Bug 47484 - Use Blowfish encryption in ODF 1.0/1.1 mode by default
Summary: Use Blowfish encryption in ODF 1.0/1.1 mode by default
Status: RESOLVED FIXED
Alias: None
Product: LibreOffice
Classification: Unclassified
Component: LibreOffice (show other bugs)
Version:
(earliest affected)
3.5.0 release
Hardware: Other All
: medium enhancement
Assignee: Not Assigned
URL:
Whiteboard: BSA target:3.5.3
Keywords:
Depends on:
Blocks:
 
Reported: 2012-03-18 17:14 UTC by orcmid
Modified: 2012-06-05 14:37 UTC (History)
2 users (show)

See Also:
Crash report or crash signature:


Attachments
Change so that interoperable encryption is used by default (770 bytes, application/octet-stream)
2012-03-19 21:28 UTC, orcmid
Details
PATCH: Correct settings so taht default encryption is interoperable across ODF 1.0/1.1/1.2 implementations (770 bytes, patch)
2012-03-19 21:31 UTC, orcmid
Details

Note You need to log in before you can comment on or make changes to this bug.
Description orcmid 2012-03-18 17:14:02 UTC
The introduction of new encryption methods in the LO 3.5.x lineage by default leads to documents that cannot be opened by downlevel (e.g., LO 3.4.3, LO 3.3.2, OOo 3.3.0, LotusSymphony 3.0.1) consumers.

This same problem occurs with OOo-dev 3.4.0 (Oracle built) and current AOO 3.4 developer previews.

A more-extensive description of tests and a proposed remedy is found on Apache OpenOffice bugzilla: https://issues.apache.org/ooo/show_bug.cgi?id=119090
Comment 1 orcmid 2012-03-19 21:28:24 UTC
Created attachment 58718 [details]
Change so that interoperable encryption is used by default

* Alter the default UseSHA1InODF12 and UseBlowFishInODF12 settings to True so that the automatic behavior is to create encryptions that can be decrypted by any ODF 1.0/1.1/1.2 Consumer.

AES256 encrypted packages can still be accepted correctly.

Users who want to use AES256 and can limit the recipients to AES256-accepting implementations can change the settings to false in the user configuration information.
Comment 2 orcmid 2012-03-19 21:31:42 UTC
Created attachment 58719 [details]
PATCH: Correct settings so taht default encryption is interoperable across ODF 1.0/1.1/1.2 implementations

* Alter the default UseSHA1InODF12 and UseBlowFishInODF12 settings to True so that the automatic behavior is to create encryptions that can be decrypted by any ODF 1.0/1.1/1.2 Consumer.

AES256 encrypted packages can still be accepted correctly.

Users who want to use AES256 and can limit the recipients to AES256-accepting implementations can change the settings to false in the user configuration information..

[Sorry, I forgot to check the patch box on the first upload, and then Bugzilla treats it as a binary file. -- orcmid]
Comment 3 Caolán McNamara 2012-03-23 15:25:28 UTC
bug 40006 is connected
Comment 4 orcmid 2012-03-23 18:02:48 UTC
(In reply to comment #3)
> bug 40006 is connected

I assume that bug is closed because consumption of the AES256 encryptions was backported?

So do you still intend to produce AES256 by default in future LO 3.5.x versions?

That does nothing for interoperability, it just means those documents can't be consumed by anything but AES256 acceptors.  And that is a small world at the moment.  For anyone else, they get to deal with the strange error messages about defects in parts of the ODF document.  

If you change the default, and give folks the choice to opt-in to AES256, rather than having to learn to opt-out, it is a lot kinder to non-expert users, seems to me.
Comment 5 Not Assigned 2012-04-17 08:20:02 UTC
Thorsten Behrens committed a patch related to this issue.
It has been pushed to "libreoffice-3-5":

http://cgit.freedesktop.org/libreoffice/core/commit/?id=8475d4e14ce068b5eae155aa26f40f79ebadc0e2&g=libreoffice-3-5

Fix fdo#47484 - use older ODF encryption by default


It will be available in LibreOffice 3.5.3.
Comment 6 Thorsten Behrens (CIB) 2012-04-17 08:42:42 UTC
Let's fix that for 3.5.x, and swap the default for 3.6 - that should give actively maintained other projects time to adapt.
Comment 7 Thorsten Behrens (CIB) 2012-04-17 08:43:07 UTC
Fixed in the libreoffice-3-5 branch
Comment 8 Thorsten Behrens (CIB) 2012-04-17 09:56:12 UTC
Note to users of 3.5.3 and beyond - if you've touched settings in Tools->Options->Save->General, LibreOffice potentially stored the previous defaults in your user configuration directory. Clearing the user configuration solves that issue (see http://ask.libreoffice.org/question/484/template-aggro for a description).
Comment 9 Thorsten Behrens (CIB) 2012-06-05 14:37:44 UTC
Related: bug 50703