Problems combining openssl as console and library


Question


I would like to hide textual information (GLSL shaders in my case) used as strings in a C/C++ program, as they are directly readable within the binary. Therefore, I thought about encrypting the files during compile/build time and decrypt the data during runtime to continue with the reconstructed shaders.


However, I have some trouble getting openssl on the console to work together with the library (evp) in the C program. I have to admit that I am by no means an expert in cryptography but have to go in for this topic now...

Here is what I tried:

// on the console:
openssl enc -aes-256-cbc -salt -in shader.frag -out shader.frag.enc

// ...

// in the program:
#include <fstream>
#include <cstdio>
#include <openssl/evp.h>
using namespace std;

//// read enc file ////
int lengthIN;
char * buffer_encIN;

ifstream is2;
is2.open( "/Path/To/My/Shader/shader.frag.enc", ios::binary );

// get length of file:
is2.seekg( 0, ios::end );
lengthIN = is2.tellg();
is2.seekg( 0, ios::beg );

// allocate memory:
buffer_encIN = new char[ lengthIN ];

// read data as a block:
is2.read( buffer_encIN, lengthIN );
is2.close();


//// decryption ////

char mykey[EVP_MAX_KEY_LENGTH] = "changeit"; // also tried: unsigned char mykey[] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
char iv[EVP_MAX_IV_LENGTH] = "01020304"; // also tried: unsigned char iv[] = {1,2,3,4,5,6,7,8};
int tmp_len = 0, in_len, out_len=0;
EVP_CIPHER_CTX ctx; // opaque since OpenSSL 1.1.0: use EVP_CIPHER_CTX_new()/EVP_CIPHER_CTX_free() there

in_len = lengthIN; // the file is binary, so strlen() would stop at the first zero byte
char * buffer_dec = new char[ in_len + EVP_MAX_BLOCK_LENGTH + 1 ]; // room for a final block plus a terminating NUL

// decrypt
EVP_DecryptInit( &ctx, EVP_aes_256_cbc(), (unsigned char *)mykey, (unsigned char *)iv );
EVP_DecryptUpdate( &ctx, (unsigned char *)buffer_dec, &out_len, (unsigned char *)buffer_encIN, in_len );
tmp_len += out_len;
EVP_DecryptFinal( &ctx, (unsigned char *)&buffer_dec[ tmp_len ], &out_len );
tmp_len += out_len;
buffer_dec[ tmp_len ] = '\0'; // terminate before printing as a string

printf( "Output:\n%s\n", buffer_dec );


I am stuck here with two problems. First, most of the things work out nicely only if I use the -nosalt option, which is not applicable for deployment. At least I get EVP_DecryptInit and *Update to return 1, but *Final results in 0: several bytes at the end are messed up then. Second, using the full version (i.e. with salt) I cannot get things up and running at all :(


In a nutshell: is this the right approach and I just have to do my homework (help esp. on salt/IV appreciated ;)), or is this just spending hours and getting no more security than applying some ROT13 scheme to hide the string?


Any help and comments much appreciated!
Matthias
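The missing step in the question above, as an added example that is not part of the original post and not OpenSSL's own code: `openssl enc` never uses the password directly as the AES key. It derives key and IV from the password and an 8-byte salt with EVP_BytesToKey (one iteration; MD5 by default before OpenSSL 1.1.0, SHA-256 from 1.1.0 on; `-pbkdf2` is available from 1.1.1), and with `-salt` it writes a 16-byte header, the ASCII tag `Salted__` followed by the salt, in front of the ciphertext. Feeding that header to EVP_DecryptUpdate and passing "changeit" as the raw key is exactly what makes `*Final` return 0: with a wrong key/IV the padding check on the last block cannot succeed. Even with `-nosalt` the password still goes through the same derivation (with an empty salt). The Python below re-implements the derivation and the header parsing using only `hashlib`; the resulting key, iv and ciphertext are what EVP_DecryptInit/Update should receive. The sample input is constructed (its "ciphertext" bytes are not real AES output; only the framing matters), and the function names and `SAMPLE_ENC` are my own.

```python
import hashlib
from typing import Tuple

# Files written by `openssl enc -salt` start with this 16-byte header:
# the ASCII tag "Salted__" followed by an 8-byte random salt.
SALT_MAGIC = b"Salted__"
SALT_LEN = 8


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 32,
                     iv_len: int = 16, md_name: str = "md5",
                     count: int = 1) -> Tuple[bytes, bytes]:
    """Re-implementation of OpenSSL's EVP_BytesToKey derivation.

    D_1 = H(password || salt)
    D_i = H(D_{i-1} || password || salt)
    each D_i re-hashed (count - 1) more times; key || iv = D_1 || D_2 || ...
    truncated to key_len + iv_len.  `openssl enc` uses count = 1.
    """
    if len(salt) not in (0, SALT_LEN):
        raise ValueError("salt must be empty or exactly 8 bytes")
    derived = b""
    block = b""
    while len(derived) < key_len + iv_len:
        block = hashlib.new(md_name, block + password + salt).digest()
        for _ in range(count - 1):
            block = hashlib.new(md_name, block).digest()
        derived += block
    return derived[:key_len], derived[key_len:key_len + iv_len]


def split_salted_file(data: bytes) -> Tuple[bytes, bytes]:
    """Separate the Salted__ header from the AES-CBC ciphertext."""
    if not data.startswith(SALT_MAGIC) or len(data) < len(SALT_MAGIC) + SALT_LEN:
        raise ValueError("input does not carry an OpenSSL 'Salted__' header")
    salt = data[len(SALT_MAGIC):len(SALT_MAGIC) + SALT_LEN]
    ciphertext = data[len(SALT_MAGIC) + SALT_LEN:]
    # CBC output with PKCS#7 padding is always a whole number of 16-byte blocks.
    if len(ciphertext) == 0 or len(ciphertext) % 16 != 0:
        raise ValueError("ciphertext length is not a whole number of AES blocks")
    return salt, ciphertext


def decryption_parameters(data: bytes, password: bytes, md_name: str = "md5") -> dict:
    """Everything EVP_DecryptInit/EVP_DecryptUpdate need: key, iv, ciphertext."""
    salt, ciphertext = split_salted_file(data)
    key, iv = evp_bytes_to_key(password, salt, md_name=md_name)
    return {"salt": salt, "key": key, "iv": iv, "ciphertext": ciphertext}


# Constructed sample (hypothetical, not produced by openssl): header, 8-byte
# salt, then two opaque 16-byte "ciphertext" blocks.  Only the framing matters.
SAMPLE_ENC = SALT_MAGIC + b"\x00\x11\x22\x33\x44\x55\x66\x77" + bytes(range(32))

if __name__ == "__main__":
    params = decryption_parameters(SAMPLE_ENC, b"changeit")
    print("salt      :", params["salt"].hex())
    print("key       :", params["key"].hex())
    print("iv        :", params["iv"].hex())
    print("ciphertext:", len(params["ciphertext"]), "bytes")
```

On a current OpenSSL the console side must be told which derivation to use, e.g. `-md md5` to reproduce the legacy format this code expects, or `-pbkdf2` (and the matching PKCS5_PBKDF2_HMAC call in the program) for a sound KDF on both sides.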

Answer


Coming from the side of reverse engineering, I'd suggest to not bother. Your keys will have to be stored inside your app as well, and it's only marginally harder to find where you're storing keys and how you're encrypting your shaders than it is to just get at the shaders directly. In my experience, shaders don't have that much proprietary code in them as it is, so I'd suggest you just embed it in clear text.


Doing ROT13 would obviously be easier and thwart the simplest of attacks of people just searching your binaries for 'vec3' or the like.


The question you need to ask yourself is: who are you trying to prevent from looking at your shader source? The casual observer? In that case, a ROT13 might be sufficient. A skilled reverse engineer? Then your in-process encryption won't pose much of a protection.


If you are trying to protect your data in earnest and are writing a network-enabled application, consider sending your shaders over the wire and clearing your memory once they're sent to the GPU.

