Closed aead closed 7 years ago
The problem is within `hydro_hash_init_with_tweak`. You're not allowed to update the hash with the key, because if the msg length is 0 the `hydro_hash_blake2s_final` will compute the wrong hash.

Replacing the key-processing

```c
uint8_t block[hydro_hash_BLOCKBYTES];
memset(block, 0, sizeof block);
mem_cpy(block, key, key_len);
hydro_hash_update(state, block, sizeof block);
hydro_memzero(block, sizeof block);
```

with:

```c
mem_cpy(state->buf, key, key_len);
state->buf_off = hydro_hash_BLOCKBYTES;
```

Should fix the problem - of course this requires new test vectors...
Good catch 👍
Your change wouldn't work if the message size was 1 or more blocks.
But https://github.com/jedisct1/libhydrogen/commit/3ed17947e8ebfc6ab25500e28ff956db1db5d03c should fix it.
Thanks!
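The empty-message case discussed above, as an added example that is not code from this thread or from libhydrogen: a small BLAKE2s (RFC 7693) in Python, compared against `hashlib.blake2s`. The names `keyed_blake2s`, `eager_key_block` and `reference` are hypothetical, and the "eager" path is an assumed model of the reported behaviour, in which the padded key block is compressed as soon as it is absorbed and so can never be the flagged final block.

```python
import hashlib, struct
IV = [0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A,
      0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19]
SIGMA = [[int(c, 16) for c in row] for row in (
    "0123456789abcdef", "ea489fd61c02b753", "b8c052fdae367194",
    "7931dcbe265a40f8", "905724afe1bc683d", "2c6a0b834d75fe19",
    "c51fed4a0763928b", "db7ec13950f4862a", "6fe9b308c2d714a5",
    "a2847615fb9e3cd0")]
LANES = [(0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),  # columns
         (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)]  # diagonals
M32 = 0xFFFFFFFF

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32

def compress(h, block, t, last):
    """BLAKE2s compression F: t = bytes absorbed so far, last = final-block flag."""
    m = struct.unpack("<16I", block)
    v = h + IV
    v[12] ^= t & M32
    v[13] ^= t >> 32
    v[14] ^= M32 if last else 0
    for s in SIGMA:
        for i, (a, b, c, d) in enumerate(LANES):
            v[a] = (v[a] + v[b] + m[s[2 * i]]) & M32
            v[d] = rotr(v[d] ^ v[a], 16)
            v[c] = (v[c] + v[d]) & M32
            v[b] = rotr(v[b] ^ v[c], 12)
            v[a] = (v[a] + v[b] + m[s[2 * i + 1]]) & M32
            v[d] = rotr(v[d] ^ v[a], 8)
            v[c] = (v[c] + v[d]) & M32
            v[b] = rotr(v[b] ^ v[c], 7)
    return [h[i] ^ v[i] ^ v[i + 8] for i in range(8)]

def keyed_blake2s(key, msg, eager_key_block=False):
    """32-byte keyed BLAKE2s; key must be 1..32 bytes."""
    h = list(IV)
    h[0] ^= 0x01010000 ^ (len(key) << 8) ^ 32
    data, t = key.ljust(64, b"\0") + msg, 0
    if eager_key_block:  # assumed bug model: key block compressed at once, never as final
        h, t, data = compress(h, data[:64], 64, False), 64, data[64:]
    while len(data) > 64:  # strictly greater: the last block stays buffered for final
        t += 64
        h, data = compress(h, data[:64], t, False), data[64:]
    h = compress(h, data.ljust(64, b"\0"), t + len(data), True)
    return struct.pack("<8I", *h)

def reference(key, msg):
    return hashlib.blake2s(msg, key=key).digest()
```

With a constructed key, the eager variant agrees with `reference` for every non-empty message and differs only when `msg` is empty, because it then finalizes over an extra all-zero block instead of the key block.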
Following test:
fails, while this test passes successfully: