This is a lot of code for something that boils down to:
void otp(size_t len, uint8_t *key, uint8_t *message) { for (size_t i = 0; i < len; i++) { message[i] ^= key[i]; } } Everything else (other than ensuring len(key) == len(message) is not just unnecessary, but actively detracts from it being an actual implementation of a one-time pad. Even saying "boils down to" here is probably misleading: this isn't just a simplified version; other than grabbing an appropriate-length key from a truly random source it is entirely complete. That omitted part is likely little more than
char *key = malloc(len); assert(key != NULL); assert(read(fd, key, len) == len); I haven't looked at what your "hash table" does because whatever it's doing is wholly unnecessary, extremely likely to be a source of bugs causing catastrophic loss of security, and almost certainly violates the fundamental definition of what constitutes a one-time pad.
A one-time pad must have truly random keys. Characters typed on a keyboard are not truly random. The output of /dev/random is not truly random. Getting truly random bits is hard, but there do exist external devices that will collect them for you (assuming you trust the device). Those keys must be the same length as your message (or longer, I suppose).
And lastly, while it's not a strict necessity, cryptography is generally best performed on bits and bytes and not some notion of "characters". Attempting to do the latter is setting yourself up for serious bugs leading to catastrophic failure.