From 8a87bafe02c87bc3ea73f1c33da77d6765ce9a83 Mon Sep 17 00:00:00 2001
From: Felix Martin
Date: Mon, 24 Oct 2022 08:45:43 -0400
Subject: [PATCH] Implement challenge 41 unpadded message recovery oracle
---
 src/set6.rs | 31 +++++++++++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/src/set6.rs b/src/set6.rs
index a4cdb30..44cbeeb 100644
--- a/src/set6.rs
+++ b/src/set6.rs
@@ -1,4 +1,31 @@
+use crate::rsa;
+use openssl::bn::BigNum;
+use openssl::bn::BigNumContext;
+
 pub fn challenge41() -> Option<()> {
- // println!("[xxxx] Challenge 41: TBD");
- None
+ let (public_key, private_key) = rsa::rsa_gen_keys().ok()?;
+
+ let i = BigNum::from_u32(1337).ok()?;
+ let c = rsa::rsa_encrypt(&i, &public_key).ok()?;
+ let m = rsa::rsa_decrypt(&c, &private_key).ok()?;
+ assert_eq!(i, m, "rsa is broken");
+
+ let mut ctx = BigNumContext::new().ok()?;
+ // Let S be a random number > 1 mod N. Doesn't matter what.
+ let mut s = BigNum::new().ok()?;
+ public_key.n.rand_range(&mut s).ok()?;
+ // C' = ((S**E mod N) C) mod N
+ let mut c2 = BigNum::new().ok()?;
+ c2.mod_exp(&s, &public_key.e, &public_key.n, &mut ctx).ok()?;
+ let c2 = &(&c2 * &c) % &public_key.n;
+ let p2 = rsa::rsa_decrypt(&c2, &private_key).ok()?;
+
+ // P'
+ // P = --- mod N
+ // S
+ let p2 = &(&p2 * &rsa::invmod(&s, &public_key.n).ok()?) % &public_key.n;
+ assert_eq!(i, p2, "message recovery oracle failed");
+
+ println!("[okay] Challenge 41: implement unpadded message recovery oracle");
+ Some(())
 }
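Review bot: The blinding factor drawn by `public_key.n.rand_range(&mut s)` is not held to the `> 1` that the comment above it states; rand_range can yield 0 or 1, and the code also assumes s is invertible mod N. With s = 0 the later `rsa::invmod(&s, &public_key.n).ok()?` presumably fails and challenge41 returns None with no message, and with s = 1 the modified ciphertext equals the original, so the run shows nothing about a service that refuses ciphertexts it has already seen. For a full-size modulus this is vanishingly unlikely, but the invariant is cheap to enforce: `let one = BigNum::from_u32(1).ok()?;` followed by `while s <= one { public_key.n.rand_range(&mut s).ok()?; }` (s starts at zero, so the loop draws at least once). Separately, the "oracle" here is a direct `rsa::rsa_decrypt` call with the private key, so the duplicate-ciphertext rejection that the blinding is meant to get around is never exercised. A short comment saying so, and noting that randomized padding such as OAEP is what removes this malleability, would keep the demo from being read as a complete model.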