algorithms.c: Add a Keccak `set' method now there's upstream support.

[catacomb-python] / t / t-algorithms.py

diff --git a/t/t-algorithms.py b/t/t-algorithms.py
index f63565a..455e947 100644 (file)
--- a/t/t-algorithms.py
+++ b/t/t-algorithms.py
@@ -38,7 +38,7 @@ def bad_key_size(ksz):
   if isinstance(ksz, C.KeySZAny): return None
   elif isinstance(ksz, C.KeySZRange):
     if ksz.mod != 1: return ksz.min + 1
-    elif ksz.max != 0: return ksz.max + 1
+    elif ksz.max is not None: return ksz.max + 1
     elif ksz.min != 0: return ksz.min - 1
     else: return None
   elif isinstance(ksz, C.KeySZSet):
@@ -52,7 +52,7 @@ def different_key_size(ksz, sz):
   if isinstance(ksz, C.KeySZAny): return sz + 1
   elif isinstance(ksz, C.KeySZRange):
     if sz > ksz.min: return sz - ksz.mod
-    elif ksz.max == 0 or sz < ksz.max: return sz + ksz.mod
+    elif ksz.max is None or sz < ksz.max: return sz + ksz.mod
     else: return None
   elif isinstance(ksz, C.KeySZSet):
     for sz1 in sorted(ksz.set):
@@ -76,8 +76,7 @@ class HashBufferTestMixin (U.TestCase):
 
     ## Check overflow detection.
     h0, _ = makefn(w)
-    me.assertRaises((OverflowError, ValueError),
-                    hashfn, h0, 1 << 8*w)
+    me.assertRaises(OverflowError, hashfn, h0, 1 << 8*w)
 
   def check_hashbuffer_bufn(me, w, bigendp, makefn, hashfn):
     """Check `hashbufN'."""
@@ -95,8 +94,7 @@ class HashBufferTestMixin (U.TestCase):
     if w <= 3:
       n = 1 << 8*w
       h0, _ = makefn(w + n)
-      me.assertRaises((ValueError, OverflowError, TypeError),
-                      hashfn, h0, C.ByteString.zero(n))
+      me.assertRaises(ValueError, hashfn, h0, C.ByteString.zero(n))
 
   def check_hashbuffer(me, makefn):
     """Test the various `hash...' methods."""
@@ -106,10 +104,9 @@ class HashBufferTestMixin (U.TestCase):
     me.check_hashbuffer_hashn(2, True, makefn, lambda h, n: h.hashu16(n))
     me.check_hashbuffer_hashn(2, True, makefn, lambda h, n: h.hashu16b(n))
     me.check_hashbuffer_hashn(2, False, makefn, lambda h, n: h.hashu16l(n))
-    if hasattr(makefn(0)[0], "hashu24"):
-      me.check_hashbuffer_hashn(3, True, makefn, lambda h, n: h.hashu24(n))
-      me.check_hashbuffer_hashn(3, True, makefn, lambda h, n: h.hashu24b(n))
-      me.check_hashbuffer_hashn(3, False, makefn, lambda h, n: h.hashu24l(n))
+    me.check_hashbuffer_hashn(3, True, makefn, lambda h, n: h.hashu24(n))
+    me.check_hashbuffer_hashn(3, True, makefn, lambda h, n: h.hashu24b(n))
+    me.check_hashbuffer_hashn(3, False, makefn, lambda h, n: h.hashu24l(n))
     me.check_hashbuffer_hashn(4, True, makefn, lambda h, n: h.hashu32(n))
     me.check_hashbuffer_hashn(4, True, makefn, lambda h, n: h.hashu32b(n))
     me.check_hashbuffer_hashn(4, False, makefn, lambda h, n: h.hashu32l(n))
@@ -123,10 +120,9 @@ class HashBufferTestMixin (U.TestCase):
     me.check_hashbuffer_bufn(2, True, makefn, lambda h, x: h.hashbuf16(x))
     me.check_hashbuffer_bufn(2, True, makefn, lambda h, x: h.hashbuf16b(x))
     me.check_hashbuffer_bufn(2, False, makefn, lambda h, x: h.hashbuf16l(x))
-    if hasattr(makefn(0)[0], "hashbuf24"):
-      me.check_hashbuffer_bufn(3, True, makefn, lambda h, x: h.hashbuf24(x))
-      me.check_hashbuffer_bufn(3, True, makefn, lambda h, x: h.hashbuf24b(x))
-      me.check_hashbuffer_bufn(3, False, makefn, lambda h, x: h.hashbuf24l(x))
+    me.check_hashbuffer_bufn(3, True, makefn, lambda h, x: h.hashbuf24(x))
+    me.check_hashbuffer_bufn(3, True, makefn, lambda h, x: h.hashbuf24b(x))
+    me.check_hashbuffer_bufn(3, False, makefn, lambda h, x: h.hashbuf24l(x))
     me.check_hashbuffer_bufn(4, True, makefn, lambda h, x: h.hashbuf32(x))
     me.check_hashbuffer_bufn(4, True, makefn, lambda h, x: h.hashbuf32b(x))
     me.check_hashbuffer_bufn(4, False, makefn, lambda h, x: h.hashbuf32l(x))
@@ -145,7 +141,7 @@ class TestKeysize (U.TestCase):
     me.assertEqual(type(ksz), C.KeySZAny)
     me.assertEqual(ksz.default, 20)
     me.assertEqual(ksz.min, 0)
-    me.assertEqual(ksz.max, 0)
+    me.assertEqual(ksz.max, None)
     for n in [0, 12, 20, 5000]:
       me.assertTrue(ksz.check(n))
       me.assertEqual(ksz.best(n), n)
@@ -157,7 +153,7 @@ class TestKeysize (U.TestCase):
     me.assertEqual(type(ksz), C.KeySZAny)
     me.assertEqual(ksz.default, 32)
     me.assertEqual(ksz.min, 0)
-    me.assertEqual(ksz.max, 0)
+    me.assertEqual(ksz.max, None)
     for n in [0, 12, 20, 5000]:
       me.assertTrue(ksz.check(n))
       me.assertEqual(ksz.best(n), n)
@@ -167,7 +163,7 @@ class TestKeysize (U.TestCase):
     ksz = C.KeySZAny(15)
     me.assertEqual(ksz.default, 15)
     me.assertEqual(ksz.min, 0)
-    me.assertEqual(ksz.max, 0)
+    me.assertEqual(ksz.max, None)
     me.assertRaises(ValueError, lambda: C.KeySZAny(-8))
     me.assertEqual(C.KeySZAny(0).default, 0)
 
@@ -180,7 +176,7 @@ class TestKeysize (U.TestCase):
     me.assertEqual(ksz.default, 32)
     me.assertEqual(ksz.min, 10)
     me.assertEqual(ksz.max, 32)
-    me.assertEqual(set(ksz.set), set([10, 16, 32]))
+    me.assertEqual(ksz.set, set([10, 16, 32]))
     for x, best, pad in [(9, None, 10), (10, 10, 10), (11, 10, 16),
                          (15, 10, 16), (16, 16, 16), (17, 16, 32),
                          (31, 16, 32), (32, 32, 32), (33, 32, None)]:
@@ -194,12 +190,12 @@ class TestKeysize (U.TestCase):
     ## Check construction.
     ksz = C.KeySZSet(7)
     me.assertEqual(ksz.default, 7)
-    me.assertEqual(set(ksz.set), set([7]))
+    me.assertEqual(ksz.set, set([7]))
     me.assertEqual(ksz.min, 7)
     me.assertEqual(ksz.max, 7)
-    ksz = C.KeySZSet(7, [3, 6, 9])
+    ksz = C.KeySZSet(7, iter([3, 6, 9]))
     me.assertEqual(ksz.default, 7)
-    me.assertEqual(set(ksz.set), set([3, 6, 7, 9]))
+    me.assertEqual(ksz.set, set([3, 6, 7, 9]))
     me.assertEqual(ksz.min, 3)
     me.assertEqual(ksz.max, 9)
 
@@ -230,6 +226,11 @@ class TestKeysize (U.TestCase):
     me.assertEqual(ksz.min, 21)
     me.assertEqual(ksz.max, 35)
     me.assertEqual(ksz.mod, 7)
+    ksz = C.KeySZRange(28, 21, None, 7)
+    me.assertEqual(ksz.min, 21)
+    me.assertEqual(ksz.max, None)
+    me.assertEqual(ksz.mod, 7)
+    me.assertEqual(ksz.pad(36), 42)
     me.assertRaises(ValueError, C.KeySZRange, 29, 21, 35, 7)
     me.assertRaises(ValueError, C.KeySZRange, 28, 20, 35, 7)
     me.assertRaises(ValueError, C.KeySZRange, 28, 21, 34, 7)
@@ -316,6 +317,280 @@ TestCipher.generate_testcases((name, C.gcciphers[name]) for name in
    "blowfish-counter", "rc4", "seal", "salsa20/8", "shake128-xof"])
 
 ###--------------------------------------------------------------------------
+class TestAuthenticatedEncryption \
+        (HashBufferTestMixin, T.GenericTestMixin):
+  """Test authenticated encryption schemes."""
+
+  def _test_aead(me, aecls):
+
+    ## Check the class properties.
+    me.assertEqual(type(aecls.name), str)
+    me.assertTrue(isinstance(aecls.keysz, C.KeySZ))
+    me.assertTrue(isinstance(aecls.noncesz, C.KeySZ))
+    me.assertTrue(isinstance(aecls.tagsz, C.KeySZ))
+    me.assertEqual(type(aecls.blksz), int)
+    me.assertEqual(type(aecls.bufsz), int)
+    me.assertEqual(type(aecls.ohd), int)
+    me.assertEqual(type(aecls.flags), int)
+
+    ## Check round-tripping, with full precommitment.  First, select some
+    ## parameters.  (It's conceivable that some AEAD schemes are more
+    ## restrictive than advertised by the various properties, but this works
+    ## out OK in practice.)
+    k = T.span(aecls.keysz.default)
+    n = T.span(aecls.noncesz.default)
+    if aecls.flags&C.AEADF_NOAAD: h = T.span(0)
+    else: h = T.span(131)
+    m = T.span(253)
+    tsz = aecls.tagsz.default
+    key = aecls(k)
+
+    ## Next, encrypt a message, checking that things are proper as we go.
+    enc = key.enc(nonce = n, hsz = len(h), msz = len(m), tsz = tsz)
+    me.assertEqual(enc.hsz, len(h))
+    me.assertEqual(enc.msz, len(m))
+    me.assertEqual(enc.mlen, 0)
+    me.assertEqual(enc.tsz, tsz)
+    aad = enc.aad()
+    if aecls.flags&C.AEADF_AADNDEP: me.assertEqual(aad.hsz, len(h))
+    else: me.assertEqual(aad.hsz, None)
+    me.assertEqual(aad.hlen, 0)
+    if not aecls.flags&C.AEADF_NOAAD:
+      aad.hash(h[0:83])
+      me.assertEqual(aad.hlen, 83)
+      aad.hash(h[83:131])
+      me.assertEqual(aad.hlen, 131)
+    c0 = enc.encrypt(m[0:57])
+    me.assertEqual(enc.mlen, 57)
+    me.assertTrue(57 - aecls.bufsz <= len(c0) <= 57 + aecls.ohd)
+    c1 = enc.encrypt(m[57:189])
+    me.assertEqual(enc.mlen, 189)
+    me.assertTrue(132 - aecls.bufsz <= len(c1) <=
+                  132 + aecls.bufsz + aecls.ohd)
+    c2 = enc.encrypt(m[189:253])
+    me.assertEqual(enc.mlen, 253)
+    me.assertTrue(64 - aecls.bufsz <= len(c2) <=
+                  64 + aecls.bufsz + aecls.ohd)
+    c3, t = enc.done(aad = aad)
+    me.assertTrue(len(c3) <= aecls.bufsz + aecls.ohd)
+    c = c0 + c1 + c2 + c3
+    me.assertTrue(len(m) <= len(c) <= len(m) + aecls.ohd)
+    me.assertEqual(len(t), tsz)
+
+    ## And now decrypt it again, with different record boundaries.
+    dec = key.dec(nonce = n, hsz = len(h), csz = len(c), tsz = tsz)
+    me.assertEqual(dec.hsz, len(h))
+    me.assertEqual(dec.csz, len(c))
+    me.assertEqual(dec.clen, 0)
+    me.assertEqual(dec.tsz, tsz)
+    aad = dec.aad()
+    if aecls.flags&C.AEADF_AADNDEP: me.assertEqual(aad.hsz, len(h))
+    else: me.assertEqual(aad.hsz, None)
+    me.assertEqual(aad.hlen, 0)
+    aad.hash(h)
+    m0 = dec.decrypt(c[0:156])
+    me.assertTrue(156 - aecls.bufsz <= len(m0) <= 156)
+    m1 = dec.decrypt(c[156:])
+    me.assertTrue(len(c) - 156 - aecls.bufsz <= len(m1) <=
+                  len(c) - 156 + aecls.bufsz)
+    m2 = dec.done(tag = t, aad = aad)
+    me.assertEqual(m0 + m1 + m2, m)
+
+    ## And again, with the wrong tag.
+    dec = key.dec(nonce = n, hsz = len(h), csz = len(c), tsz = tsz)
+    aad = dec.aad(); aad.hash(h)
+    _ = dec.decrypt(c)
+    me.assertRaises(ValueError, dec.done, tag = t ^ tsz*C.bytes("55"))
+
+    ## Check that the all-in-one methods work.
+    me.assertEqual((c, t),
+                   key.encrypt(n = n, h = h, m = m, tsz = tsz))
+    me.assertEqual(m,
+                   key.decrypt(n = n, h = h, c = c, t = t))
+
+    ## Check that bad key, nonce, and tag lengths are rejected.
+    badlen = bad_key_size(aecls.keysz)
+    if badlen is not None: me.assertRaises(ValueError, aecls, T.span(badlen))
+    badlen = bad_key_size(aecls.noncesz)
+    if badlen is not None:
+      me.assertRaises(ValueError, key.enc, nonce = T.span(badlen),
+                      hsz = len(h), msz = len(m), tsz = tsz)
+      me.assertRaises(ValueError, key.dec, nonce = T.span(badlen),
+                      hsz = len(h), csz = len(c), tsz = tsz)
+      if not aecls.flags&C.AEADF_PCTSZ:
+        enc = key.enc(nonce = n, hsz = 0, msz = len(m))
+        _ = enc.encrypt(m)
+        me.assertRaises(ValueError, enc.done, tsz = badlen)
+    badlen = bad_key_size(aecls.tagsz)
+    if badlen is not None:
+      me.assertRaises(ValueError, key.enc, nonce = n,
+                      hsz = len(h), msz = len(m), tsz = badlen)
+      me.assertRaises(ValueError, key.dec, nonce = n,
+                      hsz = len(h), csz = len(c), tsz = badlen)
+
+    ## Check that we can't get a loose `aad' object from a scheme which has
+    ## nonce-dependent AAD processing.
+    if aecls.flags&C.AEADF_AADNDEP: me.assertRaises(ValueError, key.aad)
+
+    ## Check the menagerie of AAD hashing methods.
+    if not aecls.flags&C.AEADF_NOAAD:
+      def mkhash(hsz):
+        enc = key.enc(nonce = n, hsz = hsz, msz = 0, tsz = tsz)
+        aad = enc.aad()
+        return aad, lambda: enc.done(aad = aad)[1]
+      me.check_hashbuffer(mkhash)
+
+    ## Check that encryption/decryption works with the given precommitments.
+    def quick_enc_check(**kw):
+      enc = key.enc(**kw)
+      aad = enc.aad().hash(h)
+      c0 = enc.encrypt(m); c1, tt = enc.done(aad = aad, tsz = tsz)
+      me.assertEqual((c, t), (c0 + c1, tt))
+    def quick_dec_check(**kw):
+      dec = key.dec(**kw)
+      aad = dec.aad().hash(h)
+      m0 = dec.decrypt(c); m1 = dec.done(aad = aad, tag = t)
+      me.assertEqual(m, m0 + m1)
+
+    ## Check that we can get away without precommitting to the header length
+    ## if and only if the AEAD scheme says it will let us.
+    if aecls.flags&C.AEADF_PCHSZ:
+      me.assertRaises(ValueError, key.enc, nonce = n,
+                      msz = len(m), tsz = tsz)
+      me.assertRaises(ValueError, key.dec, nonce = n,
+                      csz = len(c), tsz = tsz)
+    else:
+      quick_enc_check(nonce = n, msz = len(m), tsz = tsz)
+      quick_dec_check(nonce = n, csz = len(c), tsz = tsz)
+
+    ## Check that we can get away without precommitting to the message/
+    ## ciphertext length if and only if the AEAD scheme says it will let us.
+    if aecls.flags&C.AEADF_PCMSZ:
+      me.assertRaises(ValueError, key.enc, nonce = n,
+                      hsz = len(h), tsz = tsz)
+      me.assertRaises(ValueError, key.dec, nonce = n,
+                      hsz = len(h), tsz = tsz)
+    else:
+      quick_enc_check(nonce = n, hsz = len(h), tsz = tsz)
+      quick_dec_check(nonce = n, hsz = len(h), tsz = tsz)
+
+    ## Check that we can get away without precommitting to the tag length if
+    ## and only if the AEAD scheme says it will let us.
+    if aecls.flags&C.AEADF_PCTSZ:
+      me.assertRaises(ValueError, key.enc, nonce = n,
+                      hsz = len(h), msz = len(m))
+      me.assertRaises(ValueError, key.dec, nonce = n,
+                      hsz = len(h), csz = len(c))
+    else:
+      quick_enc_check(nonce = n, hsz = len(h), msz = len(m))
+      quick_dec_check(nonce = n, hsz = len(h), csz = len(c))
+
+    ## Check that if we precommit to the header length, we're properly held
+    ## to the commitment.
+    if not aecls.flags&C.AEADF_NOAAD:
+
+      ## First, check encryption with underrun.  If we must supply AAD first,
+      ## then the underrun will be reported when we start trying to encrypt;
+      ## otherwise, checking is delayed until `done'.
+      enc = key.enc(nonce = n, hsz = len(h), msz = len(m), tsz = tsz)
+      aad = enc.aad().hash(h[0:83])
+      if aecls.flags&C.AEADF_AADFIRST:
+        me.assertRaises(ValueError, enc.encrypt, m)
+      else:
+        _ = enc.encrypt(m)
+        me.assertRaises(ValueError, enc.done, aad = aad)
+
+      ## Next, check decryption with underrun.  If we must supply AAD first,
+      ## then the underrun will be reported when we start trying to encrypt;
+      ## otherwise, checking is delayed until `done'.
+      dec = key.dec(nonce = n, hsz = len(h), csz = len(c), tsz = tsz)
+      aad = dec.aad().hash(h[0:83])
+      if aecls.flags&C.AEADF_AADFIRST:
+        me.assertRaises(ValueError, dec.decrypt, c)
+      else:
+        _ = dec.decrypt(c)
+        me.assertRaises(ValueError, dec.done, tag = t, aad = aad)
+
+      ## If AAD processing is nonce-dependent then an overrun will be
+      ## detected imediately.
+      if aecls.flags&C.AEADF_AADNDEP:
+        enc = key.enc(nonce = n, hsz = len(h), msz = len(m), tsz = tsz)
+        aad = enc.aad().hash(h[0:83])
+        me.assertRaises(ValueError, aad.hash, h[82:131])
+        dec = key.dec(nonce = n, hsz = len(h), csz = len(c), tsz = tsz)
+        aad = dec.aad().hash(h[0:83])
+        me.assertRaises(ValueError, aad.hash, h[82:131])
+
+    ## Some additional tests for nonce-dependent `aad' objects.
+    if aecls.flags&C.AEADF_AADNDEP:
+
+      ## Check that `aad' objects can't be used once their parents are gone.
+      enc = key.enc(nonce = n, hsz = len(h), msz = len(m), tsz = tsz)
+      aad = enc.aad()
+      del enc
+      me.assertRaises(ValueError, aad.hash, h)
+
+      ## Check that they can't be crossed over.
+      enc0 = key.enc(nonce = n, hsz = len(h), msz = len(m), tsz = tsz)
+      enc1 = key.enc(nonce = n, hsz = len(h), msz = len(m), tsz = tsz)
+      enc0.aad().hash(h)
+      aad1 = enc1.aad().hash(h)
+      _ = enc0.encrypt(m)
+      me.assertRaises(ValueError, enc0.done, tsz = tsz, aad = aad1)
+
+    ## Test copying AAD.
+    if not aecls.flags&C.AEADF_AADNDEP and not aecls.flags&C.AEADF_NOAAD:
+      aad0 = key.aad()
+      aad0.hash(h[0:83])
+      aad1 = aad0.copy()
+      aad2 = aad1.copy()
+      aad0.hash(h[83:131])
+      aad1.hash(h[83:131])
+      aad2.hash(h[83:131] ^ 48*C.bytes("ff"))
+      me.assertEqual(key.enc(nonce = n, hsz = len(h),
+                             msz = 0, tsz = tsz).done(aad = aad0),
+                     key.enc(nonce = n, hsz = len(h),
+                             msz = 0, tsz = tsz).done(aad = aad1))
+      me.assertNotEqual(key.enc(nonce = n, hsz = len(h),
+                                msz = 0, tsz = tsz).done(aad = aad0),
+                        key.enc(nonce = n, hsz = len(h),
+                                msz = 0, tsz = tsz).done(aad = aad2))
+
+    ## Check that if we precommit to the message length, we're properly held
+    ## to the commitment.  (Fortunately, this is way simpler than the AAD
+    ## case above.)  First, try an underrun.
+    enc = key.enc(nonce = n, hsz = 0, msz = len(m), tsz = tsz)
+    _ = enc.encrypt(m[0:183])
+    me.assertRaises(ValueError, enc.done, tsz = tsz)
+    dec = key.dec(nonce = n, hsz = 0, csz = len(c), tsz = tsz)
+    _ = dec.decrypt(c[0:183])
+    me.assertRaises(ValueError, dec.done, tag = t)
+
+    ## And now an overrun.
+    enc = key.enc(nonce = n, hsz = 0, msz = 183, tsz = tsz)
+    me.assertRaises(ValueError, enc.encrypt, m)
+    dec = key.dec(nonce = n, hsz = 0, csz = 183, tsz = tsz)
+    me.assertRaises(ValueError, dec.decrypt, c)
+
+    ## Finally, check that if we precommit to a tag length, we're properly
+    ## held to the commitment.  This depends on being able to find a tag size
+    ## which isn't the default.
+    tsz1 = different_key_size(aecls.tagsz, tsz)
+    if tsz1 is not None:
+      enc = key.enc(nonce = n, hsz = 0, msz = len(m), tsz = tsz1)
+      _ = enc.encrypt(m)
+      me.assertRaises(ValueError, enc.done, tsz = tsz)
+      dec = key.dec(nonce = n, hsz = len(h), csz = len(c), tsz = tsz1)
+      aad = dec.aad().hash(h)
+      _ = dec.decrypt(c)
+      me.assertRaises(ValueError, enc.done, tsz = tsz, aad = aad)
+
+TestAuthenticatedEncryption.generate_testcases \
+  ((name, C.gcaeads[name]) for name in
+   ["des3-ccm", "blowfish-ocb1", "square-ocb3", "rijndael-gcm",
+    "serpent-eax", "salsa20-naclbox", "chacha20-poly1305"])
+
+###--------------------------------------------------------------------------
 class BaseTestHash (HashBufferTestMixin):
   """Base class for testing hash functions."""
 
@@ -323,29 +598,28 @@ class BaseTestHash (HashBufferTestMixin):
     """
     Check hash class HCLS.
 
-    If NEED_BUFSZ is false, then don't insist that HCLS have working `bufsz',
-    `name', or `hashsz' attributes.  This test is mostly reused for MACs,
-    which don't have these attributes.
+    If NEED_BUFSZ is false, then don't insist that HCLS has a working `bufsz'
+    attribute.  This test is mostly reused for MACs, which don't have this
+    attribute.
     """
     ## Check the class properties.
-    if need_bufsz:
-      me.assertEqual(type(hcls.name), str)
-      me.assertEqual(type(hcls.bufsz), int)
-      me.assertEqual(type(hcls.hashsz), int)
+    me.assertEqual(type(hcls.name), str)
+    if need_bufsz: me.assertEqual(type(hcls.bufsz), int)
+    me.assertEqual(type(hcls.hashsz), int)
 
     ## Set some initial values.
     m = T.span(131)
     h = hcls().hash(m).done()
 
     ## Check that hash length comes out right.
-    if need_bufsz: me.assertEqual(len(h), hcls.hashsz)
+    me.assertEqual(len(h), hcls.hashsz)
 
     ## Check that we get the same answer if we split the message up.
     me.assertEqual(h, hcls().hash(m[0:73]).hash(m[73:131]).done())
 
     ## Check the `check' method.
     me.assertTrue(hcls().hash(m).check(h))
-    me.assertFalse(hcls().hash(m).check(h ^ len(h)*C.bytes("aa")))
+    me.assertFalse(hcls().hash(m).check(h ^ hcls.hashsz*C.bytes("aa")))
 
     ## Check the menagerie of random hashing methods.
     def mkhash(_):
@@ -375,6 +649,7 @@ class TestMessageAuthentication (BaseTestHash, T.GenericTestMixin):
     ## Test hashing.
     k = T.span(mcls.keysz.default)
     key = mcls(k)
+    me.assertEqual(key.hashsz, key.tagsz)
     me.check_hash(key, need_bufsz = False)
 
     ## Check that bad key lengths are rejected.
@@ -394,7 +669,7 @@ class TestPoly1305 (HashBufferTestMixin):
     me.assertEqual(C.poly1305.name, "poly1305")
     me.assertEqual(type(C.poly1305.keysz), C.KeySZSet)
     me.assertEqual(C.poly1305.keysz.default, 16)
-    me.assertEqual(set(C.poly1305.keysz.set), set([16]))
+    me.assertEqual(C.poly1305.keysz.set, set([16]))
     me.assertEqual(C.poly1305.tagsz, 16)
     me.assertEqual(C.poly1305.masksz, 16)
 
@@ -406,6 +681,9 @@ class TestPoly1305 (HashBufferTestMixin):
     t = key(u).hash(m).done()
 
     ## Check the key properties.
+    me.assertEqual(key.name, "poly1305")
+    me.assertEqual(key.tagsz, 16)
+    me.assertEqual(key.tagsz, 16)
     me.assertEqual(len(t), 16)
 
     ## Check that we get the same answer if we split the message up.
@@ -438,7 +716,7 @@ class TestHLatin (U.TestCase):
   """Test the `hsalsa20' and `hchacha20' functions."""
 
   def test_hlatin(me):
-    kk = [T.span(sz) for sz in [32]]
+    kk = [T.span(sz) for sz in [10, 16, 32]]
     n = T.span(16)
     bad_k = T.span(18)
     bad_n = T.span(13)
@@ -468,11 +746,21 @@ class TestKeccak (HashBufferTestMixin):
     st1.mix(m0).step()
     me.assertNotEqual(st0.extract(32), st1.extract(32))
 
+    ## Check state copying and `mix' vs `set'.
+    st1 = st0.copy()
+    mask = st1.extract(len(m1))
+    st0.mix(m1)
+    st1.set(m1 ^ mask)
+    me.assertEqual(st0.extract(32), st1.extract(32))
+
     ## Check error conditions.
     _ = st0.extract(200)
     me.assertRaises(ValueError, st0.extract, 201)
     st0.mix(T.span(200))
     me.assertRaises(ValueError, st0.mix, T.span(201))
+    st0.set(T.span(200))
+    me.assertRaises(ValueError, st0.set, T.span(201))
+    me.assertRaises(ValueError, st0.set, T.span(199))
 
   def check_shake(me, xcls, c, done_matches_xof = True):
     """
@@ -507,7 +795,7 @@ class TestKeccak (HashBufferTestMixin):
 
     ## Check masking.
     x = xcls().hash(m).xof()
-    me.assertEqual(x.mask(m), C.ByteString(m) ^ C.ByteString(h[0:len(m)]))
+    me.assertEqual(x.mask(m), m ^ h[0:len(m)])
 
     ## Check the `check' method.
     me.assertTrue(xcls().hash(m).check(h0))
@@ -516,14 +804,14 @@ class TestKeccak (HashBufferTestMixin):
     ## Check the menagerie of random hashing methods.
     def mkhash(_):
       x = xcls(func = func, perso = perso)
-      return x, lambda: x.done(100 - x.rate//2)
+      return x, x.done
     me.check_hashbuffer(mkhash)
 
     ## Check the state machine tracking.
     x = xcls(); me.assertEqual(x.state, "absorb")
     x.hash(m); me.assertEqual(x.state, "absorb")
     xx = x.copy()
-    h = xx.done(100 - x.rate//2)
+    h = xx.done(); me.assertEqual(len(h), 100 - x.rate//2)
     me.assertEqual(xx.state, "dead")
     me.assertRaises(ValueError, xx.done, 1)
     me.assertRaises(ValueError, xx.get, 1)
@@ -539,7 +827,7 @@ class TestKeccak (HashBufferTestMixin):
 
   def check_kmac(me, mcls, c):
     k = T.span(32)
-    me.check_shake(lambda func = None, perso = T.bin(""):
+    me.check_shake(lambda func = None, perso = None:
                      mcls(k, perso = perso),
                    c, done_matches_xof = False)