rugged 1.0.0 → 1.2.0

data/vendor/libgit2/src/transports/httpclient.h

@@ -90,7 +90,7 @@ extern int git_http_client_new(
 
 /*
  * Sends a request to the host specified by the request URL.  If the
- * method is POST, either the the content_length or the chunked flag must
+ * method is POST, either the content_length or the chunked flag must
  * be specified.  The body should be provided in subsequent calls to
  * git_http_client_send_body.
  *

data/vendor/libgit2/src/transports/local.c

@@ -36,7 +36,7 @@ typedef struct {
 	char *url;
 	int direction;
 	int flags;
-	git_atomic cancelled;
+	git_atomic32 cancelled;
 	git_repository *repo;
 	git_transport_message_cb progress_cb;
 	git_transport_message_cb error_cb;
@@ -158,7 +158,7 @@ static int store_refs(transport_local *t)
 	git_remote_head *head;
 	git_strarray ref_names = {0};
 
-	assert(t);
+	GIT_ASSERT_ARG(t);
 
 	if (git_reference_list(&ref_names, t->repo) < 0)
 		goto on_error;
@@ -185,12 +185,12 @@ static int store_refs(transport_local *t)
 	}
 
 	t->have_refs = 1;
-	git_strarray_free(&ref_names);
+	git_strarray_dispose(&ref_names);
 	return 0;
 
 on_error:
 	git_vector_free(&t->refs);
-	git_strarray_free(&ref_names);
+	git_strarray_dispose(&ref_names);
 	return -1;
 }
 
@@ -671,7 +671,7 @@ static void local_cancel(git_transport *transport)
 {
 	transport_local *t = (transport_local *)transport;
 
-	git_atomic_set(&t->cancelled, 1);
+	git_atomic32_set(&t->cancelled, 1);
 }
 
 static int local_close(git_transport *transport)

data/vendor/libgit2/src/transports/smart.c

@@ -18,7 +18,7 @@ static int git_smart__recv_cb(gitno_buffer *buf)
 	size_t old_len, bytes_read;
 	int error;
 
-	assert(t->current_stream);
+	GIT_ASSERT(t->current_stream);
 
 	old_len = buf->offset;
 
@@ -30,7 +30,7 @@ static int git_smart__recv_cb(gitno_buffer *buf)
 	if (t->packetsize_cb && !t->cancelled.val) {
 		error = t->packetsize_cb(bytes_read, t->packetsize_payload);
 		if (error) {
-			git_atomic_set(&t->cancelled, 1);
+			git_atomic32_set(&t->cancelled, 1);
 			return GIT_EUSER;
 		}
 	}
@@ -132,7 +132,7 @@ static int git_smart__set_custom_headers(
 	size_t i;
 
 	if (t->custom_headers.count)
-		git_strarray_free(&t->custom_headers);
+		git_strarray_dispose(&t->custom_headers);
 
 	if (!custom_headers)
 		return 0;
@@ -226,6 +226,8 @@ static int git_smart__connect(
 	t->url = git__strdup(url);
 	GIT_ERROR_CHECK_ALLOC(t->url);
 
+	git_proxy_options_clear(&t->proxy);
+
 	if (git_proxy_options_dup(&t->proxy, proxy) < 0)
 		return -1;
 
@@ -346,7 +348,7 @@ int git_smart__negotiation_step(git_transport *transport, void *data, size_t len
 		return error;
 
 	/* If this is a stateful implementation, the stream we get back should be the same */
-	assert(t->rpc || t->current_stream == stream);
+	GIT_ASSERT(t->rpc || t->current_stream == stream);
 
 	/* Save off the current stream (i.e. socket) that we are working with */
 	t->current_stream = stream;
@@ -375,7 +377,7 @@ int git_smart__get_push_stream(transport_smart *t, git_smart_subtransport_stream
 		return error;
 
 	/* If this is a stateful implementation, the stream we get back should be the same */
-	assert(t->rpc || t->current_stream == *stream);
+	GIT_ASSERT(t->rpc || t->current_stream == *stream);
 
 	/* Save off the current stream (i.e. socket) that we are working with */
 	t->current_stream = *stream;
@@ -389,7 +391,7 @@ static void git_smart__cancel(git_transport *transport)
 {
 	transport_smart *t = GIT_CONTAINER_OF(transport, transport_smart, parent);
 
-	git_atomic_set(&t->cancelled, 1);
+	git_atomic32_set(&t->cancelled, 1);
 }
 
 static int git_smart__is_connected(git_transport *transport)
@@ -465,7 +467,7 @@ static void git_smart__free(git_transport *transport)
 	git_vector_free(refs);
 	git__free((char *)t->proxy.url);
 
-	git_strarray_free(&t->custom_headers);
+	git_strarray_dispose(&t->custom_headers);
 
 	git__free(t);
 }
@@ -481,7 +483,9 @@ int git_transport_smart_certificate_check(git_transport *transport, git_cert *ce
 {
 	transport_smart *t = GIT_CONTAINER_OF(transport, transport_smart, parent);
 
-	assert(transport && cert && hostname);
+	GIT_ASSERT_ARG(transport);
+	GIT_ASSERT_ARG(cert);
+	GIT_ASSERT_ARG(hostname);
 
 	if (!t->certificate_check_cb)
 		return GIT_PASSTHROUGH;
@@ -493,7 +497,8 @@ int git_transport_smart_credentials(git_credential **out, git_transport *transpo
 {
 	transport_smart *t = GIT_CONTAINER_OF(transport, transport_smart, parent);
 
-	assert(out && transport);
+	GIT_ASSERT_ARG(out);
+	GIT_ASSERT_ARG(transport);
 
 	if (!t->cred_acquire_cb)
 		return GIT_PASSTHROUGH;

data/vendor/libgit2/src/transports/smart.h

@@ -153,7 +153,7 @@ typedef struct {
 	git_vector refs;
 	git_vector heads;
 	git_vector common;
-	git_atomic cancelled;
+	git_atomic32 cancelled;
 	packetsize_cb packetsize_cb;
 	void *packetsize_payload;
 	unsigned rpc : 1,

data/vendor/libgit2/src/transports/smart_protocol.c

@@ -64,7 +64,9 @@ int git_smart__store_refs(transport_smart *t, int flushes)
 			continue;
 		}
 
-		gitno_consume(buf, line_end);
+		if (gitno_consume(buf, line_end) < 0)
+			return -1;
+
 		if (pkt->type == GIT_PKT_ERR) {
 			git_error_set(GIT_ERROR_NET, "remote error: %s", ((git_pkt_err *)pkt)->error);
 			git__free(pkt);
@@ -236,7 +238,9 @@ static int recv_pkt(git_pkt **out_pkt, git_pkt_type *out_type, gitno_buffer *buf
 		}
 	} while (error);
 
-	gitno_consume(buf, line_end);
+	if (gitno_consume(buf, line_end) < 0)
+		return -1;
+
 	if (out_type != NULL)
 		*out_type = pkt->type;
 	if (out_pkt != NULL)
@@ -531,7 +535,7 @@ int git_smart__download_pack(
 		/* We might have something in the buffer already from negotiate_fetch */
 		if (t->buffer.offset > 0 && !t->cancelled.val)
 			if (t->packetsize_cb(t->buffer.offset, t->packetsize_payload))
-				git_atomic_set(&t->cancelled, 1);
+				git_atomic32_set(&t->cancelled, 1);
 	}
 
 	if ((error = git_repository_odb__weakptr(&odb, repo)) < 0 ||
@@ -791,7 +795,8 @@ static int parse_report(transport_smart *transport, git_push *push)
 			continue;
 		}
 
-		gitno_consume(buf, line_end);
+		if (gitno_consume(buf, line_end) < 0)
+			return -1;
 
 		error = 0;
 
@@ -970,9 +975,10 @@ static int stream_thunk(void *buf, size_t size, void *data)
 
 	if (payload->cb) {
 		double current_time = git__timer();
+		double elapsed = current_time - payload->last_progress_report_time;
 		payload->last_bytes += size;
 
-		if ((current_time - payload->last_progress_report_time) >= MIN_PROGRESS_UPDATE_INTERVAL) {
+		if (elapsed < 0 || elapsed >= MIN_PROGRESS_UPDATE_INTERVAL) {
 			payload->last_progress_report_time = current_time;
 			error = payload->cb(payload->pb->nr_written, payload->pb->nr_objects, payload->last_bytes, payload->cb_payload);
 		}

data/vendor/libgit2/src/transports/ssh.c

@@ -11,7 +11,7 @@
 #include <libssh2.h>
 #endif
 
-#include "global.h"
+#include "runtime.h"
 #include "git2.h"
 #include "buffer.h"
 #include "net.h"
@@ -238,7 +238,7 @@ static int ssh_stream_alloc(
 {
 	ssh_stream *s;
 
-	assert(stream);
+	GIT_ASSERT_ARG(stream);
 
 	s = git__calloc(sizeof(ssh_stream), 1);
 	GIT_ERROR_CHECK_ALLOC(s);
@@ -404,8 +404,8 @@ static int _git_ssh_authenticate_session(
 		case GIT_CREDENTIAL_SSH_MEMORY: {
 			git_credential_ssh_key *c = (git_credential_ssh_key *)cred;
 
-			assert(c->username);
-			assert(c->privatekey);
+			GIT_ASSERT(c->username);
+			GIT_ASSERT(c->privatekey);
 
 			rc = libssh2_userauth_publickey_frommemory(
 				session,
@@ -461,13 +461,13 @@ static int request_creds(git_credential **out, ssh_subtransport *t, const char *
 
 	if (no_callback) {
 		git_error_set(GIT_ERROR_SSH, "authentication required but no callback set");
-		return -1;
+		return GIT_EAUTH;
 	}
 
 	if (!(cred->credtype & auth_methods)) {
 		cred->free(cred);
-		git_error_set(GIT_ERROR_SSH, "callback returned unsupported credentials type");
-		return -1;
+		git_error_set(GIT_ERROR_SSH, "authentication callback returned unsupported credentials type");
+		return GIT_EAUTH;
 	}
 
 	*out = cred;
@@ -483,7 +483,7 @@ static int _git_ssh_session_create(
 	LIBSSH2_SESSION* s;
 	git_socket_stream *socket = GIT_CONTAINER_OF(io, git_socket_stream, parent);
 
-	assert(session);
+	GIT_ASSERT_ARG(session);
 
 	s = libssh2_session_init();
 	if (!s) {
@@ -563,9 +563,46 @@ post_extract:
 	if (t->owner->certificate_check_cb != NULL) {
 		git_cert_hostkey cert = {{ 0 }}, *cert_ptr;
 		const char *key;
+		size_t cert_len;
+		int cert_type;
 
 		cert.parent.cert_type = GIT_CERT_HOSTKEY_LIBSSH2;
 
+		key = libssh2_session_hostkey(session, &cert_len, &cert_type);
+		if (key != NULL) {
+			cert.type |= GIT_CERT_SSH_RAW;
+			cert.hostkey = key;
+			cert.hostkey_len = cert_len;
+			switch (cert_type) {
+				case LIBSSH2_HOSTKEY_TYPE_RSA:
+					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_RSA;
+					break;
+				case LIBSSH2_HOSTKEY_TYPE_DSS:
+					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_DSS;
+					break;
+					
+#ifdef LIBSSH2_HOSTKEY_TYPE_ECDSA_256
+				case LIBSSH2_HOSTKEY_TYPE_ECDSA_256:
+					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ECDSA_256;
+					break;
+				case LIBSSH2_HOSTKEY_TYPE_ECDSA_384:
+					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ECDSA_384;
+					break;
+				case LIBSSH2_KNOWNHOST_KEY_ECDSA_521:
+					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ECDSA_521;
+					break;
+#endif
+					
+#ifdef LIBSSH2_HOSTKEY_TYPE_ED25519
+				case LIBSSH2_HOSTKEY_TYPE_ED25519:
+					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_KEY_ED25519;
+					break;
+#endif
+				default:
+					cert.raw_type = GIT_CERT_SSH_RAW_TYPE_UNKNOWN;
+			}
+		}
+
 #ifdef LIBSSH2_HOSTKEY_HASH_SHA256
 		key = libssh2_hostkey_hash(session, LIBSSH2_HOSTKEY_HASH_SHA256);
 		if (key != NULL) {
@@ -772,7 +809,7 @@ static int _ssh_close(git_smart_subtransport *subtransport)
 {
 	ssh_subtransport *t = GIT_CONTAINER_OF(subtransport, ssh_subtransport, parent);
 
-	assert(!t->current_stream);
+	GIT_ASSERT(!t->current_stream);
 
 	GIT_UNUSED(t);
 
@@ -783,8 +820,6 @@ static void _ssh_free(git_smart_subtransport *subtransport)
 {
 	ssh_subtransport *t = GIT_CONTAINER_OF(subtransport, ssh_subtransport, parent);
 
-	assert(!t->current_stream);
-
 	git__free(t->cmd_uploadpack);
 	git__free(t->cmd_receivepack);
 	git__free(t);
@@ -805,7 +840,7 @@ static int list_auth_methods(int *out, LIBSSH2_SESSION *session, const char *use
 	/* either error, or the remote accepts NONE auth, which is bizarre, let's punt */
 	if (list == NULL && !libssh2_userauth_authenticated(session)) {
 		ssh_error(session, "Failed to retrieve list of SSH authentication methods");
-		return -1;
+		return GIT_EAUTH;
 	}
 
 	ptr = list;
@@ -849,7 +884,7 @@ int git_smart_subtransport_ssh(
 #ifdef GIT_SSH
 	ssh_subtransport *t;
 
-	assert(out);
+	GIT_ASSERT_ARG(out);
 
 	GIT_UNUSED(param);
 
@@ -867,7 +902,7 @@ int git_smart_subtransport_ssh(
 	GIT_UNUSED(owner);
 	GIT_UNUSED(param);
 
-	assert(out);
+	GIT_ASSERT_ARG(out);
 	*out = NULL;
 
 	git_error_set(GIT_ERROR_INVALID, "cannot create SSH transport. Library was built without SSH support");
@@ -911,7 +946,7 @@ int git_transport_ssh_with_paths(git_transport **out, git_remote *owner, void *p
 	GIT_UNUSED(owner);
 	GIT_UNUSED(payload);
 
-	assert(out);
+	GIT_ASSERT_ARG(out);
 	*out = NULL;
 
 	git_error_set(GIT_ERROR_INVALID, "cannot create SSH transport. Library was built without SSH support");
@@ -934,8 +969,7 @@ int git_transport_ssh_global_init(void)
 		return -1;
 	}
 
-	git__on_shutdown(shutdown_ssh);
-	return 0;
+	return git_runtime_shutdown_register(shutdown_ssh);
 
 #else
 

data/vendor/libgit2/src/transports/winhttp.c

@@ -17,7 +17,6 @@
 #include "smart.h"
 #include "remote.h"
 #include "repository.h"
-#include "global.h"
 #include "http.h"
 #include "git2/sys/credential.h"
 
@@ -41,14 +40,22 @@
 #define WINHTTP_IGNORE_REQUEST_TOTAL_LENGTH 0
 #endif
 
-#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_1
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1
 # define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 0x00000200
 #endif
 
-#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS_1_2
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2
 # define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 0x00000800
 #endif
 
+#ifndef WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3
+# define WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3 0x00002000
+#endif
+
+#ifndef WINHTTP_NO_CLIENT_CERT_CONTEXT
+# define WINHTTP_NO_CLIENT_CERT_CONTEXT NULL
+#endif
+
 #ifndef HTTP_STATUS_PERMANENT_REDIRECT
 # define HTTP_STATUS_PERMANENT_REDIRECT 308
 #endif
@@ -108,7 +115,8 @@ typedef struct {
 	DWORD post_body_len;
 	unsigned sent_request : 1,
 		received_response : 1,
-		chunked : 1;
+		chunked : 1,
+		status_sending_request_reached: 1;
 } winhttp_stream;
 
 typedef struct {
@@ -146,7 +154,7 @@ static int apply_userpass_credentials(HINTERNET request, DWORD target, int mecha
 		native_scheme = WINHTTP_AUTH_SCHEME_BASIC;
 	} else {
 		git_error_set(GIT_ERROR_HTTP, "invalid authentication scheme");
-		error = -1;
+		error = GIT_EAUTH;
 		goto done;
 	}
 
@@ -185,7 +193,7 @@ static int apply_default_credentials(HINTERNET request, DWORD target, int mechan
 		native_scheme = WINHTTP_AUTH_SCHEME_NTLM;
 	} else {
 		git_error_set(GIT_ERROR_HTTP, "invalid authentication scheme");
-		return -1;
+		return GIT_EAUTH;
 	}
 
 	/*
@@ -265,7 +273,7 @@ static int acquire_fallback_cred(
 				pISM->lpVtbl->Release(pISM);
 			}
 
-			/* Only unitialize if the call to CoInitializeEx was successful. */
+			/* Only uninitialize if the call to CoInitializeEx was successful. */
 			if (SUCCEEDED(hCoInitResult))
 				CoUninitialize();
 		}
@@ -421,7 +429,7 @@ static int winhttp_stream_connect(winhttp_stream *s)
 	proxy_opts = &t->owner->proxy;
 	if (proxy_opts->type == GIT_PROXY_AUTO) {
 		/* Set proxy if necessary */
-		if (git_remote__get_http_proxy(t->owner->owner, (strcmp(t->server.url.scheme, "https") == 0), &proxy_url) < 0)
+		if (git_remote__http_proxy(&proxy_url, t->owner->owner, &t->server.url) < 0)
 			goto on_error;
 	}
 	else if (proxy_opts->type == GIT_PROXY_SPECIFIED) {
@@ -448,8 +456,14 @@ static int winhttp_stream_connect(winhttp_stream *s)
 		git_buf_puts(&processed_url, t->proxy.url.scheme);
 		git_buf_PUTS(&processed_url, "://");
 
+		if (git_net_url_is_ipv6(&t->proxy.url))
+			git_buf_putc(&processed_url, '[');
+
 		git_buf_puts(&processed_url, t->proxy.url.host);
 
+		if (git_net_url_is_ipv6(&t->proxy.url))
+			git_buf_putc(&processed_url, ']');
+
 		if (!git_net_url_is_default_port(&t->proxy.url))
 			git_buf_printf(&processed_url, ":%s", t->proxy.url.port);
 
@@ -602,7 +616,7 @@ static int parse_unauthorized_response(
 	 */
 	if (!WinHttpQueryAuthSchemes(request, &supported, &first, &target)) {
 		git_error_set(GIT_ERROR_OS, "failed to parse supported auth schemes");
-		return -1;
+		return GIT_EAUTH;
 	}
 
 	if (WINHTTP_AUTH_SCHEME_NTLM & supported) {
@@ -704,46 +718,54 @@ static void CALLBACK winhttp_status(
 	DWORD status;
 
 	GIT_UNUSED(connection);
-	GIT_UNUSED(ctx);
 	GIT_UNUSED(info_len);
 
-	if (code != WINHTTP_CALLBACK_STATUS_SECURE_FAILURE)
-		return;
-
-	status = *((DWORD *)info);
-
-	if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID))
-		git_error_set(GIT_ERROR_HTTP, "SSL certificate issued for different common name");
-	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID))
-		git_error_set(GIT_ERROR_HTTP, "SSL certificate has expired");
-	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA))
-		git_error_set(GIT_ERROR_HTTP, "SSL certificate signed by unknown CA");
-	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT))
-		git_error_set(GIT_ERROR_HTTP, "SSL certificate is invalid");
-	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED))
-		git_error_set(GIT_ERROR_HTTP, "certificate revocation check failed");
-	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED))
-		git_error_set(GIT_ERROR_HTTP, "SSL certificate was revoked");
-	else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR))
-		git_error_set(GIT_ERROR_HTTP, "security libraries could not be loaded");
-	else
-		git_error_set(GIT_ERROR_HTTP, "unknown security error %lu", status);
+	switch (code) {
+		case WINHTTP_CALLBACK_STATUS_SECURE_FAILURE:
+			status = *((DWORD *)info);
+
+			if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID))
+				git_error_set(GIT_ERROR_HTTP, "SSL certificate issued for different common name");
+			else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID))
+				git_error_set(GIT_ERROR_HTTP, "SSL certificate has expired");
+			else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA))
+				git_error_set(GIT_ERROR_HTTP, "SSL certificate signed by unknown CA");
+			else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT))
+				git_error_set(GIT_ERROR_HTTP, "SSL certificate is invalid");
+			else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED))
+				git_error_set(GIT_ERROR_HTTP, "certificate revocation check failed");
+			else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED))
+				git_error_set(GIT_ERROR_HTTP, "SSL certificate was revoked");
+			else if ((status & WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR))
+				git_error_set(GIT_ERROR_HTTP, "security libraries could not be loaded");
+			else
+				git_error_set(GIT_ERROR_HTTP, "unknown security error %lu", status);
+
+			break;
+
+		case WINHTTP_CALLBACK_STATUS_SENDING_REQUEST:
+			((winhttp_stream *) ctx)->status_sending_request_reached = 1;
+
+			break;
+	}
 }
 
 static int winhttp_connect(
 	winhttp_subtransport *t)
 {
-	wchar_t *wide_host;
+	wchar_t *wide_host = NULL;
 	int32_t port;
-	wchar_t *wide_ua;
-	git_buf ua = GIT_BUF_INIT;
+	wchar_t *wide_ua = NULL;
+	git_buf ipv6 = GIT_BUF_INIT, ua = GIT_BUF_INIT;
+	const char *host;
 	int error = -1;
 	int default_timeout = TIMEOUT_INFINITE;
 	int default_connect_timeout = DEFAULT_CONNECT_TIMEOUT;
 	DWORD protocols =
 		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1 |
 		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_1 |
-		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2;
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_2 |
+		WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
 
 	t->session = NULL;
 	t->connection = NULL;
@@ -751,29 +773,33 @@ static int winhttp_connect(
 	/* Prepare port */
 	if (git__strntol32(&port, t->server.url.port,
 			   strlen(t->server.url.port), NULL, 10) < 0)
-		return -1;
+		goto on_error;
+
+	/* IPv6? Add braces around the host. */
+	if (git_net_url_is_ipv6(&t->server.url)) {
+		if (git_buf_printf(&ipv6, "[%s]", t->server.url.host) < 0)
+			goto on_error;
+
+		host = ipv6.ptr;
+	} else {
+		host = t->server.url.host;
+	}
 
 	/* Prepare host */
-	if (git__utf8_to_16_alloc(&wide_host, t->server.url.host) < 0) {
+	if (git__utf8_to_16_alloc(&wide_host, host) < 0) {
 		git_error_set(GIT_ERROR_OS, "unable to convert host to wide characters");
-		return -1;
+		goto on_error;
 	}
 
 
-	if ((error = git_http__user_agent(&ua)) < 0) {
-		git__free(wide_host);
-		return error;
-	}
+	if (git_http__user_agent(&ua) < 0)
+		goto on_error;
 
 	if (git__utf8_to_16_alloc(&wide_ua, git_buf_cstr(&ua)) < 0) {
 		git_error_set(GIT_ERROR_OS, "unable to convert host to wide characters");
-		git__free(wide_host);
-		git_buf_dispose(&ua);
-		return -1;
+		goto on_error;
 	}
 
-	git_buf_dispose(&ua);
-
 	/* Establish session */
 	t->session = WinHttpOpen(
 		wide_ua,
@@ -788,14 +814,20 @@ static int winhttp_connect(
 	}
 
 	/*
-	 * Do a best-effort attempt to enable TLS 1.2 but allow this to
-	 * fail; if TLS 1.2 support is not available for some reason,
+	 * Do a best-effort attempt to enable TLS 1.3 and 1.2 but allow this to
+	 * fail; if TLS 1.2 or 1.3 support is not available for some reason,
 	 * ignore the failure (it will keep the default protocols).
 	 */
-	WinHttpSetOption(t->session,
+	if (WinHttpSetOption(t->session,
 		WINHTTP_OPTION_SECURE_PROTOCOLS,
 		&protocols,
-		sizeof(protocols));
+		sizeof(protocols)) == FALSE) {
+		protocols &= ~WINHTTP_FLAG_SECURE_PROTOCOL_TLS1_3;
+		WinHttpSetOption(t->session,
+			WINHTTP_OPTION_SECURE_PROTOCOLS,
+			&protocols,
+			sizeof(protocols));
+	}
 
 	if (!WinHttpSetTimeouts(t->session, default_timeout, default_connect_timeout, default_timeout, default_timeout)) {
 		git_error_set(GIT_ERROR_OS, "failed to set timeouts for WinHTTP");
@@ -815,7 +847,12 @@ static int winhttp_connect(
 		goto on_error;
 	}
 
-	if (WinHttpSetStatusCallback(t->connection, winhttp_status, WINHTTP_CALLBACK_FLAG_SECURE_FAILURE, 0) == WINHTTP_INVALID_STATUS_CALLBACK) {
+	if (WinHttpSetStatusCallback(
+			t->connection,
+			winhttp_status,
+			WINHTTP_CALLBACK_FLAG_SECURE_FAILURE | WINHTTP_CALLBACK_FLAG_SEND_REQUEST,
+			0
+		) == WINHTTP_INVALID_STATUS_CALLBACK) {
 		git_error_set(GIT_ERROR_OS, "failed to set status callback");
 		goto on_error;
 	}
@@ -826,6 +863,8 @@ on_error:
 	if (error < 0)
 		winhttp_close_connection(t);
 
+	git_buf_dispose(&ua);
+	git_buf_dispose(&ipv6);
 	git__free(wide_host);
 	git__free(wide_ua);
 
@@ -847,12 +886,12 @@ static int do_send_request(winhttp_stream *s, size_t len, bool chunked)
 			success = WinHttpSendRequest(s->request,
 				WINHTTP_NO_ADDITIONAL_HEADERS, 0,
 				WINHTTP_NO_REQUEST_DATA, 0,
-				WINHTTP_IGNORE_REQUEST_TOTAL_LENGTH, 0);
+				WINHTTP_IGNORE_REQUEST_TOTAL_LENGTH, (DWORD_PTR)s);
 		} else {
 			success = WinHttpSendRequest(s->request,
 				WINHTTP_NO_ADDITIONAL_HEADERS, 0,
 				WINHTTP_NO_REQUEST_DATA, 0,
-				(DWORD)len, 0);
+				(DWORD)len, (DWORD_PTR)s);
 		}
 
 		if (success || GetLastError() != (DWORD)SEC_E_BUFFER_TOO_SMALL)
@@ -864,42 +903,71 @@ static int do_send_request(winhttp_stream *s, size_t len, bool chunked)
 
 static int send_request(winhttp_stream *s, size_t len, bool chunked)
 {
-	int request_failed = 0, cert_valid = 1, error = 0;
-	DWORD ignore_flags;
+	int request_failed = 1, error, attempts = 0;
+	DWORD ignore_flags, send_request_error;
 
 	git_error_clear();
-	if ((error = do_send_request(s, len, chunked)) < 0) {
-		if (GetLastError() != ERROR_WINHTTP_SECURE_FAILURE) {
-			git_error_set(GIT_ERROR_OS, "failed to send request");
-			return -1;
-		}
 
-		request_failed = 1;
-		cert_valid = 0;
-	}
+	while (request_failed && attempts++ < 3) {
+		int cert_valid = 1;
+		int client_cert_requested = 0;
+		request_failed = 0;
+		if ((error = do_send_request(s, len, chunked)) < 0) {
+			send_request_error = GetLastError();
+			request_failed = 1;
+			switch (send_request_error) {
+				case ERROR_WINHTTP_SECURE_FAILURE:
+					cert_valid = 0;
+					break;
+				case ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED:
+					client_cert_requested = 1;
+					break;
+				default:
+					git_error_set(GIT_ERROR_OS, "failed to send request");
+					return -1;
+			}
+		}
 
-	git_error_clear();
-	if ((error = certificate_check(s, cert_valid)) < 0) {
-		if (!git_error_last())
-			git_error_set(GIT_ERROR_OS, "user cancelled certificate check");
+		/*
+		 * Only check the certificate if we were able to reach the sending request phase, or
+		 * received a secure failure error. Otherwise, the server certificate won't be available
+		 * since the request wasn't able to complete (e.g. proxy auth required)
+		 */
+		if (!cert_valid ||
+			(!request_failed && s->status_sending_request_reached)) {
+			git_error_clear();
+			if ((error = certificate_check(s, cert_valid)) < 0) {
+				if (!git_error_last())
+					git_error_set(GIT_ERROR_OS, "user cancelled certificate check");
 
-		return error;
-	}
+				return error;
+			}
+		}
 
-	/* if neither the request nor the certificate check returned errors, we're done */
-	if (!request_failed)
-		return 0;
+		/* if neither the request nor the certificate check returned errors, we're done */
+		if (!request_failed)
+			return 0;
 
-	ignore_flags = no_check_cert_flags;
+		if (!cert_valid) {
+			ignore_flags = no_check_cert_flags;
+			if (!WinHttpSetOption(s->request, WINHTTP_OPTION_SECURITY_FLAGS, &ignore_flags, sizeof(ignore_flags))) {
+				git_error_set(GIT_ERROR_OS, "failed to set security options");
+				return -1;
+			}
+		}
 
-	if (!WinHttpSetOption(s->request, WINHTTP_OPTION_SECURITY_FLAGS, &ignore_flags, sizeof(ignore_flags))) {
-		git_error_set(GIT_ERROR_OS, "failed to set security options");
-		return -1;
+		if (client_cert_requested) {
+			/*
+			 * Client certificates are not supported, explicitly tell the server that
+			 * (it's possible a client certificate was requested but is not required)
+			 */
+			if (!WinHttpSetOption(s->request, WINHTTP_OPTION_CLIENT_CERT_CONTEXT, WINHTTP_NO_CLIENT_CERT_CONTEXT, 0)) {
+				git_error_set(GIT_ERROR_OS, "failed to set client cert context");
+				return -1;
+			}
+		}
 	}
 
-	if ((error = do_send_request(s, len, chunked)) < 0)
-		git_error_set(GIT_ERROR_OS, "failed to send request with unchecked certificate");
-
 	return error;
 }
 
@@ -972,7 +1040,7 @@ replay:
 	/* Enforce a reasonable cap on the number of replays */
 	if (replay_count++ >= GIT_HTTP_REPLAY_MAX) {
 		git_error_set(GIT_ERROR_HTTP, "too many redirects or authentication replays");
-		return -1;
+		return GIT_ERROR; /* not GIT_EAUTH because the exact cause is not clear */
 	}
 
 	/* Connect if necessary */
@@ -993,7 +1061,7 @@ replay:
 		}
 
 		if (s->chunked) {
-			assert(s->verb == post_verb);
+			GIT_ASSERT(s->verb == post_verb);
 
 			/* Flush, if necessary */
 			if (s->chunk_buffer_len > 0 &&
@@ -1044,7 +1112,7 @@ replay:
 				}
 
 				len -= bytes_read;
-				assert(bytes_read == bytes_written);
+				GIT_ASSERT(bytes_read == bytes_written);
 			}
 
 			git__free(buffer);
@@ -1156,7 +1224,7 @@ replay:
 			if (error < 0) {
 				return error;
 			} else if (!error) {
-				assert(t->server.cred);
+				GIT_ASSERT(t->server.cred);
 				winhttp_stream_close(s);
 				goto replay;
 			}
@@ -1170,7 +1238,7 @@ replay:
 			if (error < 0) {
 				return error;
 			} else if (!error) {
-				assert(t->proxy.cred);
+				GIT_ASSERT(t->proxy.cred);
 				winhttp_stream_close(s);
 				goto replay;
 			}
@@ -1256,7 +1324,7 @@ static int winhttp_stream_write_single(
 		return -1;
 	}
 
-	assert((DWORD)len == bytes_written);
+	GIT_ASSERT((DWORD)len == bytes_written);
 
 	return 0;
 }
@@ -1355,7 +1423,7 @@ static int winhttp_stream_write_buffered(
 		return -1;
 	}
 
-	assert((DWORD)len == bytes_written);
+	GIT_ASSERT((DWORD)len == bytes_written);
 
 	s->post_body_len += bytes_written;
 
@@ -1562,7 +1630,7 @@ static int winhttp_action(
 			break;
 
 		default:
-			assert(0);
+			GIT_ASSERT(0);
 	}
 
 	if (!ret)