feat: add client hello random getter #5620
Merged
kaukabrizvi merged 13 commits intoaws:mainfrom Nov 24, 2025
Merged
Conversation
jouho
reviewed
Nov 19, 2025
jouho
reviewed
Nov 19, 2025
jouho
approved these changes
Nov 20, 2025
maddeleine
approved these changes
Nov 24, 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Release Summary:
Add a new public API,
s2n_client_hello_get_random(), and moveclient_randomstorage from the connection to thes2n_client_hellostruct so applications can retrieve the client random from a parsed ClientHello.Goal
Add a public API function to retrieve the client random value from a parsed client hello message.
Why
Applications may need access to the client random, but currently have no way to retrieve it without manually parsing the raw client hello message. The raw message has the client random zeroed out for security, making it inaccessible. Moving forward, we want to have one souce of truth for CH random, so this change moves random from the connection object to the client_hello object so that it can be accessed.
How
client_randomfield tos2n_client_hellostruct to store the actual client random values2n_client_hello_get_random()public API function that copies the stored value to caller's buffers2n_stuffer_erase_and_read_bytes()during parsing to read the client random into the struct field while zeroing it in the raw message for securityconn->handshake_params.client_randomtoconn->client_hello.client_randomthroughout the codebaseCallouts
The raw message continues to have the client random zeroed for security/privacy reasons. Applications must use the new getter function to access the actual client random value. On Hello Retry Request, the client random is preserved from the first client hello for validation purposes.
This change consolidates client random storage from
handshake_paramstoclient_hello, making it the single source of truth for the client random value and aligning with the logical ownership of this data. This also mitigates the performance/memory impact of adding a new field since we are replacing a connection level field with a client_hello field.Testing
s2n_client_hello_test.cthat:s2n_client_hello_retry_testBy submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.