X-Git-Url: http://git.ozlabs.org/?p=ccan;a=blobdiff_plain;f=ccan%2Fcrypto%2Fshachain%2Fshachain.c;h=2c9cb3d5464c42855d7e9d3dc0c18455ed6907ea;hp=c66196f71d881ce5e19b9bc088d66b9d2fc8b03b;hb=4bb69fe6d568f84bd682cf6f86bae168313deb91;hpb=954082d1b37e2e0be7816f53255965a99dd1b2ee diff --git a/ccan/crypto/shachain/shachain.c b/ccan/crypto/shachain/shachain.c index c66196f7..2c9cb3d5 100644 --- a/ccan/crypto/shachain/shachain.c +++ b/ccan/crypto/shachain/shachain.c @@ -10,10 +10,32 @@ static void change_bit(unsigned char *arr, size_t index) arr[index / CHAR_BIT] ^= (1 << (index % CHAR_BIT)); } -/* We can only ever *unset* bits, so to must only have bits in from. */ +static unsigned int count_trailing_zeroes(shachain_index_t index) +{ +#if HAVE_BUILTIN_CTZLL + return index ? (unsigned int)__builtin_ctzll(index) : SHACHAIN_BITS; +#else + unsigned int i; + + for (i = 0; i < SHACHAIN_BITS; i++) { + if (index & (1ULL << i)) + break; + } + return i; +#endif +} + static bool can_derive(shachain_index_t from, shachain_index_t to) { - return (~from & to) == 0; + shachain_index_t mask; + + /* Corner case: can always derive from seed. */ + if (from == 0) + return true; + + /* Leading bits must be the same */ + mask = ~((1ULL << count_trailing_zeroes(from))-1); + return ((from ^ to) & mask) == 0; } static void derive(shachain_index_t from, shachain_index_t to, @@ -28,12 +50,12 @@ static void derive(shachain_index_t from, shachain_index_t to, /* We start with the first hash. */ *hash = *from_hash; - /* This represents the bits set in from, and not to. */ + /* This represents the bits set in to, and not from. */ branches = from ^ to; for (i = ilog64(branches) - 1; i >= 0; i--) { if (((branches >> i) & 1)) { change_bit(hash->u.u8, i); - sha256(hash, hash, 1); + sha256(hash, hash, sizeof(*hash)); } } } @@ -41,37 +63,50 @@ static void derive(shachain_index_t from, shachain_index_t to, void shachain_from_seed(const struct sha256 *seed, shachain_index_t index, struct sha256 *hash) { - derive((shachain_index_t)-1ULL, index, seed, hash); + derive(0, index, seed, hash); } -void shachain_init(struct shachain *shachain) +void shachain_init(struct shachain *chain) { - shachain->num_valid = 0; + chain->num_valid = 0; + chain->min_index = 0; } -void shachain_add_hash(struct shachain *chain, +bool shachain_add_hash(struct shachain *chain, shachain_index_t index, const struct sha256 *hash) { - int i; + unsigned int i, pos; - for (i = 0; i < chain->num_valid; i++) { - /* If we could derive this value, we don't need it, - * not any others (since they're in order). */ - if (can_derive(index, chain->known[i].index)) - break; + /* You have to insert them in order! */ + assert(index == chain->min_index - 1 || + (index == (shachain_index_t)(UINT64_MAX >> (64 - SHACHAIN_BITS)) + && chain->num_valid == 0)); + + pos = count_trailing_zeroes(index); + + /* All derivable answers must be valid. */ + /* FIXME: Is it sufficient to check just the next answer? */ + for (i = 0; i < pos; i++) { + struct sha256 expect; + + /* Make sure the others derive as expected! */ + derive(index, chain->known[i].index, hash, &expect); + if (memcmp(&expect, &chain->known[i].hash, sizeof(expect))) + return false; } - /* This can happen if you skip indices! */ - assert(i < sizeof(chain->known) / sizeof(chain->known[0])); - chain->known[i].index = index; - chain->known[i].hash = *hash; - chain->num_valid = i+1; + chain->known[pos].index = index; + chain->known[pos].hash = *hash; + if (pos + 1 > chain->num_valid) + chain->num_valid = pos + 1; + chain->min_index = index; + return true; } bool shachain_get_hash(const struct shachain *chain, shachain_index_t index, struct sha256 *hash) { - int i; + unsigned int i; for (i = 0; i < chain->num_valid; i++) { /* If we can get from key to index only by resetting bits,