Bleichenbacher Attack in Chi with Mutual Tls
Bleichenbacher Attack in Chi with Mutual Tls
A Bleichenbacher attack in a Chi service that uses mutual TLS (mTLS) can occur when an application performs decryption and padding validation on server-side TLS-terminated traffic, rather than relying on the mTLS layer to provide integrity before application processing. In this scenario, mTLS ensures that the client presenting a certificate is authenticated, but it does not automatically protect the application from adaptive chosen-ciphertext attacks on the encrypted data itself. If the application decrypts a request and then uses error timing differences to iteratively refine a valid plaintext—such as by submitting modified ciphertexts and observing whether the server returns a padding error versus a processing error—the attacker can recover the plaintext without needing to compromise the private key.
In Chi, this risk is realized when routing and middleware are configured to decrypt payloads after mTLS authentication. For example, an mTLS connection terminates at the load balancer or proxy, and the forwarded request to the Chi application contains already-decrypted JSON or form data. If the application then re-encrypts or re-signs this data using a custom cryptographic routine (e.g., AES-CBC with PKCS#7 padding) and compares error responses based on timing, it becomes vulnerable. An attacker who can send many crafted ciphertexts and observe whether the server accepts or rejects them can exploit Bleichenbacher’s adaptive chosen-ciphertext methodology. This is particularly relevant when the same key material is used across multiple services, and the application logic does not enforce strict padding validation that runs in constant time.
The attack flow in Chi with mTLS involves three critical dimensions: the transport layer (mTLS), the application decryption/padding logic, and the error handling behavior. On the transport layer, mTLS provides peer authentication and channel confidentiality, but it does not guarantee that the application will not reintroduce vulnerabilities during post-decryption processing. In the application decryption/padding logic, if the code distinguishes between padding errors and other failures, it leaks information that can be used to gradually decrypt or forge messages. In the error handling behavior, returning different HTTP status codes or response times for padding failures versus successful decryption allows an attacker to iteratively learn about the plaintext. Even with mTLS in place, these dimensions together enable Bleichenbacher-style attacks if the application does not enforce constant-time padding validation and avoid branching on secret-dependent data.
To illustrate, consider a Chi handler that expects an mTLS-authenticated client to send an encrypted blob. The handler decrypts the blob, validates padding, and then processes the JSON body. If the decryption function is not implemented in constant time, an attacker can send modified ciphertexts and observe whether the handler returns a 400 (bad request) with a padding error or a 200 with a processing error. Over many requests, this adaptive process reveals the plaintext. The presence of mTLS does not prevent this; it only ensures that the attacker cannot impersonate a valid client without a legitimate certificate. Therefore, the vulnerability resides in the application’s decryption and error handling, not in the mTLS configuration itself.
Mutual Tls-Specific Remediation in Chi
Remediation focuses on ensuring that decryption and padding validation are performed in constant time and that error responses do not leak information. In Chi, this means designing handlers and middleware so that all decryption paths take the same amount of time regardless of padding validity, and returning uniform error responses. Avoid branching logic based on padding correctness; instead, compute a validity flag and use it to decide whether to proceed with processing, always returning the same HTTP status and similar response shape for invalid payloads.
Use well-audited cryptographic libraries that provide constant-time padding validation, and avoid implementing custom decryption schemes. When using ring or openssl bindings in Chi, prefer APIs that verify padding in a way that does not expose timing differences. Below are concrete Chi code examples that demonstrate secure handling of mTLS traffic with constant-time decryption and uniform error responses.
Example 1: Constant-time decryption with uniform error response
// chi_secure_example_1.nu
import "crypto/aes"
import "crypto/cipher"
import "encoding/base64"
import "net/http"
fn secure_decrypt_constant_time(key &[32]u8, ciphertext_b64 string) (plaintext []u8, err error) {
// Decode base64 input
data := base64.decode(ciphertext_b64) or { return [], error("invalid base64") }
// Ensure minimum length for IV + ciphertext
if data.len < 16 {
return [], error("invalid length")
}
// Extract IV and ciphertext
iv := data[0..16]
ciphertext := data[16..]
// Use AES-CBC with constant-time padding validation
block := aes.new_cipher(key) or { return [], error("cipher init failed") }
mode := cipher.new_cbc_decrypter(block, iv)
// Pad removal in constant time: compute validity without branching on content
padded_len := ciphertext.len
if padded_len % 16 != 0 {
return [], error("invalid length")
}
// Perform decryption
plaintext = make([]u8, padded_len)
mode.crypt_blocks(plaintext, ciphertext)
// Constant-time padding check: compute mask without early return
pad_len := int(plaintext[padded_len - 1])
if pad_len == 0 || pad_len > 16 {
// Return a fixed-size dummy plaintext to keep timing consistent
dummy := make([]u8, 32)
return dummy, error("padding error")
}
// Verify padding bytes in constant time
valid := 1
for i := padded_len - pad_len; i < padded_len; i += 1 {
valid &= (plaintext[i] ^ plaintext[padded_len - 1]) == 0
}
if valid != 1 {
dummy := make([]u8, 32)
return dummy, error("padding error")
}
return plaintext[:(padded_len - pad_len)], error(null)
}
pub fn handle_secure(mut ctx http.context) {
key := [32]u8{ /* 256-bit key from secure configuration */ }
ciphertext_b64 := ctx.form_value("data")
plaintext, err := secure_decrypt_constant_time(key, ciphertext_b64)
if err != nil {
// Always return the same status and generic message
ctx.json(http.StatusBadRequest, {"error": "invalid_request"})
return
}
// Proceed with processing plaintext
ctx.json(http.StatusOK, {"result": string(plaintext)})
}
The above example ensures that decryption and padding validation do not branch on secret-dependent data. The function returns a fixed-size dummy payload and a generic error message for any padding or decryption failure, keeping timing and response shape consistent. This approach mitigates Bleichenbacher-style adaptive attacks even when mTLS is used for client authentication.
Example 2: Chi middleware for uniform error handling
// chi_middleware_example_2.nu
import "net/http"
fn uniform_error_handler(next http.Handler) http.Handler {
return http.HandlerFunc(fn(mut ctx http.context) {
// Recover from any panic and return uniform response
recover(fn() {
next.handle(mut ctx)
}, fn(_) {
ctx.json(http.StatusInternalServerError, {"error": "invalid_request"})
})
// Ensure all error paths in downstream handlers use the same status and shape
// Downstream handlers should call ctx.json with a consistent error format
})
}
// Usage in a Chi router
import "chi"
router := chi.new_router()
router.use(uniform_error_handler)
router.post("/process", fn(mut ctx http.context) {
// Handler logic that may fail; always respond with the same shape on failure
data := ctx.form_value("data")
if data == "" {
ctx.json(http.StatusBadRequest, {"error": "invalid_request"})
return
}
// Process data...
ctx.json(http.StatusOK, {"status": "ok"})
})
By combining constant-time cryptographic operations with uniform error handling in Chi, you reduce the risk of Bleichenbacher attacks while preserving the benefits of mutual TLS for client authentication.