fix(onetimeauth): prevent double final

index.js

@@ -1337,6 +1337,7 @@ exports.crypto_onetimeauth_init = function (state, k) {
 exports.crypto_onetimeauth_update = function (state, input) {
   assert(ArrayBuffer.isView(state), 'state must be a typed array')
   assert(ArrayBuffer.isView(input), 'input must be a typed array')
+  assert(!state.buffer.detached, 'state has already been finalized')
   assert(
     state.byteLength === binding.crypto_onetimeauth_STATEBYTES,
     "state must be 'crypto_onetimeauth_STATEBYTES' bytes"
@@ -1350,6 +1351,7 @@ exports.crypto_onetimeauth_update = function (state, input) {
 exports.crypto_onetimeauth_final = function (state, out) {
   assert(ArrayBuffer.isView(state), 'state must be a typed array')
   assert(ArrayBuffer.isView(out), 'out must be a typed array')
+  assert(!state.buffer.detached, 'state has already been finalized')
   assert(
     state.byteLength === binding.crypto_onetimeauth_STATEBYTES,
     "state must be 'crypto_onetimeauth_STATEBYTES' bytes"
@@ -1361,6 +1363,8 @@ exports.crypto_onetimeauth_final = function (state, out) {
 
   const res = binding.crypto_onetimeauth_final(state, out)
 
+  state.buffer.transfer()
+
   if (res !== 0) throw new Error('status: ' + res)
 }
 

test/crypto_onetimeauth.js

@@ -17,6 +17,41 @@ test('crypto_onetimeauth', function (t) {
   t.ok(sodium.crypto_onetimeauth_verify(mac, value, key), 'verifies')
 })
 
+test('crypto_onetimeauth - double final must not produce zero MAC', function (t) {
+  const key = Buffer.alloc(sodium.crypto_onetimeauth_KEYBYTES)
+  const state = Buffer.alloc(sodium.crypto_onetimeauth_STATEBYTES)
+  const out = Buffer.alloc(sodium.crypto_onetimeauth_BYTES)
+
+  sodium.randombytes_buf(key)
+  sodium.crypto_onetimeauth_init(state, key)
+  sodium.crypto_onetimeauth_update(state, Buffer.from('hello'))
+  sodium.crypto_onetimeauth_final(state, out)
+
+  const validMac = Buffer.from(out)
+  t.not(validMac, Buffer.alloc(validMac.length), 'first final produces valid MAC')
+
+  t.exception.all(function () {
+    sodium.crypto_onetimeauth_final(state, out)
+  }, 'second final throws instead of producing zero MAC')
+
+  t.alike(out, validMac, 'MAC was not overwritten by second final')
+})
+
+test('crypto_onetimeauth - update after final must throw', function (t) {
+  const key = Buffer.alloc(sodium.crypto_onetimeauth_KEYBYTES)
+  const state = Buffer.alloc(sodium.crypto_onetimeauth_STATEBYTES)
+  const out = Buffer.alloc(sodium.crypto_onetimeauth_BYTES)
+
+  sodium.randombytes_buf(key)
+  sodium.crypto_onetimeauth_init(state, key)
+  sodium.crypto_onetimeauth_update(state, Buffer.from('hello'))
+  sodium.crypto_onetimeauth_final(state, out)
+
+  t.exception.all(function () {
+    sodium.crypto_onetimeauth_update(state, Buffer.from('world'))
+  }, 'update after final throws')
+})
+
 test('crypto_onetimeauth_state', function (t) {
   const key = Buffer.alloc(sodium.crypto_onetimeauth_KEYBYTES, 'lo')
   const state = Buffer.alloc(sodium.crypto_onetimeauth_STATEBYTES)