Return -1 if crypto_generichash_final() is called twice

src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c

@@ -54,6 +54,11 @@ static inline int blake2b_clear_lastnode( blake2b_state *S )
 }
 #endif
 
+static inline int blake2b_is_lastblock( const blake2b_state *S )
+{
+  return S->f[0] != 0;
+}
+
 static inline int blake2b_set_lastblock( blake2b_state *S )
 {
   if( S->last_node ) blake2b_set_lastnode( S );
@@ -327,6 +332,9 @@ int blake2b_final( blake2b_state *S, uint8_t *out, uint8_t outlen )
   if( !outlen || outlen > BLAKE2B_OUTBYTES ) {
     abort(); /* LCOV_EXCL_LINE */
   }
+  if( blake2b_is_lastblock( S ) ) {
+    return -1;
+  }
   if( S->buflen > BLAKE2B_BLOCKBYTES )
   {
     blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );

test/default/generichash2.c

@@ -26,12 +26,18 @@ main(void)
         crypto_generichash_update(&st, in, i);
         crypto_generichash_update(&st, in, i);
         crypto_generichash_update(&st, in, i);
-        crypto_generichash_final(&st, out,
+        if (crypto_generichash_final(&st, out,
-                                 1 + i % crypto_generichash_BYTES_MAX);
+                                     1 + i % crypto_generichash_BYTES_MAX) != 0) {
+            printf("crypto_generichash_final() should have returned 0\n");
+        }
         for (j = 0; j < 1 + i % crypto_generichash_BYTES_MAX; ++j) {
             printf("%02x", (unsigned int)out[j]);
         }
         printf("\n");
+        if (crypto_generichash_final(&st, out,
+                                     1 + i % crypto_generichash_BYTES_MAX) != -1) {
+            printf("crypto_generichash_final() should have returned -1\n");
+        }
     }
 
     assert(crypto_generichash_init(&st, k, sizeof k, 0U) == -1);