diff --git a/old_nettle_compat.patch b/old_nettle_compat.patch
index a4f6ffd..d4a2095 100644
--- a/old_nettle_compat.patch
+++ b/old_nettle_compat.patch
@@ -15,81 +15,118 @@ Date:   Fri Feb 7 09:11:20 2014 +0100
     Base64 and base16 decoding: Use *dst_length as output only.
 
 
-Index: squid-3.5.21/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
+Index: squid-4.8/src/HttpHeader.cc
 ===================================================================
---- squid-3.5.21.orig/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
-+++ squid-3.5.21/helpers/negotiate_auth/kerberos/negotiate_kerberos_auth.cc
-@@ -667,7 +667,7 @@ main(int argc, char *const argv[])
+--- squid-4.8.orig/src/HttpHeader.cc
++++ squid-4.8/src/HttpHeader.cc
+@@ -1301,7 +1301,7 @@ HttpHeader::getAuthToken(Http::HdrType i
+     char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
+     struct base64_decode_ctx ctx;
+     base64_decode_init(&ctx);
+-    size_t decodedLen = 0;
++    size_t decodedLen = BASE64_DECODE_LENGTH(fieldLen);
+     if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, field) ||
+             !base64_decode_final(&ctx)) {
+         return nil;
+Index: squid-4.8/src/auth/basic/Config.cc
+===================================================================
+--- squid-4.8.orig/src/auth/basic/Config.cc
++++ squid-4.8/src/auth/basic/Config.cc
+@@ -176,7 +176,7 @@ Auth::Basic::Config::decodeCleartext(con
+     struct base64_decode_ctx ctx;
+     base64_decode_init(&ctx);
+ 
+-    size_t dstLen = 0;
++    size_t dstLen = BASE64_DECODE_LENGTH(srcLen)+1;
+     if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
+         cleartext[dstLen] = '\0';
+ 
+Index: squid-4.8/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc
+===================================================================
+--- squid-4.8.orig/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc
++++ squid-4.8/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc
+@@ -131,6 +131,7 @@ token_decode(size_t *decodedLen, uint8_t
+ {
+     struct base64_decode_ctx ctx;
+     base64_decode_init(&ctx);
++    *decodedLen = BASE64_DECODE_LENGTH(strlen(srcLen));
+     if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), reinterpret_cast<const uint8_t*>(buf)) ||
+             !base64_decode_final(&ctx)) {
+         SEND("BH base64 decode failed");
+Index: squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
+===================================================================
+--- squid-4.8.orig/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
++++ squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
+@@ -681,7 +681,7 @@ main(int argc, char *const argv[])
  
          struct base64_decode_ctx ctx;
          base64_decode_init(&ctx);
--        unsigned int dstLen = 0;
-+        unsigned int dstLen = input_token.length;
+-        size_t dstLen = 0;
++        size_t dstLen = BASE64_DECODE_LENGTH(srcLen);
          if (!base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), srcLen, b64Token) ||
                  !base64_decode_final(&ctx)) {
              debug((char *) "%s| %s: ERROR: Invalid base64 token [%s]\n", LogTime(), PROGRAM, b64Token);
-Index: squid-3.5.21/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
+Index: squid-4.8/src/auth/negotiate/wrapper/negotiate_wrapper.cc
 ===================================================================
---- squid-3.5.21.orig/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
-+++ squid-3.5.21/helpers/negotiate_auth/wrapper/negotiate_wrapper.cc
-@@ -341,7 +341,7 @@ main(int argc, char *const argv[])
+--- squid-4.8.orig/src/auth/negotiate/wrapper/negotiate_wrapper.cc
++++ squid-4.8/src/auth/negotiate/wrapper/negotiate_wrapper.cc
+@@ -192,7 +192,7 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT
  
          struct base64_decode_ctx ctx;
          base64_decode_init(&ctx);
--        unsigned int dstLen = 0;
-+        unsigned int dstLen = length;
-         if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), reinterpret_cast<const uint8_t*>(buf+3)) ||
+-        size_t dstLen = 0;
++        size_t dstLen = length+1;
+         if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), buf+3) ||
                  !base64_decode_final(&ctx)) {
-             if (debug)
-Index: squid-3.5.21/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
+             if (debug_enabled)
+Index: squid-4.8/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
 ===================================================================
---- squid-3.5.21.orig/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
-+++ squid-3.5.21/helpers/ntlm_auth/fake/ntlm_fake_auth.cc
-@@ -151,7 +151,7 @@ main(int argc, char *argv[])
-         buflen = strlen(buf);   /* keep this so we only scan the buffer for \0 once per loop */
-         struct base64_decode_ctx ctx;
-         base64_decode_init(&ctx);
--        unsigned int dstLen = 0;
-+        unsigned int dstLen = HELPER_INPUT_BUFFER;
-         if (buflen > 3 &&
-                 base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, reinterpret_cast<const uint8_t*>(buf+3)) &&
-                 base64_decode_final(&ctx)) {
-Index: squid-3.5.21/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
-===================================================================
---- squid-3.5.21.orig/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
-+++ squid-3.5.21/helpers/ntlm_auth/smb_lm/ntlm_smb_lm_auth.cc
+--- squid-4.8.orig/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
++++ squid-4.8/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
 @@ -517,7 +517,7 @@ manage_request()
-         /* figure out what we got */
          struct base64_decode_ctx ctx;
          base64_decode_init(&ctx);
--        unsigned int dstLen = 0;
-+        unsigned int dstLen = NTLM_BLOB_BUFFER_SIZE;
-         int decodedLen = 0;
-         if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(decoded), strlen(buf)-3, reinterpret_cast<const uint8_t*>(buf+3)) ||
+         size_t dstLen = 0;
+-        int decodedLen = 0;
++        int decodedLen = NTLM_BLOB_BUFFER_SIZE;
+         if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(decoded), strlen(buf)-3, buf+3) ||
                  !base64_decode_final(&ctx)) {
-Index: squid-3.5.21/src/HttpHeader.cc
+             SEND("NA Packet format error, couldn't base64-decode");
+Index: squid-4.8/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc
 ===================================================================
---- squid-3.5.21.orig/src/HttpHeader.cc
-+++ squid-3.5.21/src/HttpHeader.cc
-@@ -1535,7 +1535,7 @@ HttpHeader::getAuth(http_hdr_type id, co
-     static char decodedAuthToken[8192];
+--- squid-4.8.orig/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc
++++ squid-4.8/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc
+@@ -418,6 +418,7 @@ token_decode(size_t *decodedLen, uint8_t
+ {
      struct base64_decode_ctx ctx;
      base64_decode_init(&ctx);
--    unsigned int decodedLen = 0;
-+    unsigned int decodedLen = 8190;
-     if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), strlen(field), reinterpret_cast<const uint8_t*>(field)) ||
++    *decodedLen = BASE64_DECODE_LENGTH(strlen(buf))+1;
+     if (!base64_decode_update(&ctx, decodedLen, decoded, strlen(buf), reinterpret_cast<const uint8_t*>(buf)) ||
              !base64_decode_final(&ctx)) {
-         return NULL;
-Index: squid-3.5.21/src/auth/basic/Config.cc
+         SEND_BH("message=\"base64 decode failed\"");
+Index: squid-4.8/src/auth/ntlm/fake/ntlm_fake_auth.cc
 ===================================================================
---- squid-3.5.21.orig/src/auth/basic/Config.cc
-+++ squid-3.5.21/src/auth/basic/Config.cc
-@@ -173,7 +173,7 @@ Auth::Basic::Config::decodeCleartext(con
+--- squid-4.8.orig/src/auth/ntlm/fake/ntlm_fake_auth.cc
++++ squid-4.8/src/auth/ntlm/fake/ntlm_fake_auth.cc
+@@ -153,7 +153,7 @@ main(int argc, char *argv[])
+         ntlmhdr *packet;
+         struct base64_decode_ctx ctx;
+         base64_decode_init(&ctx);
+-        size_t dstLen = 0;
++        size_t dstLen = HELPER_INPUT_BUFFER;
+         if (buflen > 3 &&
+                 base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, buf+3) &&
+                 base64_decode_final(&ctx)) {
+Index: squid-4.8/tools/cachemgr.cc
+===================================================================
+--- squid-4.8.orig/tools/cachemgr.cc
++++ squid-4.8/tools/cachemgr.cc
+@@ -1103,7 +1103,7 @@ decode_pub_auth(cachemgr_request * req)
+     char *buf = static_cast<char*>(xmalloc(BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1));
      struct base64_decode_ctx ctx;
      base64_decode_init(&ctx);
- 
--    unsigned int dstLen = 0;
-+    unsigned int dstLen = BASE64_DECODE_LENGTH(srcLen)+1;
-     if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, (const uint8_t*)eek) && base64_decode_final(&ctx)) {
-         cleartext[dstLen] = '\0';
- 
+-    size_t decodedLen = 0;
++    size_t decodedLen = BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1;
+     if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(buf), strlen(req->pub_auth), req->pub_auth) ||
+             !base64_decode_final(&ctx)) {
+         debug("cmgr: base64 decode failure. Incomplete auth token string.\n");