Support Finished-based APIs for TLS 1.3

include/openssl/ssl.h

@@ -5361,15 +5361,14 @@ OPENSSL_EXPORT int SSL_want(const SSL *ssl);
 
 // SSL_get_finished writes up to |count| bytes of the Finished message sent by
 // |ssl| to |buf|. It returns the total untruncated length or zero if none has
-// been sent yet. At TLS 1.3 and later, it returns zero.
+// been sent yet.
 //
 // Use |SSL_get_tls_unique| instead.
 OPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count);
 
 // SSL_get_peer_finished writes up to |count| bytes of the Finished message
 // received from |ssl|'s peer to |buf|. It returns the total untruncated length
-// or zero if none has been received yet. At TLS 1.3 and later, it returns
-// zero.
+// or zero if none has been received yet.
 //
 // Use |SSL_get_tls_unique| instead.
 OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf,

ssl/internal.h

@@ -2861,7 +2861,7 @@ enum ssl_ech_status_t {
 #define SSL3_SEND_ALERT_SIZE 2
 #define TLS_SEQ_NUM_SIZE 8
 #define SSL3_CHANNEL_ID_SIZE 64
-#define PREV_FINISHED_MAX_SIZE 12
+#define PREV_FINISHED_MAX_SIZE EVP_MAX_MD_SIZE
 
 struct SSL3_STATE {
   static constexpr bool kAllowUniquePtr = true;

ssl/ssl_lib.cc

@@ -1701,8 +1701,7 @@ static size_t copy_finished(void *out, size_t out_len, const uint8_t *in,
 }
 
 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
-  if (!ssl->s3->initial_handshake_complete ||
-      ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
+  if (!ssl->s3->initial_handshake_complete) {
     return 0;
   }
 
@@ -1716,8 +1715,7 @@ size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
 }
 
 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
-  if (!ssl->s3->initial_handshake_complete ||
-      ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
+  if (!ssl->s3->initial_handshake_complete) {
     return 0;
   }
 

ssl/ssl_test.cc

@@ -7844,7 +7844,7 @@ struct EncodeDecodeKATTestParam {
 };
 
 static const EncodeDecodeKATTestParam kEncodeDecodeKATs[] = {
-    // V1 input round-trips as V2 output
+    // V1 input round-trips as V3 output
     {"308201173082011302010102020303020240003081fa0201010408000000000000000104"
      "0800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb44"
      "4f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274d9"
@@ -7853,17 +7853,21 @@ static const EncodeDecodeKATTestParam kEncodeDecodeKATs[] = {
      "a80400043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f67868232"
      "4fd8098dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b10301"
      "01ffb20302011da206040474657374a7030101ff020108020100a0030101ff",
-     "308201173082011302010102020303020240003081fa0201020408000000000000000104"
-     "0800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb44"
-     "4f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274d9"
-     "42e99e42a604020000020100020103040cb9b409f5129440622f87f84402010c040c1f49"
-     "e2e989c66a263e9c227502010c020100020100020100a05b3059020101020203030402cc"
-     "a80400043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f67868232"
-     "4fd8098dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b10301"
-     "01ffb20302011da206040474657374a7030101ff020108020100a0030101ff"},
+     "308201803082017c02010102020303020240003082016202010304080000000000000001"
+     "040800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb"
+     "444f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274"
+     "d942e99e42a6040200000201000201030440b9b409f5129440622f87f84402010c040c1f"
+     "49e2e989c66a263e9c227502010c020100020100020100a05b3059020101020203030402"
+     "cca80400043085668dcf02010c04401f49e2e989c66a263e9c227502010c020100020100"
+     "020100a05b3059020101020203030402cca80400043085668dcf9f0921094ebd7f91bf2a"
+     "8c60d276e4c27902010c020100020100020100a05b3059020101020203030402cca80400"
+     "043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f678682324fd809"
+     "8dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b1030101ffb2"
+     "0302011da206040474657374a7030101ff020108020100a0030101ff"},
     // In runner.go, the test case "Basic-Server-TLS-Sync-SSL_Transfer" is used
     // to generate below bytes by adding print statement on the output of
     // |SSL_to_bytes| in bssl_shim.cc.
+    // V2 input round-trips as V3 output.
     {"308201173082011302010102020303020240003081fa0201020408000000000000000104"
      "0800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb44"
      "4f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274d9"
@@ -7872,37 +7876,109 @@ static const EncodeDecodeKATTestParam kEncodeDecodeKATs[] = {
      "a80400043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f67868232"
      "4fd8098dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b10301"
      "01ffb20302011da206040474657374a7030101ff020108020100a0030101ff",
-     nullptr},
+     "308201803082017c02010102020303020240003082016202010304080000000000000001"
+     "040800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb"
+     "444f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274"
+     "d942e99e42a6040200000201000201030440b9b409f5129440622f87f84402010c040c1f"
+     "49e2e989c66a263e9c227502010c020100020100020100a05b3059020101020203030402"
+     "cca80400043085668dcf02010c04401f49e2e989c66a263e9c227502010c020100020100"
+     "020100a05b3059020101020203030402cca80400043085668dcf9f0921094ebd7f91bf2a"
+     "8c60d276e4c27902010c020100020100020100a05b3059020101020203030402cca80400"
+     "043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f678682324fd809"
+     "8dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b1030101ffb2"
+     "0302011da206040474657374a7030101ff020108020100a0030101ff"},
+     // In runner.go, the test case
+     // "TLS-TLS13-AES_128_GCM_SHA256-server-SSL_Transfer" is used to generate
+     // below bytes by adding print statement on the output of |SSL_to_bytes| in
+     // bssl_shim.cc.
+     // V2 input round-trips as V3 output.
+     {"308203883082038402010102020304020240003082036a020102040800000000000000000"
+      "408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38a6"
+      "b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3888"
+      "3d33f236a04020000020100020101040c000000000000000000000000020100040c000000"
+      "000000000000000000020100020100020100020100a04e304c02010102020304040213010"
+      "40004200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da1"
+      "04020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374a"
+      "b03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade"
+      "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c0000000000000000000000000"
+      "0000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c16b"
+      "43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a178c"
+      "e69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c02180000000000000000"
+      "0000000000000000b503020120b88201700482016c040000b20002a30056355452010000a"
+      "027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda1002a4"
+      "d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072ab33c30"
+      "e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6bb111867a"
+      "87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e9044e9094"
+      "9975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c6738010100a0"
+      "27abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2ea52d3401d31"
+      "10a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d18796c97e8320"
+      "4daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573bcf0252dc4d39"
+      "0baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af57173f864070fdce2"
+      "41be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204030013013016020"
+      "101020117040e300c0201010201000201000101ffbb233021020101020403001301301602"
+      "0101020117040e300c0201010201000201000101ff020108020100a0030101ff",
+      "308203f0308203ec0201010202030402024000308203d202010304080000000000000000"
+      "0408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38"
+      "a6b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3"
+      "8883d33f236a040200000201000201010440000000000000000000000000020100040c00"
+      "0000000000000000000000020100020100020100020100a04e304c020101020203040402"
+      "1301040004200b66320d0201000440000000000000000000000000020100020100020100"
+      "020100a04e304c0201010202030404021301040004200b66320d38c8fa1b0dfe9e37fcf2"
+      "bf0bafb43077fa020100020100020100020100a04e304c02010102020304040213010400"
+      "04200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da104"
+      "020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374ab"
+      "03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade"
+      "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c000000000000000000000000"
+      "00000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c1"
+      "6b43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a1"
+      "78ce69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c0218000000000000"
+      "00000000000000000000b503020120b88201700482016c040000b20002a3005635545201"
+      "0000a027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda"
+      "1002a4d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072"
+      "ab33c30e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6b"
+      "b111867a87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e"
+      "9044e90949975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c67"
+      "38010100a027abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2e"
+      "a52d3401d3110a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d1"
+      "8796c97e83204daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573"
+      "bcf0252dc4d390baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af571"
+      "73f864070fdce241be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204"
+      "030013013016020101020117040e300c0201010201000201000101ffbb23302102010102"
+      "04030013013016020101020117040e300c0201010201000201000101ff020108020100a0"
+      "030101ff"},
     // In runner.go, the test case
-    // "TLS-TLS13-AES_128_GCM_SHA256-server-SSL_Transfer" is used to generate
-    // below bytes by adding print statement on the output of |SSL_to_bytes| in
-    // bssl_shim.cc.
-    {"308203883082038402010102020304020240003082036a020102040800000000000000000"
-     "408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38a6"
-     "b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3888"
-     "3d33f236a04020000020100020101040c000000000000000000000000020100040c000000"
-     "000000000000000000020100020100020100020100a04e304c02010102020304040213010"
-     "40004200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da1"
-     "04020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374a"
-     "b03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade"
-     "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c0000000000000000000000000"
-     "0000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c16b"
-     "43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a178c"
-     "e69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c02180000000000000000"
-     "0000000000000000b503020120b88201700482016c040000b20002a30056355452010000a"
-     "027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda1002a4"
-     "d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072ab33c30"
-     "e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6bb111867a"
-     "87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e9044e9094"
-     "9975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c6738010100a0"
-     "27abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2ea52d3401d31"
-     "10a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d18796c97e8320"
-     "4daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573bcf0252dc4d39"
-     "0baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af57173f864070fdce2"
-     "41be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204030013013016020"
-     "101020117040e300c0201010201000201000101ffbb233021020101020403001301301602"
-     "0101020117040e300c0201010201000201000101ff020108020100a0030101ff",
-     nullptr}};
+    // "TLS-ECH-Server-Cipher-HKDF-SHA256-AES-256-GCM-SSL_Transfer" is used
+    // to generate below bytes by adding print statement on the output of
+    // |SSL_to_bytes| in bssl_shim.cc.
+    {"308203e3308203df0201010202030402024000308203c502010304080000000000000000"
+     "04080000000000000000042028431b914ffdb44ea92ca53d5734976c6a16f141d44f180b"
+     "0816a5cb2b8e79030420bdaf544fa82d833d58c92213e44e850cc0b8147699b0b410d4aa"
+     "2a277030f3220402000002010002010104409e155007d04cd03cf4d8a95ce244dc978a87"
+     "e1808f0f6c6acb51ad7bf8063ae000000000000000000000000000000000000000000000"
+     "0000000000000000000002012004406680e8c36429d465ea520ae74a2062a5e07c39f34b"
+     "688024ae2edfab2898670700000000000000000000000000000000000000000000000000"
+     "00000000000000020120020100020100020100a04e304c02010102020304040213030400"
+     "0420df74ecd172087ad53083d505145ec4f6cf0ec5ed64b67ba526d55c918a0f8936a104"
+     "020204d2a205020302a300a4020400b20302011db9050203093a80a210040e7365637265"
+     "742e6578616d706c65ab03020100ac03010100ad03010100ae03010100af03020100b032"
+     "0430c40f9f95646fa700d58934e79c36b84ba3502d33df04248d56cded3444927e300000"
+     "0000000000000000000000000000b103020120b23204307a1a99bf276b5e5be57dd68968"
+     "411594e77b1a48cf2c03cc5c143985aa40b32e00000000000000000000000000000000b3"
+     "03020120b4320430cbf50af88bc5a610910139172a468663675882caacaf176aa961b12a"
+     "38a0df2a00000000000000000000000000000000b503020120b703020101b88201700482"
+     "016c040000b20002a300bbccf972010000a041e0b13ecd71dfb3d9e3cb451e37cfde8197"
+     "3a1b73106b6669b53475781f0203a3f32f45cef7742cf0efb86d850081254f20d3b6bd83"
+     "30bc70331464905bcd99383c33e42c7d34bfeb47b387bf43b5c796daa4581f8b0043b7eb"
+     "216911f8eebaf1e8bd5d05277943d5a319cc03d9555e414990099f56ee887145f34e8bff"
+     "27f06d1865aa64d548a22208318566959a097c080fa3e5e0d4b1d933132ef32929950004"
+     "5a5a0000040000b20002a3002ecba343010100a041e0b13ecd71dfb3d9e3cb451e37cfde"
+     "289f90201519fb0dff08aa9e14a9f4ee1434edce481e49d22f061529bb4d230258f3dac8"
+     "86c2c1100bee2ccc7be889a90b417270c30b3b770558ef6f3c444ddefd08e673f788931d"
+     "86542c4a1e7ec44b0957bb315c17851bd8498b1d1131a79e19c66463e0566985ef55deb5"
+     "48fe370058ba83566278d01b3a565075b8ef2a82bea17ae95fa91b7b3ffa611a7d8a6331"
+     "00045a5a0000ba15301302010102040300130330080201010201050400bb153013020101"
+     "02040300130330080201010201050400020108020100a0030101ff", nullptr}
+};
 
 class EncodeDecodeKATTest
     : public testing::TestWithParam<EncodeDecodeKATTestParam> {};

ssl/ssl_transfer_asn1.cc

@@ -115,7 +115,8 @@ static bool SSL3_STATE_get_optional_octet_string(CBS *cbs, void *dst,
 
 enum SSL3_STATE_SERDE_VERSION {
   SSL3_STATE_SERDE_VERSION_ONE = 1,
-  SSL3_STATE_SERDE_VERSION_TWO = 2
+  SSL3_STATE_SERDE_VERSION_TWO = 2,
+  SSL3_STATE_SERDE_VERSION_THREE = 3
 };
 
 static const unsigned kS3EstablishedSessionTag =
@@ -191,7 +192,7 @@ static int SSL3_STATE_to_bytes(SSL3_STATE *in, uint16_t protocol_version,
 
   CBB s3, child, child2;
   if (!CBB_add_asn1(cbb, &s3, CBS_ASN1_SEQUENCE) ||
-      !CBB_add_asn1_uint64(&s3, SSL3_STATE_SERDE_VERSION_TWO) ||
+      !CBB_add_asn1_uint64(&s3, SSL3_STATE_SERDE_VERSION_THREE) ||
       !CBB_add_asn1_octet_string(&s3, in->read_sequence, TLS_SEQ_NUM_SIZE) ||
       !CBB_add_asn1_octet_string(&s3, in->write_sequence, TLS_SEQ_NUM_SIZE) ||
       !CBB_add_asn1_octet_string(&s3, in->server_random, SSL3_RANDOM_SIZE) ||
@@ -469,9 +470,15 @@ static int SSL3_STATE_from_bytes(SSL *ssl, CBS *cbs, const SSL_CTX *ctx) {
   int pending_app_data_present, read_buffer_present;
   if (!CBS_get_asn1(cbs, &s3, CBS_ASN1_SEQUENCE) ||
       !CBS_get_asn1_uint64(&s3, &serde_version) ||
-      serde_version > SSL3_STATE_SERDE_VERSION_TWO ||
-      (is_tls13 && serde_version < SSL3_STATE_SERDE_VERSION_TWO) ||
-      !CBS_get_asn1(&s3, &read_seq, CBS_ASN1_OCTETSTRING) ||
+      serde_version > SSL3_STATE_SERDE_VERSION_THREE ||
+      (is_tls13 && serde_version < SSL3_STATE_SERDE_VERSION_TWO)){
+    OPENSSL_PUT_ERROR(SSL, SSL_R_SERIALIZATION_INVALID_SSL3_STATE);
+    return 0;
+  }
+
+  bool is_pre_v3 = (serde_version < SSL3_STATE_SERDE_VERSION_THREE);
+
+  if (!CBS_get_asn1(&s3, &read_seq, CBS_ASN1_OCTETSTRING) ||
       CBS_len(&read_seq) != TLS_SEQ_NUM_SIZE ||
       !CBS_get_asn1(&s3, &write_seq, CBS_ASN1_OCTETSTRING) ||
       CBS_len(&write_seq) != TLS_SEQ_NUM_SIZE ||
@@ -485,11 +492,13 @@ static int SSL3_STATE_from_bytes(SSL *ssl, CBS *cbs, const SSL_CTX *ctx) {
       !CBS_get_asn1_uint64(&s3, &early_data_reason) ||
       early_data_reason > ssl_early_data_reason_max_value ||
       !CBS_get_asn1(&s3, &previous_client_finished, CBS_ASN1_OCTETSTRING) ||
-      CBS_len(&previous_client_finished) != PREV_FINISHED_MAX_SIZE ||
+      (is_pre_v3 && CBS_len(&previous_client_finished) != 12) ||
+      (!is_pre_v3 && CBS_len(&previous_client_finished) != PREV_FINISHED_MAX_SIZE) ||
       !CBS_get_asn1_uint64(&s3, &previous_client_finished_len) ||
       previous_client_finished_len > PREV_FINISHED_MAX_SIZE ||
       !CBS_get_asn1(&s3, &previous_server_finished, CBS_ASN1_OCTETSTRING) ||
-      CBS_len(&previous_server_finished) != PREV_FINISHED_MAX_SIZE ||
+      (is_pre_v3 && CBS_len(&previous_server_finished) != 12) ||
+      (!is_pre_v3 && CBS_len(&previous_server_finished) != PREV_FINISHED_MAX_SIZE) ||
       !CBS_get_asn1_uint64(&s3, &previous_server_finished_len) ||
       previous_server_finished_len > PREV_FINISHED_MAX_SIZE ||
       !CBS_get_asn1_uint64(&s3, &empty_record_count) ||
@@ -521,7 +530,7 @@ static int SSL3_STATE_from_bytes(SSL *ssl, CBS *cbs, const SSL_CTX *ctx) {
     return 0;
   }
 
-  bool is_v2 = (serde_version == SSL3_STATE_SERDE_VERSION_TWO);
+  bool is_v2 = (serde_version >= SSL3_STATE_SERDE_VERSION_TWO);
 
   // We should have no more data at this point if we are deserializing v1
   // encoding.

ssl/tls13_both.cc

@@ -381,6 +381,22 @@ bool tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,
     return false;
   }
 
+  if (verify_data.size() > sizeof(ssl->s3->previous_client_finished) ||
+      verify_data.size() > sizeof(ssl->s3->previous_server_finished)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return ssl_hs_error;
+  }
+
+  if (ssl->server) {
+    OPENSSL_memcpy(ssl->s3->previous_client_finished, verify_data.data(),
+                   verify_data.size());
+    ssl->s3->previous_client_finished_len = verify_data.size();
+  } else {
+    OPENSSL_memcpy(ssl->s3->previous_server_finished, verify_data.data(),
+                   verify_data.size());
+    ssl->s3->previous_server_finished_len = verify_data.size();
+  }
+
   return true;
 }
 
@@ -605,6 +621,22 @@ bool tls13_add_finished(SSL_HANDSHAKE *hs) {
     return false;
   }
 
+  if (verify_data_len > sizeof(ssl->s3->previous_client_finished) ||
+      verify_data_len > sizeof(ssl->s3->previous_server_finished)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return ssl_hs_error;
+  }
+
+  if (ssl->server) {
+    OPENSSL_memcpy(ssl->s3->previous_server_finished, verify_data,
+                   verify_data_len);
+    ssl->s3->previous_server_finished_len = verify_data_len;
+  } else {
+    OPENSSL_memcpy(ssl->s3->previous_client_finished, verify_data,
+                   verify_data_len);
+    ssl->s3->previous_client_finished_len = verify_data_len;
+  }
+
   ScopedCBB cbb;
   CBB body;
   if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||