Re: MS Office 2010+ "Agile" encrypted OOXML documents are working now!

[Matthias Seidel]

Hi Damjan, All,

That seems to have fixed the crashes on Windows...

Regards,

   Matthias

Am 17.03.24 um 16:56 schrieb Matthias Seidel:

I am already doing a full build,but hopefully I could pull your last commit soon enough.

Regards,

   Matthias

Am 17.03.24 um 15:20 schrieb Damjan Jovanovic:

If you haven't done "dmake clean" yet like me, try to "git pull" my latest

commit, and then in main/instsetoo_native "build --from oox -P2 -- -P2".

This commit fixes at least one more issue:

commit 244f2bcc921bc5dc45e6c1970e27ac2409c44e17 (HEAD -> trunk,
origin/trunk, origin/HEAD)
Author: Damjan Jovanovic <dam...@apache.org>
Date:   Sun Mar 17 15:56:38 2024 +0200

     Don't allow calls to OpenSSLCipher::blockSize() before the cipher
     is initialized.


wrote:

On Sun, Mar 17, 2024 at 1:24 PM Matthias Seidel <matthias.sei...@hamburg.de>

WTH, shortly after I sent this mail I could open the files...

Matthias

Am 17.03.24 um 14:22 schrieb Matthias Seidel:

Hi Damjan,

That was fast! ;-)

I can confirm that it builds now on Windows.

When I try to open password protected MS Office 2020+ files (xlsx,
docx) I now get the password dialog

But when I enter the correct password AOO crashes.

Regards,

    Matthias

P.S.: This was a partial build, I will try a complete build now.

Am 17.03.24 um 12:23 schrieb Damjan Jovanovic:

I've fixed this now and it seems to build on Windows too. The fixes
are in
these commits, and if they work, should be cherry-picked in the given
order:

f65b4e326d91bfe900dc1dd22ece69e3ddd8444a
f3025b08c40161265442c34e2b50bc05aa5388c6
42c0a318a970f6f7f43d26a8397448d5d5b8bd36


was part of the C++98/03 standard), I had to use &vector[0] instead.
Also
that ancient OpenSSL version we use internally, 1.0.x, uses
EVP_MD_CTX_create()/destroy() instead of EVP_MD_CTX_new()/free().
Finally

though superior compilers like Clang are perfectly happy), and I had
to add
casts.


On Sun, Mar 17, 2024 at 11:15 AM Matthias Seidel
<matthias.sei...@hamburg.de>
wrote:

There were several problems on Windows. The Visual Studio 2008 compiler doesn't have the ::std::vector::data() method (even though it should, it some template function was unhappy about parameter type ambiguity (even

Hi Damjan,

You are right, the interesting part is at the beginning:

---

=============
Building module oox
=============

Entering /cygdrive/c/Source/openoffice/main/oox/prj

cd .. && make -s -r -j1   && make -s -r deliverlog
[ build CXX ] oox/source/core/encryption
encryption.cxx

error C3861: 'EVP_MD_CTX_new': identifier not found

error C3861: 'EVP_MD_CTX_free': identifier not found

C2782: 'bool oox::getFlag(Type,Type)' : template parameter 'Type' is
ambiguous
c:/Source/openoffice/main/oox/inc\oox/helper/helper.hxx(141) : see
declaration of 'oox::getFlag'
           could be 'unsigned int'
           or       'sal_uInt32'

C2782: 'bool oox::getFlag(Type,Type)' : template parameter 'Type' is
ambiguous
c:/Source/openoffice/main/oox/inc\oox/helper/helper.hxx(141) : see
declaration of 'oox::getFlag'
           could be 'unsigned int'
           or       'sal_uInt32'

C2782: 'bool oox::getFlag(Type,Type)' : template parameter 'Type' is
ambiguous
c:/Source/openoffice/main/oox/inc\oox/helper/helper.hxx(141) : see
declaration of 'oox::getFlag'
           could be 'unsigned int'
           or       'sal_uInt32'

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]

C2039: 'data' : is not a member of 'std::vector<_Ty>'
           with
           [
               _Ty=sal_uInt8
           ]
make: *** No rule to make target
'/cygdrive/c/Source/openoffice/main/solver/450/
wntmsci12.pro/workdir/CxxObject/oox/source/core/encryption.o',
needed by
'/cygdrive/c/Source/openoffice/main/solver/450/
wntmsci12.pro/workdir/LinkTarget/Library/ioox.lib'.
Stop.
dmake:  Error code 2, while making 'all'

1 module(s):
           oox
need(s) to be rebuilt

Reason(s):

ERROR: error 65280 occurred while making
/cygdrive/c/Source/openoffice/main/oox/prj


by running:

           build --from oox

---

Regards,

      Matthias

Am 17.03.24 um 01:55 schrieb Damjan Jovanovic:

c:/Source/openoffice/main/oox/inc\oox/helper/openssl_wrapper.hxx(44) : c:/Source/openoffice/main/oox/inc\oox/helper/openssl_wrapper.hxx(51) : c:/Source/openoffice/main/oox/source/core/encryption.cxx(100) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(133) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(134) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(210) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(214) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(217) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(299) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(362) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(700) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(701) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(702) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(710) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(711) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(753) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(754) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(756) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(780) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(781) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(783) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(809) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(833) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(833) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(833) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(852) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(854) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(882) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(882) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(882) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(888) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(888) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(888) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(930) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(932) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(932) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(938) : error c:/Source/openoffice/main/oox/source/core/encryption.cxx(946) : error When you have fixed the errors in that module you can resume the build

Please check further up in the log, or run "build" in main/oox again.

That "No rule to make target" happens after other errors break

compilation.

On Sat, Mar 16, 2024 at 8:38 PM Matthias Seidel <

matthias.sei...@hamburg.de>

wrote:

Hi Damjan,

Tried to build trunk on Windows but it stops here:

make: *** No rule to make target
'/cygdrive/c/Source/openoffice/main/solver/450/
wntmsci12.pro/workdir/CxxObject/oox/source/core/encryption.o',
needed by
'/cygdrive/c/Source/openoffice/main/solver/450/
wntmsci12.pro/workdir/LinkTarget/Library/ioox.lib'.
Stop.
dmake:  Error code 2, while making 'all'

1 module(s):
            oox
need(s) to be rebuilt

Reason(s):

ERROR: error 65280 occurred while making
/cygdrive/c/Source/openoffice/main/oox/prj

When you have fixed the errors in that module you can resume the
build
by running:

            build --from oox

Am 16.03.24 um 04:49 schrieb Damjan Jovanovic:

Hi

Bug 118236 with 7 votes, the inability to open password-protected
(encrypted) OOXML files from MS Office 2010+, is now fixed in
trunk :-)

---snip---
commit 506fa58b1970084a0caacb50b3a805e469be4756 (HEAD -> trunk,
origin/trunk, origin/HEAD)
Author: Damjan Jovanovic <dam...@apache.org>
Date:   Sat Mar 2 18:47:05 2024 +0200

        Implement the (MS Office 2010+) OOXML "Agile encryption"

support, so

that we
        can open such password-protected OOXML files.

        Adds all the Agile encryption XML tokens and namespaces, and

parses

the

XML

        from EncryptionInfo stream, gets OpenOffice to recognize the

file is

encrypted

        and ask for a password, and successfully decrypts the file if

password

is
        correct.

        Also a number of other fixes and improvements:
        - Sorted main/oox/source/token/tokens.txt so it's in
alphabetical

order

          (wrong order might have broken certain tokens?).
        - Refactored how OOXML encryption is generally handled.
It's now

in

its

          own file.
        - Added logging to the FilterDetect class. It logs to the

office-wide

default
          logger.

        - Changed FilterDetect to use XMultiComponentFactory and
XComponentContext
          instead of the deprecated XMultiServiceFactory.
        - Error handling was generally improved.
        - Exception safety and some memory safety (::std::vector
instead

        - Added a flush() method to the BinaryXOutputStream class.

of

new[])


        Much of the code involved in the decryption was ported
from the
excellent


        Patch by: me
---snip---


It took much longer than I expected:

          in all the new code. Memory leaks should not be possible.         Apache POI project, so it's been credited in our NOTICE file. The MS-OFFCRYPTO specification was unclear, and plain wrong in some

parts,

eg. "SHA-1" in the spec but "SHA1" in actual OOXML documents;
I've made

our

code support both.

The "Standard" encryption from MS Office 2007 that we already
supported

was

itself a mess, and much work was needed to refactor and clean up
that

code

before the "Agile" encryption could also be added.

Then XML parsing had to be added, since Agile encryption specifies

settings

in XML instead of binary like Standard encryption did. XML
handling in
OpenOffice is pretty outdated, with no support for namespaces,
but at

least

the newer "FastParser" does support namespaces and is in fact
very fast

because it converts strings to unique integers, and packs namespaces

into

bit fields, for faster comparisons. I ended up updating the main/oox

FastParser to support the new Agile encryption namespaces and
elements.

MS-OFFCRYPTO also only describes encryption, not decryption, and
since

we

can only read OOXML, only decryption matters.

Apache POI code was tremendously helpful in figuring out the
decryption
process. Most of the decryption code I added was just ported
directly

from

theirs, and thus I've added Apache POI to our NOTICE file (please
check

simultaneously stepping through our code in gdb and their code in

that I've done it correctly). Also several bugs were figured out by

NetBeans,

and comparing respective values. A big thank you to the Apache POI

developers, whose OOXML support is still better than ours in many
ways!


because our MD5 and SHA1 algorithms are broken (bug 127661), and

I used OpenSSL for all the message digest and encryption stuff, both

because

Agile encryption requires many digests and ciphers that OpenSSL

supports

but we don't.

Anyway, it works now. All encrypted OOXML files should work, eg.
text
documents, spreadsheets, presentations, etc.

Other issues I am aware of:
- We only support password encrypted documents. Certificate
encrypted
documents: not yet. ODF 1.3 also added certificate encryption, so
maybe
that's something we should develop together.
- There are other variations of encryption we still don't
support, eg.

the

"Extensible" encryption, the "RC4 CryptoAPI" encryption, "XOR

obfuscation",

etc. Apache POI would be a good source for those too. It's
unclear to

me

how widely those are used, and whether they are worth implementing.

- It may need to be rearchitected when we add OOXML writing.

discuss those separately.

- A lot of other required cleanups to our code were discovered, will I've squashed all my work into a single commit, so it can be easily cherry-picked to AOO42X and maybe even AOO41X when people are happy

with

it.

Regards
Damjan

smime.p7s
Description: Kryptografische S/MIME-Signatur