Bug 156835 - FILEOPEN XLSX Password protected file with SHA-384 encryption does not open
Summary: FILEOPEN XLSX Password protected file with SHA-384 encryption does not open
Status: VERIFIED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: Calc (show other bugs)
Version:
(earliest affected)
24.2.0.0 alpha0+
Hardware: All All
: medium normal
Assignee: Balázs Varga (allotropia)
URL:
Whiteboard: target:24.2.0 target:7.6.2
Keywords:
Depends on:
Blocks: XLSX-Doc-Protection
  Show dependency treegraph
 
Reported: 2023-08-21 10:12 UTC by Gabor Kelemen (allotropia)
Modified: 2023-09-03 16:35 UTC (History)
2 users (show)

See Also:
Crash report or crash signature:

Attachments
Example file from Excel 2019 (15.00 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet)
2023-08-21 10:12 UTC, Gabor Kelemen (allotropia) 		Details
Error message in Calc when trying to open the example (56.56 KB, image/png)
2023-08-21 10:13 UTC, Gabor Kelemen (allotropia) 		Details
Reference example file from MSO 2019 Standard. Pw: 1234 (14.50 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet)
2023-08-21 10:19 UTC, Gabor Kelemen (allotropia) 		Details
The second example in Calc (133.14 KB, image/png)
2023-08-21 10:21 UTC, Gabor Kelemen (allotropia) 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gabor Kelemen (allotropia) 2023-08-21 10:12:28 UTC 
Created attachment 189063 [details]
Example file from Excel 2019

Attached user made file has file open password set in Excel 2019.
Calc can not open this file, considers it as broken.

1. Open attached file
-> after a bit of thinking, Calc says it can not be opened because it's corrupt.

Version: 24.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: e60ef8651cfb30335471d1622e58c13eebc7d58b
CPU threads: 15; OS: Windows 10.0 Build 19045; UI render: Skia/Raster; VCL: win
Locale: en-US (hu_HU); UI: en-US
Calc: threaded

The interesting part is in the EncryptedInfo file inside, here:

<keyData saltSize="16" blockSize="16" keyBits="128" hashSize="48" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA384" 

<p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="128" hashSize="48" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA384" 

If I make a new similar password protected file in my Excel 2019 pro, then these look like:

<keyData saltSize="16" blockSize="16" keyBits="256" hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512" 

<p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256" hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512"

and LO can open this file just fine. So my guess the relevant difference is the SHA-384 vs SHA-512.

Note: this is not a duplicate of bug 148576 as Calc asks for the password of the example file there, and the above xml look like:

<keyData saltSize="16" blockSize="16" keyBits="128" hashSize="20" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA1" 

<p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256" hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512"
Comment 1 Gabor Kelemen (allotropia) 2023-08-21 10:13:03 UTC 
Created attachment 189064 [details]
Error message in Calc when trying to open the example
Comment 2 Gabor Kelemen (allotropia) 2023-08-21 10:19:39 UTC 
Created attachment 189065 [details]
Reference example file from MSO 2019 Standard. Pw: 1234

This opens just fine.
Comment 3 Gabor Kelemen (allotropia) 2023-08-21 10:21:35 UTC 
Created attachment 189066 [details]
The second example in Calc
Comment 4 m_a_riosv 2023-08-21 16:02:49 UTC 
Reproducible with first sample,

Version: 24.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 8b9643960117612b7e1cae1ed8325c2630232d0f
CPU threads: 16; OS: Windows 10.0 Build 22621; UI render: Skia/Raster; VCL: win
Locale: es-ES (es_ES); UI: en-US Calc: CL threaded

Microsoft® Excel® para Microsoft 365 MSO (versión 2307 compilación 16.0.16626.20170) de 64 bits, ask for the password.
Comment 5 Commit Notification 2023-08-30 12:35:18 UTC 
Balazs Varga committed a patch related to this issue.
It has been pushed to "master":

https://git.libreoffice.org/core/commit/9254fbce6b9e20a75aa2a379bcf2fc9dc41a5b44

tdf#156835 - FILEOPEN XLSX: add SHA-384 encryption support for ooxml import

It will be available in 24.2.0.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 6 Commit Notification 2023-08-31 07:18:52 UTC 
Balazs Varga committed a patch related to this issue.
It has been pushed to "libreoffice-7-6":

https://git.libreoffice.org/core/commit/3159296b3b033f2355a96b024c6834ad51321b75

tdf#156835 - FILEOPEN XLSX: add SHA-384 encryption support for ooxml import

It will be available in 7.6.2.

The patch should be included in the daily builds available at
https://dev-builds.libreoffice.org/daily/ in the next 24-48 hours. More
information about daily builds can be found at:
https://wiki.documentfoundation.org/Testing_Daily_Builds

Affected users are encouraged to test the fix and report feedback.
Comment 7 m_a_riosv 2023-09-03 16:35:21 UTC 
Verified
Version: 24.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 3c7a35dd28fbc337a23473873b3dd47392b883ae
CPU threads: 16; OS: Windows 10.0 Build 22621; UI render: Skia/Raster; VCL: win
Locale: es-ES (es_ES); UI: en-US Calc: CL threaded Jumbo
Version: 7.6.2.0.0+ (X86_64) / LibreOffice Community
Build ID: a453cafde419d186625c191154d8d6178f0149d0
CPU threads: 16; OS: Windows 10.0 Build 22621; UI render: Skia/Raster; VCL: win
Locale: es-ES (es_ES); UI: en-US Calc: CL threaded