Update nettle to version 3.0.

Requires some fixes in dnsmasq which can be dropped
with the next release.

src/patches/dnsmasq-2.71-support-nettle-3.0.patch

@@ -0,0 +1,65 @@
+From cdb755c5f16a6768c3e8b1f345fe15fc9244228d Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Wed, 18 Jun 2014 20:52:53 +0100
+Subject: [PATCH] Fix FTBFS with Nettle-3.0.
+
+---
+ CHANGELOG    |    3 +++
+ src/dnssec.c |   18 ++++++++++++------
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 2ffb75d..69bfc29 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -28,6 +28,12 @@
+ #include <nettle/nettle-meta.h>
+ #include <nettle/bignum.h>
+ 
++/* Nettle-3.0 moved to a new API for DSA. We use a name that's defined in the new API
++   to detect Nettle-3, and invoke the backwards compatibility mode. */
++#ifdef dsa_params_init
++#include <nettle/dsa-compat.h>
++#endif
++
+ 
+ #define SERIAL_UNDEF  -100
+ #define SERIAL_EQ        0
+@@ -121,8 +127,8 @@ static int hash_init(const struct nettle_hash *hash, void **ctxp, unsigned char
+   return 1;
+ }
+   
+-static int rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+-		      unsigned char *digest, int algo)
++static int dnsmasq_rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
++			      unsigned char *digest, int algo)
+ {
+   unsigned char *p;
+   size_t exp_len;
+@@ -173,8 +179,8 @@ static int rsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned
+   return 0;
+ }  
+ 
+-static int dsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
+-		      unsigned char *digest, int algo)
++static int dnsmasq_dsa_verify(struct blockdata *key_data, unsigned int key_len, unsigned char *sig, size_t sig_len,
++			      unsigned char *digest, int algo)
+ {
+   unsigned char *p;
+   unsigned int t;
+@@ -293,10 +299,10 @@ static int verify(struct blockdata *key_data, unsigned int key_len, unsigned cha
+   switch (algo)
+     {
+     case 1: case 5: case 7: case 8: case 10:
+-      return rsa_verify(key_data, key_len, sig, sig_len, digest, algo);
++      return dnsmasq_rsa_verify(key_data, key_len, sig, sig_len, digest, algo);
+       
+     case 3: case 6: 
+-      return dsa_verify(key_data, key_len, sig, sig_len, digest, algo);
++      return dnsmasq_dsa_verify(key_data, key_len, sig, sig_len, digest, algo);
+  
+ #ifndef NO_NETTLE_ECC   
+     case 13: case 14:
+-- 
+1.7.10.4
+

src/patches/dnsmasq-2.71-use-nettle-with-minigmp.patch

@@ -0,0 +1,88 @@
+From 063efb330a3f341c2548e2cf1f67f83e49cd6395 Mon Sep 17 00:00:00 2001
+From: Simon Kelley <simon@thekelleys.org.uk>
+Date: Tue, 17 Jun 2014 19:49:31 +0100
+Subject: [PATCH] Build config: add -DNO_GMP for use with nettle/mini-gmp
+
+---
+ Makefile        |    2 +-
+ bld/pkg-wrapper |    9 +++++++--
+ src/config.h    |    7 +++++++
+ src/dnssec.c    |    3 ++-
+ 4 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index c58b50b..17eeb27 100644
+--- a/Makefile
++++ b/Makefile
+@@ -61,7 +61,7 @@ lua_cflags =    `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CON
+ lua_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_LUASCRIPT $(PKG_CONFIG) --libs lua5.1` 
+ nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --cflags nettle hogweed`
+ nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --libs nettle hogweed`
+-gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC $(PKG_CONFIG) --copy -lgmp`
++gmp_libs =      `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC NO_GMP --copy -lgmp`
+ sunos_libs =    `if uname | grep SunOS >/dev/null 2>&1; then echo -lsocket -lnsl -lposix4; fi`
+ version =     -DVERSION='\"`$(top)/bld/get-version $(top)`\"'
+ 
+diff --git a/bld/pkg-wrapper b/bld/pkg-wrapper
+index 9f9332d..0ddb678 100755
+--- a/bld/pkg-wrapper
++++ b/bld/pkg-wrapper
+@@ -11,9 +11,14 @@ in=`cat`
+ 
+ if grep "^\#[[:space:]]*define[[:space:]]*$search" config.h >/dev/null 2>&1 || \
+     echo $in | grep $search >/dev/null 2>&1; then
+-
++# Nasty, nasty, in --copy, arg 2 is another config to search for, use with NO_GMP
+     if [ $op = "--copy" ]; then
+-	pkg="$*"
++	if grep "^\#[[:space:]]*define[[:space:]]*$pkg" config.h >/dev/null 2>&1 || \
++            echo $in | grep $pkg >/dev/null 2>&1; then
++	    pkg=""
++	else 
++	    pkg="$*"
++	fi
+     elif grep "^\#[[:space:]]*define[[:space:]]*${search}_STATIC" config.h >/dev/null 2>&1 || \
+ 	      echo $in | grep ${search}_STATIC >/dev/null 2>&1; then
+ 	pkg=`$pkg  --static $op $*`
+diff --git a/src/config.h b/src/config.h
+index 2155544..ee6d218 100644
+--- a/src/config.h
++++ b/src/config.h
+@@ -105,6 +105,8 @@ HAVE_AUTH
+    define this to include the facility to act as an authoritative DNS
+    server for one or more zones.
+ 
++HAVE_DNSSEC
++   include DNSSEC validator.
+ 
+ NO_IPV6
+ NO_TFTP
+@@ -118,6 +120,11 @@ NO_AUTH
+    which are enabled  by default in the distributed source tree. Building dnsmasq
+    with something like "make COPTS=-DNO_SCRIPT" will do the trick.
+ 
++NO_NETTLE_ECC
++   Don't include the ECDSA cypher in DNSSEC validation. Needed for older Nettle versions.
++NO_GMP
++   Don't use and link against libgmp, Useful if nettle is built with --enable-mini-gmp.
++
+ LEASEFILE
+ CONFFILE
+ RESOLVFILE
+diff --git a/src/dnssec.c b/src/dnssec.c
+index 44d626b..2ffb75d 100644
+--- a/src/dnssec.c
++++ b/src/dnssec.c
+@@ -26,7 +26,8 @@
+ #  include <nettle/ecc-curve.h>
+ #endif
+ #include <nettle/nettle-meta.h>
+-#include <gmp.h>
++#include <nettle/bignum.h>
++
+ 
+ #define SERIAL_UNDEF  -100
+ #define SERIAL_EQ        0
+-- 
+1.7.10.4
+