Hello, just to make this point clear:
Cntlm doesn't and never have used libntlm library, any parts thereof,
nor any other external library for that matter, linked or
source-included. Entire code was written by me from scratch, in a clean
room environment. I wrote it at the beginning of 2006 for non-Windows
systems in the corporation I worked for and GPL'd it about year later.
As acknowledged and documented, I imported MD4, MD5, HMAC-MD5, Base64
and DES routines. Those come from gnulib, an excellent source of high
quality, well tested GPL code.
Unfortunately, libntlm didn't exist at the time and in fact still
couldn't be used today. I just had a look at it and it apparently
provides only the common basic set of NTLMv1 features (just like other
"NTLM-enabled" Linux projects). Cntlm has to support all NTLM variants,
including some optional (but in reality required) NTLMv2 features and
flags. Apart from full NTLM, NTLMv2 and NTLM2SR protocols, Cntlm
implements NT- and LM(2)-only modes for legacy appliances/networks, the
nowadays often used backwards-compatible LM2 higher security extension
used in mixed NTLM/NTLMv2 domains and of course NTLMv2 signing /
security options. To my knowledge, there is no other GPL C code
including all this functionality except for Samba, I'd presume, but
their code-base is way too intricate and has too many
(intra-)dependencies to be useful in a minimalistic humble daemon like
Cntlm. :)
As far as "security maintenance" goes, there hasn't been a single
security (or memory management) bug in the 4 years of public use -- if I
remember correctly.
--
David Kubicek
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]