[PATCH] Add support for MS Catalog files

Andreas Schneider asn at samba.org
Fri Jun 22 05:35:02 UTC 2018


On Thursday, 21 June 2018 22:28:30 CEST Andrew Bartlett wrote:
> On Thu, 2018-06-21 at 18:05 +0200, Andreas Schneider via samba-technical wrote:
> > Hi,
> > 
> > the attached patch adds support for parsing MS Catalog files. This will be
> > needed for MS-PAR support in future.
> > 
> > For the cryptography it is using GnuTLS and for the asn1 part it uses
> > libtasn1. libtasn1 is used by GnuTLS and maintained by Nikos
> > Mavrogiannopoulos. As we already use GnuTLS we already consume libtasn1
> > through it.
> > 
> > libtasn1 is fuzzed via GnuTLS on oss-fuzz.
> > 
> > It is very well documented, see:
> > https://www.gnu.org/software/libtasn1/manual/libtasn1.html
> > 
> > It would make sense to use it for other asn1 stuff in Samba.
> > 
> > Review is much appreciated.
> 
> Just a few things.  Not now, but when this becomes a dependency for
> printing, can we please ensure it is a hard dependency?  Having
> features drop out based on configure-time tests causes trouble.

Yes, we can. When I developed this code we needed to implement a few features 
in GnuTLS. So I just checked for the required function to build that code. 
This is 2 years old now. GnuTLS with the required functions should be rolled 
out on most distros in the meantime.
 
> If we can't add a hard dependency on libtasn1 and gnutls, then we
> should have a --without-printing-support that removes all the spoolss,
> ms-par etc code and so this dependency.  (Additionally useful for the
> small-build folks).

We would love to have that, but it is a really long way to achieve that. 
Printing should be in a separate daemon.

> Finally, this needs automated tests, particularly as it is handling
> ASN.1, the root of too many security holes historically.

It should be relatively safe. Unless someone steals the Microsoft Root Keys to 
create bogus catalog files :-) We only parse the asn.1 if the signature is 
valid.

The problem is the driver licenses ... How can we test with real drivers 
without licensing issues? Same for MS-PAR/spoolss testing.


Thanks,


	Andreas


-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D




