First, thanks a lot for the great project, we use picohash in DuckDB and are generally very happy. We recently found what we think is a bug in pico hash though:
Here's a snippet of code we use to compute a hmac256 from a message and a secret, straight from the README:
This works fine, unless the secret is longer than ctx->block_length, which is 64. Then, picohash_init_hmac uses another code path which first hashes the key and calls ctx->_hmac.hash_reset(ctx). The problem is that at that point ctx->_hmac.hash_reset has not been set yet, the init function (in our case picohash_init_sha256 (as it should I think) only sets ctx->_reset. picohash_init_hmacdoes set ctx->_hmac.hash_reset to something meaningful but only later in the function.
I think the way to fix this is to just replace the call to ctx->_hmac.hash_reset(ctx) with a call to ctx->_reset in line 739.
First, thanks a lot for the great project, we use picohash in DuckDB and are generally very happy. We recently found what we think is a bug in pico hash though:
Here's a snippet of code we use to compute a hmac256 from a message and a secret, straight from the README:
This works fine, unless the secret is longer than
ctx->block_length
, which is 64. Then,picohash_init_hmac
uses another code path which first hashes the key and callsctx->_hmac.hash_reset(ctx)
. The problem is that at that pointctx->_hmac.hash_reset
has not been set yet, the init function (in our casepicohash_init_sha256
(as it should I think) only setsctx->_reset
.picohash_init_hmac
does setctx->_hmac.hash_reset
to something meaningful but only later in the function.I think the way to fix this is to just replace the call to
ctx->_hmac.hash_reset(ctx)
with a call toctx->_reset
in line 739.Happy to send a PR if I'm not wrong :)