Merge remote-tracking branch 'origin/main' into push-options

2026-01-25 02:56:17 +00:00 · 2024-02-06 20:38:55 +00:00
parent c45d1c6e88 802f08c696
commit b4263c2303
700 changed files with 25017 additions and 7572 deletions
--- a/ci/build.sh
+++ b/ci/build.sh
@@ -13,16 +13,30 @@ BUILD_PATH=${BUILD_PATH:=$PATH}
 CMAKE=$(which cmake)
 CMAKE_GENERATOR=${CMAKE_GENERATOR:-Unix Makefiles}

+indent() { sed "s/^/    /"; }
+
+cygfullpath() {
+	result=$(echo "${1}" | tr \; \\n | while read -r element; do
+		if [ "${last}" != "" ]; then echo -n ":"; fi
+		echo -n $(cygpath "${element}")
+		last="${element}"
+	done)
+	if [ "${result}" = "" ]; then exit 1; fi
+        echo "${result}"
+}
+
 if [[ "$(uname -s)" == MINGW* ]]; then
-	BUILD_PATH=$(cygpath "$BUILD_PATH")
+	BUILD_PATH=$(cygfullpath "${BUILD_PATH}")
 fi

-indent() { sed "s/^/    /"; }

 echo "Source directory: ${SOURCE_DIR}"
 echo "Build directory:  ${BUILD_DIR}"
 echo ""

+echo "Platform:"
+uname -s | indent
+
 if [ "$(uname -s)" = "Darwin" ]; then
 	echo "macOS version:"
 	sw_vers | indent
@@ -40,13 +54,15 @@ echo "Kernel version:"
 uname -a 2>&1 | indent

 echo "CMake version:"
-env PATH="${BUILD_PATH}" "${CMAKE}" --version 2>&1 | indent
+env PATH="${BUILD_PATH}" "${CMAKE}" --version | head -1 2>&1 | indent

 if test -n "${CC}"; then
 	echo "Compiler version:"
 	"${CC}" --version 2>&1 | indent
 fi
 echo "Environment:"
+echo "PATH=${BUILD_PATH}" | indent
+
 if test -n "${CC}"; then
 	echo "CC=${CC}" | indent
 fi
--- a/ci/docker/bionic
+++ b/ci/docker/bionic
@@ -12,7 +12,6 @@ RUN apt-get update && \
        libcurl4-openssl-dev \
        libkrb5-dev \
        libpcre3-dev \
-        libssh2-1-dev \
        libssl-dev \
        libz-dev \
        ninja-build \
@@ -37,7 +36,16 @@ RUN cd /tmp && \
    cd .. && \
    rm -rf mbedtls-mbedtls-2.16.2

-FROM mbedtls AS adduser
+FROM mbedtls AS libssh2
+RUN cd /tmp && \
+    curl --location --silent --show-error https://www.libssh2.org/download/libssh2-1.11.0.tar.gz | tar -xz && \
+    cd libssh2-1.11.0 && \
+    CFLAGS=-fPIC cmake -G Ninja -DBUILD_SHARED_LIBS=ON . && \
+    ninja install && \
+    cd .. && \
+    rm -rf libssh2-1.11.0
+
+FROM libssh2 AS adduser
 ARG UID=""
 ARG GID=""
 RUN if [ "${UID}" != "" ]; then USER_ARG="--uid ${UID}"; fi && \
--- a/ci/docker/centos7
+++ b/ci/docker/centos7
@@ -18,13 +18,13 @@ RUN yum install -y \

 FROM yum AS libssh2
 RUN cd /tmp && \
-    curl --location --silent --show-error https://www.libssh2.org/download/libssh2-1.8.0.tar.gz | tar -xz && \
-    cd libssh2-1.8.0 && \
+    curl --location --silent --show-error https://www.libssh2.org/download/libssh2-1.11.0.tar.gz | tar -xz && \
+    cd libssh2-1.11.0 && \
    ./configure && \
    make && \
    make install && \
    cd .. && \
-    rm -rf libssh-1.8.0
+    rm -rf libssh-1.11.0

 FROM libssh2 AS valgrind
 RUN cd /tmp && \
--- a/ci/docker/centos8
+++ b/ci/docker/centos8
@@ -24,13 +24,13 @@ RUN yum install -y \

 FROM yum AS libssh2
 RUN cd /tmp && \
-    curl --location --silent --show-error https://www.libssh2.org/download/libssh2-1.8.0.tar.gz | tar -xz && \
-    cd libssh2-1.8.0 && \
+    curl --location --silent --show-error https://www.libssh2.org/download/libssh2-1.11.0.tar.gz | tar -xz && \
+    cd libssh2-1.11.0 && \
    ./configure && \
    make && \
    make install && \
    cd .. && \
-    rm -rf libssh2-1.8.0
+    rm -rf libssh2-1.11.0

 FROM libssh2 AS valgrind
 RUN cd /tmp && \
--- a/ci/docker/focal
+++ b/ci/docker/focal
@@ -53,7 +53,7 @@ RUN cd /tmp && \
    cd libssh2-1.9.0 && \
    mkdir build build-msan && \
    cd build && \
-    CC=clang-10 CFLAGS="-fPIC" cmake -G Ninja -DBUILD_SHARED_LIBS=ON -DCRYPTO_BACKEND=Libgcrypt -DCMAKE_PREFIX_PATH=/usr/local -DCMAKE_INSTALL_PREFIX=/usr/local .. && \
+    CC=clang-10 CFLAGS="-fPIC" cmake -G Ninja -DBUILD_SHARED_LIBS=ON -DCMAKE_PREFIX_PATH=/usr/local -DCMAKE_INSTALL_PREFIX=/usr/local .. && \
    ninja install && \
    cd ../build-msan && \
    CC=clang-10 CFLAGS="-fPIC -fsanitize=memory -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer" LDFLAGS="-fsanitize=memory" cmake -G Ninja -DBUILD_SHARED_LIBS=ON -DCRYPTO_BACKEND=mbedTLS -DCMAKE_PREFIX_PATH=/usr/local/msan -DCMAKE_INSTALL_PREFIX=/usr/local/msan .. && \
--- a/ci/docker/noble
+++ b/ci/docker/noble
@@ -0,0 +1,88 @@
+ARG BASE=ubuntu:noble
+
+FROM ${BASE} AS apt
+RUN apt-get update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        bzip2 \
+        clang \
+        cmake \
+        curl \
+        gcc \
+        git \
+        krb5-user \
+        libclang-rt-17-dev \
+        libcurl4-gnutls-dev \
+        libgcrypt20-dev \
+        libkrb5-dev \
+        libpcre3-dev \
+        libssl-dev \
+        libz-dev \
+        llvm-17 \
+        make \
+        ninja-build \
+        openjdk-8-jre-headless \
+        openssh-server \
+        openssl \
+        pkgconf \
+        python3 \
+        sudo \
+        valgrind \
+        && \
+    rm -rf /var/lib/apt/lists/* && \
+    mkdir /usr/local/msan
+
+FROM apt AS mbedtls
+RUN cd /tmp && \
+    curl --location --silent --show-error https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/mbedtls-2.28.6.tar.gz | \
+        tar -xz && \
+    cd mbedtls-mbedtls-2.28.6 && \
+    scripts/config.pl unset MBEDTLS_AESNI_C && \
+    scripts/config.pl set MBEDTLS_MD4_C 1 && \
+    mkdir build build-msan && \
+    cd build && \
+    CC=clang-17 CFLAGS="-fPIC" cmake -G Ninja -DENABLE_PROGRAMS=OFF -DENABLE_TESTING=OFF -DUSE_SHARED_MBEDTLS_LIBRARY=ON -DUSE_STATIC_MBEDTLS_LIBRARY=OFF -DCMAKE_BUILD_TYPE=Debug -DCMAKE_PREFIX_PATH=/usr/local -DCMAKE_INSTALL_PREFIX=/usr/local .. && \
+    ninja install && \
+    cd ../build-msan && \
+    CC=clang-17 CFLAGS="-fPIC" cmake -G Ninja -DENABLE_PROGRAMS=OFF -DENABLE_TESTING=OFF -DUSE_SHARED_MBEDTLS_LIBRARY=ON -DUSE_STATIC_MBEDTLS_LIBRARY=OFF -DCMAKE_BUILD_TYPE=MemSanDbg -DCMAKE_INSTALL_PREFIX=/usr/local/msan .. && \
+    ninja install && \
+    cd .. && \
+    rm -rf mbedtls-mbedtls-2.28.6
+
+FROM mbedtls AS libssh2
+RUN cd /tmp && \
+    curl --location --silent --show-error https://www.libssh2.org/download/libssh2-1.11.0.tar.gz | tar -xz && \
+    cd libssh2-1.11.0 && \
+    mkdir build build-msan && \
+    cd build && \
+    CC=clang-17 CFLAGS="-fPIC" cmake -G Ninja -DBUILD_SHARED_LIBS=ON -DCMAKE_PREFIX_PATH=/usr/local -DCMAKE_INSTALL_PREFIX=/usr/local .. && \
+    ninja install && \
+    cd ../build-msan && \
+    CC=clang-17 CFLAGS="-fPIC -fsanitize=memory -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2 -fno-omit-frame-pointer" LDFLAGS="-fsanitize=memory" cmake -G Ninja -DBUILD_SHARED_LIBS=ON -DCRYPTO_BACKEND=mbedTLS -DCMAKE_PREFIX_PATH=/usr/local/msan -DCMAKE_INSTALL_PREFIX=/usr/local/msan .. && \
+    ninja install && \
+    cd .. && \
+    rm -rf libssh2-1.11.0
+
+FROM libssh2 AS valgrind
+RUN cd /tmp && \
+    curl --insecure --location --silent --show-error https://sourceware.org/pub/valgrind/valgrind-3.22.0.tar.bz2 | \
+        tar -xj && \
+    cd valgrind-3.22.0 && \
+    CC=clang-17 ./configure && \
+    make MAKEFLAGS="-j -l$(grep -c ^processor /proc/cpuinfo)" && \
+    make install && \
+    cd .. && \
+    rm -rf valgrind-3.22.0
+
+FROM valgrind AS adduser
+ARG UID=""
+ARG GID=""
+RUN if [ "${UID}" != "" ]; then USER_ARG="--uid ${UID}"; fi && \
+    if [ "${GID}" != "" ]; then GROUP_ARG="--gid ${GID}"; fi && \
+    groupadd ${GROUP_ARG} libgit2 && \
+    useradd ${USER_ARG} --gid libgit2 --shell /bin/bash --create-home libgit2
+
+FROM adduser AS ldconfig
+RUN ldconfig
+
+FROM ldconfig AS configure
+RUN mkdir /var/run/sshd
--- a/ci/docker/xenial
+++ b/ci/docker/xenial
@@ -7,11 +7,13 @@ RUN apt-get update && \
        clang \
        cmake \
        curl \
+	gettext \
        gcc \
-        git \
        krb5-user \
        libcurl4-gnutls-dev \
+	libexpat1-dev \
        libgcrypt20-dev \
+	libintl-perl \
        libkrb5-dev \
        libpcre3-dev \
        libssl-dev \
@@ -28,7 +30,17 @@ RUN apt-get update && \
        && \
    rm -rf /var/lib/apt/lists/*

-FROM apt AS mbedtls
+FROM apt AS git
+RUN cd /tmp && \
+    curl --location --silent --show-error https://github.com/git/git/archive/refs/tags/v2.39.1.tar.gz | \
+        tar -xz && \
+    cd git-2.39.1 && \
+    make && \
+    make prefix=/usr install && \
+    cd .. && \
+    rm -rf git-2.39.1
+
+FROM git AS mbedtls
 RUN cd /tmp && \
    curl --location --silent --show-error https://github.com/Mbed-TLS/mbedtls/archive/refs/tags/mbedtls-2.16.2.tar.gz | \
        tar -xz && \
@@ -41,12 +53,12 @@ RUN cd /tmp && \

 FROM mbedtls AS libssh2
 RUN cd /tmp && \
-    curl --location --silent --show-error https://www.libssh2.org/download/libssh2-1.8.2.tar.gz | tar -xz && \
-    cd libssh2-1.8.2 && \
-    CFLAGS=-fPIC cmake -G Ninja -DBUILD_SHARED_LIBS=ON -DCRYPTO_BACKEND=Libgcrypt . && \
+    curl --location --silent --show-error https://www.libssh2.org/download/libssh2-1.11.0.tar.gz | tar -xz && \
+    cd libssh2-1.11.0 && \
+    CFLAGS=-fPIC cmake -G Ninja -DBUILD_SHARED_LIBS=ON . && \
    ninja install && \
    cd .. && \
-    rm -rf libssh2-1.8.2
+    rm -rf libssh2-1.11.0

 FROM libssh2 AS valgrind
 RUN cd /tmp && \
--- a/ci/getcontainer.sh
+++ b/ci/getcontainer.sh
@@ -1,55 +0,0 @@
-#!/bin/bash
-
-set -e
-
-IMAGE_NAME=$1
-DOCKERFILE_PATH=$2
-
-if [ "${IMAGE_NAME}" = "" ]; then
-	echo "usage: $0 image_name [dockerfile]"
-	exit 1
-fi
-
-if [ "${DOCKERFILE_PATH}" = "" ]; then
-	DOCKERFILE_PATH="${IMAGE_NAME}"
-fi
-
-if [ "${DOCKER_REGISTRY}" = "" ]; then
-	echo "DOCKER_REGISTRY environment variable is unset."
-	echo "Not running inside GitHub Actions or misconfigured?"
-	exit 1
-fi
-
-DOCKER_CONTAINER="${GITHUB_REPOSITORY}/${IMAGE_NAME}"
-DOCKER_REGISTRY_CONTAINER="${DOCKER_REGISTRY}/${DOCKER_CONTAINER}"
-
-echo "dockerfile=${DOCKERFILE_PATH}" >> $GITHUB_ENV
-echo "docker-container=${DOCKER_CONTAINER}" >> $GITHUB_ENV
-echo "docker-registry-container=${DOCKER_REGISTRY_CONTAINER}" >> $GITHUB_ENV
-
-# Identify the last git commit that touched the Dockerfiles
-# Use this as a hash to identify the resulting docker containers
-DOCKER_SHA=$(git log -1 --pretty=format:"%h" -- "${DOCKERFILE_PATH}")
-echo "docker-sha=${DOCKER_SHA}" >> $GITHUB_ENV
-
-DOCKER_REGISTRY_CONTAINER_SHA="${DOCKER_REGISTRY_CONTAINER}:${DOCKER_SHA}"
-
-echo "docker-registry-container-sha=${DOCKER_REGISTRY_CONTAINER_SHA}" >> $GITHUB_ENV
-echo "docker-registry-container-latest=${DOCKER_REGISTRY_CONTAINER}:latest" >> $GITHUB_ENV
-
-echo "::: logging in to ${DOCKER_REGISTRY} as ${GITHUB_ACTOR}"
-
-exists="true"
-docker login https://${DOCKER_REGISTRY} -u ${GITHUB_ACTOR} -p ${GITHUB_TOKEN} || exists="false"
-
-echo "::: pulling ${DOCKER_REGISTRY_CONTAINER_SHA}"
-
-if [ "${exists}" != "false" ]; then
-	docker pull ${DOCKER_REGISTRY_CONTAINER_SHA} || exists="false"
-fi
-
-if [ "${exists}" = "true" ]; then
-	echo "docker-container-exists=true" >> $GITHUB_ENV
-else
-	echo "docker-container-exists=false" >> $GITHUB_ENV
-fi
--- a/ci/setup-mingw-build.sh
+++ b/ci/setup-mingw-build.sh
@@ -11,9 +11,9 @@ BUILD_TEMP=$(cygpath $BUILD_TEMP)

 case "$ARCH" in
 	amd64)
-		MINGW_URI="https://github.com/libgit2/ci-dependencies/releases/download/2021-05-04/mingw-x86_64-8.1.0-release-win32-sjlj-rt_v6-rev0.zip";;
+		MINGW_URI="https://github.com/libgit2/ci-dependencies/releases/download/2023-01-23/mingw-x86_64-8.1.0-release-win32-sjlj-rt_v6-rev0.zip";;
 	x86)
-		MINGW_URI="https://github.com/libgit2/ci-dependencies/releases/download/2021-05-04/mingw-i686-8.1.0-release-win32-sjlj-rt_v6-rev0.zip";;
+		MINGW_URI="https://github.com/libgit2/ci-dependencies/releases/download/2023-01-23/mingw-i686-8.1.0-release-win32-sjlj-rt_v6-rev0.zip";;
 esac

 if [ -z "$MINGW_URI" ]; then
--- a/ci/setup-osx-build.sh
+++ b/ci/setup-osx-build.sh
@@ -3,6 +3,6 @@
 set -ex

 brew update
-brew install pkgconfig zlib curl openssl libssh2 ninja
+brew install pkgconfig libssh2 ninja

 ln -s /Applications/Xcode.app/Contents/Developer/usr/lib/libLeaksAtExit.dylib /usr/local/lib
--- a/ci/setup-win32-build.sh
+++ b/ci/setup-win32-build.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+set -ex
+
+echo "##############################################################################"
+echo "## Downloading libssh2"
+echo "##############################################################################"
+
+BUILD_TEMP=${BUILD_TEMP:=$TEMP}
+BUILD_TEMP=$(cygpath $BUILD_TEMP)
+
+case "$ARCH" in
+	amd64)
+		LIBSSH2_URI="https://github.com/libgit2/ci-dependencies/releases/download/2023-02-01/libssh2-20230201-amd64.zip";;
+	x86)
+		LIBSSH2_URI="https://github.com/libgit2/ci-dependencies/releases/download/2023-02-01-v2/libssh2-20230201-x86.zip";;
+esac
+
+if [ -z "$LIBSSH2_URI" ]; then
+	echo "No URL"
+	exit 1
+fi
+
+mkdir -p "$BUILD_TEMP"
+
+curl -s -L "$LIBSSH2_URI" -o "$BUILD_TEMP"/libssh2-"$ARCH".zip
+unzip -q "$BUILD_TEMP"/libssh2-"$ARCH".zip -d "$BUILD_TEMP"
--- a/ci/test.sh
+++ b/ci/test.sh
@@ -3,7 +3,14 @@
 set -ex

 if [ -n "$SKIP_TESTS" ]; then
-	exit 0
+	if [ -z "$SKIP_OFFLINE_TESTS" ]; then SKIP_OFFLINE_TESTS=1; fi
+	if [ -z "$SKIP_ONLINE_TESTS" ]; then SKIP_ONLINE_TESTS=1; fi
+	if [ -z "$SKIP_GITDAEMON_TESTS" ]; then SKIP_GITDAEMON_TESTS=1; fi
+	if [ -z "$SKIP_PROXY_TESTS" ]; then SKIP_PROXY_TESTS=1; fi
+	if [ -z "$SKIP_NTLM_TESTS" ]; then SKIP_NTLM_TESTS=1; fi
+	if [ -z "$SKIP_NEGOTIATE_TESTS" ]; then SKIP_NEGOTIATE_TESTS=1; fi
+	if [ -z "$SKIP_SSH_TESTS" ]; then SKIP_SSH_TESTS=1; fi
+	if [ -z "$SKIP_FUZZERS" ]; then SKIP_FUZZERS=1; fi
 fi

 # Windows doesn't run the NTLM tests properly (yet)
@@ -13,12 +20,29 @@ fi

 SOURCE_DIR=${SOURCE_DIR:-$( cd "$( dirname "${BASH_SOURCE[0]}" )" && dirname $( pwd ) )}
 BUILD_DIR=$(pwd)
+BUILD_PATH=${BUILD_PATH:=$PATH}
+CTEST=$(which ctest)
 TMPDIR=${TMPDIR:-/tmp}
 USER=${USER:-$(whoami)}

+GITTEST_SSH_KEYTYPE=${GITTEST_SSH_KEYTYPE:="ecdsa"}
+
+HOME=`mktemp -d ${TMPDIR}/home.XXXXXXXX`
+export CLAR_HOMEDIR=${HOME}
+
 SUCCESS=1
 CONTINUE_ON_FAILURE=0

+should_run() {
+	eval "skip=\${SKIP_${1}}"
+	[ -z "$skip" \
+	  -o "$skip" == "no" -o "$skip" == "NO" \
+	  -o "$skip" == "n" -o "$skip" == "N" \
+	  -o "$skip" == "false" -o "$skip" == "FALSE" \
+	  -o "$skip" == "f" -o "$skip" == "F" \
+	  -o "$skip" == "0" ]
+}
+
 cleanup() {
 	echo "Cleaning up..."

@@ -32,6 +56,11 @@ cleanup() {
 		kill $GIT_NAMESPACE_PID
 	fi

+	if [ ! -z "$GIT_SHA256_PID" ]; then
+		echo "Stopping git daemon (sha256)..."
+		kill $GIT_SHA256_PID
+	fi
+
 	if [ ! -z "$PROXY_BASIC_PID" ]; then
 		echo "Stopping proxy (Basic)..."
 		kill $PROXY_BASIC_PID
@@ -68,11 +97,17 @@ run_test() {
 			echo ""
 			echo "Re-running flaky ${1} tests..."
 			echo ""
+
+			sleep 2
 		fi

 		RETURN_CODE=0

-		CLAR_SUMMARY="${BUILD_DIR}/results_${1}.xml" ctest -V -R "^${1}$" || RETURN_CODE=$? && true
+		(
+			export PATH="${BUILD_PATH}"
+			export CLAR_SUMMARY="${BUILD_DIR}/results_${1}.xml"
+			"${CTEST}" -V -R "^${1}$"
+		) || RETURN_CODE=$? && true

 		if [ "$RETURN_CODE" -eq 0 ]; then
 			FAILED=0
@@ -93,16 +128,38 @@ run_test() {
 	fi
 }

+indent() { sed "s/^/    /"; }
+
+cygfullpath() {
+	result=$(echo "${1}" | tr \; \\n | while read -r element; do
+		if [ "${last}" != "" ]; then echo -n ":"; fi
+		echo -n $(cygpath "${element}")
+		last="${element}"
+	done)
+	if [ "${result}" = "" ]; then exit 1; fi
+	echo "${result}"
+}
+
+if [[ "$(uname -s)" == MINGW* ]]; then
+        BUILD_PATH=$(cygfullpath "$BUILD_PATH")
+fi
+
+
 # Configure the test environment; run them early so that we're certain
 # that they're started by the time we need them.

+echo "CTest version:"
+env PATH="${BUILD_PATH}" "${CTEST}" --version | head -1 2>&1 | indent
+
+echo ""
+
 echo "##############################################################################"
 echo "## Configuring test environment"
 echo "##############################################################################"

 echo ""

-if [ -z "$SKIP_GITDAEMON_TESTS" ]; then
+if should_run "GITDAEMON_TESTS"; then
 	echo "Starting git daemon (standard)..."
 	GIT_STANDARD_DIR=`mktemp -d ${TMPDIR}/git_standard.XXXXXXXX`
 	git init --bare "${GIT_STANDARD_DIR}/test.git" >/dev/null
@@ -122,9 +179,15 @@ if [ -z "$SKIP_GITDAEMON_TESTS" ]; then
 	cp -R "${SOURCE_DIR}/tests/resources/namespace.git" "${GIT_NAMESPACE_DIR}/namespace.git"
 	GIT_NAMESPACE="name1" git daemon --listen=localhost --port=9419 --export-all --enable=receive-pack --base-path="${GIT_NAMESPACE_DIR}" "${GIT_NAMESPACE_DIR}" &
 	GIT_NAMESPACE_PID=$!
+
+	echo "Starting git daemon (sha256)..."
+	GIT_SHA256_DIR=`mktemp -d ${TMPDIR}/git_sha256.XXXXXXXX`
+	cp -R "${SOURCE_DIR}/tests/resources/testrepo_256.git" "${GIT_SHA256_DIR}/testrepo_256.git"
+	git daemon --listen=localhost --port=9420 --export-all --enable=receive-pack --base-path="${GIT_SHA256_DIR}" "${GIT_SHA256_DIR}" &
+	GIT_SHA256_PID=$!
 fi

-if [ -z "$SKIP_PROXY_TESTS" ]; then
+if should_run "PROXY_TESTS"; then
 	curl --location --silent --show-error https://github.com/ethomson/poxyproxy/releases/download/v0.7.0/poxyproxy-0.7.0.jar >poxyproxy.jar

 	echo "Starting HTTP proxy (Basic)..."
@@ -136,8 +199,8 @@ if [ -z "$SKIP_PROXY_TESTS" ]; then
 	PROXY_NTLM_PID=$!
 fi

-if [ -z "$SKIP_NTLM_TESTS" -o -z "$SKIP_ONLINE_TESTS" ]; then
-	curl --location --silent --show-error https://github.com/ethomson/poxygit/releases/download/v0.5.1/poxygit-0.5.1.jar >poxygit.jar
+if should_run "NTLM_TESTS" || should_run "ONLINE_TESTS"; then
+	curl --location --silent --show-error https://github.com/ethomson/poxygit/releases/download/v0.6.0/poxygit-0.6.0.jar >poxygit.jar

 	echo "Starting HTTP server..."
 	HTTP_DIR=`mktemp -d ${TMPDIR}/http.XXXXXXXX`
@@ -154,9 +217,8 @@ if [ -z "$SKIP_NTLM_TESTS" -o -z "$SKIP_ONLINE_TESTS" ]; then
 	HTTP_PID=$!
 fi

-if [ -z "$SKIP_SSH_TESTS" ]; then
+if should_run "SSH_TESTS"; then
 	echo "Starting SSH server..."
-	HOME=`mktemp -d ${TMPDIR}/home.XXXXXXXX`
 	SSHD_DIR=`mktemp -d ${TMPDIR}/sshd.XXXXXXXX`
 	git init --bare "${SSHD_DIR}/test.git" >/dev/null
 	git config --file "${SSHD_DIR}/test.git/config" receive.advertisePushOptions true
@@ -171,7 +233,7 @@ if [ -z "$SKIP_SSH_TESTS" ]; then
 	Port 2222
 	ListenAddress 0.0.0.0
 	Protocol 2
-	HostKey ${SSHD_DIR}/id_rsa
+	HostKey ${SSHD_DIR}/id_${GITTEST_SSH_KEYTYPE}
 	PidFile ${SSHD_DIR}/pid
 	AuthorizedKeysFile ${HOME}/.ssh/authorized_keys
 	LogLevel DEBUG
@@ -180,19 +242,26 @@ if [ -z "$SKIP_SSH_TESTS" ]; then
 	PubkeyAuthentication yes
 	ChallengeResponseAuthentication no
 	StrictModes no
+	HostCertificate ${SSHD_DIR}/id_${GITTEST_SSH_KEYTYPE}.pub
+	HostKey ${SSHD_DIR}/id_${GITTEST_SSH_KEYTYPE}
 	# Required here as sshd will simply close connection otherwise
 	UsePAM no
 	EOF
-	ssh-keygen -t rsa -f "${SSHD_DIR}/id_rsa" -N "" -q
+	ssh-keygen -t "${GITTEST_SSH_KEYTYPE}" -f "${SSHD_DIR}/id_${GITTEST_SSH_KEYTYPE}" -N "" -q
 	/usr/sbin/sshd -f "${SSHD_DIR}/sshd_config" -E "${SSHD_DIR}/log"

 	# Set up keys
 	mkdir "${HOME}/.ssh"
-	ssh-keygen -t rsa -f "${HOME}/.ssh/id_rsa" -N "" -q
-	cat "${HOME}/.ssh/id_rsa.pub" >>"${HOME}/.ssh/authorized_keys"
+	ssh-keygen -t "${GITTEST_SSH_KEYTYPE}" -f "${HOME}/.ssh/id_${GITTEST_SSH_KEYTYPE}" -N "" -q
+	cat "${HOME}/.ssh/id_${GITTEST_SSH_KEYTYPE}.pub" >>"${HOME}/.ssh/authorized_keys"
 	while read algorithm key comment; do
 		echo "[localhost]:2222 $algorithm $key" >>"${HOME}/.ssh/known_hosts"
-	done <"${SSHD_DIR}/id_rsa.pub"
+	done <"${SSHD_DIR}/id_${GITTEST_SSH_KEYTYPE}.pub"
+
+	# Append the github.com keys for the tests that don't override checks.
+	# We ask for ssh-rsa to test that the selection based off of known_hosts
+	# is working.
+	ssh-keyscan -t ssh-rsa github.com >>"${HOME}/.ssh/known_hosts"

 	# Get the fingerprint for localhost and remove the colons so we can
 	# parse it as a hex number. Older versions have a different output
@@ -206,7 +275,7 @@ fi

 # Run the tests that do not require network connectivity.

-if [ -z "$SKIP_OFFLINE_TESTS" ]; then
+if should_run "OFFLINE_TESTS"; then
 	echo ""
 	echo "##############################################################################"
 	echo "## Running core tests"
@@ -237,7 +306,11 @@ if [ -n "$RUN_INVASIVE_TESTS" ]; then
 	unset GITTEST_INVASIVE_SPEED
 fi

-if [ -z "$SKIP_ONLINE_TESTS" ]; then
+# the various network  tests can fail due to network connectivity problems;
+# allow them to retry up to 5 times
+export GITTEST_FLAKY_RETRY=5
+
+if should_run "ONLINE_TESTS"; then
 	# Run the online tests.  The "online" test suite only includes the
 	# default online tests that do not require additional configuration.
 	# The "proxy" and "ssh" test suites require further setup.
@@ -249,9 +322,13 @@ if [ -z "$SKIP_ONLINE_TESTS" ]; then

 	export GITTEST_REMOTE_REDIRECT_INITIAL="http://localhost:9000/initial-redirect/libgit2/TestGitRepository"
 	export GITTEST_REMOTE_REDIRECT_SUBSEQUENT="http://localhost:9000/subsequent-redirect/libgit2/TestGitRepository"
+	export GITTEST_REMOTE_SPEED_SLOW="http://localhost:9000/speed-9600/test.git"
+	export GITTEST_REMOTE_SPEED_TIMESOUT="http://localhost:9000/speed-0.5/test.git"
 	run_test online
 	unset GITTEST_REMOTE_REDIRECT_INITIAL
 	unset GITTEST_REMOTE_REDIRECT_SUBSEQUENT
+	unset GITTEST_REMOTE_SPEED_SLOW
+	unset GITTEST_REMOTE_SPEED_TIMESOUT

 	# Run the online tests that immutably change global state separately
 	# to avoid polluting the test environment.
@@ -262,7 +339,7 @@ if [ -z "$SKIP_ONLINE_TESTS" ]; then
 	run_test online_customcert
 fi

-if [ -z "$SKIP_GITDAEMON_TESTS" ]; then
+if should_run "GITDAEMON_TESTS"; then
 	echo ""
 	echo "Running gitdaemon (standard) tests"
 	echo ""
@@ -284,9 +361,17 @@ if [ -z "$SKIP_GITDAEMON_TESTS" ]; then
 	run_test gitdaemon_namespace
 	unset GITTEST_REMOTE_URL
 	unset GITTEST_REMOTE_BRANCH
+
+	echo ""
+	echo "Running gitdaemon (sha256) tests"
+	echo ""
+
+	export GITTEST_REMOTE_URL="git://localhost:9420/testrepo_256.git"
+	run_test gitdaemon_sha256
+	unset GITTEST_REMOTE_URL
 fi

-if [ -z "$SKIP_PROXY_TESTS" ]; then
+if should_run "PROXY_TESTS"; then
 	echo ""
 	echo "Running proxy tests (Basic authentication)"
 	echo ""
@@ -312,7 +397,7 @@ if [ -z "$SKIP_PROXY_TESTS" ]; then
 	unset GITTEST_REMOTE_PROXY_PASS
 fi

-if [ -z "$SKIP_NTLM_TESTS" ]; then
+if should_run "NTLM_TESTS"; then
 	echo ""
 	echo "Running NTLM tests (IIS emulation)"
 	echo ""
@@ -346,7 +431,7 @@ if [ -z "$SKIP_NTLM_TESTS" ]; then
 	unset GITTEST_REMOTE_PASS
 fi

-if [ -z "$SKIP_NEGOTIATE_TESTS" -a -n "$GITTEST_NEGOTIATE_PASSWORD" ]; then
+if should_run "NEGOTIATE_TESTS" && -n "$GITTEST_NEGOTIATE_PASSWORD" ; then
 	echo ""
 	echo "Running SPNEGO tests"
 	echo ""
@@ -379,13 +464,15 @@ if [ -z "$SKIP_NEGOTIATE_TESTS" -a -n "$GITTEST_NEGOTIATE_PASSWORD" ]; then
 	kdestroy -A
 fi

-if [ -z "$SKIP_SSH_TESTS" ]; then
+if should_run "SSH_TESTS"; then
 	export GITTEST_REMOTE_USER=$USER
-	export GITTEST_REMOTE_SSH_KEY="${HOME}/.ssh/id_rsa"
-	export GITTEST_REMOTE_SSH_PUBKEY="${HOME}/.ssh/id_rsa.pub"
+	export GITTEST_REMOTE_SSH_KEY="${HOME}/.ssh/id_${GITTEST_SSH_KEYTYPE}"
+	export GITTEST_REMOTE_SSH_PUBKEY="${HOME}/.ssh/id_${GITTEST_SSH_KEYTYPE}.pub"
 	export GITTEST_REMOTE_SSH_PASSPHRASE=""
 	export GITTEST_REMOTE_SSH_FINGERPRINT="${SSH_FINGERPRINT}"

+	export GITTEST_SSH_CMD="ssh -i ${HOME}/.ssh/id_${GITTEST_SSH_KEYTYPE} -o UserKnownHostsFile=${HOME}/.ssh/known_hosts"
+
 	echo ""
 	echo "Running ssh tests"
 	echo ""
@@ -410,6 +497,8 @@ if [ -z "$SKIP_SSH_TESTS" ]; then
 	unset GITTEST_PUSH_OPTION_RESULT
 	unset GITTEST_REMOTE_URL

+	unset GITTEST_SSH_CMD
+
 	unset GITTEST_REMOTE_USER
 	unset GITTEST_REMOTE_SSH_KEY
 	unset GITTEST_REMOTE_SSH_PUBKEY
@@ -417,13 +506,15 @@ if [ -z "$SKIP_SSH_TESTS" ]; then
 	unset GITTEST_REMOTE_SSH_FINGERPRINT
 fi

-if [ -z "$SKIP_FUZZERS" ]; then
+unset GITTEST_FLAKY_RETRY
+
+if should_run "FUZZERS"; then
 	echo ""
 	echo "##############################################################################"
 	echo "## Running fuzzers"
 	echo "##############################################################################"

-	ctest -V -R 'fuzzer'
+	env PATH="${BUILD_PATH}" "${CTEST}" -V -R 'fuzzer'
 fi

 cleanup