Support Finished-based APIs for TLS 1.3 (#1952)

Another Ruby 3.1 test depending on certain SSL APIs to retain information when using TLS1.3. This time it's the `SSL_get(_peer)_finished` APIs that are involved. OpenSSL treats the fields identically in 1.2 and 1.3 and uses the same API to update both state machines. We already have our own individual `ssl_get/send_finished` for TLS 1.2 and `tls13_add/process_finished` for TLS 1.3. I've added the field updates within the corresponding TLS 1.3 functions so that these return the correct value within a 1.3 setting. ### Call-outs: The field buffer for `previous_server_finished` and `previous_client_finished` has to grow past 12 since it's also used for 1.3 now. This breaks the original SSL Transfer assumption and we'll have to bump the version while adding corresponding logic to account for the updated size. I've regenerated the SSL Transfer bytes for the round trip tests and also added a test for that as well. We're not bumping the version number here since it's a pretty minuscule change. This doesn't break compatibility with us parsing older versions of AWS-LC SSL Transfers, but older versions of AWS-LC won't be able to parse the new version. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
aws · Nov 8, 2024 · fa1c6c0 · fa1c6c0
1 parent df6b7cd
commit fa1c6c0
Show file tree

Hide file tree

Showing 6 changed files with 181 additions and 49 deletions.
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
@@ -5372,15 +5372,14 @@ OPENSSL_EXPORT int SSL_want(const SSL *ssl);
 
 // SSL_get_finished writes up to |count| bytes of the Finished message sent by
 // |ssl| to |buf|. It returns the total untruncated length or zero if none has
-// been sent yet. At TLS 1.3 and later, it returns zero.
+// been sent yet.
 //
 // Use |SSL_get_tls_unique| instead.
 OPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count);
 
 // SSL_get_peer_finished writes up to |count| bytes of the Finished message
 // received from |ssl|'s peer to |buf|. It returns the total untruncated length
-// or zero if none has been received yet. At TLS 1.3 and later, it returns
-// zero.
+// or zero if none has been received yet.
 //
 // Use |SSL_get_tls_unique| instead.
 OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf,

diff --git a/ssl/internal.h b/ssl/internal.h
@@ -2864,7 +2864,7 @@ enum ssl_ech_status_t {
 #define SSL3_SEND_ALERT_SIZE 2
 #define TLS_SEQ_NUM_SIZE 8
 #define SSL3_CHANNEL_ID_SIZE 64
-#define PREV_FINISHED_MAX_SIZE 12
+#define PREV_FINISHED_MAX_SIZE EVP_MAX_MD_SIZE
 
 struct SSL3_STATE {
   static constexpr bool kAllowUniquePtr = true;

diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
@@ -1701,8 +1701,7 @@ static size_t copy_finished(void *out, size_t out_len, const uint8_t *in,
 }
 
 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
-  if (!ssl->s3->initial_handshake_complete ||
-      ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
+  if (!ssl->s3->initial_handshake_complete) {
     return 0;
   }
 
@@ -1716,8 +1715,7 @@ size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
 }
 
 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
-  if (!ssl->s3->initial_handshake_complete ||
-      ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
+  if (!ssl->s3->initial_handshake_complete) {
     return 0;
   }
 

diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
@@ -7864,17 +7864,23 @@ static const EncodeDecodeKATTestParam kEncodeDecodeKATs[] = {
      "a80400043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f67868232"
      "4fd8098dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b10301"
      "01ffb20302011da206040474657374a7030101ff020108020100a0030101ff",
-     "308201173082011302010102020303020240003081fa0201020408000000000000000104"
-     "0800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb44"
-     "4f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274d9"
-     "42e99e42a604020000020100020103040cb9b409f5129440622f87f84402010c040c1f49"
-     "e2e989c66a263e9c227502010c020100020100020100a05b3059020101020203030402cc"
-     "a80400043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f67868232"
-     "4fd8098dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b10301"
-     "01ffb20302011da206040474657374a7030101ff020108020100a0030101ff"},
+     "308201803082017c02010102020303020240003082016202010204080000000000000001"
+     "040800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb"
+     "444f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274"
+     "d942e99e42a6040200000201000201030440b9b409f5129440622f87f84402010c040c1f"
+     "49e2e989c66a263e9c227502010c020100020100020100a05b3059020101020203030402"
+     "cca80400043085668dcf02010c04401f49e2e989c66a263e9c227502010c020100020100"
+     "020100a05b3059020101020203030402cca80400043085668dcf9f0921094ebd7f91bf2a"
+     "8c60d276e4c27902010c020100020100020100a05b3059020101020203030402cca80400"
+     "043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f678682324fd809"
+     "8dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b1030101ffb2"
+     "0302011da206040474657374a7030101ff020108020100a0030101ff"},
     // In runner.go, the test case "Basic-Server-TLS-Sync-SSL_Transfer" is used
     // to generate below bytes by adding print statement on the output of
     // |SSL_to_bytes| in bssl_shim.cc.
+    // We've bumped the buffer size in the |previous_client/server_finished|
+    // fields. This verifies that the original size is parsable and reencoded
+    // with the new size.
     {"308201173082011302010102020303020240003081fa0201020408000000000000000104"
      "0800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb44"
      "4f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274d9"
@@ -7883,37 +7889,111 @@ static const EncodeDecodeKATTestParam kEncodeDecodeKATs[] = {
      "a80400043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f67868232"
      "4fd8098dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b10301"
      "01ffb20302011da206040474657374a7030101ff020108020100a0030101ff",
-     nullptr},
-    // In runner.go, the test case
-    // "TLS-TLS13-AES_128_GCM_SHA256-server-SSL_Transfer" is used to generate
-    // below bytes by adding print statement on the output of |SSL_to_bytes| in
-    // bssl_shim.cc.
+     "308201803082017c02010102020303020240003082016202010204080000000000000001"
+     "040800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb"
+     "444f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274"
+     "d942e99e42a6040200000201000201030440b9b409f5129440622f87f84402010c040c1f"
+     "49e2e989c66a263e9c227502010c020100020100020100a05b3059020101020203030402"
+     "cca80400043085668dcf02010c04401f49e2e989c66a263e9c227502010c020100020100"
+     "020100a05b3059020101020203030402cca80400043085668dcf9f0921094ebd7f91bf2a"
+     "8c60d276e4c27902010c020100020100020100a05b3059020101020203030402cca80400"
+     "043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f678682324fd809"
+     "8dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b1030101ffb2"
+     "0302011da206040474657374a7030101ff020108020100a0030101ff"},
+     // In runner.go, the test case
+     // "TLS-TLS13-AES_128_GCM_SHA256-server-SSL_Transfer" is used to generate
+     // below bytes by adding print statement on the output of |SSL_to_bytes| in
+     // bssl_shim.cc.
+     // We've bumped the buffer size in the |previous_client/server_finished|
+     // fields. This verifies that the original size is parsable and reencoded
+     // with the new size.
     {"308203883082038402010102020304020240003082036a020102040800000000000000000"
-     "408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38a6"
-     "b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3888"
-     "3d33f236a04020000020100020101040c000000000000000000000000020100040c000000"
-     "000000000000000000020100020100020100020100a04e304c02010102020304040213010"
-     "40004200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da1"
-     "04020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374a"
-     "b03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade"
-     "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c0000000000000000000000000"
-     "0000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c16b"
-     "43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a178c"
-     "e69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c02180000000000000000"
-     "0000000000000000b503020120b88201700482016c040000b20002a30056355452010000a"
-     "027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda1002a4"
-     "d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072ab33c30"
-     "e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6bb111867a"
-     "87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e9044e9094"
-     "9975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c6738010100a0"
-     "27abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2ea52d3401d31"
-     "10a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d18796c97e8320"
-     "4daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573bcf0252dc4d39"
-     "0baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af57173f864070fdce2"
-     "41be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204030013013016020"
-     "101020117040e300c0201010201000201000101ffbb233021020101020403001301301602"
-     "0101020117040e300c0201010201000201000101ff020108020100a0030101ff",
-     nullptr}};
+      "408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38a6"
+      "b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3888"
+      "3d33f236a04020000020100020101040c000000000000000000000000020100040c000000"
+      "000000000000000000020100020100020100020100a04e304c02010102020304040213010"
+      "40004200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da1"
+      "04020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374a"
+      "b03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade"
+      "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c0000000000000000000000000"
+      "0000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c16b"
+      "43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a178c"
+      "e69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c02180000000000000000"
+      "0000000000000000b503020120b88201700482016c040000b20002a30056355452010000a"
+      "027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda1002a4"
+      "d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072ab33c30"
+      "e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6bb111867a"
+      "87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e9044e9094"
+      "9975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c6738010100a0"
+      "27abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2ea52d3401d31"
+      "10a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d18796c97e8320"
+      "4daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573bcf0252dc4d39"
+      "0baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af57173f864070fdce2"
+      "41be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204030013013016020"
+      "101020117040e300c0201010201000201000101ffbb233021020101020403001301301602"
+      "0101020117040e300c0201010201000201000101ff020108020100a0030101ff",
+      "308203f0308203ec0201010202030402024000308203d202010204080000000000000000"
+      "0408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38"
+      "a6b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3"
+      "8883d33f236a040200000201000201010440000000000000000000000000020100040c00"
+      "0000000000000000000000020100020100020100020100a04e304c020101020203040402"
+      "1301040004200b66320d0201000440000000000000000000000000020100020100020100"
+      "020100a04e304c0201010202030404021301040004200b66320d38c8fa1b0dfe9e37fcf2"
+      "bf0bafb43077fa020100020100020100020100a04e304c02010102020304040213010400"
+      "04200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da104"
+      "020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374ab"
+      "03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade"
+      "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c000000000000000000000000"
+      "00000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c1"
+      "6b43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a1"
+      "78ce69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c0218000000000000"
+      "00000000000000000000b503020120b88201700482016c040000b20002a3005635545201"
+      "0000a027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda"
+      "1002a4d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072"
+      "ab33c30e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6b"
+      "b111867a87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e"
+      "9044e90949975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c67"
+      "38010100a027abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2e"
+      "a52d3401d3110a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d1"
+      "8796c97e83204daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573"
+      "bcf0252dc4d390baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af571"
+      "73f864070fdce241be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204"
+      "030013013016020101020117040e300c0201010201000201000101ffbb23302102010102"
+      "04030013013016020101020117040e300c0201010201000201000101ff020108020100a0"
+      "030101ff"},
+    // In runner.go, the test case
+    // "TLS-ECH-Server-Cipher-HKDF-SHA256-AES-256-GCM-SSL_Transfer" is used
+    // to generate below bytes by adding print statement on the output of
+    // |SSL_to_bytes| in bssl_shim.cc.
+    {"308203e3308203df0201010202030402024000308203c502010204080000000000000000"
+     "04080000000000000000042028431b914ffdb44ea92ca53d5734976c6a16f141d44f180b"
+     "0816a5cb2b8e79030420bdaf544fa82d833d58c92213e44e850cc0b8147699b0b410d4aa"
+     "2a277030f3220402000002010002010104409e155007d04cd03cf4d8a95ce244dc978a87"
+     "e1808f0f6c6acb51ad7bf8063ae000000000000000000000000000000000000000000000"
+     "0000000000000000000002012004406680e8c36429d465ea520ae74a2062a5e07c39f34b"
+     "688024ae2edfab2898670700000000000000000000000000000000000000000000000000"
+     "00000000000000020120020100020100020100a04e304c02010102020304040213030400"
+     "0420df74ecd172087ad53083d505145ec4f6cf0ec5ed64b67ba526d55c918a0f8936a104"
+     "020204d2a205020302a300a4020400b20302011db9050203093a80a210040e7365637265"
+     "742e6578616d706c65ab03020100ac03010100ad03010100ae03010100af03020100b032"
+     "0430c40f9f95646fa700d58934e79c36b84ba3502d33df04248d56cded3444927e300000"
+     "0000000000000000000000000000b103020120b23204307a1a99bf276b5e5be57dd68968"
+     "411594e77b1a48cf2c03cc5c143985aa40b32e00000000000000000000000000000000b3"
+     "03020120b4320430cbf50af88bc5a610910139172a468663675882caacaf176aa961b12a"
+     "38a0df2a00000000000000000000000000000000b503020120b703020101b88201700482"
+     "016c040000b20002a300bbccf972010000a041e0b13ecd71dfb3d9e3cb451e37cfde8197"
+     "3a1b73106b6669b53475781f0203a3f32f45cef7742cf0efb86d850081254f20d3b6bd83"
+     "30bc70331464905bcd99383c33e42c7d34bfeb47b387bf43b5c796daa4581f8b0043b7eb"
+     "216911f8eebaf1e8bd5d05277943d5a319cc03d9555e414990099f56ee887145f34e8bff"
+     "27f06d1865aa64d548a22208318566959a097c080fa3e5e0d4b1d933132ef32929950004"
+     "5a5a0000040000b20002a3002ecba343010100a041e0b13ecd71dfb3d9e3cb451e37cfde"
+     "289f90201519fb0dff08aa9e14a9f4ee1434edce481e49d22f061529bb4d230258f3dac8"
+     "86c2c1100bee2ccc7be889a90b417270c30b3b770558ef6f3c444ddefd08e673f788931d"
+     "86542c4a1e7ec44b0957bb315c17851bd8498b1d1131a79e19c66463e0566985ef55deb5"
+     "48fe370058ba83566278d01b3a565075b8ef2a82bea17ae95fa91b7b3ffa611a7d8a6331"
+     "00045a5a0000ba15301302010102040300130330080201010201050400bb153013020101"
+     "02040300130330080201010201050400020108020100a0030101ff", nullptr}
+};
 
 class EncodeDecodeKATTest
     : public testing::TestWithParam<EncodeDecodeKATTestParam> {};
@@ -7948,7 +8028,7 @@ TEST_P(EncodeDecodeKATTest, RoundTrips) {
   encoded_ptr.reset(encoded);
   // Check the encoded bytes are the same as the test input.
   ASSERT_EQ(output_bytes.size(), encoded_len);
-  ASSERT_EQ(memcmp(output_bytes.data(), encoded, encoded_len), 0);
+  ASSERT_EQ(OPENSSL_memcmp(output_bytes.data(), encoded, encoded_len), 0);
 }
 
 TEST(SSLTest, ZeroSizedWriteFlushesHandshakeMessages) {
@@ -10208,6 +10288,29 @@ TEST_P(SSLVersionTest, PeerTmpKey) {
   }
 }
 
+TEST_P(SSLVersionTest, GetFinished) {
+  // Test that contents of |finished| and the peer's |finished| align.
+  ASSERT_TRUE(Connect());
+  for (SSL *ssl : {client_.get(), server_.get()}) {
+    SCOPED_TRACE(SSL_is_server(ssl) ? "server" : "client");
+    size_t finished_size = SSL_get_finished(ssl, nullptr, 0);
+    EXPECT_TRUE(finished_size);
+    bssl::UniquePtr<uint8_t> finished((uint8_t *)OPENSSL_malloc(finished_size));
+    ASSERT_TRUE(finished);
+    EXPECT_TRUE(SSL_get_finished(ssl, finished.get(), finished_size));
+
+    size_t peer_finished_size = SSL_get_peer_finished(ssl, nullptr, 0);
+    EXPECT_TRUE(peer_finished_size);
+    bssl::UniquePtr<uint8_t> peer_finished(
+        (uint8_t *)OPENSSL_malloc(peer_finished_size));
+    ASSERT_TRUE(peer_finished);
+    EXPECT_TRUE(SSL_get_finished(ssl, peer_finished.get(), peer_finished_size));
+
+    EXPECT_EQ(Bytes(finished.get(), finished_size),
+              Bytes(peer_finished.get(), peer_finished_size));
+  }
+}
+
 static void WriteHelloRequest(SSL *server) {
   // This function assumes TLS 1.2 with ChaCha20-Poly1305.
   ASSERT_EQ(SSL_version(server), TLS1_2_VERSION);

diff --git a/ssl/ssl_transfer_asn1.cc b/ssl/ssl_transfer_asn1.cc
@@ -485,11 +485,11 @@ static int SSL3_STATE_from_bytes(SSL *ssl, CBS *cbs, const SSL_CTX *ctx) {
       !CBS_get_asn1_uint64(&s3, &early_data_reason) ||
       early_data_reason > ssl_early_data_reason_max_value ||
       !CBS_get_asn1(&s3, &previous_client_finished, CBS_ASN1_OCTETSTRING) ||
-      CBS_len(&previous_client_finished) != PREV_FINISHED_MAX_SIZE ||
+      CBS_len(&previous_client_finished) > PREV_FINISHED_MAX_SIZE ||
       !CBS_get_asn1_uint64(&s3, &previous_client_finished_len) ||
       previous_client_finished_len > PREV_FINISHED_MAX_SIZE ||
       !CBS_get_asn1(&s3, &previous_server_finished, CBS_ASN1_OCTETSTRING) ||
-      CBS_len(&previous_server_finished) != PREV_FINISHED_MAX_SIZE ||
+      CBS_len(&previous_server_finished) > PREV_FINISHED_MAX_SIZE ||
       !CBS_get_asn1_uint64(&s3, &previous_server_finished_len) ||
       previous_server_finished_len > PREV_FINISHED_MAX_SIZE ||
       !CBS_get_asn1_uint64(&s3, &empty_record_count) ||

diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
@@ -381,6 +381,22 @@ bool tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,
     return false;
   }
 
+  if (verify_data.size() > sizeof(ssl->s3->previous_client_finished) ||
+      verify_data.size() > sizeof(ssl->s3->previous_server_finished)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return ssl_hs_error;
+  }
+
+  if (ssl->server) {
+    OPENSSL_memcpy(ssl->s3->previous_client_finished, verify_data.data(),
+                   verify_data.size());
+    ssl->s3->previous_client_finished_len = verify_data.size();
+  } else {
+    OPENSSL_memcpy(ssl->s3->previous_server_finished, verify_data.data(),
+                   verify_data.size());
+    ssl->s3->previous_server_finished_len = verify_data.size();
+  }
+
   return true;
 }
 
@@ -605,6 +621,22 @@ bool tls13_add_finished(SSL_HANDSHAKE *hs) {
     return false;
   }
 
+  if (verify_data_len > sizeof(ssl->s3->previous_client_finished) ||
+      verify_data_len > sizeof(ssl->s3->previous_server_finished)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return ssl_hs_error;
+  }
+
+  if (ssl->server) {
+    OPENSSL_memcpy(ssl->s3->previous_server_finished, verify_data,
+                   verify_data_len);
+    ssl->s3->previous_server_finished_len = verify_data_len;
+  } else {
+    OPENSSL_memcpy(ssl->s3->previous_client_finished, verify_data,
+                   verify_data_len);
+    ssl->s3->previous_client_finished_len = verify_data_len;
+  }
+
   ScopedCBB cbb;
   CBB body;
   if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||