From 1818267d64d89fdbb415a2aec177686fbd4b7ce5 Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Wed, 6 Apr 2016 00:57:46 +0200
Subject: [PATCH] Return -1 if crypto_generichash_final() is called twice

---
 .../crypto_generichash/blake2/ref/blake2b-ref.c        |  8 ++++++++
 test/default/generichash2.c                            | 10 ++++++++--
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c b/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c
index 676bc330..924c90af 100644
--- a/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c
+++ b/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c
@@ -54,6 +54,11 @@ static inline int blake2b_clear_lastnode( blake2b_state *S )
 }
 #endif
 
+static inline int blake2b_is_lastblock( const blake2b_state *S )
+{
+  return S->f[0] != 0;
+}
+
 static inline int blake2b_set_lastblock( blake2b_state *S )
 {
   if( S->last_node ) blake2b_set_lastnode( S );
@@ -327,6 +332,9 @@ int blake2b_final( blake2b_state *S, uint8_t *out, uint8_t outlen )
   if( !outlen || outlen > BLAKE2B_OUTBYTES ) {
     abort(); /* LCOV_EXCL_LINE */
   }
+  if( blake2b_is_lastblock( S ) ) {
+    return -1;
+  }
   if( S->buflen > BLAKE2B_BLOCKBYTES )
   {
     blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
diff --git a/test/default/generichash2.c b/test/default/generichash2.c
index 6447d7e0..c0048828 100644
--- a/test/default/generichash2.c
+++ b/test/default/generichash2.c
@@ -26,12 +26,18 @@ main(void)
         crypto_generichash_update(&st, in, i);
         crypto_generichash_update(&st, in, i);
         crypto_generichash_update(&st, in, i);
-        crypto_generichash_final(&st, out,
-                                 1 + i % crypto_generichash_BYTES_MAX);
+        if (crypto_generichash_final(&st, out,
+                                     1 + i % crypto_generichash_BYTES_MAX) != 0) {
+            printf("crypto_generichash_final() should have returned 0\n");
+        }
         for (j = 0; j < 1 + i % crypto_generichash_BYTES_MAX; ++j) {
             printf("%02x", (unsigned int)out[j]);
         }
         printf("\n");
+        if (crypto_generichash_final(&st, out,
+                                     1 + i % crypto_generichash_BYTES_MAX) != -1) {
+            printf("crypto_generichash_final() should have returned -1\n");
+        }
     }
 
     assert(crypto_generichash_init(&st, k, sizeof k, 0U) == -1);