new random on retry

tlswg · Aug 21, 2015 · d4430c8 · d4430c8
1 parent 32361a8
commit d4430c8
Showing 1 changed file with 13 additions and 7 deletions.
diff --git a/draft-ietf-tls-tls13.md b/draft-ietf-tls-tls13.md
@@ -872,7 +872,9 @@ master secret
 
 client random
 
-: A 32-byte value provided by the client.
+: A 32-byte value provided by the client. In the event of a
+  HelloRetryRequest, the client random from the accepted ClientHello
+  is used and the prior attempt's value is discarded.
 
 server random
 
@@ -1847,7 +1849,9 @@ client_version
   {{backward-compatibility}} for details about backward compatibility.)
 
 random
-: A client-generated random structure.
+: A client-generated random structure. This value MUST be separately
+  generated for every ClientHello message, including retries in response
+  to a HelloRetryRequest.
 
 session_id
 : Versions of TLS prior to TLS 1.3 supported a session resumption
@@ -1984,14 +1988,16 @@ Upon receipt of a HelloRetryRequest, the client MUST first verify
 that the "selected_group" field does not identify a group which
 was not in the original ClientHello. If it was present, then
 the client MUST abort the handshake with a fatal "handshake_failure"
-alert. Clients SHOULD also abort with "handshake_failure" in response to any second
-HelloRetryRequest which was sent in the same connection (i.e.,
-where the ClientHello was itself in response to a HelloRetryRequest).
+alert. Clients SHOULD also abort with "handshake_failure" in response
+to any second HelloRetryRequest which was sent in the same connection
+(i.e., where the ClientHello was itself in response to a HelloRetryRequest).
 
 Otherwise, the client MUST send a ClientHello with a new
 ClientKeyShare extension to the server. The ClientKeyShare MUST append
 a new ClientKeyShareOffer which is consistent with the
 "selected_group" field to the groups in the original ClientKeyShare.
+The ClientHello.random value MUST be newly generated and servers
+MAY reject retried ClientHello messages that reuse random values.
 
 Upon re-sending the ClientHello and receiving the
 server's ServerHello/ServerKeyShare, the client MUST verify that
@@ -2907,8 +2913,8 @@ Structure of this message:
             }
        } CertificateVerify;
 
-> Where session_hash is as described in {{the-handshake-hash}} and
-includes the messages sent or received, starting at ClientHello and up
+> Where handshake_hash is as described in {{the-handshake-hash}} and includes
+all messages sent or received, starting at the initial ClientHello and up
 to, but not including, this message, including the type and length
 fields of the handshake messages. This is a digest of the
 concatenation of all the Handshake structures (as defined in