diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index b687ad125e..525dd1ad52 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -1267,8 +1267,66 @@ static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
 
 static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl )
 {
-    // TODO: Add back resumption keys calculation after MVP.
-    ((void) ssl);
+    int ret = 0;
+#if defined(MBEDTLS_SSL_CLI_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
+    {
+        /* Compute resumption_master_secret */
+        ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1,
+                    "mbedtls_ssl_tls13_generate_resumption_master_secret ", ret );
+            return ( ret );
+        }
+
+    }
+    else
+#endif /* MBEDTLS_SSL_CLI_C */
+
+#if defined(MBEDTLS_SSL_SRV_C)
+    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
+    {
+        mbedtls_ssl_key_set traffic_keys;
+        mbedtls_ssl_transform *transform_application;
+
+        ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1,
+               "mbedtls_ssl_tls13_key_schedule_stage_application", ret );
+            return( ret );
+        }
+
+        ret = mbedtls_ssl_tls13_generate_application_keys(
+                     ssl, &traffic_keys );
+        if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1,
+                  "mbedtls_ssl_tls13_generate_application_keys", ret );
+            return( ret );
+        }
+
+        transform_application =
+            mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
+        if( transform_application == NULL )
+            return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+        ret = mbedtls_ssl_tls13_populate_transform(
+            transform_application, ssl->conf->endpoint,
+            ssl->session_negotiate->ciphersuite,
+            &traffic_keys, ssl );
+        if( ret != 0 )
+            return( ret );
+
+        ssl->transform_application = transform_application;
+    }
+    else
+#endif /* MBEDTLS_SSL_SRV_C */
+    {
+        /* Should never happen */
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+    }
 
     return( 0 );
 }
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index df3221d8bb..d78af33a62 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1504,7 +1504,7 @@ int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
     if( ret != 0 )
         return( ret );
 
-    mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
+    mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
     return( 0 );
 
 }
@@ -1523,8 +1523,14 @@ int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
  */
 int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
 {
-    ((void) ssl);
-    return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
+
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for all traffic" ) );
+    mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
+    mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
+    mbedtls_ssl_tls13_handshake_wrapup( ssl );
+    mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
+    return( 0 );
 }
 
 /*