delta/libgit2.git/src, branch ethomson/https_proxy github.com: libgit2/libgit2.git Merge pull request #5107 from pks-t/pks/sha1dc-update 2019-06-11T11:45:27+00:00 Edward Thomson ethomson@edwardthomson.com 2019-06-11T11:45:27+00:00 fd734f7d30383f80501470edec81c43f9346116b sha1dc: update to fix endianess issues on AIX/HP-UX 
sha1dc: update to fix endianess issues on AIX/HP-UX
 sha1dc: update to fix endianess issues on AIX/HP-UX 2019-06-11T05:49:14+00:00 Patrick Steinhardt ps@pks.im 2019-06-10T11:54:11+00:00 230a451ee6182d773c11ee199d37c7ae911c59b1 Update our copy of sha1dc to the upstream commit 855827c (Detect endianess on HP-UX, 2019-05-09). Changes include fixes to endian detection on AIX and HP-UX systems as well as a define that allows us to force aligned access, which we're not using yet. 
Update our copy of sha1dc to the upstream commit 855827c (Detect
endianess on HP-UX, 2019-05-09). Changes include fixes to endian
detection on AIX and HP-UX systems as well as a define that
allows us to force aligned access, which we're not using yet.
http: free auth context on failure 2019-06-10T18:58:22+00:00 Edward Thomson ethomson@edwardthomson.com 2019-04-07T11:11:59+00:00 7ea8630e04bd0b5f86c6fcc73899433317b8f0fa When we send HTTP credentials but the server rejects them, tear down the authentication context so that we can start fresh. To maintain this state, additionally move all of the authentication handling into `on_auth_required`. 
When we send HTTP credentials but the server rejects them, tear down the
authentication context so that we can start fresh.  To maintain this
state, additionally move all of the authentication handling into
`on_auth_required`.
http: reconnect to proxy on connection close 2019-06-10T18:58:22+00:00 Edward Thomson ethomson@edwardthomson.com 2019-04-07T08:55:23+00:00 005b5bc28794624305d82597e1072726e189827e When we're issuing a CONNECT to a proxy, we expect to keep-alive to the proxy. However, during authentication negotiations, the proxy may close the connection. Reconnect if the server closes the connection. 
When we're issuing a CONNECT to a proxy, we expect to keep-alive to the
proxy.  However, during authentication negotiations, the proxy may close
the connection.  Reconnect if the server closes the connection.
http: allow server to drop a keepalive connection 2019-06-10T18:58:22+00:00 Edward Thomson ethomson@edwardthomson.com 2019-04-07T08:40:23+00:00 d171fbee16d7ca7868c1d2d85f19d6dcaf31f8ee When we have a keep-alive connection to the server, that server may legally drop the connection for any reason once a successful request and response has occurred. It's common for servers to drop the connection after some amount of time or number of requests have occurred. 
When we have a keep-alive connection to the server, that server may
legally drop the connection for any reason once a successful request and
response has occurred.  It's common for servers to drop the connection
after some amount of time or number of requests have occurred.
http: stop on server EOF 2019-06-10T18:58:22+00:00 Edward Thomson ethomson@edwardthomson.com 2019-03-25T03:49:57+00:00 9af1de5bc5b57a68bd659e9f76540c3f569772e8 We stop the read loop when we have read all the data. We should also consider the server's feelings. If the server hangs up on us, we need to stop our read loop. Otherwise, we'll try to read from the server - and fail - ad infinitum. 
We stop the read loop when we have read all the data.  We should also
consider the server's feelings.

If the server hangs up on us, we need to stop our read loop.  Otherwise,
we'll try to read from the server - and fail - ad infinitum.
http: teach auth mechanisms about connection affinity 2019-06-10T18:58:22+00:00 Edward Thomson ethomson@edwardthomson.com 2019-03-23T05:06:46+00:00 539e62935552c59a3f51b225c67dab5d3e02debd Instead of using `is_complete` to decide whether we have connection or request affinity for authentication mechanisms, set a boolean on the mechanism definition itself. 
Instead of using `is_complete` to decide whether we have connection or
request affinity for authentication mechanisms, set a boolean on the
mechanism definition itself.
http: maintain authentication across connections 2019-06-10T18:58:22+00:00 Edward Thomson ethomson@edwardthomson.com 2019-03-23T04:52:03+00:00 3e0b4b43c8b3d9d1da71297b8e8f346117624919 For request-based authentication mechanisms (Basic, Digest) we should keep the authentication context alive across socket connections, since the authentication headers must be transmitted with every request. However, we should continue to remove authentication contexts for mechanisms with connection affinity (NTLM, Negotiate) since we need to reauthenticate for every socket connection. 
For request-based authentication mechanisms (Basic, Digest) we should
keep the authentication context alive across socket connections, since
the authentication headers must be transmitted with every request.

However, we should continue to remove authentication contexts for
mechanisms with connection affinity (NTLM, Negotiate) since we need to
reauthenticate for every socket connection.
http: simplify authentication mechanisms 2019-06-10T18:58:22+00:00 Edward Thomson ethomson@edwardthomson.com 2019-03-22T20:53:30+00:00 ce72ae9527274bf835d9beb27bb28bc134dc0b06 Hold an individual authentication context instead of trying to maintain all the contexts; we can select the preferred context during the initial negotiation. Subsequent authentication steps will re-use the chosen authentication (until such time as it's rejected) instead of trying to manage multiple contexts when all but one will never be used (since we can only authenticate with a single mechanism at a time.) Also, when we're given a 401 or 407 in the middle of challenge/response handling, short-circuit immediately without incrementing the retry count. The multi-step authentication is expected, and not a "retry" and should not be penalized as such. This means that we don't need to keep the contexts around and ensures that we do not unnecessarily fail for too many retries when we have challenge/response auth on a proxy and a server and potentially redirects in play as well. 
Hold an individual authentication context instead of trying to maintain
all the contexts; we can select the preferred context during the initial
negotiation.

Subsequent authentication steps will re-use the chosen authentication
(until such time as it's rejected) instead of trying to manage multiple
contexts when all but one will never be used (since we can only
authenticate with a single mechanism at a time.)

Also, when we're given a 401 or 407 in the middle of challenge/response
handling, short-circuit immediately without incrementing the retry
count.  The multi-step authentication is expected, and not a "retry" and
should not be penalized as such.

This means that we don't need to keep the contexts around and ensures
that we do not unnecessarily fail for too many retries when we have
challenge/response auth on a proxy and a server and potentially
redirects in play as well.
http: don't set the header in the auth token 2019-06-10T18:58:22+00:00 Edward Thomson ethomson@edwardthomson.com 2019-03-23T02:35:59+00:00 6d931ba717700504fd6725c6f64ce385ac40a1bc