clarify handling of retried ClientHello messages

* The connection uses the client random in the ClientHello that the server accepted.
* The session hash includes all messages in the session, starting from the initial ClientHello.

draft-ietf-tls-tls13.md

@@ -879,7 +879,9 @@ and used to generate keys for protecting application data.
 
 client random
 
-: A 32-byte value provided by the client.
+: A 32-byte value provided by the client in the ClientHello accepted by the server.
+In the event of a HelloRetryRequest and acceptance of a retried ClientHello, the newly
+provided random value is used and the prior attempt's random value is discarded.
 
 server random
 
@@ -2918,14 +2920,15 @@ When a handshake takes place, we define
        session_hash = Hash(handshake_messages)
 
 where "handshake_messages" refers to all handshake messages sent or
-received, starting at ClientHello up to the present time, with the
+received, starting at the initial ClientHello up to the present time, with the
 exception of the Finished message, including the type and length
 fields of the handshake messages. This is the concatenation of all the
 exchanged Handshake structures.
 
 For concreteness, at the point where the handshake master secret
-is derived, the session hash includes the ClientHello, ClientKeyShare,
-ServerHello, and ServerKeyShare, and HelloRetryRequest (if any)
+is derived, the session hash includes all exchanged ClientHello,
+ClientKeyShare, ServerHello, ServerKeyShare, and HelloRetryRequest
+messages, including any messages sent in response to a retry request
 (though see [https://github.com/tlswg/tls13-spec/issues/104]).
 At the point where the master secret is derived, it includes every
 handshake message, with the exception of the Finished messages.