+static int
+_avl_cmp_nodes_by_hash(const struct avl_tree_node *n1,
+ const struct avl_tree_node *n2)
+{
+ return hashes_cmp(SD_NODE(n1)->hash, SD_NODE(n2)->hash);
+}
+
+/* Inserts a new node into the security descriptor index tree. Returns true
+ * if successful (not a duplicate). */
+static bool
+insert_sd_node(struct wim_sd_set *set, struct sd_node *new)
+{
+ return NULL == avl_tree_insert(&set->root, &new->index_node,
+ _avl_cmp_nodes_by_hash);
+}
+
+/* Returns the index of the security descriptor having a SHA1 message digest of
+ * @hash. If not found, return -1. */
+static s32
+lookup_sd(struct wim_sd_set *set, const u8 hash[SHA1_HASH_SIZE])
+{
+ struct avl_tree_node *res;
+ struct sd_node dummy;
+
+ copy_hash(dummy.hash, hash);
+ res = avl_tree_lookup_node(set->root, &dummy.index_node,
+ _avl_cmp_nodes_by_hash);
+ if (!res)
+ return -1;
+ return SD_NODE(res)->security_id;
+}
+
+/*
+ * Adds a security descriptor to the indexed security descriptor set as well as
+ * the corresponding `struct wim_security_data', and returns the new security
+ * ID; or, if there is an existing security descriptor that is the same, return
+ * the security ID for it. If a new security descriptor cannot be allocated,
+ * return -1.