Rewrite the SHA-256 and SHA-1 hash function modules.

The new structure of those modules is along similar lines to the
recent rewrite of AES, with selection of HW vs SW implementation being
done by the main vtable instead of a subsidiary function pointer
within it, freedom for each implementation to define its state
structure however is most convenient, and space to drop in other
hardware-accelerated implementations.

I've removed the centralised test for compiler SHA-NI support in
ssh.h, and instead duplicated it between the two SHA modules, on the
grounds that once you start considering an open-ended set of hardware
accelerators, the two hashes _need_ not go together.

I've also added an extra test in cryptsuite that checks the point at
which the end-of-hash padding switches to adding an extra cipher
block. That was just because I was rewriting that padding code, was
briefly worried that I might have got an off-by-one error in that part
of it, and couldn't see any existing test that gave me confidence I
hadn't.

ssh.h

@@ -558,8 +558,6 @@ struct ssh_cipher {
     const ssh_cipheralg *vt;
 };
 
-bool supports_sha_ni(void);
-
 struct ssh_cipheralg {
     ssh_cipher *(*new)(const ssh_cipheralg *alg);
     void (*free)(ssh_cipher *);
@@ -819,7 +817,11 @@ extern const ssh2_ciphers ssh2_arcfour;
 extern const ssh2_ciphers ssh2_ccp;
 extern const ssh_hashalg ssh_md5;
 extern const ssh_hashalg ssh_sha1;
+extern const ssh_hashalg ssh_sha1_hw;
+extern const ssh_hashalg ssh_sha1_sw;
 extern const ssh_hashalg ssh_sha256;
+extern const ssh_hashalg ssh_sha256_hw;
+extern const ssh_hashalg ssh_sha256_sw;
 extern const ssh_hashalg ssh_sha384;
 extern const ssh_hashalg ssh_sha512;
 extern const ssh_kexes ssh_diffiehellman_group1;
@@ -867,29 +869,6 @@ extern const char sshver[];
  */
 extern bool ssh_fallback_cmd(Backend *backend);
 
-/*
- * Check of compiler version
- */
-#ifdef _FORCE_SHA_NI
-#   define COMPILER_SUPPORTS_SHA_NI
-#elif defined(__clang__)
-#   if __has_attribute(target) && __has_include(<shaintrin.h>) && (defined(__x86_64__) || defined(__i386))
-#       define COMPILER_SUPPORTS_SHA_NI
-#   endif
-#elif defined(__GNUC__)
-#    if ((__GNUC__ >= 5) && (defined(__x86_64__) || defined(__i386)))
-#       define COMPILER_SUPPORTS_SHA_NI
-#    endif
-#elif defined (_MSC_VER)
-#   if (defined(_M_X64) || defined(_M_IX86)) && _MSC_VER >= 1900
-#      define COMPILER_SUPPORTS_SHA_NI
-#   endif
-#endif
-
-#ifdef _FORCE_SOFTWARE_SHA
-#   undef COMPILER_SUPPORTS_SHA_NI
-#endif
-
 /*
  * The PRNG type, defined in sshprng.c. Visible data fields are
  * 'savesize', which suggests how many random bytes you should request

test/cryptsuite.py

@@ -1172,6 +1172,46 @@ class crypt(MyTestBase):
         self.assertEqualBin(data2, expected_data2[:127])
         self.assertEqualBin(data3, expected_data3)
 
+    def testHashPadding(self):
+        # A consistency test for hashes that use MD5/SHA-1/SHA-2 style
+        # padding of the message into a whole number of fixed-size
+        # blocks. We test-hash a message of every length up to twice
+        # the block length, to make sure there's no off-by-1 error in
+        # the code that decides how much padding to put on.
+
+        # Source: generated using Python hashlib as an independent
+        # implementation. The function below will do it, called with
+        # parameters such as (hashlib.sha256,128).
+        #
+        # def gen_testcase(hashclass, maxlen):
+        #    return hashclass(b''.join(hashclass(text[:i]).digest()
+        #             for i in range(maxlen))).hexdigest()
+
+        text = """
+Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do
+eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad
+minim veniam, quis nostrud exercitation ullamco laboris nisi ut
+aliquip ex ea commodo consequat. Duis aute irure dolor in
+reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla
+pariatur. Excepteur sint occaecat cupidatat non proident, sunt in
+culpa qui officia deserunt mollit anim id est laborum.
+        """.replace('\n', ' ').strip()
+
+        def test(hashname, maxlen, expected):
+            assert len(text) >= maxlen
+            buf = b''.join(hash_str(hashname, text[:i])
+                           for i in range(maxlen))
+            self.assertEqualBin(hash_str(hashname, buf), unhex(expected))
+
+        test('md5', 128, '8169d766cc3b8df182b3ce756ae19a15')
+        test('sha1', 128, '3691759577deb3b70f427763a9c15acb9dfc0259')
+        test('sha256', 128, 'ec539c4d678412c86c13ee4eb9452232'
+             '35d4eed3368d876fdf10c9df27396640')
+        test('sha512', 256,
+             'cb725b4b4ec0ac1174d69427b4d97848b7db4fc01181f99a8049a4d721862578'
+             'f91e026778bb2d389a9dd88153405189e6ba438b213c5387284103d2267fd055'
+        )
+
 class standard_test_vectors(MyTestBase):
     def testAES(self):
         def vector(cipher, key, plaintext, ciphertext):