diff --git a/old_nettle_compat.patch b/old_nettle_compat.patch
index ffe5f69..83300b9 100644
--- a/old_nettle_compat.patch
+++ b/old_nettle_compat.patch
@@ -19,28 +19,32 @@ Index: squid-4.8/src/HttpHeader.cc
 ===================================================================
 --- squid-4.8.orig/src/HttpHeader.cc
 +++ squid-4.8/src/HttpHeader.cc
-@@ -1301,7 +1301,7 @@ HttpHeader::getAuthToken(Http::HdrType i
+@@ -1301,8 +1301,8 @@ HttpHeader::getAuthToken(Http::HdrType i
      char *decodedAuthToken = result.rawAppendStart(BASE64_DECODE_LENGTH(fieldLen));
      struct base64_decode_ctx ctx;
      base64_decode_init(&ctx);
 -    size_t decodedLen = 0;
-+    size_t decodedLen = BASE64_DECODE_LENGTH(fieldLen);
-     if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, field) ||
+-    if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, field) ||
++    unsigned decodedLen = BASE64_DECODE_LENGTH(fieldLen);
++    if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(decodedAuthToken), fieldLen, (uint8_t*)field) ||
              !base64_decode_final(&ctx)) {
          return nil;
+     }
 Index: squid-4.8/src/auth/basic/Config.cc
 ===================================================================
 --- squid-4.8.orig/src/auth/basic/Config.cc
 +++ squid-4.8/src/auth/basic/Config.cc
-@@ -176,7 +176,7 @@ Auth::Basic::Config::decodeCleartext(con
+@@ -176,8 +176,8 @@ Auth::Basic::Config::decodeCleartext(con
      struct base64_decode_ctx ctx;
      base64_decode_init(&ctx);
  
 -    size_t dstLen = 0;
-+    size_t dstLen = BASE64_DECODE_LENGTH(srcLen)+1;
-     if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
+-    if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, eek) && base64_decode_final(&ctx)) {
++    unsigned int dstLen = BASE64_DECODE_LENGTH(srcLen)+1;
++    if (base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(cleartext), srcLen, (const uint8_t*)eek) && base64_decode_final(&ctx)) {
          cleartext[dstLen] = '\0';
  
+         /*
 Index: squid-4.8/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc
 ===================================================================
 --- squid-4.8.orig/src/auth/negotiate/SSPI/negotiate_sspi_auth.cc
@@ -57,41 +61,70 @@ Index: squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
 ===================================================================
 --- squid-4.8.orig/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
 +++ squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_auth.cc
-@@ -681,7 +681,7 @@ main(int argc, char *const argv[])
+@@ -681,8 +681,8 @@ main(int argc, char *const argv[])
  
          struct base64_decode_ctx ctx;
          base64_decode_init(&ctx);
 -        size_t dstLen = 0;
-+        size_t dstLen = BASE64_DECODE_LENGTH(srcLen);
-         if (!base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), srcLen, b64Token) ||
+-        if (!base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), srcLen, b64Token) ||
++        unsigned dstLen = BASE64_DECODE_LENGTH(srcLen);
++        if (!base64_decode_update(&ctx, &dstLen, static_cast<uint8_t*>(input_token.value), srcLen, (const uint8_t*)b64Token) ||
                  !base64_decode_final(&ctx)) {
              debug((char *) "%s| %s: ERROR: Invalid base64 token [%s]\n", LogTime(), PROGRAM, b64Token);
+             fprintf(stdout, "BH Invalid negotiate request token\n");
+@@ -743,8 +743,8 @@ main(int argc, char *const argv[])
+             }
+             struct base64_encode_ctx tokCtx;
+             base64_encode_init(&tokCtx);
+-            size_t blen = base64_encode_update(&tokCtx, token, spnegoTokenLength, reinterpret_cast<const uint8_t*>(spnegoToken));
+-            blen += base64_encode_final(&tokCtx, token+blen);
++            size_t blen = base64_encode_update(&tokCtx, (uint8_t*)token, spnegoTokenLength, reinterpret_cast<const uint8_t*>(spnegoToken));
++            blen += base64_encode_final(&tokCtx, (uint8_t*)token+blen);
+             token[blen] = '\0';
+ 
+             if (check_gss_err(major_status, minor_status, "gss_accept_sec_context()", log, 1))
 Index: squid-4.8/src/auth/negotiate/wrapper/negotiate_wrapper.cc
 ===================================================================
 --- squid-4.8.orig/src/auth/negotiate/wrapper/negotiate_wrapper.cc
 +++ squid-4.8/src/auth/negotiate/wrapper/negotiate_wrapper.cc
-@@ -192,7 +192,7 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT
+@@ -192,8 +192,8 @@ processingLoop(FILE *FDKIN, FILE *FDKOUT
  
          struct base64_decode_ctx ctx;
          base64_decode_init(&ctx);
 -        size_t dstLen = 0;
-+        size_t dstLen = length+1;
-         if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), buf+3) ||
+-        if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), buf+3) ||
++        unsigned dstLen = length+1;
++        if (!base64_decode_update(&ctx, &dstLen, token, strlen(buf+3), (const uint8_t*)buf+3) ||
                  !base64_decode_final(&ctx)) {
              if (debug_enabled)
+                 fprintf(stderr, "%s| %s: Invalid base64 token [%s]\n", LogTime(), PROGRAM, buf+3);
 Index: squid-4.8/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
 ===================================================================
 --- squid-4.8.orig/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
 +++ squid-4.8/src/auth/ntlm/SMB_LM/ntlm_smb_lm_auth.cc
-@@ -517,7 +517,7 @@ manage_request()
+@@ -203,8 +203,8 @@ make_challenge(char *domain, char *domai
+ 
+     struct base64_encode_ctx ctx;
+     base64_encode_init(&ctx);
+-    size_t blen = base64_encode_update(&ctx, b64buf, len, reinterpret_cast<const uint8_t *>(&chal));
+-    blen += base64_encode_final(&ctx, b64buf+blen);
++    size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, len, reinterpret_cast<const uint8_t *>(&chal));
++    blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen);
+     b64buf[blen] = '\0';
+     return b64buf;
+ }
+@@ -516,9 +516,9 @@ manage_request()
+         /* figure out what we got */
          struct base64_decode_ctx ctx;
          base64_decode_init(&ctx);
-         size_t dstLen = 0;
--        int decodedLen = 0;
-+        int decodedLen = NTLM_BLOB_BUFFER_SIZE;
-         if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(decoded), strlen(buf)-3, buf+3) ||
+-        size_t dstLen = 0;
++        unsigned dstLen = NTLM_BLOB_BUFFER_SIZE;
+         int decodedLen = 0;
+-        if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(decoded), strlen(buf)-3, buf+3) ||
++        if (!base64_decode_update(&ctx, &dstLen, reinterpret_cast<uint8_t*>(decoded), strlen(buf)-3, (const uint8_t*)buf+3) ||
                  !base64_decode_final(&ctx)) {
              SEND("NA Packet format error, couldn't base64-decode");
+             return;
 Index: squid-4.8/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc
 ===================================================================
 --- squid-4.8.orig/src/auth/ntlm/SSPI/ntlm_sspi_auth.cc
@@ -108,28 +141,66 @@ Index: squid-4.8/src/auth/ntlm/fake/ntlm_fake_auth.cc
 ===================================================================
 --- squid-4.8.orig/src/auth/ntlm/fake/ntlm_fake_auth.cc
 +++ squid-4.8/src/auth/ntlm/fake/ntlm_fake_auth.cc
-@@ -153,7 +153,7 @@ main(int argc, char *argv[])
+@@ -153,9 +153,9 @@ main(int argc, char *argv[])
          ntlmhdr *packet;
          struct base64_decode_ctx ctx;
          base64_decode_init(&ctx);
 -        size_t dstLen = 0;
-+        size_t dstLen = HELPER_INPUT_BUFFER;
++        unsigned dstLen = HELPER_INPUT_BUFFER;
          if (buflen > 3 &&
-                 base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, buf+3) &&
+-                base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, buf+3) &&
++                base64_decode_update(&ctx, &dstLen, decodedBuf, buflen-3, (const uint8_t*)buf+3) &&
                  base64_decode_final(&ctx)) {
+             decodedLen = dstLen;
+             packet = (ntlmhdr*)decodedBuf;
+@@ -190,8 +190,8 @@ main(int argc, char *argv[])
+             struct base64_encode_ctx eCtx;
+             base64_encode_init(&eCtx);
+             char *data = static_cast<char *>(xcalloc(base64_encode_len(len), 1));
+-            size_t blen = base64_encode_update(&eCtx, data, len, reinterpret_cast<const uint8_t *>(&chal));
+-            blen += base64_encode_final(&eCtx, data+blen);
++            size_t blen = base64_encode_update(&eCtx, (uint8_t*)data, len, reinterpret_cast<const uint8_t *>(&chal));
++            blen += base64_encode_final(&eCtx, (uint8_t*)data+blen);
+             if (NTLM_packet_debug_enabled) {
+                 printf("TT %.*s\n", (int)blen, data);
+                 debug("sending 'TT' to squid with data:\n");
 Index: squid-4.8/tools/cachemgr.cc
 ===================================================================
 --- squid-4.8.orig/tools/cachemgr.cc
 +++ squid-4.8/tools/cachemgr.cc
-@@ -1103,7 +1103,7 @@ decode_pub_auth(cachemgr_request * req)
+@@ -1082,8 +1082,8 @@ make_pub_auth(cachemgr_request * req)
+     req->pub_auth = (char *) xmalloc(encodedLen);
+     struct base64_encode_ctx ctx;
+     base64_encode_init(&ctx);
+-    size_t blen = base64_encode_update(&ctx, req->pub_auth, bufLen, reinterpret_cast<uint8_t*>(buf));
+-    blen += base64_encode_final(&ctx, req->pub_auth + blen);
++    size_t blen = base64_encode_update(&ctx, (uint8_t*)req->pub_auth, bufLen, reinterpret_cast<uint8_t*>(buf));
++    blen += base64_encode_final(&ctx, (uint8_t*)req->pub_auth + blen);
+     req->pub_auth[blen] = '\0';
+     debug("cmgr: encoded: '%s'\n", req->pub_auth);
+ }
+@@ -1103,8 +1103,8 @@ decode_pub_auth(cachemgr_request * req)
      char *buf = static_cast<char*>(xmalloc(BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1));
      struct base64_decode_ctx ctx;
      base64_decode_init(&ctx);
 -    size_t decodedLen = 0;
-+    size_t decodedLen = BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1;
-     if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(buf), strlen(req->pub_auth), req->pub_auth) ||
+-    if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(buf), strlen(req->pub_auth), req->pub_auth) ||
++    unsigned decodedLen = BASE64_DECODE_LENGTH(strlen(req->pub_auth))+1;
++    if (!base64_decode_update(&ctx, &decodedLen, reinterpret_cast<uint8_t*>(buf), strlen(req->pub_auth), (uint8_t*)req->pub_auth) ||
              !base64_decode_final(&ctx)) {
          debug("cmgr: base64 decode failure. Incomplete auth token string.\n");
+         xfree(buf);
+@@ -1197,8 +1197,8 @@ make_auth_header(const cachemgr_request
+     char *str64 = static_cast<char *>(xmalloc(encodedLen));
+     struct base64_encode_ctx ctx;
+     base64_encode_init(&ctx);
+-    size_t blen = base64_encode_update(&ctx, str64, bufLen, reinterpret_cast<uint8_t*>(buf));
+-    blen += base64_encode_final(&ctx, str64+blen);
++    size_t blen = base64_encode_update(&ctx, (uint8_t*)str64, bufLen, reinterpret_cast<uint8_t*>(buf));
++    blen += base64_encode_final(&ctx, (uint8_t*)str64+blen);
+     str64[blen] = '\0';
+ 
+     stringLength += snprintf(buf, sizeof(buf), "Authorization: Basic %.*s\r\n", (int)blen, str64);
 Index: squid-4.8/include/base64.h
 ===================================================================
 --- squid-4.8.orig/include/base64.h
@@ -161,3 +232,207 @@ Index: squid-4.8/lib/base64.c
  
  /* base64-encode.c
  
+Index: squid-4.8/src/format/Format.cc
+===================================================================
+--- squid-4.8.orig/src/format/Format.cc
++++ squid-4.8/src/format/Format.cc
+@@ -557,8 +557,8 @@ Format::Format::assemble(MemBuf &mb, con
+ 
+                     struct base64_encode_ctx ctx;
+                     base64_encode_init(&ctx);
+-                    auto encLength = base64_encode_update(&ctx, buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent()));
+-                    encLength += base64_encode_final(&ctx, buf + encLength);
++                    auto encLength = base64_encode_update(&ctx, (uint8_t*)buf, rawLength, reinterpret_cast<const uint8_t*>(handshake.rawContent()));
++                    encLength += base64_encode_final(&ctx, (uint8_t*)buf + encLength);
+ 
+                     sb.rawAppendFinish(buf, encLength);
+                     out = sb.c_str();
+Index: squid-4.8/src/auth/digest/Config.cc
+===================================================================
+--- squid-4.8.orig/src/auth/digest/Config.cc
++++ squid-4.8/src/auth/digest/Config.cc
+@@ -111,8 +111,8 @@ authDigestNonceEncode(digest_nonce_h * n
+     nonce->key = xcalloc(base64_encode_len(sizeof(digest_nonce_data)), 1);
+     struct base64_encode_ctx ctx;
+     base64_encode_init(&ctx);
+-    size_t blen = base64_encode_update(&ctx, reinterpret_cast<char*>(nonce->key), sizeof(digest_nonce_data), reinterpret_cast<const uint8_t*>(&(nonce->noncedata)));
+-    blen += base64_encode_final(&ctx, reinterpret_cast<char*>(nonce->key)+blen);
++    size_t blen = base64_encode_update(&ctx, (uint8_t*)nonce->key, sizeof(digest_nonce_data), (uint8_t*)&(nonce->noncedata));
++    blen += base64_encode_final(&ctx, ((uint8_t*)(nonce->key))+blen);
+ }
+ 
+ digest_nonce_h *
+Index: squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_auth_test.cc
+===================================================================
+--- squid-4.8.orig/src/auth/negotiate/kerberos/negotiate_kerberos_auth_test.cc
++++ squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_auth_test.cc
+@@ -203,8 +203,8 @@ squid_kerb_proxy_auth(char *proxy)
+             token = (char *) xcalloc(base64_encode_len(output_token.length), 1);
+             struct base64_encode_ctx ctx;
+             base64_encode_init(&ctx);
+-            size_t blen = base64_encode_update(&ctx, token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
+-            blen += base64_encode_final(&ctx, token+blen);
++            size_t blen = base64_encode_update(&ctx, (uint8_t*)token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
++            blen += base64_encode_final(&ctx, (uint8_t*)token+blen);
+         }
+     }
+ 
+Index: squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
+===================================================================
+--- squid-4.8.orig/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
++++ squid-4.8/src/auth/negotiate/kerberos/negotiate_kerberos_pac.cc
+@@ -245,8 +245,8 @@ getdomaingids(char *ad_groups, uint32_t
+             base64_encode_init(&ctx);
+             const uint32_t expectedSz = base64_encode_len(length+4) +1 /* terminator */;
+             char *b64buf = static_cast<char *>(xcalloc(expectedSz, 1));
+-            size_t blen = base64_encode_update(&ctx, b64buf, length+4, reinterpret_cast<uint8_t*>(ag));
+-            blen += base64_encode_final(&ctx, b64buf+blen);
++            size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, length+4, reinterpret_cast<uint8_t*>(ag));
++            blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen);
+             b64buf[expectedSz-1] = '\0';
+             if (!pstrcat(ad_groups, b64buf)) {
+                 debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n",
+@@ -334,8 +334,8 @@ getextrasids(char *ad_groups, uint32_t E
+                 base64_encode_init(&ctx);
+                 const uint32_t expectedSz = base64_encode_len(length) +1 /* terminator */;
+                 char *b64buf = static_cast<char *>(xcalloc(expectedSz, 1));
+-                size_t blen = base64_encode_update(&ctx, b64buf, length, reinterpret_cast<uint8_t*>(ag));
+-                blen += base64_encode_final(&ctx, b64buf+blen);
++                size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, length, reinterpret_cast<uint8_t*>(ag));
++                blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen);
+                 b64buf[expectedSz-1] = '\0';
+                 if (!pstrcat(ad_groups, reinterpret_cast<char*>(b64buf))) {
+                     debug((char *) "%s| %s: WARN: Too many groups ! size > %d : %s\n",
+Index: squid-4.8/src/adaptation/icap/ModXact.cc
+===================================================================
+--- squid-4.8.orig/src/adaptation/icap/ModXact.cc
++++ squid-4.8/src/adaptation/icap/ModXact.cc
+@@ -1369,10 +1369,10 @@ void Adaptation::Icap::ModXact::makeRequ
+         struct base64_encode_ctx ctx;
+         base64_encode_init(&ctx);
+         char base64buf[base64_encode_len(MAX_LOGIN_SZ)];
+-        size_t resultLen = base64_encode_update(&ctx, base64buf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
+-        resultLen += base64_encode_update(&ctx, base64buf+resultLen, 1, reinterpret_cast<const uint8_t*>(":"));
+-        resultLen += base64_encode_update(&ctx, base64buf+resultLen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
+-        resultLen += base64_encode_final(&ctx, base64buf+resultLen);
++        size_t resultLen = base64_encode_update(&ctx, (uint8_t*)base64buf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
++        resultLen += base64_encode_update(&ctx, (uint8_t*)base64buf+resultLen, 1, reinterpret_cast<const uint8_t*>(":"));
++        resultLen += base64_encode_update(&ctx, (uint8_t*)base64buf+resultLen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
++        resultLen += base64_encode_final(&ctx, (uint8_t*)base64buf+resultLen);
+         buf.appendf("Proxy-Authorization: Basic %.*s\r\n", (int)resultLen, base64buf);
+     }
+ 
+@@ -1529,8 +1529,8 @@ void Adaptation::Icap::ModXact::makeUser
+     if (value) {
+         if (TheConfig.client_username_encode) {
+             char base64buf[base64_encode_len(MAX_LOGIN_SZ)];
+-            size_t resultLen = base64_encode_update(&ctx, base64buf, strlen(value), reinterpret_cast<const uint8_t*>(value));
+-            resultLen += base64_encode_final(&ctx, base64buf+resultLen);
++            size_t resultLen = base64_encode_update(&ctx, (uint8_t*)base64buf, strlen(value), reinterpret_cast<const uint8_t*>(value));
++            resultLen += base64_encode_final(&ctx, (uint8_t*)base64buf+resultLen);
+             buf.appendf("%s: %.*s\r\n", TheConfig.client_username_header, (int)resultLen, base64buf);
+         } else
+             buf.appendf("%s: %s\r\n", TheConfig.client_username_header, value);
+Index: squid-4.8/src/http.cc
+===================================================================
+--- squid-4.8.orig/src/http.cc
++++ squid-4.8/src/http.cc
+@@ -1697,9 +1697,9 @@ httpFixupAuthentication(HttpRequest * re
+             username = request->auth_user_request->username();
+ #endif
+ 
+-        blen = base64_encode_update(&ctx, loginbuf, strlen(username), reinterpret_cast<const uint8_t*>(username));
+-        blen += base64_encode_update(&ctx, loginbuf+blen, strlen(request->peer_login +1), reinterpret_cast<const uint8_t*>(request->peer_login +1));
+-        blen += base64_encode_final(&ctx, loginbuf+blen);
++        blen = base64_encode_update(&ctx, (uint8_t*)loginbuf, strlen(username), reinterpret_cast<const uint8_t*>(username));
++        blen += base64_encode_update(&ctx, (uint8_t*)loginbuf+blen, strlen(request->peer_login +1), reinterpret_cast<const uint8_t*>(request->peer_login +1));
++        blen += base64_encode_final(&ctx, (uint8_t*)loginbuf+blen);
+         httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
+         return;
+     }
+@@ -1709,10 +1709,10 @@ httpFixupAuthentication(HttpRequest * re
+             (strcmp(request->peer_login, "PASS") == 0 ||
+              strcmp(request->peer_login, "PROXYPASS") == 0)) {
+ 
+-        blen = base64_encode_update(&ctx, loginbuf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
+-        blen += base64_encode_update(&ctx, loginbuf+blen, 1, reinterpret_cast<const uint8_t*>(":"));
+-        blen += base64_encode_update(&ctx, loginbuf+blen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
+-        blen += base64_encode_final(&ctx, loginbuf+blen);
++        blen = base64_encode_update(&ctx, (uint8_t*)loginbuf, request->extacl_user.size(), reinterpret_cast<const uint8_t*>(request->extacl_user.rawBuf()));
++        blen += base64_encode_update(&ctx, (uint8_t*)loginbuf+blen, 1, reinterpret_cast<const uint8_t*>(":"));
++        blen += base64_encode_update(&ctx, (uint8_t*)loginbuf+blen, request->extacl_passwd.size(), reinterpret_cast<const uint8_t*>(request->extacl_passwd.rawBuf()));
++        blen += base64_encode_final(&ctx, (uint8_t*)loginbuf+blen);
+         httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
+         return;
+     }
+@@ -1741,8 +1741,8 @@ httpFixupAuthentication(HttpRequest * re
+     }
+ #endif /* HAVE_KRB5 && HAVE_GSSAPI */
+ 
+-    blen = base64_encode_update(&ctx, loginbuf, strlen(request->peer_login), reinterpret_cast<const uint8_t*>(request->peer_login));
+-    blen += base64_encode_final(&ctx, loginbuf+blen);
++    blen = base64_encode_update(&ctx, (uint8_t*)loginbuf, strlen(request->peer_login), reinterpret_cast<const uint8_t*>(request->peer_login));
++    blen += base64_encode_final(&ctx, (uint8_t*)loginbuf+blen);
+     httpHeaderPutStrf(hdr_out, header, "Basic %.*s", (int)blen, loginbuf);
+     return;
+ }
+@@ -1869,8 +1869,8 @@ HttpStateData::httpBuildRequestHeader(Ht
+             static char result[base64_encode_len(MAX_URL*2)]; // should be big enough for a single URI segment
+             struct base64_encode_ctx ctx;
+             base64_encode_init(&ctx);
+-            size_t blen = base64_encode_update(&ctx, result, request->url.userInfo().length(), reinterpret_cast<const uint8_t*>(request->url.userInfo().rawContent()));
+-            blen += base64_encode_final(&ctx, result+blen);
++            size_t blen = base64_encode_update(&ctx, (uint8_t*)result, request->url.userInfo().length(), reinterpret_cast<const uint8_t*>(request->url.userInfo().rawContent()));
++            blen += base64_encode_final(&ctx, (uint8_t*)result+blen);
+             result[blen] = '\0';
+             if (blen)
+                 httpHeaderPutStrf(hdr_out, Http::HdrType::AUTHORIZATION, "Basic %.*s", (int)blen, result);
+Index: squid-4.8/src/peer_proxy_negotiate_auth.cc
+===================================================================
+--- squid-4.8.orig/src/peer_proxy_negotiate_auth.cc
++++ squid-4.8/src/peer_proxy_negotiate_auth.cc
+@@ -562,8 +562,8 @@ char *peer_proxy_negotiate_auth(char *pr
+         static char b64buf[8192]; // XXX: 8KB only because base64_encode_bin() used to.
+         struct base64_encode_ctx ctx;
+         base64_encode_init(&ctx);
+-        size_t blen = base64_encode_update(&ctx, b64buf, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
+-        blen += base64_encode_final(&ctx, b64buf+blen);
++        size_t blen = base64_encode_update(&ctx, (uint8_t*)b64buf, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
++        blen += base64_encode_final(&ctx, (uint8_t*)b64buf+blen);
+         b64buf[blen] = '\0';
+ 
+         token = reinterpret_cast<char*>(b64buf);
+Index: squid-4.8/tools/squidclient/gssapi_support.cc
+===================================================================
+--- squid-4.8.orig/tools/squidclient/gssapi_support.cc
++++ squid-4.8/tools/squidclient/gssapi_support.cc
+@@ -134,8 +134,8 @@ GSSAPI_token(const char *server)
+             token = new char[base64_encode_len(output_token.length)];
+             struct base64_encode_ctx ctx;
+             base64_encode_init(&ctx);
+-            size_t blen = base64_encode_update(&ctx, token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
+-            blen += base64_encode_final(&ctx, token+blen);
++            size_t blen = base64_encode_update(&ctx, (uint8_t*)token, output_token.length, reinterpret_cast<const uint8_t*>(output_token.value));
++            blen += base64_encode_final(&ctx, (uint8_t*)token+blen);
+             token[blen] = '\0';
+         }
+     }
+Index: squid-4.8/tools/squidclient/squidclient.cc
+===================================================================
+--- squid-4.8.orig/tools/squidclient/squidclient.cc
++++ squid-4.8/tools/squidclient/squidclient.cc
+@@ -212,10 +212,10 @@ Authorization::commit(std::ostream &os)
+     const auto buf = new char[bcapacity];
+ 
+     size_t bsize = 0;
+-    bsize += base64_encode_update(&ctx, buf, strlen(user), reinterpret_cast<const uint8_t*>(user));
+-    bsize += base64_encode_update(&ctx, buf+bsize, 1, reinterpret_cast<const uint8_t*>(":"));
+-    bsize += base64_encode_update(&ctx, buf+bsize, strlen(password), reinterpret_cast<const uint8_t*>(password));
+-    bsize += base64_encode_final(&ctx, buf+bsize);
++    bsize += base64_encode_update(&ctx, (uint8_t*)buf, strlen(user), reinterpret_cast<const uint8_t*>(user));
++    bsize += base64_encode_update(&ctx, (uint8_t*)buf+bsize, 1, reinterpret_cast<const uint8_t*>(":"));
++    bsize += base64_encode_update(&ctx, (uint8_t*)buf+bsize, strlen(password), reinterpret_cast<const uint8_t*>(password));
++    bsize += base64_encode_final(&ctx, (uint8_t*)buf+bsize);
+     assert(bsize <= bcapacity); // paranoid and late but better than nothing
+ 
+     os << header << ": Basic ";