2sha: Add SHA-224 and SHA-384 hash algorithms

This patch adds support for the SHA-224 and SHA-384 hash algorithms,
which are basically just variants of SHA-256 and SHA-512 (respectively)
with different initialization vectors and truncating a bit of the final
output. They are only added to serve vboot's role as all-purpose crypto
toolbox for callers (e.g. coreboot, where I need SHA-384 to support a
certain SoC boot descriptor right now) and not intended for actual use
as signature or firmware body hashes -- therefore, we only add the hash
algorithms themselves and don't create enum values for them in enum
vb2_crypto_algorithm or other structures.

Also clarify the difference between UNROLL_LOOPS and UNROLL_LOOPS_SHA512
in the Makefile, since it was totally not obvious to me.

BRANCH=None
BUG=None
TEST=make runtest and make runtest UNROLL_LOOPS=1

Cq-Depend: chromium:2191082
Signed-off-by: Julius Werner <jwerner@chromium.org>
Change-Id: Ic132d4dfe5967f03be4666b26c47d32c1235f4a9
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2183551
Reviewed-by: Joel Kitching <kitching@chromium.org>

9 files changed, 173 insertions, 31 deletions

diff --git a/Makefile b/Makefile
index b5b68b20..10c5c4bf 100644
--- a/Makefile
+++ b/Makefile
@@ -840,11 +840,18 @@ ${TLCL_OBJS}: CFLAGS += -DTPM_BLOCKING_CONTINUESELFTEST
 
 # CFLAGS += -DTPM_MANUAL_SELFTEST
 
+# NOTE: UNROLL_LOOPS *only* affects SHA256, *not* SHA512. This seems to have
+# been a conscious decision at some point (see b/35501356) but whether it still
+# holds up in all situations on all architectures today might need to be
+# reevaluated. For now, since we currently always use SHA256 for (non-recovery)
+# kernel bodies and don't unroll loops for firmware verification, it's not very
+# relevant in practice. To unroll SHA512, UNROLL_LOOPS_SHA512 would need to be
+# defined.
 ifneq ($(filter-out 0,$(UNROLL_LOOPS)),)
-$(info vboot hash algos built with unrolled loops (faster, larger code size))
+$(info vboot SHA256 built with unrolled loops (faster, larger code size))
 CFLAGS += -DUNROLL_LOOPS
 else
-$(info vboot hash algos built with tight loops (slower, smaller code size))
+$(info vboot SHA256 built with tight loops (slower, smaller code size))
 endif
 
 .PHONY: fwlib
diff --git a/firmware/2lib/2crypto.c b/firmware/2lib/2crypto.c
index 46071069..0c0978d2 100644
--- a/firmware/2lib/2crypto.c
+++ b/firmware/2lib/2crypto.c
@@ -37,9 +37,11 @@ const char *vb2_hash_names[VB2_HASH_ALG_COUNT] = {
 	[VB2_HASH_SHA1]		= VB2_SHA1_ALG_NAME,
 #endif
 #if VB2_SUPPORT_SHA256
+	[VB2_HASH_SHA224]	= VB2_SHA224_ALG_NAME,
 	[VB2_HASH_SHA256]	= VB2_SHA256_ALG_NAME,
 #endif
 #if VB2_SUPPORT_SHA512
+	[VB2_HASH_SHA384]	= VB2_SHA384_ALG_NAME,
 	[VB2_HASH_SHA512]	= VB2_SHA512_ALG_NAME,
 #endif
 };
diff --git a/firmware/2lib/2sha256.c b/firmware/2lib/2sha256.c
index 139745f4..c3612377 100644
--- a/firmware/2lib/2sha256.c
+++ b/firmware/2lib/2sha256.c
@@ -88,6 +88,11 @@ static const uint32_t sha256_h0[8] = {
 	0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19
 };
 
+static const uint32_t sha224_h0[8] = {
+	0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939,
+	0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4
+};
+
 static const uint32_t sha256_k[64] = {
 	0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5,
 	0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
@@ -108,18 +113,21 @@ static const uint32_t sha256_k[64] = {
 };
 
 /* SHA-256 implementation */
-void vb2_sha256_init(struct vb2_sha256_context *ctx)
+void vb2_sha256_init(struct vb2_sha256_context *ctx,
+		     enum vb2_hash_algorithm algo)
 {
+	const uint32_t *h0 = algo == VB2_HASH_SHA224 ? sha224_h0 : sha256_h0;
+
 #ifndef UNROLL_LOOPS
 	int i;
 	for (i = 0; i < 8; i++) {
-		ctx->h[i] = sha256_h0[i];
+		ctx->h[i] = h0[i];
 	}
 #else
-	ctx->h[0] = sha256_h0[0]; ctx->h[1] = sha256_h0[1];
-	ctx->h[2] = sha256_h0[2]; ctx->h[3] = sha256_h0[3];
-	ctx->h[4] = sha256_h0[4]; ctx->h[5] = sha256_h0[5];
-	ctx->h[6] = sha256_h0[6]; ctx->h[7] = sha256_h0[7];
+	ctx->h[0] = h0[0]; ctx->h[1] = h0[1];
+	ctx->h[2] = h0[2]; ctx->h[3] = h0[3];
+	ctx->h[4] = h0[4]; ctx->h[5] = h0[5];
+	ctx->h[6] = h0[6]; ctx->h[7] = h0[7];
 #endif /* !UNROLL_LOOPS */
 
 	ctx->size = 0;
@@ -278,7 +286,8 @@ void vb2_sha256_update(struct vb2_sha256_context *ctx,
 	ctx->total_size += (block_nb + 1) << 6;
 }
 
-void vb2_sha256_finalize(struct vb2_sha256_context *ctx, uint8_t *digest)
+void vb2_sha256_finalize(struct vb2_sha256_context *ctx, uint8_t *digest,
+			 enum vb2_hash_algorithm algo)
 {
 	unsigned int block_nb;
 	unsigned int pm_size;
@@ -300,7 +309,7 @@ void vb2_sha256_finalize(struct vb2_sha256_context *ctx, uint8_t *digest)
 	vb2_sha256_transform(ctx, ctx->block, block_nb);
 
 #ifndef UNROLL_LOOPS
-	for (i = 0 ; i < 8; i++) {
+	for (i = 0 ; i < (algo == VB2_HASH_SHA224 ? 7 : 8); i++) {
 		UNPACK32(ctx->h[i], &digest[i << 2]);
 	}
 #else
@@ -311,7 +320,9 @@ void vb2_sha256_finalize(struct vb2_sha256_context *ctx, uint8_t *digest)
 	UNPACK32(ctx->h[4], &digest[16]);
 	UNPACK32(ctx->h[5], &digest[20]);
 	UNPACK32(ctx->h[6], &digest[24]);
-	UNPACK32(ctx->h[7], &digest[28]);
+	if (algo != VB2_HASH_SHA224) {
+		UNPACK32(ctx->h[7], &digest[28]);
+	}
 #endif /* !UNROLL_LOOPS */
 }
 
diff --git a/firmware/2lib/2sha512.c b/firmware/2lib/2sha512.c
index ee78ec2b..b72ebce0 100644
--- a/firmware/2lib/2sha512.c
+++ b/firmware/2lib/2sha512.c
@@ -106,6 +106,13 @@ static const uint64_t sha512_h0[8] = {
 	0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL
 };
 
+static const uint64_t sha384_h0[8] = {
+	0xcbbb9d5dc1059ed8ULL, 0x629a292a367cd507ULL,
+	0x9159015a3070dd17ULL, 0x152fecd8f70e5939ULL,
+	0x67332667ffc00b31ULL, 0x8eb44a8768581511ULL,
+	0xdb0c2e0d64f98fa7ULL, 0x47b5481dbefa4fa4ULL
+};
+
 static const uint64_t sha512_k[80] = {
 	0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL,
 	0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
@@ -151,18 +158,21 @@ static const uint64_t sha512_k[80] = {
 
 /* SHA-512 implementation */
 
-void vb2_sha512_init(struct vb2_sha512_context *ctx)
+void vb2_sha512_init(struct vb2_sha512_context *ctx,
+		     enum vb2_hash_algorithm algo)
 {
+	const uint64_t *h0 = algo == VB2_HASH_SHA384 ? sha384_h0 : sha512_h0;
+
 #ifdef UNROLL_LOOPS_SHA512
-	ctx->h[0] = sha512_h0[0]; ctx->h[1] = sha512_h0[1];
-	ctx->h[2] = sha512_h0[2]; ctx->h[3] = sha512_h0[3];
-	ctx->h[4] = sha512_h0[4]; ctx->h[5] = sha512_h0[5];
-	ctx->h[6] = sha512_h0[6]; ctx->h[7] = sha512_h0[7];
+	ctx->h[0] = h0[0]; ctx->h[1] = h0[1];
+	ctx->h[2] = h0[2]; ctx->h[3] = h0[3];
+	ctx->h[4] = h0[4]; ctx->h[5] = h0[5];
+	ctx->h[6] = h0[6]; ctx->h[7] = h0[7];
 #else
 	int i;
 
 	for (i = 0; i < 8; i++)
-		ctx->h[i] = sha512_h0[i];
+		ctx->h[i] = h0[i];
 #endif /* UNROLL_LOOPS_SHA512 */
 
 	ctx->size = 0;
@@ -308,7 +318,8 @@ void vb2_sha512_update(struct vb2_sha512_context *ctx,
 	ctx->total_size += (block_nb + 1) << 7;
 }
 
-void vb2_sha512_finalize(struct vb2_sha512_context *ctx, uint8_t *digest)
+void vb2_sha512_finalize(struct vb2_sha512_context *ctx, uint8_t *digest,
+			 enum vb2_hash_algorithm algo)
 {
 	unsigned int block_nb;
 	unsigned int pm_size;
@@ -337,10 +348,12 @@ void vb2_sha512_finalize(struct vb2_sha512_context *ctx, uint8_t *digest)
 	UNPACK64(ctx->h[3], &digest[24]);
 	UNPACK64(ctx->h[4], &digest[32]);
 	UNPACK64(ctx->h[5], &digest[40]);
-	UNPACK64(ctx->h[6], &digest[48]);
-	UNPACK64(ctx->h[7], &digest[56]);
+	if (algo != VB2_HASH_SHA384) {
+		UNPACK64(ctx->h[6], &digest[48]);
+		UNPACK64(ctx->h[7], &digest[56]);
+	}
 #else
-	for (i = 0 ; i < 8; i++)
+	for (i = 0 ; i < (algo == VB2_HASH_SHA384 ? 6 : 8); i++)
 		UNPACK64(ctx->h[i], &digest[i << 3]);
 #endif /* UNROLL_LOOPS_SHA512 */
 }
diff --git a/firmware/2lib/2sha_utility.c b/firmware/2lib/2sha_utility.c
index 0af117a4..3a6c230e 100644
--- a/firmware/2lib/2sha_utility.c
+++ b/firmware/2lib/2sha_utility.c
@@ -17,10 +17,14 @@ size_t vb2_digest_size(enum vb2_hash_algorithm hash_alg)
 		return VB2_SHA1_DIGEST_SIZE;
 #endif
 #if VB2_SUPPORT_SHA256
+	case VB2_HASH_SHA224:
+		return VB2_SHA224_DIGEST_SIZE;
 	case VB2_HASH_SHA256:
 		return VB2_SHA256_DIGEST_SIZE;
 #endif
 #if VB2_SUPPORT_SHA512
+	case VB2_HASH_SHA384:
+		return VB2_SHA384_DIGEST_SIZE;
 	case VB2_HASH_SHA512:
 		return VB2_SHA512_DIGEST_SIZE;
 #endif
@@ -37,10 +41,12 @@ size_t vb2_hash_block_size(enum vb2_hash_algorithm alg)
 		return VB2_SHA1_BLOCK_SIZE;
 #endif
 #if VB2_SUPPORT_SHA256
+	case VB2_HASH_SHA224:	/* SHA224 reuses SHA256 internal structures */
 	case VB2_HASH_SHA256:
 		return VB2_SHA256_BLOCK_SIZE;
 #endif
 #if VB2_SUPPORT_SHA512
+	case VB2_HASH_SHA384:	/* SHA384 reuses SHA512 internal structures */
 	case VB2_HASH_SHA512:
 		return VB2_SHA512_BLOCK_SIZE;
 #endif
@@ -63,13 +69,15 @@ vb2_error_t vb2_digest_init(struct vb2_digest_context *dc,
 		return VB2_SUCCESS;
 #endif
 #if VB2_SUPPORT_SHA256
+	case VB2_HASH_SHA224:
 	case VB2_HASH_SHA256:
-		vb2_sha256_init(&dc->sha256);
+		vb2_sha256_init(&dc->sha256, hash_alg);
 		return VB2_SUCCESS;
 #endif
 #if VB2_SUPPORT_SHA512
+	case VB2_HASH_SHA384:
 	case VB2_HASH_SHA512:
-		vb2_sha512_init(&dc->sha512);
+		vb2_sha512_init(&dc->sha512, hash_alg);
 		return VB2_SUCCESS;
 #endif
 	default:
@@ -88,11 +96,13 @@ vb2_error_t vb2_digest_extend(struct vb2_digest_context *dc, const uint8_t *buf,
 		return VB2_SUCCESS;
 #endif
 #if VB2_SUPPORT_SHA256
+	case VB2_HASH_SHA224:
 	case VB2_HASH_SHA256:
 		vb2_sha256_update(&dc->sha256, buf, size);
 		return VB2_SUCCESS;
 #endif
 #if VB2_SUPPORT_SHA512
+	case VB2_HASH_SHA384:
 	case VB2_HASH_SHA512:
 		vb2_sha512_update(&dc->sha512, buf, size);
 		return VB2_SUCCESS;
@@ -116,13 +126,15 @@ vb2_error_t vb2_digest_finalize(struct vb2_digest_context *dc, uint8_t *digest,
 		return VB2_SUCCESS;
 #endif
 #if VB2_SUPPORT_SHA256
+	case VB2_HASH_SHA224:
 	case VB2_HASH_SHA256:
-		vb2_sha256_finalize(&dc->sha256, digest);
+		vb2_sha256_finalize(&dc->sha256, digest, dc->hash_alg);
 		return VB2_SUCCESS;
 #endif
 #if VB2_SUPPORT_SHA512
+	case VB2_HASH_SHA384:
 	case VB2_HASH_SHA512:
-		vb2_sha512_finalize(&dc->sha512, digest);
+		vb2_sha512_finalize(&dc->sha512, digest, dc->hash_alg);
 		return VB2_SUCCESS;
 #endif
 	default:
diff --git a/firmware/2lib/include/2crypto.h b/firmware/2lib/include/2crypto.h
index 0413a624..14e1f14d 100644
--- a/firmware/2lib/include/2crypto.h
+++ b/firmware/2lib/include/2crypto.h
@@ -71,6 +71,10 @@ enum vb2_hash_algorithm {
 	VB2_HASH_SHA256 = 2,
 	VB2_HASH_SHA512 = 3,
 
+	/* SHA-224/SHA-384 are variants of SHA-256/SHA-512, respectively. */
+	VB2_HASH_SHA224 = 4,
+	VB2_HASH_SHA384 = 5,
+
 	/* Last index. Don't add anything below. */
 	VB2_HASH_ALG_COUNT,
 };
diff --git a/firmware/2lib/include/2sha.h b/firmware/2lib/include/2sha.h
index a8e654e3..e586a77d 100644
--- a/firmware/2lib/include/2sha.h
+++ b/firmware/2lib/include/2sha.h
@@ -75,6 +75,15 @@ struct vb2_sha512_context {
 	uint8_t block[2 * VB2_SHA512_BLOCK_SIZE];
 };
 
+/*
+ * SHA224/SHA384 are variants of SHA256/SHA512 that use almost all the same code
+ * (and the same context structures), so no separate "SUPPORT" flags for them.
+ */
+#define VB2_SHA224_DIGEST_SIZE 28
+#define VB2_SHA224_ALG_NAME "SHA224"
+#define VB2_SHA384_DIGEST_SIZE 48
+#define VB2_SHA384_ALG_NAME "SHA384"
+
 /* Hash algorithm independent digest context; includes all of the above. */
 struct vb2_digest_context {
 	/* Context union for all algorithms */
@@ -133,10 +142,13 @@ _Static_assert(VB2_HASH_ALG_COUNT <= UINT8_MAX, "vb2_hash.algo overflow!");
  * Initialize a hash context.
  *
  * @param ctx		Hash context
+ * @param algo		Hash algorithm (only for overloaded functions)
  */
 void vb2_sha1_init(struct vb2_sha1_context *ctx);
-void vb2_sha256_init(struct vb2_sha256_context *ctx);
-void vb2_sha512_init(struct vb2_sha512_context *ctx);
+void vb2_sha256_init(struct vb2_sha256_context *ctx,
+		     enum vb2_hash_algorithm algo);
+void vb2_sha512_init(struct vb2_sha512_context *ctx,
+		     enum vb2_hash_algorithm algo);
 
 /**
  * Update (extend) a hash.
@@ -160,10 +172,13 @@ void vb2_sha512_update(struct vb2_sha512_context *ctx,
  *
  * @param ctx		Hash context
  * @param digest	Destination for hash; must be VB_SHA*_DIGEST_SIZE bytes
+ * @param algo		Hash algorithm (only for overloaded functions)
  */
 void vb2_sha1_finalize(struct vb2_sha1_context *ctx, uint8_t *digest);
-void vb2_sha256_finalize(struct vb2_sha256_context *ctx, uint8_t *digest);
-void vb2_sha512_finalize(struct vb2_sha512_context *ctx, uint8_t *digest);
+void vb2_sha256_finalize(struct vb2_sha256_context *ctx, uint8_t *digest,
+			 enum vb2_hash_algorithm algo);
+void vb2_sha512_finalize(struct vb2_sha512_context *ctx, uint8_t *digest,
+			 enum vb2_hash_algorithm algo);
 
 /**
  * Hash-extend data
diff --git a/tests/hmac_test.c b/tests/hmac_test.c
index 92c52fc3..ed77d7bb 100644
--- a/tests/hmac_test.c
+++ b/tests/hmac_test.c
@@ -33,9 +33,15 @@ static void test_hmac_by_openssl(enum vb2_hash_algorithm alg,
 	case VB2_HASH_SHA1:
 		HMAC(EVP_sha1(), key, key_size, msg, msg_size, md, &md_size);
 		break;
+	case VB2_HASH_SHA224:
+		HMAC(EVP_sha224(), key, key_size, msg, msg_size, md, &md_size);
+		break;
 	case VB2_HASH_SHA256:
 		HMAC(EVP_sha256(), key, key_size, msg, msg_size, md, &md_size);
 		break;
+	case VB2_HASH_SHA384:
+		HMAC(EVP_sha384(), key, key_size, msg, msg_size, md, &md_size);
+		break;
 	case VB2_HASH_SHA512:
 		HMAC(EVP_sha512(), key, key_size, msg, msg_size, md, &md_size);
 		break;
@@ -44,6 +50,7 @@ static void test_hmac_by_openssl(enum vb2_hash_algorithm alg,
 	}
 	sprintf(test_name, "%s: HMAC-%s (key_size=%d)",
 		__func__, vb2_get_hash_algorithm_name(alg), key_size);
+	TEST_EQ(vb2_digest_size(alg), md_size, "HMAC size");
 	TEST_SUCC(hmac(alg, key, key_size, msg, msg_size, mac, mac_size),
 		  test_name);
 	TEST_SUCC(memcmp(mac, md, md_size), "HMAC digests match");
diff --git a/tests/vb2_sha_tests.c b/tests/vb2_sha_tests.c
index 9fcac1f3..b4a4bd06 100644
--- a/tests/vb2_sha_tests.c
+++ b/tests/vb2_sha_tests.c
@@ -84,11 +84,11 @@ static void sha256_tests(void)
 		"vb2_digest_buffer() too small");
 
 	/* Test multiple small extends */
-	vb2_sha256_init(&ctx);
+	vb2_sha256_init(&ctx, VB2_HASH_SHA256);
 	vb2_sha256_update(&ctx, (uint8_t *)"test1", 5);
 	vb2_sha256_update(&ctx, (uint8_t *)"test2", 5);
 	vb2_sha256_update(&ctx, (uint8_t *)"test3", 5);
-	vb2_sha256_finalize(&ctx, digest);
+	vb2_sha256_finalize(&ctx, digest, VB2_HASH_SHA256);
 	TEST_EQ(memcmp(digest, expect_multiple, sizeof(digest)), 0,
 		"SHA-256 multiple extends");
 
@@ -169,6 +169,76 @@ static void misc_tests(void)
 		"vb2_digest_finalize() invalid alg");
 }
 
+static void known_value_tests(void)
+{
+	const char sentinel[] = "keepme";
+	struct {
+		struct vb2_hash hash;
+		uint8_t overflow[8];
+	} test;
+
+#define TEST_KNOWN_VALUE(algo, str, value) \
+	TEST_EQ(vb2_digest_size(algo), sizeof(value) - 1, \
+		"Known hash size " #algo ": " #str); \
+	strcpy((char *)&test.hash.raw[sizeof(value) - 1], sentinel); \
+	TEST_SUCC(vb2_hash_calculate(str, sizeof(str) - 1, algo, &test.hash), \
+		  "Calculate known hash " #algo ": " #str); \
+	TEST_EQ(memcmp(test.hash.raw, value, sizeof(value) - 1), 0, \
+		"Known hash " #algo ": " #str); \
+	TEST_EQ(strcmp((char *)&test.hash.raw[sizeof(value) - 1], sentinel), 0,\
+		"Overflow known hash " #algo ": " #str);
+
+	TEST_KNOWN_VALUE(VB2_HASH_SHA1, "",
+		"\xda\x39\xa3\xee\x5e\x6b\x4b\x0d\x32\x55\xbf\xef\x95\x60\x18"
+		"\x90\xaf\xd8\x07\x09");
+	TEST_KNOWN_VALUE(VB2_HASH_SHA256, "",
+		"\xe3\xb0\xc4\x42\x98\xfc\x1c\x14\x9a\xfb\xf4\xc8\x99\x6f\xb9"
+		"\x24\x27\xae\x41\xe4\x64\x9b\x93\x4c\xa4\x95\x99\x1b\x78\x52"
+		"\xb8\x55");
+	TEST_KNOWN_VALUE(VB2_HASH_SHA512, "",
+		"\xcf\x83\xe1\x35\x7e\xef\xb8\xbd\xf1\x54\x28\x50\xd6\x6d\x80"
+		"\x07\xd6\x20\xe4\x05\x0b\x57\x15\xdc\x83\xf4\xa9\x21\xd3\x6c"
+		"\xe9\xce\x47\xd0\xd1\x3c\x5d\x85\xf2\xb0\xff\x83\x18\xd2\x87"
+		"\x7e\xec\x2f\x63\xb9\x31\xbd\x47\x41\x7a\x81\xa5\x38\x32\x7a"
+		"\xf9\x27\xda\x3e");
+	TEST_KNOWN_VALUE(VB2_HASH_SHA224, "",
+		"\xd1\x4a\x02\x8c\x2a\x3a\x2b\xc9\x47\x61\x02\xbb\x28\x82\x34"
+		"\xc4\x15\xa2\xb0\x1f\x82\x8e\xa6\x2a\xc5\xb3\xe4\x2f");
+	TEST_KNOWN_VALUE(VB2_HASH_SHA384, "",
+		"\x38\xb0\x60\xa7\x51\xac\x96\x38\x4c\xd9\x32\x7e\xb1\xb1\xe3"
+		"\x6a\x21\xfd\xb7\x11\x14\xbe\x07\x43\x4c\x0c\xc7\xbf\x63\xf6"
+		"\xe1\xda\x27\x4e\xde\xbf\xe7\x6f\x65\xfb\xd5\x1a\xd2\xf1\x48"
+		"\x98\xb9\x5b");
+
+	const char long_test_string[] = "abcdefghbcdefghicdefghijdefghijkefgh"
+		"ijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrs"
+		"mnopqrstnopqrstu";
+	TEST_KNOWN_VALUE(VB2_HASH_SHA1, long_test_string,
+		"\xa4\x9b\x24\x46\xa0\x2c\x64\x5b\xf4\x19\xf9\x95\xb6\x70\x91"
+		"\x25\x3a\x04\xa2\x59");
+	TEST_KNOWN_VALUE(VB2_HASH_SHA256, long_test_string,
+		"\xcf\x5b\x16\xa7\x78\xaf\x83\x80\x03\x6c\xe5\x9e\x7b\x04\x92"
+		"\x37\x0b\x24\x9b\x11\xe8\xf0\x7a\x51\xaf\xac\x45\x03\x7a\xfe"
+		"\xe9\xd1");
+	TEST_KNOWN_VALUE(VB2_HASH_SHA512, long_test_string,
+		"\x8e\x95\x9b\x75\xda\xe3\x13\xda\x8c\xf4\xf7\x28\x14\xfc\x14"
+		"\x3f\x8f\x77\x79\xc6\xeb\x9f\x7f\xa1\x72\x99\xae\xad\xb6\x88"
+		"\x90\x18\x50\x1d\x28\x9e\x49\x00\xf7\xe4\x33\x1b\x99\xde\xc4"
+		"\xb5\x43\x3a\xc7\xd3\x29\xee\xb6\xdd\x26\x54\x5e\x96\xe5\x5b"
+		"\x87\x4b\xe9\x09");
+	TEST_KNOWN_VALUE(VB2_HASH_SHA224, long_test_string,
+		"\xc9\x7c\xa9\xa5\x59\x85\x0c\xe9\x7a\x04\xa9\x6d\xef\x6d\x99"
+		"\xa9\xe0\xe0\xe2\xab\x14\xe6\xb8\xdf\x26\x5f\xc0\xb3");
+	TEST_KNOWN_VALUE(VB2_HASH_SHA384, long_test_string,
+		"\x09\x33\x0c\x33\xf7\x11\x47\xe8\x3d\x19\x2f\xc7\x82\xcd\x1b"
+		"\x47\x53\x11\x1b\x17\x3b\x3b\x05\xd2\x2f\xa0\x80\x86\xe3\xb0"
+		"\xf7\x12\xfc\xc7\xc7\x1a\x55\x7e\x2d\xb9\x66\xc3\xe9\xfa\x91"
+		"\x74\x60\x39");
+
+	/* vim helper to escape hex: <Shift+V>:s/\([a-f0-9]\{2\}\)/\\x\1/g */
+#undef TEST_KNOWN_VALUE
+}
+
 int main(int argc, char *argv[])
 {
 	/* Initialize long_msg with 'a' x 1,000,000 */
@@ -180,6 +250,7 @@ int main(int argc, char *argv[])
 	sha256_tests();
 	sha512_tests();
 	misc_tests();
+	known_value_tests();
 
 	free(long_msg);