[PATCH] Add support for MS Catalog files
asn at samba.org
Fri Jun 22 05:35:02 UTC 2018
On Thursday, 21 June 2018 22:28:30 CEST Andrew Bartlett wrote:
> On Thu, 2018-06-21 at 18:05 +0200, Andreas Schneider via samba-technical wrote:
> > Hi,
> > the attached patch adds support for parsing MS Catalog files. This will be
> > needed for MS-PAR support in future.
> > For the cryptography it is using GnuTLS and for the asn1 part it uses
> > libtasn1. libtasn1 is used by GnuTLS and maintained by Nikos
> > Mavrogiannopoulos. As we already use GnuTLS we already consume libtasn1
> > through it.
> > libtasn1 is fuzzed via GnuTLS on oss-fuzz.
> > It is very well documented, see:
> > https://www.gnu.org/software/libtasn1/manual/libtasn1.html
> > It would make sense to use it for other asn1 stuff in Samba.
> > Review is much appreciated.
> Just a few things. Not now, but when this becomes a dependency for
> printing, can we please ensure it is a hard dependency? Having
> features drop out based on configure-time tests causes trouble.
Yes, we can. When I developed this code we needed to implement a few features
in GnuTLS. So I just checked for the required function to build that code.
This is 2 years old now. GnuTLS with the required functions should be rolled
out on most distros in the meantime.
> If we can't add a hard dependency on libtasn1 and gnutls, then we
> should have a --without-printing-support that removes all the spoolss,
> ms-par etc code and so this dependency. (Additionally useful for the
> small-build folks).
We would love to have that, but it is a really long way to achieve that.
Printing should be in a separate daemon.
> Finally, this needs automated tests, particularly as it is handling
> ASN.1, the root of too many security holes historically.
It should be relatively safe. Unless someone steals the Microsoft Root Keys to
create bogus catalog files :-) We only parse the asn.1 if the signature is
The problem is the driver licenses ... How can we test with real drivers
without licensing issues? Same for MS-PAR/spoolss testing.
Andreas Schneider asn at samba.org
Samba Team www.samba.org