((error = gitno_connection_data_from_url(&t->proxy.url, t->proxy_opts.url, NULL)) < 0)
-		return error;
+	git_net_url_dispose(&t->proxy.url);
 
-	if (t->proxy.url.use_ssl) {
-		git_error_set(GIT_ERROR_NET, "SSL connections to proxy are not supported");
-		return -1;
-	}
-
-	return error;
+	return git_net_url_parse(&t->proxy.url, t->proxy_opts.url);
 }
 
 static int check_certificate(
 	git_stream *stream,
-	gitno_connection_data *url,
+	git_net_url *url,
 	int is_valid,
 	git_transport_certificate_check_cb cert_cb,
 	void *cert_cb_payload)
@@ -740,7 +827,7 @@ static int check_certificate(
 
 static int stream_connect(
 	git_stream *stream,
-	gitno_connection_data *url,
+	git_net_url *url,
 	git_transport_certificate_check_cb cert_cb,
 	void *cb_payload)
 {
@@ -782,18 +869,10 @@ static int proxy_headers_complete(http_parser *parser)
 {
 	parser_context *ctx = (parser_context *) parser->data;
 	http_subtransport *t = ctx->t;
-	int proxy_auth_types = 0;
-
-	/* Enforce a reasonable cap on the number of replays */
-	if (t->replay_count++ >= GIT_HTTP_REPLAY_MAX) {
-		git_error_set(GIT_ERROR_NET, "too many redirects or authentication replays");
-		return t->parse_error = PARSE_ERROR_GENERIC;
-	}
 
 	/* Both parse_header_name and parse_header_value are populated
 	 * and ready for consumption. */
-	if (VALUE == t->last_cb)
-		if (on_header_ready(t) < 0)
+	if (t->last_cb == VALUE && on_header_ready(t) < 0)
 			return t->parse_error = PARSE_ERROR_GENERIC;
 
 	/*
@@ -801,19 +880,32 @@ static int proxy_headers_complete(http_parser *parser)
 	 * these may be 407/401 (authentication is not complete) or a 200
 	 * (informing us that auth has completed).
 	 */
-	if (parse_authenticate_response(&t->proxy, &proxy_auth_types) < 0)
+	if (parse_authenticate_response(&t->proxy) < 0)
 		return t->parse_error = PARSE_ERROR_GENERIC;
 
+	/* If we're in the middle of challenge/response auth, continue */
+	if (parser->status_code == 407) {
+		if (t->proxy.auth_context && !auth_context_complete(&t->proxy)) {
+			t->parse_error = PARSE_ERROR_REPLAY;
+			return 0;
+		}
+	}
+
+	/* Enforce a reasonable cap on the number of replays */
+	if (t->replay_count++ >= GIT_HTTP_REPLAY_MAX) {
+		git_error_set(GIT_ERROR_NET, "too many redirects or authentication replays");
+		return t->parse_error = PARSE_ERROR_GENERIC;
+	}
+
 	/* Check for a proxy authentication failure. */
 	if (parser->status_code == 407)
-		return on_auth_required(&t->proxy.cred,
+		return on_auth_required(
 			parser,
+			&t->proxy,
 			t->proxy_opts.url,
 			SERVER_TYPE_PROXY,
 			t->proxy_opts.credentials,
-			t->proxy_opts.payload,
-			t->proxy.url.user,
-			proxy_auth_types);
+			t->proxy_opts.payload);
 
 	if (parser->status_code != 200) {
 		git_error_set(GIT_ERROR_NET, "unexpected status code from proxy: %d",
@@ -834,6 +926,7 @@ static int proxy_connect(
 	static http_parser_settings proxy_parser_settings = {0};
 	size_t bytes_read = 0, bytes_parsed;
 	parser_context ctx;
+	bool auth_replay;
 	int error;
 
 	/* Use the parser settings only to parser headers. */
@@ -845,6 +938,8 @@ static int proxy_connect(
 replay:
 	clear_parser_state(t);
 
+	auth_replay = false;
+
 	gitno_buffer_setup_fromstream(proxy_stream,
 		&t->parse_buffer,
 		t->parse_buffer_data,
@@ -862,8 +957,17 @@ replay:
 	while (!bytes_read && !t->parse_finished) {
 		t->parse_buffer.offset = 0;
 
-		if ((error = gitno_recv(&t->parse_buffer)) < 0)
+		if ((error = gitno_recv(&t->parse_buffer)) < 0) {
+			goto done;
+		} else if (error == 0 && t->request_count > 0) {
+			/* Server closed a keep-alive socket; reconnect. */
+			auth_replay = true;
+			goto done;
+		} else if (error == 0) {
+			git_error_set(GIT_ERROR_NET, "unexpected disconnection from server");
+			error = -1;
 			goto done;
+		}
 
 		/*
 		 * This call to http_parser_execute will invoke the on_*
@@ -892,10 +996,9 @@ replay:
 		}
 
 		/* Replay the request with authentication headers. */
-		if (PARSE_ERROR_REPLAY == t->parse_error)
-			goto replay;
-
-		if (t->parse_error < 0) {
+		if (PARSE_ERROR_REPLAY == t->parse_error) {
+			auth_replay = true;
+		} else if (t->parse_error < 0) {
 			error = t->parse_error == PARSE_ERROR_EXT ? PARSE_ERROR_EXT : -1;
 			goto done;
 		}
@@ -909,6 +1012,15 @@ replay:
 		}
 	}
 
+	t->request_count++;
+
+	if (auth_replay) {
+		if (t->keepalive && t->parse_finished)
+			goto replay;
+
+		return PARSE_ERROR_REPLAY;
+	}
+
 	if ((error = git_tls_stream_wrap(out, proxy_stream, t->server.url.host)) == 0)
 		error = stream_connect(*out, &t->server.url,
 		    t->owner->certificate_check_cb,
@@ -920,22 +1032,45 @@ replay:
 	 */
 	t->proxy_opts.type = GIT_PROXY_NONE;
 	t->replay_count = 0;
+	t->request_count = 0;
 
 done:
 	return error;
 }
 
+static void reset_auth_connection(http_server *server)
+{
+	/*
+	 * If we've authenticated and we're doing "normal"
+	 * authentication with a request affinity (Basic, Digest)
+	 * then we want to _keep_ our context, since authentication
+	 * survives even through non-keep-alive connections.  If
+	 * we've authenticated and we're doing connection-based
+	 * authentication (NTLM, Negotiate) - indicated by the presence
+	 * of an `is_complete` callback - then we need to restart
+	 * authentication on a new connection.
+	 */
+
+	if (server->authenticated &&
+	    server->auth_context &&
+	    server->auth_context->connection_affinity) {
+		free_auth_context(server);
+
+		server->url_cred_presented = 0;
+		server->authenticated = 0;
+	}
+}
+
 static int http_connect(http_subtransport *t)
 {
-	gitno_connection_data *url;
+	git_net_url *url;
 	git_stream *proxy_stream = NULL, *stream = NULL;
 	git_transport_certificate_check_cb cert_cb;
 	void *cb_payload;
 	int error;
 
-	if (t->connected &&
-		http_should_keep_alive(&t->parser) &&
-		t->parse_finished)
+auth_replay:
+	if (t->connected && t->keepalive && t->parse_finished)
 		return 0;
 
 	if ((error = load_proxy_config(t)) < 0)
@@ -953,7 +1088,12 @@ static int http_connect(http_subtransport *t)
 		t->proxy.stream = NULL;
 	}
 
+	reset_auth_connection(&t->server);
+	reset_auth_connection(&t->proxy);
+
 	t->connected = 0;
+	t->keepalive = 0;
+	t->request_count = 0;
 
 	if (t->proxy_opts.type == GIT_PROXY_SPECIFIED) {
 		url = &t->proxy.url;
@@ -965,7 +1105,7 @@ static int http_connect(http_subtransport *t)
 		cb_payload = t->owner->message_cb_payload;
 	}
 
-	if (url->use_ssl)
+	if (strcmp(url->scheme, "https") == 0)
 		error = git_tls_stream_new(&stream, url->host, url->port);
 	else
 		error = git_socket_stream_new(&stream, url->host, url->port);
@@ -982,18 +1122,24 @@ static int http_connect(http_subtransport *t)
 	 * an HTTPS connection, then we need to build a CONNECT tunnel.
 	 */
 	if (t->proxy_opts.type == GIT_PROXY_SPECIFIED &&
-		t->server.url.use_ssl) {
+	    strcmp(t->server.url.scheme, "https") == 0) {
 		proxy_stream = stream;
 		stream = NULL;
 
-		if ((error = proxy_connect(&stream, proxy_stream, t)) < 0)
+		error = proxy_connect(&stream, proxy_stream, t);
+
+		if (error == PARSE_ERROR_REPLAY) {
+			git_stream_close(proxy_stream);
+			git_stream_free(proxy_stream);
+			goto auth_replay;
+		} else if (error < 0) {
 			goto on_error;
+		}
 	}
 
 	t->proxy.stream = proxy_stream;
 	t->server.stream = stream;
 	t->connected = 1;
-	t->replay_count = 0;
 	return 0;
 
 on_error:
@@ -1020,27 +1166,23 @@ static int http_stream_read(
 	http_subtransport *t = OWNING_SUBTRANSPORT(s);
 	parser_context ctx;
 	size_t bytes_parsed;
+	git_buf request = GIT_BUF_INIT;
+	bool auth_replay;
+	int error = 0;
 
 replay:
 	*bytes_read = 0;
+	auth_replay = false;
 
 	assert(t->connected);
 
 	if (!s->sent_request) {
-		git_buf request = GIT_BUF_INIT;
-
+		git_buf_clear(&request);
 		clear_parser_state(t);
 
-		if (gen_request(&request, s, 0) < 0)
-			return -1;
-
-		if (git_stream__write_full(t->server.stream, request.ptr,
-					   request.size, 0) < 0) {
-			git_buf_dispose(&request);
-			return -1;
-		}
-
-		git_buf_dispose(&request);
+		if ((error = gen_request(&request, s, 0)) < 0 ||
+		    (error = git_stream__write_full(t->server.stream, request.ptr, request.size, 0)) < 0)
+			goto done;
 
 		s->sent_request = 1;
 	}
@@ -1050,17 +1192,17 @@ replay:
 			assert(s->verb == post_verb);
 
 			/* Flush, if necessary */
-			if (s->chunk_buffer_len > 0 &&
-				write_chunk(t->server.stream,
-				    s->chunk_buffer, s->chunk_buffer_len) < 0)
-				return -1;
+			if (s->chunk_buffer_len > 0) {
+				if ((error = write_chunk(t->server.stream, s->chunk_buffer, s->chunk_buffer_len)) < 0)
+					goto done;
 
-			s->chunk_buffer_len = 0;
+				s->chunk_buffer_len = 0;
+			}
 
 			/* Write the final chunk. */
-			if (git_stream__write_full(t->server.stream,
-						   "0\r\n\r\n", 5, 0) < 0)
-				return -1;
+			if ((error = git_stream__write_full(t->server.stream,
+						   "0\r\n\r\n", 5, 0)) < 0)
+				goto done;
 		}
 
 		s->received_response = 1;
@@ -1068,7 +1210,6 @@ replay:
 
 	while (!*bytes_read && !t->parse_finished) {
 		size_t data_offset;
-		int error;
 
 		/*
 		 * Make the parse_buffer think it's as full of data as
@@ -1078,26 +1219,37 @@ replay:
 		 * data_offset is the actual data offset from which we
 		 * should tell the parser to start reading.
 		 */
-		if (buf_size >= t->parse_buffer.len) {
+		if (buf_size >= t->parse_buffer.len)
 			t->parse_buffer.offset = 0;
-		} else {
+		else
 			t->parse_buffer.offset = t->parse_buffer.len - buf_size;
-		}
 
 		data_offset = t->parse_buffer.offset;
 
-		if (gitno_recv(&t->parse_buffer) < 0)
-			return -1;
+		if ((error = gitno_recv(&t->parse_buffer)) < 0) {
+			goto done;
+		} else if (error == 0 && t->request_count > 0) {
+			/* Server closed a keep-alive socket; reconnect. */
+			auth_replay = true;
+			goto done;
+		} else if (error == 0) {
+			git_error_set(GIT_ERROR_NET, "unexpected disconnection from server");
+			error = -1;
+			goto done;
+		}
 
-		/* This call to http_parser_execute will result in invocations of the
-		 * on_* family of callbacks. The most interesting of these is
-		 * on_body_fill_buffer, which is called when data is ready to be copied
-		 * into the target buffer. We need to marshal the buffer, buf_size, and
-		 * bytes_read parameters to this callback. */
+		/*
+		 * This call to http_parser_execute will result in invocations
+		 * of the on_* family of callbacks, including on_body_fill_buffer
+		 * which will write into the target buffer.  Set up the buffer
+		 * for it to write into _unless_ we got an auth failure; in
+		 * that case we only care about the headers and don't need to
+		 * bother copying the body.
+		 */
 		ctx.t = t;
 		ctx.s = s;
-		ctx.buffer = buffer;
-		ctx.buf_size = buf_size;
+		ctx.buffer = auth_replay ? NULL : buffer;
+		ctx.buf_size = auth_replay ? 0 : buf_size;
 		ctx.bytes_read = bytes_read;
 
 		/* Set the context, call the parser, then unset the context. */
@@ -1110,33 +1262,40 @@ replay:
 
 		t->parser.data = NULL;
 
-		/* If there was a handled authentication failure, then parse_error
-		 * will have signaled us that we should replay the request. */
-		if (PARSE_ERROR_REPLAY == t->parse_error) {
-			s->sent_request = 0;
-
-			if ((error = http_connect(t)) < 0)
-				return error;
-
-			goto replay;
-		}
-
-		if (t->parse_error == PARSE_ERROR_EXT) {
-			return t->error;
+		/* On a 401, read the rest of the response then retry. */
+		if (t->parse_error == PARSE_ERROR_REPLAY) {
+			auth_replay = true;
+		} else if (t->parse_error == PARSE_ERROR_EXT) {
+			error = t->error;
+			goto done;
+		} else if (t->parse_error < 0) {
+			error = -1;
+			goto done;
 		}
 
-		if (t->parse_error < 0)
-			return -1;
-
 		if (bytes_parsed != t->parse_buffer.offset - data_offset) {
 			git_error_set(GIT_ERROR_NET,
 				"HTTP parser error: %s",
 				http_errno_description((enum http_errno)t->parser.http_errno));
-			return -1;
+			error = -1;
+			goto done;
 		}
 	}
 
-	return 0;
+	t->request_count++;
+
+	if (auth_replay) {
+		s->sent_request = 0;
+
+		if ((error = http_connect(t)) < 0)
+			return error;
+
+		goto replay;
+	}
+
+done:
+	git_buf_dispose(&request);
+	return error;
 }
 
 static int http_stream_write_chunked(
@@ -1144,7 +1303,7 @@ static int http_stream_write_chunked(
 	const char *buffer,
 	size_t len)
 {
-	http_stream *s = (http_stream *)stream;
+	http_stream *s = GIT_CONTAINER_OF(stream, http_stream, parent);
 	http_subtransport *t = OWNING_SUBTRANSPORT(s);
 
 	assert(t->connected);
@@ -1187,8 +1346,10 @@ static int http_stream_write_chunked(
 		/* Append as much to the buffer as we can */
 		int count = min(CHUNK_SIZE - s->chunk_buffer_len, len);
 
-		if (!s->chunk_buffer)
+		if (!s->chunk_buffer) {
 			s->chunk_buffer = git__malloc(CHUNK_SIZE);
+			GIT_ERROR_CHECK_ALLOC(s->chunk_buffer);
+		}
 
 		memcpy(s->chunk_buffer + s->chunk_buffer_len, buffer, count);
 		s->chunk_buffer_len += count;
@@ -1218,7 +1379,7 @@ static int http_stream_write_single(
 	const char *buffer,
 	size_t len)
 {
-	http_stream *s = (http_stream *)stream;
+	http_stream *s = GIT_CONTAINER_OF(stream, http_stream, parent);
 	http_subtransport *t = OWNING_SUBTRANSPORT(s);
 	git_buf request = GIT_BUF_INIT;
 
@@ -1252,7 +1413,7 @@ on_error:
 
 static void http_stream_free(git_smart_subtransport_stream *stream)
 {
-	http_stream *s = (http_stream *)stream;
+	http_stream *s = GIT_CONTAINER_OF(stream, http_stream, parent);
 
 	if (s->chunk_buffer)
 		git__free(s->chunk_buffer);
@@ -1365,7 +1526,7 @@ static int http_action(
 	const char *url,
 	git_smart_service_t action)
 {
-	http_subtransport *t = (http_subtransport *)subtransport;
+	http_subtransport *t = GIT_CONTAINER_OF(subtransport, http_subtransport, parent);
 	int ret;
 
 	assert(stream);
@@ -1378,7 +1539,7 @@ static int http_action(
 	 * that would be insecure in plaintext (eg, HTTP Basic).
 	 */
 	if ((!t->server.url.host || !t->server.url.port || !t->server.url.path) &&
-	    (ret = gitno_connection_data_from_url(&t->server.url, url, NULL)) < 0)
+	    (ret = git_net_url_parse(&t->server.url, url)) < 0)
 		return ret;
 
 	assert(t->server.url.host && t->server.url.port && t->server.url.path);
@@ -1404,22 +1565,9 @@ static int http_action(
 	return -1;
 }
 
-static void free_auth_contexts(git_vector *contexts)
-{
-	git_http_auth_context *context;
-	size_t i;
-
-	git_vector_foreach(contexts, i, context) {
-		if (context->free)
-			context->free(context);
-	}
-
-	git_vector_clear(contexts);
-}
-
 static int http_close(git_smart_subtransport *subtransport)
 {
-	http_subtransport *t = (http_subtransport *) subtransport;
+	http_subtransport *t = GIT_CONTAINER_OF(subtransport, http_subtransport, parent);
 
 	clear_parser_state(t);
 
@@ -1438,18 +1586,16 @@ static int http_close(git_smart_subtransport *subtransport)
 	}
 
 	free_cred(&t->server.cred);
-	free_cred(&t->server.url_cred);
 	free_cred(&t->proxy.cred);
-	free_cred(&t->proxy.url_cred);
 
-	free_auth_contexts(&t->server.auth_contexts);
-	free_auth_contexts(&t->proxy.auth_contexts);
+	free_auth_context(&t->server);
+	free_auth_context(&t->proxy);
 
-	gitno_connection_data_free_ptrs(&t->server.url);
-	memset(&t->server.url, 0x0, sizeof(gitno_connection_data));
+	t->server.url_cred_presented = false;
+	t->proxy.url_cred_presented = false;
 
-	gitno_connection_data_free_ptrs(&t->proxy.url);
-	memset(&t->proxy.url, 0x0, sizeof(gitno_connection_data));
+	git_net_url_dispose(&t->server.url);
+	git_net_url_dispose(&t->proxy.url);
 
 	git__free(t->proxy_url);
 	t->proxy_url = NULL;
@@ -1459,12 +1605,9 @@ static int http_close(git_smart_subtransport *subtransport)
 
 static void http_free(git_smart_subtransport *subtransport)
 {
-	http_subtransport *t = (http_subtransport *) subtransport;
+	http_subtransport *t = GIT_CONTAINER_OF(subtransport, http_subtransport, parent);
 
 	http_close(subtransport);
-
-	git_vector_free(&t->server.auth_contexts);
-	git_vector_free(&t->proxy.auth_contexts);
 	git__free(t);
 }