1 /** 2 * \file ecdsa.h 3 * 4 * \brief This file contains ECDSA definitions and functions. 5 * 6 * The Elliptic Curve Digital Signature Algorithm (ECDSA) is defined in 7 * <em>Standards for Efficient Cryptography Group (SECG): 8 * SEC1 Elliptic Curve Cryptography</em>. 9 * The use of ECDSA for TLS is defined in <em>RFC-4492: Elliptic Curve 10 * Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)</em>. 11 * 12 */ 13 /* 14 * Copyright (C) 2006-2018, Arm Limited (or its affiliates), All Rights Reserved 15 * SPDX-License-Identifier: Apache-2.0 16 * 17 * Licensed under the Apache License, Version 2.0 (the "License"); you may 18 * not use this file except in compliance with the License. 19 * You may obtain a copy of the License at 20 * 21 * http://www.apache.org/licenses/LICENSE-2.0 22 * 23 * Unless required by applicable law or agreed to in writing, software 24 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 25 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 26 * See the License for the specific language governing permissions and 27 * limitations under the License. 28 * 29 * This file is part of Mbed TLS (https://tls.mbed.org) 30 */ 31 32 #ifndef MBEDTLS_ECDSA_H 33 #define MBEDTLS_ECDSA_H 34 35 #include "ecp.h" 36 #include "md.h" 37 38 /* 39 * RFC-4492 page 20: 40 * 41 * Ecdsa-Sig-Value ::= SEQUENCE { 42 * r INTEGER, 43 * s INTEGER 44 * } 45 * 46 * Size is at most 47 * 1 (tag) + 1 (len) + 1 (initial 0) + ECP_MAX_BYTES for each of r and s, 48 * twice that + 1 (tag) + 2 (len) for the sequence 49 * (assuming ECP_MAX_BYTES is less than 126 for r and s, 50 * and less than 124 (total len <= 255) for the sequence) 51 */ 52 #if MBEDTLS_ECP_MAX_BYTES > 124 53 #error "MBEDTLS_ECP_MAX_BYTES bigger than expected, please fix MBEDTLS_ECDSA_MAX_LEN" 54 #endif 55 /** The maximal size of an ECDSA signature in Bytes. */ 56 #define MBEDTLS_ECDSA_MAX_LEN ( 3 + 2 * ( 3 + MBEDTLS_ECP_MAX_BYTES ) ) 57 58 #ifdef __cplusplus 59 extern "C" { 60 #endif 61 62 /** 63 * \brief The ECDSA context structure. 64 * 65 * \warning Performing multiple operations concurrently on the same 66 * ECDSA context is not supported; objects of this type 67 * should not be shared between multiple threads. 68 */ 69 typedef mbedtls_ecp_keypair mbedtls_ecdsa_context; 70 71 #if defined(MBEDTLS_ECP_RESTARTABLE) 72 73 /** 74 * \brief Internal restart context for ecdsa_verify() 75 * 76 * \note Opaque struct, defined in ecdsa.c 77 */ 78 typedef struct mbedtls_ecdsa_restart_ver mbedtls_ecdsa_restart_ver_ctx; 79 80 /** 81 * \brief Internal restart context for ecdsa_sign() 82 * 83 * \note Opaque struct, defined in ecdsa.c 84 */ 85 typedef struct mbedtls_ecdsa_restart_sig mbedtls_ecdsa_restart_sig_ctx; 86 87 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 88 /** 89 * \brief Internal restart context for ecdsa_sign_det() 90 * 91 * \note Opaque struct, defined in ecdsa.c 92 */ 93 typedef struct mbedtls_ecdsa_restart_det mbedtls_ecdsa_restart_det_ctx; 94 #endif 95 96 /** 97 * \brief General context for resuming ECDSA operations 98 */ 99 typedef struct 100 { 101 mbedtls_ecp_restart_ctx ecp; /*!< base context for ECP restart and 102 shared administrative info */ 103 mbedtls_ecdsa_restart_ver_ctx *ver; /*!< ecdsa_verify() sub-context */ 104 mbedtls_ecdsa_restart_sig_ctx *sig; /*!< ecdsa_sign() sub-context */ 105 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 106 mbedtls_ecdsa_restart_det_ctx *det; /*!< ecdsa_sign_det() sub-context */ 107 #endif 108 } mbedtls_ecdsa_restart_ctx; 109 110 #else /* MBEDTLS_ECP_RESTARTABLE */ 111 112 /* Now we can declare functions that take a pointer to that */ 113 typedef void mbedtls_ecdsa_restart_ctx; 114 115 #endif /* MBEDTLS_ECP_RESTARTABLE */ 116 117 /** 118 * \brief This function computes the ECDSA signature of a 119 * previously-hashed message. 120 * 121 * \note The deterministic version implemented in 122 * mbedtls_ecdsa_sign_det() is usually preferred. 123 * 124 * \note If the bitlength of the message hash is larger than the 125 * bitlength of the group order, then the hash is truncated 126 * as defined in <em>Standards for Efficient Cryptography Group 127 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 128 * 4.1.3, step 5. 129 * 130 * \see ecp.h 131 * 132 * \param grp The context for the elliptic curve to use. 133 * This must be initialized and have group parameters 134 * set, for example through mbedtls_ecp_group_load(). 135 * \param r The MPI context in which to store the first part 136 * the signature. This must be initialized. 137 * \param s The MPI context in which to store the second part 138 * the signature. This must be initialized. 139 * \param d The private signing key. This must be initialized. 140 * \param buf The content to be signed. This is usually the hash of 141 * the original data to be signed. This must be a readable 142 * buffer of length \p blen Bytes. It may be \c NULL if 143 * \p blen is zero. 144 * \param blen The length of \p buf in Bytes. 145 * \param f_rng The RNG function. This must not be \c NULL. 146 * \param p_rng The RNG context to be passed to \p f_rng. This may be 147 * \c NULL if \p f_rng doesn't need a context parameter. 148 * 149 * \return \c 0 on success. 150 * \return An \c MBEDTLS_ERR_ECP_XXX 151 * or \c MBEDTLS_MPI_XXX error code on failure. 152 */ 153 int mbedtls_ecdsa_sign( mbedtls_ecp_group *grp, mbedtls_mpi *r, mbedtls_mpi *s, 154 const mbedtls_mpi *d, const unsigned char *buf, size_t blen, 155 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 156 157 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 158 /** 159 * \brief This function computes the ECDSA signature of a 160 * previously-hashed message, deterministic version. 161 * 162 * For more information, see <em>RFC-6979: Deterministic 163 * Usage of the Digital Signature Algorithm (DSA) and Elliptic 164 * Curve Digital Signature Algorithm (ECDSA)</em>. 165 * 166 * \note If the bitlength of the message hash is larger than the 167 * bitlength of the group order, then the hash is truncated as 168 * defined in <em>Standards for Efficient Cryptography Group 169 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 170 * 4.1.3, step 5. 171 * 172 * \see ecp.h 173 * 174 * \param grp The context for the elliptic curve to use. 175 * This must be initialized and have group parameters 176 * set, for example through mbedtls_ecp_group_load(). 177 * \param r The MPI context in which to store the first part 178 * the signature. This must be initialized. 179 * \param s The MPI context in which to store the second part 180 * the signature. This must be initialized. 181 * \param d The private signing key. This must be initialized 182 * and setup, for example through mbedtls_ecp_gen_privkey(). 183 * \param buf The hashed content to be signed. This must be a readable 184 * buffer of length \p blen Bytes. It may be \c NULL if 185 * \p blen is zero. 186 * \param blen The length of \p buf in Bytes. 187 * \param md_alg The hash algorithm used to hash the original data. 188 * 189 * \return \c 0 on success. 190 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX 191 * error code on failure. 192 */ 193 int mbedtls_ecdsa_sign_det( mbedtls_ecp_group *grp, mbedtls_mpi *r, 194 mbedtls_mpi *s, const mbedtls_mpi *d, 195 const unsigned char *buf, size_t blen, 196 mbedtls_md_type_t md_alg ); 197 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 198 199 /** 200 * \brief This function verifies the ECDSA signature of a 201 * previously-hashed message. 202 * 203 * \note If the bitlength of the message hash is larger than the 204 * bitlength of the group order, then the hash is truncated as 205 * defined in <em>Standards for Efficient Cryptography Group 206 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 207 * 4.1.4, step 3. 208 * 209 * \see ecp.h 210 * 211 * \param grp The ECP group to use. 212 * This must be initialized and have group parameters 213 * set, for example through mbedtls_ecp_group_load(). 214 * \param buf The hashed content that was signed. This must be a readable 215 * buffer of length \p blen Bytes. It may be \c NULL if 216 * \p blen is zero. 217 * \param blen The length of \p buf in Bytes. 218 * \param Q The public key to use for verification. This must be 219 * initialized and setup. 220 * \param r The first integer of the signature. 221 * This must be initialized. 222 * \param s The second integer of the signature. 223 * This must be initialized. 224 * 225 * \return \c 0 on success. 226 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the signature 227 * is invalid. 228 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX 229 * error code on failure for any other reason. 230 */ 231 int mbedtls_ecdsa_verify( mbedtls_ecp_group *grp, 232 const unsigned char *buf, size_t blen, 233 const mbedtls_ecp_point *Q, const mbedtls_mpi *r, 234 const mbedtls_mpi *s); 235 236 /** 237 * \brief This function computes the ECDSA signature and writes it 238 * to a buffer, serialized as defined in <em>RFC-4492: 239 * Elliptic Curve Cryptography (ECC) Cipher Suites for 240 * Transport Layer Security (TLS)</em>. 241 * 242 * \warning It is not thread-safe to use the same context in 243 * multiple threads. 244 * 245 * \note The deterministic version is used if 246 * #MBEDTLS_ECDSA_DETERMINISTIC is defined. For more 247 * information, see <em>RFC-6979: Deterministic Usage 248 * of the Digital Signature Algorithm (DSA) and Elliptic 249 * Curve Digital Signature Algorithm (ECDSA)</em>. 250 * 251 * \note If the bitlength of the message hash is larger than the 252 * bitlength of the group order, then the hash is truncated as 253 * defined in <em>Standards for Efficient Cryptography Group 254 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 255 * 4.1.3, step 5. 256 * 257 * \see ecp.h 258 * 259 * \param ctx The ECDSA context to use. This must be initialized 260 * and have a group and private key bound to it, for example 261 * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). 262 * \param md_alg The message digest that was used to hash the message. 263 * \param hash The message hash to be signed. This must be a readable 264 * buffer of length \p blen Bytes. 265 * \param hlen The length of the hash \p hash in Bytes. 266 * \param sig The buffer to which to write the signature. This must be a 267 * writable buffer of length at least twice as large as the 268 * size of the curve used, plus 9. For example, 73 Bytes if 269 * a 256-bit curve is used. A buffer length of 270 * #MBEDTLS_ECDSA_MAX_LEN is always safe. 271 * \param slen The address at which to store the actual length of 272 * the signature written. Must not be \c NULL. 273 * \param f_rng The RNG function. This must not be \c NULL if 274 * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, 275 * it is unused and may be set to \c NULL. 276 * \param p_rng The RNG context to be passed to \p f_rng. This may be 277 * \c NULL if \p f_rng is \c NULL or doesn't use a context. 278 * 279 * \return \c 0 on success. 280 * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or 281 * \c MBEDTLS_ERR_ASN1_XXX error code on failure. 282 */ 283 int mbedtls_ecdsa_write_signature( mbedtls_ecdsa_context *ctx, 284 mbedtls_md_type_t md_alg, 285 const unsigned char *hash, size_t hlen, 286 unsigned char *sig, size_t *slen, 287 int (*f_rng)(void *, unsigned char *, size_t), 288 void *p_rng ); 289 290 /** 291 * \brief This function computes the ECDSA signature and writes it 292 * to a buffer, in a restartable way. 293 * 294 * \see \c mbedtls_ecdsa_write_signature() 295 * 296 * \note This function is like \c mbedtls_ecdsa_write_signature() 297 * but it can return early and restart according to the limit 298 * set with \c mbedtls_ecp_set_max_ops() to reduce blocking. 299 * 300 * \param ctx The ECDSA context to use. This must be initialized 301 * and have a group and private key bound to it, for example 302 * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). 303 * \param md_alg The message digest that was used to hash the message. 304 * \param hash The message hash to be signed. This must be a readable 305 * buffer of length \p blen Bytes. 306 * \param hlen The length of the hash \p hash in Bytes. 307 * \param sig The buffer to which to write the signature. This must be a 308 * writable buffer of length at least twice as large as the 309 * size of the curve used, plus 9. For example, 73 Bytes if 310 * a 256-bit curve is used. A buffer length of 311 * #MBEDTLS_ECDSA_MAX_LEN is always safe. 312 * \param slen The address at which to store the actual length of 313 * the signature written. Must not be \c NULL. 314 * \param f_rng The RNG function. This must not be \c NULL if 315 * #MBEDTLS_ECDSA_DETERMINISTIC is unset. Otherwise, 316 * it is unused and may be set to \c NULL. 317 * \param p_rng The RNG context to be passed to \p f_rng. This may be 318 * \c NULL if \p f_rng is \c NULL or doesn't use a context. 319 * \param rs_ctx The restart context to use. This may be \c NULL to disable 320 * restarting. If it is not \c NULL, it must point to an 321 * initialized restart context. 322 * 323 * \return \c 0 on success. 324 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 325 * operations was reached: see \c mbedtls_ecp_set_max_ops(). 326 * \return Another \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or 327 * \c MBEDTLS_ERR_ASN1_XXX error code on failure. 328 */ 329 int mbedtls_ecdsa_write_signature_restartable( mbedtls_ecdsa_context *ctx, 330 mbedtls_md_type_t md_alg, 331 const unsigned char *hash, size_t hlen, 332 unsigned char *sig, size_t *slen, 333 int (*f_rng)(void *, unsigned char *, size_t), 334 void *p_rng, 335 mbedtls_ecdsa_restart_ctx *rs_ctx ); 336 337 #if defined(MBEDTLS_ECDSA_DETERMINISTIC) 338 #if ! defined(MBEDTLS_DEPRECATED_REMOVED) 339 #if defined(MBEDTLS_DEPRECATED_WARNING) 340 #define MBEDTLS_DEPRECATED __attribute__((deprecated)) 341 #else 342 #define MBEDTLS_DEPRECATED 343 #endif 344 /** 345 * \brief This function computes an ECDSA signature and writes 346 * it to a buffer, serialized as defined in <em>RFC-4492: 347 * Elliptic Curve Cryptography (ECC) Cipher Suites for 348 * Transport Layer Security (TLS)</em>. 349 * 350 * The deterministic version is defined in <em>RFC-6979: 351 * Deterministic Usage of the Digital Signature Algorithm (DSA) 352 * and Elliptic Curve Digital Signature Algorithm (ECDSA)</em>. 353 * 354 * \warning It is not thread-safe to use the same context in 355 * multiple threads. 356 * 357 * \note If the bitlength of the message hash is larger than the 358 * bitlength of the group order, then the hash is truncated as 359 * defined in <em>Standards for Efficient Cryptography Group 360 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 361 * 4.1.3, step 5. 362 * 363 * \see ecp.h 364 * 365 * \deprecated Superseded by mbedtls_ecdsa_write_signature() in 366 * Mbed TLS version 2.0 and later. 367 * 368 * \param ctx The ECDSA context to use. This must be initialized 369 * and have a group and private key bound to it, for example 370 * via mbedtls_ecdsa_genkey() or mbedtls_ecdsa_from_keypair(). 371 * \param hash The message hash to be signed. This must be a readable 372 * buffer of length \p blen Bytes. 373 * \param hlen The length of the hash \p hash in Bytes. 374 * \param sig The buffer to which to write the signature. This must be a 375 * writable buffer of length at least twice as large as the 376 * size of the curve used, plus 9. For example, 73 Bytes if 377 * a 256-bit curve is used. A buffer length of 378 * #MBEDTLS_ECDSA_MAX_LEN is always safe. 379 * \param slen The address at which to store the actual length of 380 * the signature written. Must not be \c NULL. 381 * \param md_alg The message digest that was used to hash the message. 382 * 383 * \return \c 0 on success. 384 * \return An \c MBEDTLS_ERR_ECP_XXX, \c MBEDTLS_ERR_MPI_XXX or 385 * \c MBEDTLS_ERR_ASN1_XXX error code on failure. 386 */ 387 int mbedtls_ecdsa_write_signature_det( mbedtls_ecdsa_context *ctx, 388 const unsigned char *hash, size_t hlen, 389 unsigned char *sig, size_t *slen, 390 mbedtls_md_type_t md_alg ) MBEDTLS_DEPRECATED; 391 #undef MBEDTLS_DEPRECATED 392 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 393 #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ 394 395 /** 396 * \brief This function reads and verifies an ECDSA signature. 397 * 398 * \note If the bitlength of the message hash is larger than the 399 * bitlength of the group order, then the hash is truncated as 400 * defined in <em>Standards for Efficient Cryptography Group 401 * (SECG): SEC1 Elliptic Curve Cryptography</em>, section 402 * 4.1.4, step 3. 403 * 404 * \see ecp.h 405 * 406 * \param ctx The ECDSA context to use. This must be initialized 407 * and have a group and public key bound to it. 408 * \param hash The message hash that was signed. This must be a readable 409 * buffer of length \p size Bytes. 410 * \param hlen The size of the hash \p hash. 411 * \param sig The signature to read and verify. This must be a readable 412 * buffer of length \p slen Bytes. 413 * \param slen The size of \p sig in Bytes. 414 * 415 * \return \c 0 on success. 416 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. 417 * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid 418 * signature in \p sig, but its length is less than \p siglen. 419 * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX 420 * error code on failure for any other reason. 421 */ 422 int mbedtls_ecdsa_read_signature( mbedtls_ecdsa_context *ctx, 423 const unsigned char *hash, size_t hlen, 424 const unsigned char *sig, size_t slen ); 425 426 /** 427 * \brief This function reads and verifies an ECDSA signature, 428 * in a restartable way. 429 * 430 * \see \c mbedtls_ecdsa_read_signature() 431 * 432 * \note This function is like \c mbedtls_ecdsa_read_signature() 433 * but it can return early and restart according to the limit 434 * set with \c mbedtls_ecp_set_max_ops() to reduce blocking. 435 * 436 * \param ctx The ECDSA context to use. This must be initialized 437 * and have a group and public key bound to it. 438 * \param hash The message hash that was signed. This must be a readable 439 * buffer of length \p size Bytes. 440 * \param hlen The size of the hash \p hash. 441 * \param sig The signature to read and verify. This must be a readable 442 * buffer of length \p slen Bytes. 443 * \param slen The size of \p sig in Bytes. 444 * \param rs_ctx The restart context to use. This may be \c NULL to disable 445 * restarting. If it is not \c NULL, it must point to an 446 * initialized restart context. 447 * 448 * \return \c 0 on success. 449 * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if signature is invalid. 450 * \return #MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH if there is a valid 451 * signature in \p sig, but its length is less than \p siglen. 452 * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of 453 * operations was reached: see \c mbedtls_ecp_set_max_ops(). 454 * \return Another \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_ERR_MPI_XXX 455 * error code on failure for any other reason. 456 */ 457 int mbedtls_ecdsa_read_signature_restartable( mbedtls_ecdsa_context *ctx, 458 const unsigned char *hash, size_t hlen, 459 const unsigned char *sig, size_t slen, 460 mbedtls_ecdsa_restart_ctx *rs_ctx ); 461 462 /** 463 * \brief This function generates an ECDSA keypair on the given curve. 464 * 465 * \see ecp.h 466 * 467 * \param ctx The ECDSA context to store the keypair in. 468 * This must be initialized. 469 * \param gid The elliptic curve to use. One of the various 470 * \c MBEDTLS_ECP_DP_XXX macros depending on configuration. 471 * \param f_rng The RNG function to use. This must not be \c NULL. 472 * \param p_rng The RNG context to be passed to \p f_rng. This may be 473 * \c NULL if \p f_rng doesn't need a context argument. 474 * 475 * \return \c 0 on success. 476 * \return An \c MBEDTLS_ERR_ECP_XXX code on failure. 477 */ 478 int mbedtls_ecdsa_genkey( mbedtls_ecdsa_context *ctx, mbedtls_ecp_group_id gid, 479 int (*f_rng)(void *, unsigned char *, size_t), void *p_rng ); 480 481 /** 482 * \brief This function sets up an ECDSA context from an EC key pair. 483 * 484 * \see ecp.h 485 * 486 * \param ctx The ECDSA context to setup. This must be initialized. 487 * \param key The EC key to use. This must be initialized and hold 488 * a private-public key pair or a public key. In the former 489 * case, the ECDSA context may be used for signature creation 490 * and verification after this call. In the latter case, it 491 * may be used for signature verification. 492 * 493 * \return \c 0 on success. 494 * \return An \c MBEDTLS_ERR_ECP_XXX code on failure. 495 */ 496 int mbedtls_ecdsa_from_keypair( mbedtls_ecdsa_context *ctx, 497 const mbedtls_ecp_keypair *key ); 498 499 /** 500 * \brief This function initializes an ECDSA context. 501 * 502 * \param ctx The ECDSA context to initialize. 503 * This must not be \c NULL. 504 */ 505 void mbedtls_ecdsa_init( mbedtls_ecdsa_context *ctx ); 506 507 /** 508 * \brief This function frees an ECDSA context. 509 * 510 * \param ctx The ECDSA context to free. This may be \c NULL, 511 * in which case this function does nothing. If it 512 * is not \c NULL, it must be initialized. 513 */ 514 void mbedtls_ecdsa_free( mbedtls_ecdsa_context *ctx ); 515 516 #if defined(MBEDTLS_ECP_RESTARTABLE) 517 /** 518 * \brief Initialize a restart context. 519 * 520 * \param ctx The restart context to initialize. 521 * This must not be \c NULL. 522 */ 523 void mbedtls_ecdsa_restart_init( mbedtls_ecdsa_restart_ctx *ctx ); 524 525 /** 526 * \brief Free the components of a restart context. 527 * 528 * \param ctx The restart context to free. This may be \c NULL, 529 * in which case this function does nothing. If it 530 * is not \c NULL, it must be initialized. 531 */ 532 void mbedtls_ecdsa_restart_free( mbedtls_ecdsa_restart_ctx *ctx ); 533 #endif /* MBEDTLS_ECP_RESTARTABLE */ 534 535 #ifdef __cplusplus 536 } 537 #endif 538 539 #endif /* ecdsa.h */ 540