We must always consume the full parser body if we're going to
keep-alive.  So in the authentication failure case, continue advancing
the http message parser until it's complete, then we can retry the
connection.

Not doing so would mean that we have to tear the connection down and
start over.  Advancing through fully (even though we don't use the data)
will ensure that we can retry a connection with keep-alive.

When we get an authentication failure, we must consume the entire body
of the response.  If we only read half of the body (on the assumption
that we can ignore the rest) then we will never complete the parsing of
the message.  This means that we will never set the complete flag, and
our replay must actually tear down the connection and try again.

This is particularly problematic for stateful authentication mechanisms
(SPNEGO, NTLM) that require that we keep the connection alive.

Note that the prior code is only a problem when the 401 that we are
parsing is too large to be read in a single chunked read from the http
parser.

But now we will continue to invoke the http parser until we've got a
complete message in the authentication failed scenario.  Note that we
need not do anything with the message, so when we get an authentication
failed, we'll stop adding data to our buffer, we'll simply loop in the
parser and let it advance its internal state.

Some authentication mechanisms (like HTTP Basic and Digest) have a
one-step mechanism to create credentials, but there are more complex
mechanisms like NTLM and Negotiate that require challenge/response after
negotiation, requiring several round-trips.  Add an `is_complete`
function to know when they have round-tripped enough to be a single
authentication and should now either have succeeded or failed to
authenticate.

We cannot examine the keep-alive status of the http parser in
`http_connect`; it's too late and the critical information about whether
keep-alive is supported has been destroyed.

Per the documentation for `http_should_keep_alive`:

> If http_should_keep_alive() in the on_headers_complete or
> on_message_complete callback returns 0, then this should be
> the last message on the connection.

Query then and set the state.

Increase the permissible replay count; with multiple-step authentication
schemes (NTLM, Negotiate), proxy authentication and redirects, we need
to be mindful of the number of steps it takes to get connected.

7 seems high but can be exhausted quickly with just a single authentication
failure over a redirected multi-state authentication pipeline.

Update our CI tests to start a proxy that requires NTLM authentication;
ensure that our WIndows HTTP client can speak NTLM.

We did not properly support default credentials for proxies, only for
destination servers.  Refactor the credential handling to support sending
either username/password _or_ default credentials to either the proxy or
the destination server.

This actually shares the authentication logic between proxy servers and
destination servers.  Due to copy/pasta drift over time, they had
diverged.  Now they share a common logic which is: first, use
credentials specified in the URL (if there were any), treating empty
username and password (ie, "http://:@foo.com/") as default credentials,
for compatibility with git.  Next, call the credential callbacks.
Finally, fallback to WinHTTP compatibility layers using built-in
authentication like we always have.

Allowing default credentials for proxies requires moving the security
level downgrade into the credential setting routines themselves.
We will update our security level to "high" by default which means that
we will never send default credentials without prompting.  (A lower
setting, like the WinHTTP default of "medium" would allow WinHTTP to
handle credentials for us, despite what a user may have requested with
their structures.)  Now we start with "high" and downgrade to "low" only
after a user has explicitly requested default credentials.

There's no reason a git repository couldn't be at the root of a server,
and URLs should have an implicit path of '/' when one is not specified.

"Connection data" is an imprecise and largely incorrect name; these
structures are actually parsed URLs.  Provide a parser that takes a URL
string and produces a URL structure (if it is valid).

Separate the HTTP redirect handling logic from URL parsing, keeping a
`gitno_connection_data_handle_redirect` whose only job is redirect
handling logic and does not parse URLs itself.

Callback type names should be suffixed with `_cb`

tests: checkout: fix symlink.git being created outside of sandbox

The trace logging callbacks should match the other callback naming
conventions, using the `_cb` suffix instead of a `_callback` suffix.

The credential callbacks should match the other callback naming
conventions, using the `_cb` suffix instead of a `_callback` suffix.

The function `populate_symlink_workdir` creates a new
"symlink.git" repository with a relative path "../symlink.git".
As the current working directory is the sandbox, the new
repository will be created just outside of the sandbox.

Fix this by using `clar_sandbox_path`.

ignore: handle escaped trailing whitespace

Ignore: only treat one leading slash as a root identifier

The gitignore's pattern format specifies that "Trailing spaces
are ignored unless they are quoted with backslash ("\")". We do
not honor this currently and will treat a pattern "foo\ " as if
it was "foo\" only and a pattern "foo\ \ " as "foo\ \".

Fix our code to handle those special cases and add tests to avoid
regressions.

The stripping of trailing spaces currently happens as part of
`git_attr_fnmatch__parse`. As we aren't currently parsing
trailing whitespaces correct in case they're escaped, we'll have
to change that code, though. To make actual behavioural change
easier to review, refactor the code up-front by pulling it out
into its own function that is expected to retain the exact same
functionality as before. Like this, the fix will be trivial to
apply.

online tests: use gitlab for auth failures

GitHub recently changed their behavior from returning 401s for private
or nonexistent repositories on a clone to returning 404s.  For our tests
that require an auth failure (and 401), move to GitLab to request a
missing repository.  This lets us continue to test our auth failure
case, at least until they decide to mimic that decision.

Ignore files: don't ignore whitespace

Unlike ignore files, gitattribute files can have flexible whitespace at
the beginning of the line.  Ensure that by adding new ignore rules that
we have not impeded correct parsing of attribute files.

When `allow_space` is unset, ensure that leading whitespace is not
skipped.

Comments must have a '#' at the beginning of the line.  For
compatibility with git, '#' after a whitespace is a literal part of the
filename.

Ensure that leading whitespace is treated as being part of the filename,
eg ` foo` in an ignore file indicates that a file literally named ` foo`
is ignored.

cache: fix cache eviction using deallocated key

SECURITY.md: split out security-relevant bits from readme

When evicting cache entries, we first retrieve the object that is
to be evicted, delete the object and then finally delete the key
from the cache. In case where the cache eviction caused us to
free the cached object, though, its key will point to invalid
memory now when trying to remove it from the cache map. On my
system, this causes us to not properly remove the key from the
map, as its memory has been overwritten already and thus the key
lookup it will fail and we cannot delete it.

Fix this by only decrementing the refcount of the evictee after
we have removed it from our cache map. Add a test that caused a
segfault previous to that change.

Restore NetBSD support

See: https://www.netbsd.org/changes/changes-7.0.html

GitHub has recently introduced a new set of tools that aims to
ease the process around vulnerability reports and security fixes.
Part of those tools is a new security tab for projects that will
display contents from a new SECURITY.md file.

Move relevant parts from README.md to this new file to make use
of this feature.

repository: fix garbage return value

error was never initialized and a garbage value returned on success.

cmake: disable fallthrough warnings for PCRE

Our PCRE dependency has uncommented fallthroughs in switch statements.
Turn off warnings for those in the PCRE code.

Configuration parsing: validate section headers with quotes