From fa1c6c0ff647c5a998715e97e671acfd355ebad8 Mon Sep 17 00:00:00 2001
From: Samuel Chiang <sachiang@amazon.com>
Date: Fri, 8 Nov 2024 11:49:29 -0800
Subject: [PATCH] Support Finished-based APIs for TLS 1.3 (#1952)

Another Ruby 3.1 test depending on certain SSL APIs to retain
information when using TLS1.3. This time it's the
`SSL_get(_peer)_finished` APIs that are involved. OpenSSL treats the
fields identically in 1.2 and 1.3 and uses the same API to update both
state machines.
We already have our own individual `ssl_get/send_finished` for TLS 1.2
and `tls13_add/process_finished` for TLS 1.3. I've added the field
updates within the corresponding TLS 1.3 functions so that these return
the correct value within a 1.3 setting.

### Call-outs:
The field buffer for `previous_server_finished` and
`previous_client_finished` has to grow past 12 since it's also used for
1.3 now. This breaks the original SSL Transfer assumption and we'll have
to bump the version while adding corresponding logic to account for the
updated size. I've regenerated the SSL Transfer bytes for the round trip
tests and also added a test for that as well. We're not bumping the
version number here since it's a pretty minuscule change. This doesn't
break compatibility with us parsing older versions of AWS-LC SSL
Transfers, but older versions of AWS-LC won't be able to parse the new
version.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
---
 include/openssl/ssl.h    |   5 +-
 ssl/internal.h           |   2 +-
 ssl/ssl_lib.cc           |   6 +-
 ssl/ssl_test.cc          | 181 ++++++++++++++++++++++++++++++---------
 ssl/ssl_transfer_asn1.cc |   4 +-
 ssl/tls13_both.cc        |  32 +++++++
 6 files changed, 181 insertions(+), 49 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index dbf01a0a8d..fd139802ce 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -5372,15 +5372,14 @@ OPENSSL_EXPORT int SSL_want(const SSL *ssl);
 
 // SSL_get_finished writes up to |count| bytes of the Finished message sent by
 // |ssl| to |buf|. It returns the total untruncated length or zero if none has
-// been sent yet. At TLS 1.3 and later, it returns zero.
+// been sent yet.
 //
 // Use |SSL_get_tls_unique| instead.
 OPENSSL_EXPORT size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count);
 
 // SSL_get_peer_finished writes up to |count| bytes of the Finished message
 // received from |ssl|'s peer to |buf|. It returns the total untruncated length
-// or zero if none has been received yet. At TLS 1.3 and later, it returns
-// zero.
+// or zero if none has been received yet.
 //
 // Use |SSL_get_tls_unique| instead.
 OPENSSL_EXPORT size_t SSL_get_peer_finished(const SSL *ssl, void *buf,
diff --git a/ssl/internal.h b/ssl/internal.h
index dcaa5aec75..4d7a387e1d 100644
--- a/ssl/internal.h
+++ b/ssl/internal.h
@@ -2864,7 +2864,7 @@ enum ssl_ech_status_t {
 #define SSL3_SEND_ALERT_SIZE 2
 #define TLS_SEQ_NUM_SIZE 8
 #define SSL3_CHANNEL_ID_SIZE 64
-#define PREV_FINISHED_MAX_SIZE 12
+#define PREV_FINISHED_MAX_SIZE EVP_MAX_MD_SIZE
 
 struct SSL3_STATE {
   static constexpr bool kAllowUniquePtr = true;
diff --git a/ssl/ssl_lib.cc b/ssl/ssl_lib.cc
index eeef8e75f1..023077a8c0 100644
--- a/ssl/ssl_lib.cc
+++ b/ssl/ssl_lib.cc
@@ -1701,8 +1701,7 @@ static size_t copy_finished(void *out, size_t out_len, const uint8_t *in,
 }
 
 size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
-  if (!ssl->s3->initial_handshake_complete ||
-      ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
+  if (!ssl->s3->initial_handshake_complete) {
     return 0;
   }
 
@@ -1716,8 +1715,7 @@ size_t SSL_get_finished(const SSL *ssl, void *buf, size_t count) {
 }
 
 size_t SSL_get_peer_finished(const SSL *ssl, void *buf, size_t count) {
-  if (!ssl->s3->initial_handshake_complete ||
-      ssl_protocol_version(ssl) >= TLS1_3_VERSION) {
+  if (!ssl->s3->initial_handshake_complete) {
     return 0;
   }
 
diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
index c58d526381..a06a0497d4 100644
--- a/ssl/ssl_test.cc
+++ b/ssl/ssl_test.cc
@@ -7864,17 +7864,23 @@ static const EncodeDecodeKATTestParam kEncodeDecodeKATs[] = {
      "a80400043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f67868232"
      "4fd8098dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b10301"
      "01ffb20302011da206040474657374a7030101ff020108020100a0030101ff",
-     "308201173082011302010102020303020240003081fa0201020408000000000000000104"
-     "0800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb44"
-     "4f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274d9"
-     "42e99e42a604020000020100020103040cb9b409f5129440622f87f84402010c040c1f49"
-     "e2e989c66a263e9c227502010c020100020100020100a05b3059020101020203030402cc"
-     "a80400043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f67868232"
-     "4fd8098dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b10301"
-     "01ffb20302011da206040474657374a7030101ff020108020100a0030101ff"},
+     "308201803082017c02010102020303020240003082016202010204080000000000000001"
+     "040800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb"
+     "444f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274"
+     "d942e99e42a6040200000201000201030440b9b409f5129440622f87f84402010c040c1f"
+     "49e2e989c66a263e9c227502010c020100020100020100a05b3059020101020203030402"
+     "cca80400043085668dcf02010c04401f49e2e989c66a263e9c227502010c020100020100"
+     "020100a05b3059020101020203030402cca80400043085668dcf9f0921094ebd7f91bf2a"
+     "8c60d276e4c27902010c020100020100020100a05b3059020101020203030402cca80400"
+     "043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f678682324fd809"
+     "8dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b1030101ffb2"
+     "0302011da206040474657374a7030101ff020108020100a0030101ff"},
     // In runner.go, the test case "Basic-Server-TLS-Sync-SSL_Transfer" is used
     // to generate below bytes by adding print statement on the output of
     // |SSL_to_bytes| in bssl_shim.cc.
+    // We've bumped the buffer size in the |previous_client/server_finished|
+    // fields. This verifies that the original size is parsable and reencoded
+    // with the new size.
     {"308201173082011302010102020303020240003081fa0201020408000000000000000104"
      "0800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb44"
      "4f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274d9"
@@ -7883,37 +7889,111 @@ static const EncodeDecodeKATTestParam kEncodeDecodeKATs[] = {
      "a80400043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f67868232"
      "4fd8098dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b10301"
      "01ffb20302011da206040474657374a7030101ff020108020100a0030101ff",
-     nullptr},
-    // In runner.go, the test case
-    // "TLS-TLS13-AES_128_GCM_SHA256-server-SSL_Transfer" is used to generate
-    // below bytes by adding print statement on the output of |SSL_to_bytes| in
-    // bssl_shim.cc.
+     "308201803082017c02010102020303020240003082016202010204080000000000000001"
+     "040800000000000000010420000004d29e62f41ded4bb33d0faa6ffada380e2c489dfbfb"
+     "444f574e475244010420cf3926d1ec5a562a642935a8050222b0aed93ffd9d1cac682274"
+     "d942e99e42a6040200000201000201030440b9b409f5129440622f87f84402010c040c1f"
+     "49e2e989c66a263e9c227502010c020100020100020100a05b3059020101020203030402"
+     "cca80400043085668dcf02010c04401f49e2e989c66a263e9c227502010c020100020100"
+     "020100a05b3059020101020203030402cca80400043085668dcf9f0921094ebd7f91bf2a"
+     "8c60d276e4c27902010c020100020100020100a05b3059020101020203030402cca80400"
+     "043085668dcf9f0921094ebd7f91bf2a8c60d276e4c279fd85a989402f678682324fd809"
+     "8dc19d900b856d0a77e048e3ced2a104020204d2a20402021c20a4020400b1030101ffb2"
+     "0302011da206040474657374a7030101ff020108020100a0030101ff"},
+     // In runner.go, the test case
+     // "TLS-TLS13-AES_128_GCM_SHA256-server-SSL_Transfer" is used to generate
+     // below bytes by adding print statement on the output of |SSL_to_bytes| in
+     // bssl_shim.cc.
+     // We've bumped the buffer size in the |previous_client/server_finished|
+     // fields. This verifies that the original size is parsable and reencoded
+     // with the new size.
     {"308203883082038402010102020304020240003082036a020102040800000000000000000"
-     "408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38a6"
-     "b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3888"
-     "3d33f236a04020000020100020101040c000000000000000000000000020100040c000000"
-     "000000000000000000020100020100020100020100a04e304c02010102020304040213010"
-     "40004200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da1"
-     "04020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374a"
-     "b03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade"
-     "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c0000000000000000000000000"
-     "0000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c16b"
-     "43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a178c"
-     "e69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c02180000000000000000"
-     "0000000000000000b503020120b88201700482016c040000b20002a30056355452010000a"
-     "027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda1002a4"
-     "d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072ab33c30"
-     "e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6bb111867a"
-     "87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e9044e9094"
-     "9975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c6738010100a0"
-     "27abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2ea52d3401d31"
-     "10a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d18796c97e8320"
-     "4daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573bcf0252dc4d39"
-     "0baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af57173f864070fdce2"
-     "41be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204030013013016020"
-     "101020117040e300c0201010201000201000101ffbb233021020101020403001301301602"
-     "0101020117040e300c0201010201000201000101ff020108020100a0030101ff",
-     nullptr}};
+      "408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38a6"
+      "b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3888"
+      "3d33f236a04020000020100020101040c000000000000000000000000020100040c000000"
+      "000000000000000000020100020100020100020100a04e304c02010102020304040213010"
+      "40004200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da1"
+      "04020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374a"
+      "b03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade"
+      "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c0000000000000000000000000"
+      "0000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c16b"
+      "43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a178c"
+      "e69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c02180000000000000000"
+      "0000000000000000b503020120b88201700482016c040000b20002a30056355452010000a"
+      "027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda1002a4"
+      "d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072ab33c30"
+      "e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6bb111867a"
+      "87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e9044e9094"
+      "9975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c6738010100a0"
+      "27abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2ea52d3401d31"
+      "10a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d18796c97e8320"
+      "4daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573bcf0252dc4d39"
+      "0baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af57173f864070fdce2"
+      "41be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204030013013016020"
+      "101020117040e300c0201010201000201000101ffbb233021020101020403001301301602"
+      "0101020117040e300c0201010201000201000101ff020108020100a0030101ff",
+      "308203f0308203ec0201010202030402024000308203d202010204080000000000000000"
+      "0408000000000000000004206beca5c14aff6b92757545948b883c6c175327814bedcf38"
+      "a6b2e4c43bc02d180420a32aee5b7705a19e4bb2b47f4918199c76cee7245f1311bc4ba3"
+      "8883d33f236a040200000201000201010440000000000000000000000000020100040c00"
+      "0000000000000000000000020100020100020100020100a04e304c020101020203040402"
+      "1301040004200b66320d0201000440000000000000000000000000020100020100020100"
+      "020100a04e304c0201010202030404021301040004200b66320d38c8fa1b0dfe9e37fcf2"
+      "bf0bafb43077fa020100020100020100020100a04e304c02010102020304040213010400"
+      "04200b66320d38c8fa1b0dfe9e37fcf2bf0bafb43077fa31ed2f1220dd245cef4c4da104"
+      "020204d2a205020302a300a4020400b20302011db9050203093a80a206040474657374ab"
+      "03020100ac03010100ad03010100ae03010100af03020100b032043034c0893be938bade"
+      "e7029ca3cfea4c821dde48e03f0d07641cba33b247bc161c000000000000000000000000"
+      "00000000b103020120b232043094b319ed2f41ee11aa73e141a238e5724c04f2aa8298c1"
+      "6b43c910c40cc98d1500000000000000000000000000000000b303020120b432043015a1"
+      "78ce69c0110ad36da8d58ca8428d9615ff07fc6a4e1bbab026c1bb0c0218000000000000"
+      "00000000000000000000b503020120b88201700482016c040000b20002a3005635545201"
+      "0000a027abfd1f1aa28cee6e8e2396112e8285f150768898158dbce97a1aef0a63fa6dda"
+      "1002a4d75942a3739c11e4b25827f529ab59d22e34e0cf0b59b9336eb60edbb1f686c072"
+      "ab33c30e784f876da5b4c7fddd67f4a2ffa995f8c9ccf2128200ae9668d626866b1b7c6b"
+      "b111867a87ed2a96122736595374f8fe5343e6ca492b278b67b1571423f2c1bcb673922e"
+      "9044e90949975ff72ab4a0eb659d8de664cac600042a2a0000040000b20002a3009e8c67"
+      "38010100a027abfd1f1aa28cee6e8e2396112e82851f15c84668b2f1d717681d1a3c6d2e"
+      "a52d3401d3110a04498246480b96a7e5b3c39ea6cef3a2a86b81896f1621950472d858d1"
+      "8796c97e83204daf94c1f30dfe763cd282fbee718a679dca8bff3cc8e11724062232e573"
+      "bcf0252dc4d390baa2b7f49a164b46d2d685e9fe826465cc135130f3e2e47838658af571"
+      "73f864070fdce241be58ecbd60d18128dfa28f4b1a00042a2a0000ba2330210201010204"
+      "030013013016020101020117040e300c0201010201000201000101ffbb23302102010102"
+      "04030013013016020101020117040e300c0201010201000201000101ff020108020100a0"
+      "030101ff"},
+    // In runner.go, the test case
+    // "TLS-ECH-Server-Cipher-HKDF-SHA256-AES-256-GCM-SSL_Transfer" is used
+    // to generate below bytes by adding print statement on the output of
+    // |SSL_to_bytes| in bssl_shim.cc.
+    {"308203e3308203df0201010202030402024000308203c502010204080000000000000000"
+     "04080000000000000000042028431b914ffdb44ea92ca53d5734976c6a16f141d44f180b"
+     "0816a5cb2b8e79030420bdaf544fa82d833d58c92213e44e850cc0b8147699b0b410d4aa"
+     "2a277030f3220402000002010002010104409e155007d04cd03cf4d8a95ce244dc978a87"
+     "e1808f0f6c6acb51ad7bf8063ae000000000000000000000000000000000000000000000"
+     "0000000000000000000002012004406680e8c36429d465ea520ae74a2062a5e07c39f34b"
+     "688024ae2edfab2898670700000000000000000000000000000000000000000000000000"
+     "00000000000000020120020100020100020100a04e304c02010102020304040213030400"
+     "0420df74ecd172087ad53083d505145ec4f6cf0ec5ed64b67ba526d55c918a0f8936a104"
+     "020204d2a205020302a300a4020400b20302011db9050203093a80a210040e7365637265"
+     "742e6578616d706c65ab03020100ac03010100ad03010100ae03010100af03020100b032"
+     "0430c40f9f95646fa700d58934e79c36b84ba3502d33df04248d56cded3444927e300000"
+     "0000000000000000000000000000b103020120b23204307a1a99bf276b5e5be57dd68968"
+     "411594e77b1a48cf2c03cc5c143985aa40b32e00000000000000000000000000000000b3"
+     "03020120b4320430cbf50af88bc5a610910139172a468663675882caacaf176aa961b12a"
+     "38a0df2a00000000000000000000000000000000b503020120b703020101b88201700482"
+     "016c040000b20002a300bbccf972010000a041e0b13ecd71dfb3d9e3cb451e37cfde8197"
+     "3a1b73106b6669b53475781f0203a3f32f45cef7742cf0efb86d850081254f20d3b6bd83"
+     "30bc70331464905bcd99383c33e42c7d34bfeb47b387bf43b5c796daa4581f8b0043b7eb"
+     "216911f8eebaf1e8bd5d05277943d5a319cc03d9555e414990099f56ee887145f34e8bff"
+     "27f06d1865aa64d548a22208318566959a097c080fa3e5e0d4b1d933132ef32929950004"
+     "5a5a0000040000b20002a3002ecba343010100a041e0b13ecd71dfb3d9e3cb451e37cfde"
+     "289f90201519fb0dff08aa9e14a9f4ee1434edce481e49d22f061529bb4d230258f3dac8"
+     "86c2c1100bee2ccc7be889a90b417270c30b3b770558ef6f3c444ddefd08e673f788931d"
+     "86542c4a1e7ec44b0957bb315c17851bd8498b1d1131a79e19c66463e0566985ef55deb5"
+     "48fe370058ba83566278d01b3a565075b8ef2a82bea17ae95fa91b7b3ffa611a7d8a6331"
+     "00045a5a0000ba15301302010102040300130330080201010201050400bb153013020101"
+     "02040300130330080201010201050400020108020100a0030101ff", nullptr}
+};
 
 class EncodeDecodeKATTest
     : public testing::TestWithParam<EncodeDecodeKATTestParam> {};
@@ -7948,7 +8028,7 @@ TEST_P(EncodeDecodeKATTest, RoundTrips) {
   encoded_ptr.reset(encoded);
   // Check the encoded bytes are the same as the test input.
   ASSERT_EQ(output_bytes.size(), encoded_len);
-  ASSERT_EQ(memcmp(output_bytes.data(), encoded, encoded_len), 0);
+  ASSERT_EQ(OPENSSL_memcmp(output_bytes.data(), encoded, encoded_len), 0);
 }
 
 TEST(SSLTest, ZeroSizedWriteFlushesHandshakeMessages) {
@@ -10208,6 +10288,29 @@ TEST_P(SSLVersionTest, PeerTmpKey) {
   }
 }
 
+TEST_P(SSLVersionTest, GetFinished) {
+  // Test that contents of |finished| and the peer's |finished| align.
+  ASSERT_TRUE(Connect());
+  for (SSL *ssl : {client_.get(), server_.get()}) {
+    SCOPED_TRACE(SSL_is_server(ssl) ? "server" : "client");
+    size_t finished_size = SSL_get_finished(ssl, nullptr, 0);
+    EXPECT_TRUE(finished_size);
+    bssl::UniquePtr<uint8_t> finished((uint8_t *)OPENSSL_malloc(finished_size));
+    ASSERT_TRUE(finished);
+    EXPECT_TRUE(SSL_get_finished(ssl, finished.get(), finished_size));
+
+    size_t peer_finished_size = SSL_get_peer_finished(ssl, nullptr, 0);
+    EXPECT_TRUE(peer_finished_size);
+    bssl::UniquePtr<uint8_t> peer_finished(
+        (uint8_t *)OPENSSL_malloc(peer_finished_size));
+    ASSERT_TRUE(peer_finished);
+    EXPECT_TRUE(SSL_get_finished(ssl, peer_finished.get(), peer_finished_size));
+
+    EXPECT_EQ(Bytes(finished.get(), finished_size),
+              Bytes(peer_finished.get(), peer_finished_size));
+  }
+}
+
 static void WriteHelloRequest(SSL *server) {
   // This function assumes TLS 1.2 with ChaCha20-Poly1305.
   ASSERT_EQ(SSL_version(server), TLS1_2_VERSION);
diff --git a/ssl/ssl_transfer_asn1.cc b/ssl/ssl_transfer_asn1.cc
index f2baa2dd2b..c8be3b9c9a 100644
--- a/ssl/ssl_transfer_asn1.cc
+++ b/ssl/ssl_transfer_asn1.cc
@@ -485,11 +485,11 @@ static int SSL3_STATE_from_bytes(SSL *ssl, CBS *cbs, const SSL_CTX *ctx) {
       !CBS_get_asn1_uint64(&s3, &early_data_reason) ||
       early_data_reason > ssl_early_data_reason_max_value ||
       !CBS_get_asn1(&s3, &previous_client_finished, CBS_ASN1_OCTETSTRING) ||
-      CBS_len(&previous_client_finished) != PREV_FINISHED_MAX_SIZE ||
+      CBS_len(&previous_client_finished) > PREV_FINISHED_MAX_SIZE ||
       !CBS_get_asn1_uint64(&s3, &previous_client_finished_len) ||
       previous_client_finished_len > PREV_FINISHED_MAX_SIZE ||
       !CBS_get_asn1(&s3, &previous_server_finished, CBS_ASN1_OCTETSTRING) ||
-      CBS_len(&previous_server_finished) != PREV_FINISHED_MAX_SIZE ||
+      CBS_len(&previous_server_finished) > PREV_FINISHED_MAX_SIZE ||
       !CBS_get_asn1_uint64(&s3, &previous_server_finished_len) ||
       previous_server_finished_len > PREV_FINISHED_MAX_SIZE ||
       !CBS_get_asn1_uint64(&s3, &empty_record_count) ||
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
index 9c84804e00..6e894f9f36 100644
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
@@ -381,6 +381,22 @@ bool tls13_process_finished(SSL_HANDSHAKE *hs, const SSLMessage &msg,
     return false;
   }
 
+  if (verify_data.size() > sizeof(ssl->s3->previous_client_finished) ||
+      verify_data.size() > sizeof(ssl->s3->previous_server_finished)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return ssl_hs_error;
+  }
+
+  if (ssl->server) {
+    OPENSSL_memcpy(ssl->s3->previous_client_finished, verify_data.data(),
+                   verify_data.size());
+    ssl->s3->previous_client_finished_len = verify_data.size();
+  } else {
+    OPENSSL_memcpy(ssl->s3->previous_server_finished, verify_data.data(),
+                   verify_data.size());
+    ssl->s3->previous_server_finished_len = verify_data.size();
+  }
+
   return true;
 }
 
@@ -605,6 +621,22 @@ bool tls13_add_finished(SSL_HANDSHAKE *hs) {
     return false;
   }
 
+  if (verify_data_len > sizeof(ssl->s3->previous_client_finished) ||
+      verify_data_len > sizeof(ssl->s3->previous_server_finished)) {
+    OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+    return ssl_hs_error;
+  }
+
+  if (ssl->server) {
+    OPENSSL_memcpy(ssl->s3->previous_server_finished, verify_data,
+                   verify_data_len);
+    ssl->s3->previous_server_finished_len = verify_data_len;
+  } else {
+    OPENSSL_memcpy(ssl->s3->previous_client_finished, verify_data,
+                   verify_data_len);
+    ssl->s3->previous_client_finished_len = verify_data_len;
+  }
+
   ScopedCBB cbb;
   CBB body;
   if (!ssl->method->init_message(ssl, cbb.get(), &body, SSL3_MT_FINISHED) ||