[PATCH] Add support for MS Catalog files

Andreas Schneider asn at samba.org
Mon Jun 25 05:45:14 UTC 2018


On Monday, 25 June 2018 04:05:07 CEST Andrew Bartlett wrote:
> On Fri, 2018-06-22 at 07:35 +0200, Andreas Schneider via samba-technical wrote:
> > On Thursday, 21 June 2018 22:28:30 CEST Andrew Bartlett wrote:
> > > On Thu, 2018-06-21 at 18:05 +0200, Andreas Schneider via samba-technical wrote:
> > > > Hi,
> > > > 
> > > > the attached patch adds support for parsing MS Catalog files. This
> > > > will be needed for MS-PAR support in future.
> > > > 
> > > > For the cryptography it is using GnuTLS and for the asn1 part it uses
> > > > libtasn1. libtasn1 is used by GnuTLS and maintained by Nikos
> > > > Mavrogiannopoulos. As we already use GnuTLS we already consume
> > > > libtasn1 through it.
> > > > 
> > > > libtasn1 is fuzzed via GnuTLS on oss-fuzz.
> > > > 
> > > > It is very well documented, see:
> > > > https://www.gnu.org/software/libtasn1/manual/libtasn1.html
> > > > 
> > > > It would make sense to use it for other asn1 stuff in Samba.
> > > > 
> > > > Review is much appreciated.
> > > 
> > > Just a few things.  Not now, but when this becomes a dependency for
> > > printing, can we please ensure it is a hard dependency?  Having
> > > features drop out based on configure-time tests causes trouble.
> > 
> > Yes, we can. When I developed this code we needed to implement a few
> > features in GnuTLS. So I just checked for the required function to build
> > that code. This is 2 years old now. GnuTLS with the required functions
> > should be rolled out on most distros in the meantime.
> 
> Good.  As long as we don't need a time machine to get back to RHEL6 ;-)
> 
> > > If we can't add a hard dependency on libtasn1 and gnutls, then we
> > > should have a --without-printing-support that removes all the spoolss,
> > > ms-par etc code and so this dependency.  (Additionally useful for the
> > > small-build folks).
> > 
> > We would love to have that, but it is a really long way to achieve that.
> > Printing should be in a separate daemon.
> 
> Sure.  I was more thinking waf build rules to cut out the subsystems at
> the same point 'enable spoolss' does.  (Note contradiction with my
> other line of argument today, but anyway).
> 
> > > Finally, this needs automated tests, particularly as it is handling
> > > ASN.1, the root of too many security holes historically.
> > 
> > It should be relatively safe. Unless someone steals the Microsoft Root
> > Keys to create bogus catalog files :-) We only parse the asn.1 if the
> > signature is valid.
> > 
> > The problem is the driver licenses ... How can we test with real drivers
> > without licensing issues? Same for MS-PAR/spoolss testing.
> 
> Perhaps test fake drivers with a Samba certificate?

I've tried, but I couldn't figure out how to implement a v3 printer driver
(Windows 8 and earlier). Creating a v4 printer driver is pretty easy, there is
a template project in Visual Studio, I have samba_p1000 here ;-)

v3 is what we need as most drivers out there are v3 drivers.


Cheers,


	Andreas

-- 
Andreas Schneider                      asn at samba.org
Samba Team                             www.samba.org
GPG-ID:     8DFF53E18F2ABC8D8F3C92237EE0FC4DCC014E3D




