blob: 0bd6e1e0fc77d668b2e4998148413aefac4bc90d [file] [log] [blame]
Paul Bakker89e80c92012-03-20 13:50:09 +00001/**
2 * \file gcm.h
3 *
Rose Zadikd8c4f612018-03-27 11:43:04 +01004 * \brief This file contains GCM definitions and functions.
5 *
6 * The Galois/Counter Mode (GCM) for 128-bit block ciphers is defined
7 * in <em>D. McGrew, J. Viega, The Galois/Counter Mode of Operation
8 * (GCM), Natl. Inst. Stand. Technol.</em>
Rose Zadik17b4f7f2018-01-26 10:56:42 +00009 *
10 * For more information on GCM, see <em>NIST SP 800-38D: Recommendation for
11 * Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC</em>.
12 *
Darryl Greena40a1012018-01-05 15:33:17 +000013 */
14/*
Bence Szépkúti1e148272020-08-07 13:07:28 +020015 * Copyright The Mbed TLS Contributors
Manuel Pégourié-Gonnard37ff1402015-09-04 14:21:07 +020016 * SPDX-License-Identifier: Apache-2.0
17 *
18 * Licensed under the Apache License, Version 2.0 (the "License"); you may
19 * not use this file except in compliance with the License.
20 * You may obtain a copy of the License at
21 *
22 * http://www.apache.org/licenses/LICENSE-2.0
23 *
24 * Unless required by applicable law or agreed to in writing, software
25 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
26 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
27 * See the License for the specific language governing permissions and
28 * limitations under the License.
Paul Bakker89e80c92012-03-20 13:50:09 +000029 */
Rose Zadik17b4f7f2018-01-26 10:56:42 +000030
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020031#ifndef MBEDTLS_GCM_H
32#define MBEDTLS_GCM_H
Paul Bakker89e80c92012-03-20 13:50:09 +000033
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050034#if !defined(MBEDTLS_CONFIG_FILE)
Jaeden Ameroc49fbbf2019-07-04 20:01:14 +010035#include "mbedtls/config.h"
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050036#else
37#include MBEDTLS_CONFIG_FILE
38#endif
39
Jaeden Ameroc49fbbf2019-07-04 20:01:14 +010040#include "mbedtls/cipher.h"
Paul Bakker89e80c92012-03-20 13:50:09 +000041
42#include <stdint.h>
43
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020044#define MBEDTLS_GCM_ENCRYPT 1
45#define MBEDTLS_GCM_DECRYPT 0
Paul Bakker89e80c92012-03-20 13:50:09 +000046
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020047#define MBEDTLS_ERR_GCM_AUTH_FAILED -0x0012 /**< Authenticated decryption failed. */
Ron Eldor9924bdc2018-10-04 10:59:13 +030048
49/* MBEDTLS_ERR_GCM_HW_ACCEL_FAILED is deprecated and should not be used. */
Gilles Peskine7ecab3d2018-01-26 17:56:38 +010050#define MBEDTLS_ERR_GCM_HW_ACCEL_FAILED -0x0013 /**< GCM hardware accelerator failed. */
Ron Eldor9924bdc2018-10-04 10:59:13 +030051
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020052#define MBEDTLS_ERR_GCM_BAD_INPUT -0x0014 /**< Bad input parameters to function. */
Paul Bakker89e80c92012-03-20 13:50:09 +000053
Paul Bakker407a0da2013-06-27 14:29:21 +020054#ifdef __cplusplus
55extern "C" {
56#endif
57
Ron Eldor4e6d55d2018-02-07 16:36:15 +020058#if !defined(MBEDTLS_GCM_ALT)
59
Paul Bakker89e80c92012-03-20 13:50:09 +000060/**
Rose Zadik17b4f7f2018-01-26 10:56:42 +000061 * \brief The GCM context structure.
Paul Bakker89e80c92012-03-20 13:50:09 +000062 */
Dawid Drozd428cc522018-07-24 10:02:47 +020063typedef struct mbedtls_gcm_context
64{
Rose Zadik17b4f7f2018-01-26 10:56:42 +000065 mbedtls_cipher_context_t cipher_ctx; /*!< The cipher context used. */
66 uint64_t HL[16]; /*!< Precalculated HTable low. */
67 uint64_t HH[16]; /*!< Precalculated HTable high. */
68 uint64_t len; /*!< The total length of the encrypted data. */
69 uint64_t add_len; /*!< The total length of the additional data. */
70 unsigned char base_ectr[16]; /*!< The first ECTR for tag. */
71 unsigned char y[16]; /*!< The Y working value. */
72 unsigned char buf[16]; /*!< The buf working value. */
73 int mode; /*!< The operation to perform:
74 #MBEDTLS_GCM_ENCRYPT or
75 #MBEDTLS_GCM_DECRYPT. */
Paul Bakker89e80c92012-03-20 13:50:09 +000076}
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +020077mbedtls_gcm_context;
Paul Bakker89e80c92012-03-20 13:50:09 +000078
Ron Eldor4e6d55d2018-02-07 16:36:15 +020079#else /* !MBEDTLS_GCM_ALT */
80#include "gcm_alt.h"
81#endif /* !MBEDTLS_GCM_ALT */
82
Paul Bakker89e80c92012-03-20 13:50:09 +000083/**
Rose Zadik17b4f7f2018-01-26 10:56:42 +000084 * \brief This function initializes the specified GCM context,
85 * to make references valid, and prepares the context
86 * for mbedtls_gcm_setkey() or mbedtls_gcm_free().
Manuel Pégourié-Gonnardc34e8dd2015-04-28 21:42:17 +020087 *
Rose Zadik17b4f7f2018-01-26 10:56:42 +000088 * The function does not bind the GCM context to a particular
89 * cipher, nor set the key. For this purpose, use
90 * mbedtls_gcm_setkey().
91 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -050092 * \param ctx The GCM context to initialize. This must not be \c NULL.
Manuel Pégourié-Gonnardc34e8dd2015-04-28 21:42:17 +020093 */
94void mbedtls_gcm_init( mbedtls_gcm_context *ctx );
95
96/**
Rose Zadik17b4f7f2018-01-26 10:56:42 +000097 * \brief This function associates a GCM context with a
98 * cipher algorithm and a key.
Paul Bakker89e80c92012-03-20 13:50:09 +000099 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500100 * \param ctx The GCM context. This must be initialized.
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000101 * \param cipher The 128-bit block cipher to use.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500102 * \param key The encryption key. This must be a readable buffer of at
103 * least \p keybits bits.
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000104 * \param keybits The key size in bits. Valid options are:
105 * <ul><li>128 bits</li>
106 * <li>192 bits</li>
107 * <li>256 bits</li></ul>
Paul Bakker89e80c92012-03-20 13:50:09 +0000108 *
Rose Zadikd8c4f612018-03-27 11:43:04 +0100109 * \return \c 0 on success.
110 * \return A cipher-specific error code on failure.
Paul Bakker89e80c92012-03-20 13:50:09 +0000111 */
Manuel Pégourié-Gonnardc34e8dd2015-04-28 21:42:17 +0200112int mbedtls_gcm_setkey( mbedtls_gcm_context *ctx,
113 mbedtls_cipher_id_t cipher,
114 const unsigned char *key,
Manuel Pégourié-Gonnardb8186a52015-06-18 14:58:58 +0200115 unsigned int keybits );
Paul Bakker89e80c92012-03-20 13:50:09 +0000116
117/**
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000118 * \brief This function performs GCM encryption or decryption of a buffer.
Paul Bakker89e80c92012-03-20 13:50:09 +0000119 *
Rose Zadikd8c4f612018-03-27 11:43:04 +0100120 * \note For encryption, the output buffer can be the same as the
121 * input buffer. For decryption, the output buffer cannot be
122 * the same as input buffer. If the buffers overlap, the output
123 * buffer must trail at least 8 Bytes behind the input buffer.
Paul Bakkerca4ab492012-04-18 14:23:57 +0000124 *
Gilles Peskine80f679b2018-06-01 17:55:41 +0200125 * \warning When this function performs a decryption, it outputs the
126 * authentication tag and does not verify that the data is
127 * authentic. You should use this function to perform encryption
128 * only. For decryption, use mbedtls_gcm_auth_decrypt() instead.
129 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500130 * \param ctx The GCM context to use for encryption or decryption. This
131 * must be initialized.
Gilles Peskine0a0e08a2018-06-07 14:46:02 +0200132 * \param mode The operation to perform:
133 * - #MBEDTLS_GCM_ENCRYPT to perform authenticated encryption.
134 * The ciphertext is written to \p output and the
135 * authentication tag is written to \p tag.
136 * - #MBEDTLS_GCM_DECRYPT to perform decryption.
137 * The plaintext is written to \p output and the
138 * authentication tag is written to \p tag.
139 * Note that this mode is not recommended, because it does
140 * not verify the authenticity of the data. For this reason,
141 * you should use mbedtls_gcm_auth_decrypt() instead of
142 * calling this function in decryption mode.
Gilles Peskine80f679b2018-06-01 17:55:41 +0200143 * \param length The length of the input data, which is equal to the length
144 * of the output data.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500145 * \param iv The initialization vector. This must be a readable buffer of
146 * at least \p iv_len Bytes.
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000147 * \param iv_len The length of the IV.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500148 * \param add The buffer holding the additional data. This must be of at
149 * least that size in Bytes.
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000150 * \param add_len The length of the additional data.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500151 * \param input The buffer holding the input data. If \p length is greater
152 * than zero, this must be a readable buffer of at least that
153 * size in Bytes.
154 * \param output The buffer for holding the output data. If \p length is greater
155 * than zero, this must be a writable buffer of at least that
156 * size in Bytes.
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000157 * \param tag_len The length of the tag to generate.
Yonatan Goldschmidt6e2af092020-09-12 00:19:52 +0300158 * \param tag The buffer for holding the tag. This must be a writable
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500159 * buffer of at least \p tag_len Bytes.
Paul Bakker89e80c92012-03-20 13:50:09 +0000160 *
Gilles Peskine80f679b2018-06-01 17:55:41 +0200161 * \return \c 0 if the encryption or decryption was performed
162 * successfully. Note that in #MBEDTLS_GCM_DECRYPT mode,
163 * this does not indicate that the data is authentic.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500164 * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
165 * not valid or a cipher-specific error code if the encryption
Ron Eldor9924bdc2018-10-04 10:59:13 +0300166 * or decryption failed.
Paul Bakker89e80c92012-03-20 13:50:09 +0000167 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200168int mbedtls_gcm_crypt_and_tag( mbedtls_gcm_context *ctx,
Paul Bakker89e80c92012-03-20 13:50:09 +0000169 int mode,
170 size_t length,
171 const unsigned char *iv,
172 size_t iv_len,
173 const unsigned char *add,
174 size_t add_len,
175 const unsigned char *input,
176 unsigned char *output,
177 size_t tag_len,
178 unsigned char *tag );
179
180/**
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000181 * \brief This function performs a GCM authenticated decryption of a
182 * buffer.
Paul Bakker89e80c92012-03-20 13:50:09 +0000183 *
Rose Zadikd8c4f612018-03-27 11:43:04 +0100184 * \note For decryption, the output buffer cannot be the same as
185 * input buffer. If the buffers overlap, the output buffer
186 * must trail at least 8 Bytes behind the input buffer.
Paul Bakkerca4ab492012-04-18 14:23:57 +0000187 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500188 * \param ctx The GCM context. This must be initialized.
Gilles Peskine80f679b2018-06-01 17:55:41 +0200189 * \param length The length of the ciphertext to decrypt, which is also
190 * the length of the decrypted plaintext.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500191 * \param iv The initialization vector. This must be a readable buffer
192 * of at least \p iv_len Bytes.
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000193 * \param iv_len The length of the IV.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500194 * \param add The buffer holding the additional data. This must be of at
195 * least that size in Bytes.
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000196 * \param add_len The length of the additional data.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500197 * \param tag The buffer holding the tag to verify. This must be a
198 * readable buffer of at least \p tag_len Bytes.
Gilles Peskine80f679b2018-06-01 17:55:41 +0200199 * \param tag_len The length of the tag to verify.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500200 * \param input The buffer holding the ciphertext. If \p length is greater
201 * than zero, this must be a readable buffer of at least that
202 * size.
203 * \param output The buffer for holding the decrypted plaintext. If \p length
204 * is greater than zero, this must be a writable buffer of at
205 * least that size.
Paul Bakker89e80c92012-03-20 13:50:09 +0000206 *
Gilles Peskine80f679b2018-06-01 17:55:41 +0200207 * \return \c 0 if successful and authenticated.
208 * \return #MBEDTLS_ERR_GCM_AUTH_FAILED if the tag does not match.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500209 * \return #MBEDTLS_ERR_GCM_BAD_INPUT if the lengths or pointers are
210 * not valid or a cipher-specific error code if the decryption
211 * failed.
Paul Bakker89e80c92012-03-20 13:50:09 +0000212 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200213int mbedtls_gcm_auth_decrypt( mbedtls_gcm_context *ctx,
Paul Bakker89e80c92012-03-20 13:50:09 +0000214 size_t length,
215 const unsigned char *iv,
216 size_t iv_len,
217 const unsigned char *add,
218 size_t add_len,
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200219 const unsigned char *tag,
Paul Bakker89e80c92012-03-20 13:50:09 +0000220 size_t tag_len,
221 const unsigned char *input,
222 unsigned char *output );
223
224/**
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000225 * \brief This function starts a GCM encryption or decryption
226 * operation.
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200227 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500228 * \param ctx The GCM context. This must be initialized.
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000229 * \param mode The operation to perform: #MBEDTLS_GCM_ENCRYPT or
230 * #MBEDTLS_GCM_DECRYPT.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500231 * \param iv The initialization vector. This must be a readable buffer of
232 * at least \p iv_len Bytes.
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000233 * \param iv_len The length of the IV.
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500234 * \param add The buffer holding the additional data, or \c NULL
235 * if \p add_len is \c 0.
236 * \param add_len The length of the additional data. If \c 0,
237 * \p add may be \c NULL.
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200238 *
Rose Zadikd8c4f612018-03-27 11:43:04 +0100239 * \return \c 0 on success.
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200240 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200241int mbedtls_gcm_starts( mbedtls_gcm_context *ctx,
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200242 int mode,
243 const unsigned char *iv,
244 size_t iv_len,
245 const unsigned char *add,
246 size_t add_len );
247
248/**
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000249 * \brief This function feeds an input buffer into an ongoing GCM
250 * encryption or decryption operation.
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200251 *
Rose Zadikd8c4f612018-03-27 11:43:04 +0100252 * \note For decryption, the output buffer cannot be the same as
253 * input buffer. If the buffers overlap, the output buffer
254 * must trail at least 8 Bytes behind the input buffer.
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200255 *
Gilles Peskinea56c4482021-04-15 17:22:35 +0200256 * \param ctx The GCM context. This must be initialized.
257 * \param input The buffer holding the input data. If \p input_length
258 * is greater than zero, this must be a readable buffer
259 * of at least \p input_length bytes.
260 * \param input_length The length of the input data in bytes.
261 * \param output The buffer for the output data. If \p output_length
262 * is greater than zero, this must be a writable buffer of
263 * of at least \p output_size bytes.
264 * This function may withhold the end of the output if
265 * it is a partial block for the underlying block cipher.
266 * That is, if the cumulated input passed to
267 * mbedtls_gcm_update() so far (including the current call)
268 * is 16 *n* + *p* with *p* < 16, this function may
269 * withhold the last *p* bytes, which will be output by
270 * a subsequent call to mbedtls_gcm_update() or
271 * mbedtls_gcm_finish().
272 * \param output_size The size of the output buffer in bytes.
273 * This must be at least \p input_length plus the length
274 * of the input withheld by the previous call to
275 * mbedtls_gcm_update(). Therefore:
276 * - With arbitrary inputs, \p output_size may need to
277 * be as large as `input_length + 15`.
278 * - If all input lengths are a multiple of 16, then
279 * \p output_size = \p input_length is sufficient.
280 * \param output_length On success, \p *output_length contains the actual
281 * length of the output written in \p output.
282 * On failure, the content of \p *output_length is
283 * unspecified.
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200284 *
Rose Zadikd8c4f612018-03-27 11:43:04 +0100285 * \return \c 0 on success.
286 * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200287 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200288int mbedtls_gcm_update( mbedtls_gcm_context *ctx,
Gilles Peskinea56c4482021-04-15 17:22:35 +0200289 const unsigned char *input, size_t input_length,
290 unsigned char *output, size_t output_size,
291 size_t *output_length );
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200292
293/**
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000294 * \brief This function finishes the GCM operation and generates
295 * the authentication tag.
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200296 *
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000297 * It wraps up the GCM stream, and generates the
298 * tag. The tag can have a maximum length of 16 Bytes.
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200299 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500300 * \param ctx The GCM context. This must be initialized.
Yonatan Goldschmidt6e2af092020-09-12 00:19:52 +0300301 * \param tag The buffer for holding the tag. This must be a writable
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500302 * buffer of at least \p tag_len Bytes.
303 * \param tag_len The length of the tag to generate. This must be at least
304 * four.
Gilles Peskine9461e452021-04-15 16:48:32 +0200305 * \param output The buffer for the final output.
306 * This must be a writable buffer of at least \p output_len
307 * bytes.
308 * With the built-in implementation, there is no final
309 * output and this can be \p NULL.
310 * Alternative implementations may return a partial block
311 * of output.
312 * \param output_len The size of the \p output buffer in bytes.
313 * With the built-in implementation, this can be \c 0.
314 * Alternative implementations may require a 15-byte buffer.
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000315 *
Rose Zadikd8c4f612018-03-27 11:43:04 +0100316 * \return \c 0 on success.
317 * \return #MBEDTLS_ERR_GCM_BAD_INPUT on failure.
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200318 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200319int mbedtls_gcm_finish( mbedtls_gcm_context *ctx,
Gilles Peskine9461e452021-04-15 16:48:32 +0200320 unsigned char *output, size_t output_len,
321 unsigned char *tag, size_t tag_len );
Paul Bakkerb9d3cfa2013-06-26 15:07:16 +0200322
323/**
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000324 * \brief This function clears a GCM context and the underlying
325 * cipher sub-context.
Manuel Pégourié-Gonnard4fe92002013-09-13 13:45:58 +0200326 *
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500327 * \param ctx The GCM context to clear. If this is \c NULL, the call has
328 * no effect. Otherwise, this must be initialized.
Manuel Pégourié-Gonnard4fe92002013-09-13 13:45:58 +0200329 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200330void mbedtls_gcm_free( mbedtls_gcm_context *ctx );
Manuel Pégourié-Gonnard4fe92002013-09-13 13:45:58 +0200331
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500332#if defined(MBEDTLS_SELF_TEST)
333
Manuel Pégourié-Gonnard4fe92002013-09-13 13:45:58 +0200334/**
Rose Zadik17b4f7f2018-01-26 10:56:42 +0000335 * \brief The GCM checkup routine.
Paul Bakker89e80c92012-03-20 13:50:09 +0000336 *
Rose Zadikd8c4f612018-03-27 11:43:04 +0100337 * \return \c 0 on success.
338 * \return \c 1 on failure.
Paul Bakker89e80c92012-03-20 13:50:09 +0000339 */
Manuel Pégourié-Gonnard2cf5a7c2015-04-08 12:49:31 +0200340int mbedtls_gcm_self_test( int verbose );
Paul Bakker89e80c92012-03-20 13:50:09 +0000341
Andrzej Kurekc470b6b2019-01-31 08:20:20 -0500342#endif /* MBEDTLS_SELF_TEST */
343
Paul Bakker89e80c92012-03-20 13:50:09 +0000344#ifdef __cplusplus
345}
346#endif
347
Jaeden Amero15263302017-09-21 12:53:48 +0100348
Paul Bakker89e80c92012-03-20 13:50:09 +0000349#endif /* gcm.h */