nfqws: fixes backport from z2

	int ret = 0;

	gcm_context ctx;

	gcm_initialize();

	if (!(ret = gcm_setkey(&ctx, key, (const uint)key_len)))

	{

		ret = gcm_crypt_and_tag(&ctx, mode, iv, iv_len, adata, adata_len, input, output, input_length, atag, atag_len);

	uint64_t orig_add_len = ctx->add_len * 8;

	size_t i;

	if (tag_len != 0) memcpy(tag, ctx->base_ectr, tag_len);

	if (tag_len>16) return -1;

	if (tag_len) memcpy(tag, ctx->base_ectr, tag_len);

	if (orig_len || orig_add_len) {

		memset(work_buf, 0x00, 16);

	   prepare the gcm context with the keying material, we simply

	   invoke each of the three GCM sub-functions in turn...

	*/

	gcm_start(ctx, mode, iv, iv_len, add, add_len);

	gcm_update(ctx, length, input, output);

	gcm_finish(ctx, tag, tag_len);

	return(0);

	if (tag_len>16) return -1;

	int ret;

	if ((ret=gcm_start(ctx, mode, iv, iv_len, add, add_len))) return ret;

	if ((ret=gcm_update(ctx, length, input, output))) return ret;

	return gcm_finish(ctx, tag, tag_len);

}

	uchar check_tag[16];        // the tag generated and returned by decryption

	int diff;                   // an ORed flag to detect authentication errors

	size_t i;                   // our local iterator

	int ret;

	if (tag_len>16) return -1;

	/*

	   we use GCM_DECRYPT_AND_TAG (above) to perform our decryption

	   (which is an identical XORing to reverse the previous one)

	   and also to re-generate the matching authentication tag

	*/

	gcm_crypt_and_tag(ctx, AES_DECRYPT, iv, iv_len, add, add_len,

		input, output, length, check_tag, tag_len);

	if ((ret = gcm_crypt_and_tag(ctx, AES_DECRYPT, iv, iv_len, add, add_len, input, output, length, check_tag, tag_len))) return ret;

	// now we verify the authentication tag in 'constant time'

	for (diff = 0, i = 0; i < tag_len; i++)

		diff |= tag[i] ^ check_tag[i];

	if (diff != 0) {                   // see whether any bits differed?

	if (diff)

	{

		// see whether any bits differed?

		memset(output, 0, length);    // if so... wipe the output data

		return(GCM_AUTH_FAILURE);     // return GCM_AUTH_FAILURE

	}

	return(0);

	return 0;

}

/******************************************************************************

	uint8_t okm[], size_t okm_len)

{

	uint8_t prk[USHAMaxHashSize];

	return hkdfExtract(whichSha, salt, salt_len, ikm, ikm_len, prk) ||

		hkdfExpand(whichSha, prk, USHAHashSize(whichSha), info,

			info_len, okm, okm_len);

	int ret;

	if ((ret=hkdfExtract(whichSha, salt, salt_len, ikm, ikm_len, prk))) return ret;

	return hkdfExpand(whichSha, prk, USHAHashSize(whichSha), info, info_len, okm, okm_len);

}

/*

		salt_len = USHAHashSize(whichSha);

		memset(nullSalt, '\0', salt_len);

	}

	else if (salt_len < 0) {

		return shaBadParam;

	}

	return hmac(whichSha, ikm, ikm_len, salt, salt_len, prk);

}

	size_t hash_len, N;

	unsigned char T[USHAMaxHashSize];

	size_t Tlen, where, i;

	int ret;

	if (info == 0) {

		info = (const unsigned char *)"";

		info_len = 0;

	}

	else if (info_len < 0) {

		return shaBadParam;

	}

	if (okm_len <= 0) return shaBadParam;

	if (!okm) return shaBadParam;

	if (!okm || !okm_len) return shaBadParam;

	hash_len = USHAHashSize(whichSha);

	if (prk_len < hash_len) return shaBadParam;

	for (i = 1; i <= N; i++) {

		HMACContext context;

		unsigned char c = i;

		int ret = hmacReset(&context, whichSha, prk, prk_len) ||

			hmacInput(&context, T, Tlen) ||

			hmacInput(&context, info, info_len) ||

			hmacInput(&context, &c, 1) ||

			hmacResult(&context, T);

		if (ret != shaSuccess) return ret;

		if ((ret=hmacReset(&context, whichSha, prk, prk_len))) return ret;

		if ((ret=hmacInput(&context, T, Tlen))) return ret;

		if ((ret=hmacInput(&context, info, info_len))) return ret;

		if ((ret=hmacInput(&context, &c, 1))) return ret;

		if ((ret=hmacResult(&context, T))) return ret;

		memcpy(okm + where, T,

			(i != N) ? hash_len : (okm_len - where));

		where += hash_len;

	if (!okm) return context->Corrupted = shaBadParam;

	if (!prk) prk = prkbuf;

	ret = hmacResult(&context->hmacContext, prk) ||

		hkdfExpand(context->whichSha, prk, context->hashSize, info,

			info_len, okm, okm_len);

	if (!(ret = hmacResult(&context->hmacContext, prk)))

		ret = hkdfExpand(context->whichSha, prk, context->hashSize, info, info_len, okm, okm_len);

	context->Computed = 1;

	return context->Corrupted = ret;

}

	uint8_t digest[USHAMaxHashSize])

{

	HMACContext context;

	return hmacReset(&context, whichSha, key, key_len) ||

		hmacInput(&context, message_array, length) ||

		hmacResult(&context, digest);

	int ret;

	if ((ret=hmacReset(&context, whichSha, key, key_len))) return ret;

	if ((ret=hmacInput(&context, message_array, length))) return ret;

	return hmacResult(&context, digest);

}

/*

	 */

	if (key_len > blocksize) {

		USHAContext tcontext;

		int err = USHAReset(&tcontext, whichSha) ||

			USHAInput(&tcontext, key, key_len) ||

			USHAResult(&tcontext, tempkey);

		if (err != shaSuccess) return err;

		if ((ret=USHAReset(&tcontext, whichSha)) || (ret=USHAInput(&tcontext, key, key_len)) || (ret=USHAResult(&tcontext, tempkey)))

			return ret;

		key = tempkey;

		key_len = hashsize;

	/* perform inner hash */

	/* init context for 1st pass */

	ret = USHAReset(&context->shaContext, whichSha) ||

	if (!(ret = USHAReset(&context->shaContext, whichSha)))

		/* and start with inner pad */

		USHAInput(&context->shaContext, k_ipad, blocksize);

		ret = USHAInput(&context->shaContext, k_ipad, blocksize);

	return context->Corrupted = ret;

}

	if (context->Corrupted) return context->Corrupted;

	if (context->Computed) return context->Corrupted = shaStateError;

	/* then final bits of datagram */

	return context->Corrupted =

		USHAFinalBits(&context->shaContext, bits, bit_count);

	return context->Corrupted = USHAFinalBits(&context->shaContext, bits, bit_count);

}

/*

	/* finish up 1st pass */

	/* (Use digest here as a temporary buffer.) */

	ret =

		USHAResult(&context->shaContext, digest) ||

	if (!(ret=USHAResult(&context->shaContext, digest)) &&

		/* perform outer SHA */

		/* init context for 2nd pass */

		USHAReset(&context->shaContext, context->whichSha) ||

		!(ret=USHAReset(&context->shaContext, context->whichSha)) &&

		/* start with outer pad */

		USHAInput(&context->shaContext, context->k_opad,

			context->blockSize) ||

		!(ret=USHAInput(&context->shaContext, context->k_opad, context->blockSize)) &&

		/* then results of 1st hash */

		USHAInput(&context->shaContext, digest, context->hashSize) ||

		!(ret=USHAInput(&context->shaContext, digest, context->hashSize)))

		/* finish up 2nd pass */

		USHAResult(&context->shaContext, digest);

		ret=USHAResult(&context->shaContext, digest);

	context->Computed = 1;

	return context->Corrupted = ret;

 * Add "length" to the length.

 * Set Corrupted when overflow has occurred.

 */

static uint32_t addTemp;

#define SHA224_256AddLength(context, length)               \

  (addTemp = (context)->Length_Low, (context)->Corrupted = \

    (((context)->Length_Low += (length)) < addTemp) &&     \

    (++(context)->Length_High == 0) ? shaInputTooLong :    \

                                      (context)->Corrupted )

static int SHA224_256AddLength(SHA256Context *context, uint32_t length)

{

	uint32_t addTemp = context->Length_Low;

	if (((context->Length_Low += length) < addTemp) && (++(context)->Length_High == 0)) context->Corrupted = shaInputTooLong;

	return context->Corrupted;

}

/* Local Function Prototypes */

static int SHA224_256Reset(SHA256Context *context, uint32_t *H0);