diff --git a/CMakeLists.txt b/CMakeLists.txt
index 08cb9b5..422a7c4 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -7,6 +7,8 @@
   set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O2 -Wall -Wextra -W -Wdeclaration-after-statement")
   set(CMAKE_C_FLAGS_DEBUG "-g3 -O0")
   set(CMAKE_C_FLAGS_COVERAGE "-g3 -O0 -fprofile-arcs -ftest-coverage -lgcov")
+  set(CMAKE_C_FLAGS_CHECK "${CMAKE_C_FLAGS} -O2 -Wall -Wextra -W -Wdeclaration-after-statement -Wlogical-op -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations")
+  set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS} -O2 -Wall -Wextra -W -Wdeclaration-after-statement -Wlogical-op -Wcast-qual -Wwrite-strings -Wmissing-prototypes -Wmissing-declarations")
 endif(CMAKE_COMPILER_IS_GNUCC)
  
 if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
diff --git a/ChangeLog b/ChangeLog
index 334d147..1d28f6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
 PolarSSL ChangeLog (Sorted per branch, date)
 
+= PolarSSL 1.3 branch
+Bugfix
+   * Fixed X.509 hostname comparison (with non-regular characters)
+   * SSL now gracefully handles missing RNG
+
 = PolarSSL 1.3.2 released on 2013-11-04
 Features
    * PK tests added to test framework
diff --git a/include/polarssl/bignum.h b/include/polarssl/bignum.h
index 8541403..9525775 100644
--- a/include/polarssl/bignum.h
+++ b/include/polarssl/bignum.h
@@ -58,7 +58,7 @@
 #define POLARSSL_ERR_MPI_NOT_ACCEPTABLE                    -0x000E  /**< The input arguments are not acceptable. */
 #define POLARSSL_ERR_MPI_MALLOC_FAILED                     -0x0010  /**< Memory allocation failed. */
 
-#define MPI_CHK(f) if( ( ret = f ) != 0 ) goto cleanup
+#define MPI_CHK(f) do { if( ( ret = f ) != 0 ) goto cleanup; } while( 0 )
 
 /*
  * Maximum size MPIs are allowed to grow to in number of limbs.
diff --git a/include/polarssl/compat-1.2.h b/include/polarssl/compat-1.2.h
index 64d1d63..0cc63ca 100644
--- a/include/polarssl/compat-1.2.h
+++ b/include/polarssl/compat-1.2.h
@@ -58,42 +58,42 @@
  */
 typedef sha256_context sha2_context;
 
-inline void sha2_starts( sha256_context *ctx, int is224 ) {
+static inline void sha2_starts( sha256_context *ctx, int is224 ) {
     sha256_starts( ctx, is224 );
 }
-inline void sha2_update( sha256_context *ctx, const unsigned char *input,
+static inline void sha2_update( sha256_context *ctx, const unsigned char *input,
                          size_t ilen ) {
     sha256_update( ctx, input, ilen );
 }
-inline void sha2_finish( sha256_context *ctx, unsigned char output[32] ) {
+static inline void sha2_finish( sha256_context *ctx, unsigned char output[32] ) {
     sha256_finish( ctx, output );
 }
-inline int sha2_file( const char *path, unsigned char output[32], int is224 ) {
+static inline int sha2_file( const char *path, unsigned char output[32], int is224 ) {
     return sha256_file( path, output, is224 );
 }
-inline void sha2( const unsigned char *input, size_t ilen,
+static inline void sha2( const unsigned char *input, size_t ilen,
                   unsigned char output[32], int is224 ) {
     sha256( input, ilen, output, is224 );
 }
-inline void sha2_hmac_starts( sha256_context *ctx, const unsigned char *key,
+static inline void sha2_hmac_starts( sha256_context *ctx, const unsigned char *key,
                               size_t keylen, int is224 ) {
     sha256_hmac_starts( ctx, key, keylen, is224 );
 }
-inline void sha2_hmac_update( sha256_context *ctx, const unsigned char *input, size_t ilen ) {
+static inline void sha2_hmac_update( sha256_context *ctx, const unsigned char *input, size_t ilen ) {
     sha256_hmac_update( ctx, input, ilen );
 }
-inline void sha2_hmac_finish( sha256_context *ctx, unsigned char output[32] ) {
+static inline void sha2_hmac_finish( sha256_context *ctx, unsigned char output[32] ) {
     sha256_hmac_finish( ctx, output );
 }
-inline void sha2_hmac_reset( sha256_context *ctx ) {
+static inline void sha2_hmac_reset( sha256_context *ctx ) {
     sha256_hmac_reset( ctx );
 }
-inline void sha2_hmac( const unsigned char *key, size_t keylen,
+static inline void sha2_hmac( const unsigned char *key, size_t keylen,
                        const unsigned char *input, size_t ilen,
                        unsigned char output[32], int is224 ) {
     sha256_hmac( key, keylen, input, ilen, output, is224 );
 }
-inline int sha2_self_test( int verbose ) {
+static inline int sha2_self_test( int verbose ) {
     return sha256_self_test( verbose );
 }
 #endif /* POLARSSL_SHA256_C */
@@ -107,42 +107,42 @@
  */
 typedef sha512_context sha4_context;
 
-inline void sha4_starts( sha512_context *ctx, int is384 ) {
+static inline void sha4_starts( sha512_context *ctx, int is384 ) {
     sha512_starts( ctx, is384 );
 }
-inline void sha4_update( sha512_context *ctx, const unsigned char *input,
+static inline void sha4_update( sha512_context *ctx, const unsigned char *input,
                          size_t ilen ) {
     sha512_update( ctx, input, ilen );
 }
-inline void sha4_finish( sha512_context *ctx, unsigned char output[64] ) {
+static inline void sha4_finish( sha512_context *ctx, unsigned char output[64] ) {
     sha512_finish( ctx, output );
 }
-inline int sha4_file( const char *path, unsigned char output[64], int is384 ) {
+static inline int sha4_file( const char *path, unsigned char output[64], int is384 ) {
     return sha512_file( path, output, is384 );
 }
-inline void sha4( const unsigned char *input, size_t ilen,
+static inline void sha4( const unsigned char *input, size_t ilen,
                   unsigned char output[32], int is384 ) {
     sha512( input, ilen, output, is384 );
 }
-inline void sha4_hmac_starts( sha512_context *ctx, const unsigned char *key,
+static inline void sha4_hmac_starts( sha512_context *ctx, const unsigned char *key,
                               size_t keylen, int is384 ) {
     sha512_hmac_starts( ctx, key, keylen, is384 );
 }
-inline void sha4_hmac_update( sha512_context *ctx, const unsigned char *input, size_t ilen ) {
+static inline void sha4_hmac_update( sha512_context *ctx, const unsigned char *input, size_t ilen ) {
     sha512_hmac_update( ctx, input, ilen );
 }
-inline void sha4_hmac_finish( sha512_context *ctx, unsigned char output[64] ) {
+static inline void sha4_hmac_finish( sha512_context *ctx, unsigned char output[64] ) {
     sha512_hmac_finish( ctx, output );
 }
-inline void sha4_hmac_reset( sha512_context *ctx ) {
+static inline void sha4_hmac_reset( sha512_context *ctx ) {
     sha512_hmac_reset( ctx );
 }
-inline void sha4_hmac( const unsigned char *key, size_t keylen,
+static inline void sha4_hmac( const unsigned char *key, size_t keylen,
                        const unsigned char *input, size_t ilen,
                        unsigned char output[64], int is384 ) {
     sha512_hmac( key, keylen, input, ilen, output, is384 );
 }
-inline int sha4_self_test( int verbose ) {
+static inline int sha4_self_test( int verbose ) {
     return sha512_self_test( verbose );
 }
 #endif /* POLARSSL_SHA512_C */
@@ -202,13 +202,13 @@
 #define POLARSSL_ERR_X509_CERT_INVALID_SERIAL POLARSSL_ERR_X509_INVALID_SERIAL
 #define POLARSSL_ERR_X509_CERT_UNKNOWN_VERSION POLARSSL_ERR_X509_UNKNOWN_VERSION
 
-inline int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial ) {
+static inline int x509parse_serial_gets( char *buf, size_t size, const x509_buf *serial ) {
     return x509_serial_gets( buf, size, serial );
 }
-inline int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn ) {
+static inline int x509parse_dn_gets( char *buf, size_t size, const x509_name *dn ) {
     return x509_dn_gets( buf, size, dn );
 }
-inline int x509parse_time_expired( const x509_time *time ) {
+static inline int x509parse_time_expired( const x509_time *time ) {
     return x509_time_expired( time );
 }
 #endif /* POLARSSL_X509_USE_C || POLARSSL_X509_CREATE_C */
@@ -218,33 +218,33 @@
 #include "x509_crt.h"
 typedef x509_crt x509_cert;
 
-inline int x509parse_crt_der( x509_cert *chain, const unsigned char *buf,
+static inline int x509parse_crt_der( x509_cert *chain, const unsigned char *buf,
                               size_t buflen ) {
     return x509_crt_parse_der( chain, buf, buflen );
 }
-inline int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ) {
+static inline int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ) {
     return x509_crt_parse( chain, buf, buflen );
 }
-inline int x509parse_crtfile( x509_cert *chain, const char *path ) {
+static inline int x509parse_crtfile( x509_cert *chain, const char *path ) {
     return x509_crt_parse_file( chain, path );
 }
-inline int x509parse_crtpath( x509_cert *chain, const char *path ) {
+static inline int x509parse_crtpath( x509_cert *chain, const char *path ) {
     return x509_crt_parse_path( chain, path );
 }
-inline int x509parse_cert_info( char *buf, size_t size, const char *prefix,
+static inline int x509parse_cert_info( char *buf, size_t size, const char *prefix,
                                 const x509_cert *crt ) {
     return x509_crt_info( buf, size, prefix, crt );
 }
-inline int x509parse_verify( x509_cert *crt, x509_cert *trust_ca,
+static inline int x509parse_verify( x509_cert *crt, x509_cert *trust_ca,
                              x509_crl *ca_crl, const char *cn, int *flags,
                              int (*f_vrfy)(void *, x509_cert *, int, int *),
                              void *p_vrfy ) {
     return x509_crt_verify( crt, trust_ca, ca_crl, cn, flags, f_vrfy, p_vrfy );
 }
-inline int x509parse_revoked( const x509_cert *crt, const x509_crl *crl ) {
+static inline int x509parse_revoked( const x509_cert *crt, const x509_crl *crl ) {
     return x509_crt_revoked( crt, crl );
 }
-inline void x509_free( x509_cert *crt ) {
+static inline void x509_free( x509_cert *crt ) {
     x509_crt_free( crt );
 }
 #endif /* POLARSSL_X509_CRT_PARSE_C */
@@ -252,13 +252,13 @@
 #if defined(POLARSSL_X509_CRL_PARSE_C)
 #define POLARSSL_X509_PARSE_C
 #include "x509_crl.h"
-inline int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ) {
+static inline int x509parse_crl( x509_crl *chain, const unsigned char *buf, size_t buflen ) {
     return x509_crl_parse( chain, buf, buflen );
 }
-inline int x509parse_crlfile( x509_crl *chain, const char *path ) {
+static inline int x509parse_crlfile( x509_crl *chain, const char *path ) {
     return x509_crl_parse_file( chain, path );
 }
-inline int x509parse_crl_info( char *buf, size_t size, const char *prefix,
+static inline int x509parse_crl_info( char *buf, size_t size, const char *prefix,
                                const x509_crl *crl ) {
     return x509_crl_info( buf, size, prefix, crl );
 }
@@ -267,13 +267,13 @@
 #if defined(POLARSSL_X509_CSR_PARSE_C)
 #define POLARSSL_X509_PARSE_C
 #include "x509_csr.h"
-inline int x509parse_csr( x509_csr *csr, const unsigned char *buf, size_t buflen ) {
+static inline int x509parse_csr( x509_csr *csr, const unsigned char *buf, size_t buflen ) {
     return x509_csr_parse( csr, buf, buflen );
 }
-inline int x509parse_csrfile( x509_csr *csr, const char *path ) {
+static inline int x509parse_csrfile( x509_csr *csr, const char *path ) {
     return x509_csr_parse_file( csr, path );
 }
-inline int x509parse_csr_info( char *buf, size_t size, const char *prefix,
+static inline int x509parse_csr_info( char *buf, size_t size, const char *prefix,
                                const x509_csr *csr ) {
     return x509_csr_info( buf, size, prefix, csr );
 }
@@ -295,7 +295,7 @@
 #define POLARSSL_ERR_X509_CERT_INVALID_PUBKEY POLARSSL_ERR_PK_INVALID_PUBKEY
 
 #if defined(POLARSSL_FS_IO)
-inline int x509parse_keyfile( rsa_context *rsa, const char *path,
+static inline int x509parse_keyfile( rsa_context *rsa, const char *path,
                               const char *pwd ) {
     int ret;
     pk_context pk;
@@ -310,7 +310,7 @@
     pk_free( &pk );
     return( ret );
 }
-inline int x509parse_public_keyfile( rsa_context *rsa, const char *path ) {
+static inline int x509parse_public_keyfile( rsa_context *rsa, const char *path ) {
     int ret;
     pk_context pk;
     pk_init( &pk );
@@ -326,7 +326,7 @@
 }
 #endif /* POLARSSL_FS_IO */
 
-inline int x509parse_key( rsa_context *rsa, const unsigned char *key,
+static inline int x509parse_key( rsa_context *rsa, const unsigned char *key,
                           size_t keylen,
                           const unsigned char *pwd, size_t pwdlen ) {
     int ret;
@@ -343,7 +343,7 @@
     return( ret );
 }
 
-inline int x509parse_public_key( rsa_context *rsa,
+static inline int x509parse_public_key( rsa_context *rsa,
                                  const unsigned char *key, size_t keylen )
 {
     int ret;
@@ -363,7 +363,7 @@
 
 #if defined(POLARSSL_PK_WRITE_C) && defined(POLARSSL_RSA_C)
 #include "pk.h"
-inline int x509_write_pubkey_der( unsigned char *buf, size_t len, rsa_context *rsa ) {
+static inline int x509_write_pubkey_der( unsigned char *buf, size_t len, rsa_context *rsa ) {
     int ret;
     pk_context ctx;
     if( ( ret = pk_init_ctx( &ctx, pk_info_from_type( POLARSSL_PK_RSA ) ) ) != 0 ) return( ret );
@@ -372,7 +372,7 @@
     pk_free( &ctx );
     return( ret );
 }
-inline int x509_write_key_der( unsigned char *buf, size_t len, rsa_context *rsa ) {
+static inline int x509_write_key_der( unsigned char *buf, size_t len, rsa_context *rsa ) {
     int ret;
     pk_context ctx;
     if( ( ret = pk_init_ctx( &ctx, pk_info_from_type( POLARSSL_PK_RSA ) ) ) != 0 ) return( ret );
diff --git a/include/polarssl/pk.h b/include/polarssl/pk.h
index 251c690..958672b 100644
--- a/include/polarssl/pk.h
+++ b/include/polarssl/pk.h
@@ -188,7 +188,7 @@
                     size_t output_max_len );
 typedef int (*pk_rsa_alt_sign_func)( void *ctx,
                     int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
-                    int mode, int hash_id, unsigned int hashlen,
+                    int mode, md_type_t md_alg, unsigned int hashlen,
                     const unsigned char *hash, unsigned char *sig );
 typedef size_t (*pk_rsa_alt_key_len_func)( void *ctx );
 
diff --git a/include/polarssl/pkcs11.h b/include/polarssl/pkcs11.h
index c0515e6..707d00a 100644
--- a/include/polarssl/pkcs11.h
+++ b/include/polarssl/pkcs11.h
@@ -128,7 +128,7 @@
  */
 int pkcs11_sign( pkcs11_context *ctx,
                     int mode,
-                    int hash_id,
+                    md_type_t md_alg,
                     unsigned int hashlen,
                     const unsigned char *hash,
                     unsigned char *sig );
@@ -146,12 +146,12 @@
 
 static inline int ssl_pkcs11_sign( void *ctx, 
                      int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
-                     int mode, int hash_id, unsigned int hashlen,
+                     int mode, md_type_t md_alg, unsigned int hashlen,
                      const unsigned char *hash, unsigned char *sig )
 {
     ((void) f_rng);
     ((void) p_rng);
-    return pkcs11_sign( (pkcs11_context *) ctx, mode, hash_id,
+    return pkcs11_sign( (pkcs11_context *) ctx, mode, md_alg,
                         hashlen, hash, sig );
 }
 
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index e51e507..fdb27f6 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -101,7 +101,7 @@
 #define POLARSSL_ERR_SSL_CONN_EOF                          -0x7280  /**< The connection indicated an EOF. */
 #define POLARSSL_ERR_SSL_UNKNOWN_CIPHER                    -0x7300  /**< An unknown cipher was received. */
 #define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN                  -0x7380  /**< The server has no ciphersuites in common with the client. */
-#define POLARSSL_ERR_SSL_NO_SESSION_FOUND                  -0x7400  /**< No session to recover was found. */
+#define POLARSSL_ERR_SSL_NO_RNG                            -0x7400  /**< No RNG was provided to the SSL module. */
 #define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE             -0x7480  /**< No client certification received from the client, but required by the authentication mode. */
 #define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE             -0x7500  /**< Our own certificate(s) is/are too large to send in an SSL message.*/
 #define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED              -0x7580  /**< The own certificate is not set, but needed by the server. */
@@ -374,7 +374,7 @@
                         size_t output_max_len ); 
 typedef int (*rsa_sign_func)( void *ctx,
                      int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
-                     int mode, int hash_id, unsigned int hashlen,
+                     int mode, md_type_t md_alg, unsigned int hashlen,
                      const unsigned char *hash, unsigned char *sig );
 typedef size_t (*rsa_key_len_func)( void *ctx );
 
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index baaf822..c4060d1 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -82,6 +82,10 @@
 
 target_link_libraries(polarssl ${libs})
 
+if(ZLIB_FOUND)
+target_link_libraries(polarssl ${ZLIB_LIBRARIES})
+endif(ZLIB_FOUND)
+
 install(TARGETS polarssl
         DESTINATION ${LIB_INSTALL_DIR}
         PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE)
diff --git a/library/bignum.c b/library/bignum.c
index 9eceeba..945da17 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1863,40 +1863,27 @@
 };
 
 /*
- * Miller-Rabin primality test  (HAC 4.24)
+ * Small divisors test (X must be positive)
+ *
+ * Return values:
+ * 0: no small factor (possible prime, more tests needed)
+ * 1: certain prime
+ * POLARSSL_ERR_MPI_NOT_ACCEPTABLE: certain non-prime
+ * other negative: error
  */
-int mpi_is_prime( mpi *X,
-                  int (*f_rng)(void *, unsigned char *, size_t),
-                  void *p_rng )
+static int mpi_check_small_factors( const mpi *X )
 {
-    int ret, xs;
-    size_t i, j, n, s;
-    mpi W, R, T, A, RR;
+    int ret = 0;
+    size_t i;
+    t_uint r;
 
-    if( mpi_cmp_int( X, 0 ) == 0 ||
-        mpi_cmp_int( X, 1 ) == 0 )
-        return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
-
-    if( mpi_cmp_int( X, 2 ) == 0 )
-        return( 0 );
-
-    mpi_init( &W ); mpi_init( &R ); mpi_init( &T ); mpi_init( &A );
-    mpi_init( &RR );
-
-    xs = X->s; X->s = 1;
-
-    /*
-     * test trivial factors first
-     */
     if( ( X->p[0] & 1 ) == 0 )
         return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
 
     for( i = 0; small_prime[i] > 0; i++ )
     {
-        t_uint r;
-
         if( mpi_cmp_int( X, small_prime[i] ) <= 0 )
-            return( 0 );
+            return( 1 );
 
         MPI_CHK( mpi_mod_int( &r, X, small_prime[i] ) );
 
@@ -1904,6 +1891,24 @@
             return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
     }
 
+cleanup:
+    return( ret );
+}
+
+/*
+ * Miller-Rabin pseudo-primality test  (HAC 4.24)
+ */
+static int mpi_miller_rabin( const mpi *X,
+                             int (*f_rng)(void *, unsigned char *, size_t),
+                             void *p_rng )
+{
+    int ret;
+    size_t i, j, n, s;
+    mpi W, R, T, A, RR;
+
+    mpi_init( &W ); mpi_init( &R ); mpi_init( &T ); mpi_init( &A );
+    mpi_init( &RR );
+
     /*
      * W = |X| - 1
      * R = W >> lsb( W )
@@ -1971,9 +1976,6 @@
     }
 
 cleanup:
-
-    X->s = xs;
-
     mpi_free( &W ); mpi_free( &R ); mpi_free( &T ); mpi_free( &A );
     mpi_free( &RR );
 
@@ -1981,6 +1983,34 @@
 }
 
 /*
+ * Pseudo-primality test: small factors, then Miller-Rabin
+ */
+int mpi_is_prime( mpi *X,
+                  int (*f_rng)(void *, unsigned char *, size_t),
+                  void *p_rng )
+{
+    int ret;
+    const mpi XX = { 1, X->n, X->p }; /* Abs(X) */
+
+    if( mpi_cmp_int( &XX, 0 ) == 0 ||
+        mpi_cmp_int( &XX, 1 ) == 0 )
+        return( POLARSSL_ERR_MPI_NOT_ACCEPTABLE );
+
+    if( mpi_cmp_int( &XX, 2 ) == 0 )
+        return( 0 );
+
+    if( ( ret = mpi_check_small_factors( &XX ) ) != 0 )
+    {
+        if( ret == 1 )
+            return( 0 );
+
+        return( ret );
+    }
+
+    return( mpi_miller_rabin( &XX, f_rng, p_rng ) );
+}
+
+/*
  * Prime number generation
  */
 int mpi_gen_prime( mpi *X, size_t nbits, int dh_flag,
@@ -1989,6 +2019,7 @@
 {
     int ret;
     size_t k, n;
+    t_uint r;
     mpi Y;
 
     if( nbits < 3 || nbits > POLARSSL_MPI_MAX_BITS )
@@ -2018,26 +2049,45 @@
     }
     else
     {
-        MPI_CHK( mpi_sub_int( &Y, X, 1 ) );
+        /*
+         * An necessary condition for Y and X = 2Y + 1 to be prime
+         * is X = 2 mod 3 (which is equivalent to Y = 2 mod 3).
+         * Make sure it is satisfied, while keeping X = 3 mod 4
+         */
+        MPI_CHK( mpi_mod_int( &r, X, 3 ) );
+        if( r == 0 )
+            MPI_CHK( mpi_add_int( X, X, 8 ) );
+        else if( r == 1 )
+            MPI_CHK( mpi_add_int( X, X, 4 ) );
+
+        /* Set Y = (X-1) / 2, which is X / 2 because X is odd */
+        MPI_CHK( mpi_copy( &Y, X ) );
         MPI_CHK( mpi_shift_r( &Y, 1 ) );
 
         while( 1 )
         {
-            if( ( ret = mpi_is_prime( X, f_rng, p_rng ) ) == 0 )
+            /*
+             * First, check small factors for X and Y
+             * before doing Miller-Rabin on any of them
+             */
+            if( ( ret = mpi_check_small_factors(  X         ) ) == 0 &&
+                ( ret = mpi_check_small_factors( &Y         ) ) == 0 &&
+                ( ret = mpi_miller_rabin(  X, f_rng, p_rng  ) ) == 0 &&
+                ( ret = mpi_miller_rabin( &Y, f_rng, p_rng  ) ) == 0 )
             {
-                if( ( ret = mpi_is_prime( &Y, f_rng, p_rng ) ) == 0 )
-                    break;
-
-                if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
-                    goto cleanup;
+                break;
             }
 
             if( ret != POLARSSL_ERR_MPI_NOT_ACCEPTABLE )
                 goto cleanup;
 
-            MPI_CHK( mpi_add_int( &Y, X, 1 ) );
-            MPI_CHK( mpi_add_int(  X, X, 2 ) );
-            MPI_CHK( mpi_shift_r( &Y, 1 ) );
+            /*
+             * Next candidates. We want to preserve Y = (X-1) / 2 and
+             * Y = 1 mod 2 and Y = 2 mod 3 (eq X = 3 mod 4 and X = 2 mod 3)
+             * so up Y by 6 and X by 12.
+             */
+            MPI_CHK( mpi_add_int(  X,  X, 12 ) );
+            MPI_CHK( mpi_add_int( &Y, &Y, 6  ) );
         }
     }
 
diff --git a/library/error.c b/library/error.c
index 9d76f19..6ef104d 100644
--- a/library/error.c
+++ b/library/error.c
@@ -358,8 +358,8 @@
             snprintf( buf, buflen, "SSL - An unknown cipher was received" );
         if( use_ret == -(POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN) )
             snprintf( buf, buflen, "SSL - The server has no ciphersuites in common with the client" );
-        if( use_ret == -(POLARSSL_ERR_SSL_NO_SESSION_FOUND) )
-            snprintf( buf, buflen, "SSL - No session to recover was found" );
+        if( use_ret == -(POLARSSL_ERR_SSL_NO_RNG) )
+            snprintf( buf, buflen, "SSL - No RNG was provided to the SSL module" );
         if( use_ret == -(POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE) )
             snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
         if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE) )
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 6f22b09..eb87d3c 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -57,7 +57,7 @@
 #if defined(POLARSSL_RSA_C)
 static size_t rsa_get_size( const void *ctx )
 {
-    return( 8 * ((rsa_context *) ctx)->len );
+    return( 8 * ((const rsa_context *) ctx)->len );
 }
 
 static int rsa_verify_wrap( void *ctx, md_type_t md_alg,
@@ -346,7 +346,7 @@
 
 static size_t rsa_alt_get_size( const void *ctx )
 {
-    rsa_alt_context *rsa_alt = (rsa_alt_context *) ctx;
+    const rsa_alt_context *rsa_alt = (const rsa_alt_context *) ctx;
 
     return( rsa_alt->key_len_func( rsa_alt->key ) );
 }
diff --git a/library/pkcs11.c b/library/pkcs11.c
index 9f68d78..8a99f28 100644
--- a/library/pkcs11.c
+++ b/library/pkcs11.c
@@ -30,6 +30,9 @@
 #include "polarssl/pkcs11.h"
 
 #if defined(POLARSSL_PKCS11_C)
+#include "polarssl/md.h"
+#include "polarssl/oid.h"
+#include "polarssl/x509_crt.h"
 
 #if defined(POLARSSL_MEMORY_C)
 #include "polarssl/memory.h"
@@ -101,7 +104,7 @@
     if( 0 != pkcs11_x509_cert_init( &cert, pkcs11_cert ) )
         goto cleanup;
 
-    priv_key->len = cert.rsa.len;
+    priv_key->len = pk_get_len(&cert.pk);
     priv_key->pkcs11h_cert = pkcs11_cert;
 
     ret = 0;
@@ -129,7 +132,7 @@
     if( NULL == ctx )
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
-    if( RSA_PUBLIC == mode )
+    if( RSA_PRIVATE != mode )
         return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
 
     output_len = input_len = ctx->len;
@@ -158,79 +161,67 @@
 
 int pkcs11_sign( pkcs11_context *ctx,
                     int mode,
-                    int hash_id,
+                    md_type_t md_alg,
                     unsigned int hashlen,
                     const unsigned char *hash,
                     unsigned char *sig )
 {
-    size_t olen, asn_len;
+    size_t olen, asn_len = 0, oid_size = 0;
     unsigned char *p = sig;
+    const char *oid;
 
     if( NULL == ctx )
         return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
 
-    if( RSA_PUBLIC == mode )
+    if( RSA_PRIVATE != mode )
         return POLARSSL_ERR_RSA_BAD_INPUT_DATA;
 
     olen = ctx->len;
 
-    switch( hash_id )
+    if( md_alg != POLARSSL_MD_NONE )
     {
-        case SIG_RSA_RAW:
-            asn_len = 0;
-            memcpy( p, hash, hashlen );
-            break;
-
-        case SIG_RSA_MD2:
-            asn_len = OID_SIZE(ASN1_HASH_MDX);
-            memcpy( p, ASN1_HASH_MDX, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[13] = 2; break;
-
-        case SIG_RSA_MD4:
-            asn_len = OID_SIZE(ASN1_HASH_MDX);
-            memcpy( p, ASN1_HASH_MDX, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[13] = 4; break;
-
-        case SIG_RSA_MD5:
-            asn_len = OID_SIZE(ASN1_HASH_MDX);
-            memcpy( p, ASN1_HASH_MDX, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[13] = 5; break;
-
-        case SIG_RSA_SHA1:
-            asn_len = OID_SIZE(ASN1_HASH_SHA1);
-            memcpy( p, ASN1_HASH_SHA1, asn_len );
-            memcpy( p + 15, hash, hashlen );
-            break;
-
-        case SIG_RSA_SHA224:
-            asn_len = OID_SIZE(ASN1_HASH_SHA2X);
-            memcpy( p, ASN1_HASH_SHA2X, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[1] += hashlen; p[14] = 4; p[18] += hashlen; break;
-
-        case SIG_RSA_SHA256:
-            asn_len = OID_SIZE(ASN1_HASH_SHA2X);
-            memcpy( p, ASN1_HASH_SHA2X, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[1] += hashlen; p[14] = 1; p[18] += hashlen; break;
-
-        case SIG_RSA_SHA384:
-            asn_len = OID_SIZE(ASN1_HASH_SHA2X);
-            memcpy( p, ASN1_HASH_SHA2X, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[1] += hashlen; p[14] = 2; p[18] += hashlen; break;
-
-        case SIG_RSA_SHA512:
-            asn_len = OID_SIZE(ASN1_HASH_SHA2X);
-            memcpy( p, ASN1_HASH_SHA2X, asn_len );
-            memcpy( p + asn_len, hash, hashlen );
-            p[1] += hashlen; p[14] = 3; p[18] += hashlen; break;
-
-        default:
+        const md_info_t *md_info = md_info_from_type( md_alg );
+        if( md_info == NULL )
             return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+
+        if( oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
+            return( POLARSSL_ERR_RSA_BAD_INPUT_DATA );
+
+        hashlen = md_get_size( md_info );
+    }
+
+    if( md_alg == POLARSSL_MD_NONE )
+    {
+        memcpy( p, hash, hashlen );
+    }
+    else
+    {
+        /*
+         * DigestInfo ::= SEQUENCE {
+         *   digestAlgorithm DigestAlgorithmIdentifier,
+         *   digest Digest }
+         *
+         * DigestAlgorithmIdentifier ::= AlgorithmIdentifier
+         *
+         * Digest ::= OCTET STRING
+         */
+        *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
+        *p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
+        *p++ = ASN1_SEQUENCE | ASN1_CONSTRUCTED;
+        *p++ = (unsigned char) ( 0x04 + oid_size );
+        *p++ = ASN1_OID;
+        *p++ = oid_size & 0xFF;
+        memcpy( p, oid, oid_size );
+        p += oid_size;
+        *p++ = ASN1_NULL;
+        *p++ = 0x00;
+        *p++ = ASN1_OCTET_STRING;
+        *p++ = hashlen;
+
+        /* Determine added ASN length */
+        asn_len = p - sig;
+
+        memcpy( p, hash, hashlen );
     }
 
     if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 0eaa531..3cde375 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -390,6 +390,12 @@
 
     SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
 
+    if( ssl->f_rng == NULL )
+    {
+        SSL_DEBUG_MSG( 1, ( "no RNG provided") );
+        return( POLARSSL_ERR_SSL_NO_RNG );
+    }
+
     if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
     {
         ssl->major_ver = ssl->min_major_ver;
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index e44bf72..12ccb12 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1594,6 +1594,12 @@
 
     SSL_DEBUG_MSG( 2, ( "=> write server hello" ) );
 
+    if( ssl->f_rng == NULL )
+    {
+        SSL_DEBUG_MSG( 1, ( "no RNG provided") );
+        return( POLARSSL_ERR_SSL_NO_RNG );
+    }
+
     /*
      *     0  .   0   handshake type
      *     1  .   3   handshake length
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 6a127b2..6382c53 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1273,11 +1273,15 @@
     {
         diff = n1[i] ^ n2[i];
 
-        if( ( n1[i] >= 'a' || n1[i] <= 'z' ) && ( diff == 0 || diff == 32 ) )
+        if( diff == 0 )
             continue;
 
-        if( ( n1[i] >= 'A' || n1[i] <= 'Z' ) && ( diff == 0 || diff == 32 ) )
+        if( diff == 32 &&
+            ( ( n1[i] >= 'a' && n1[i] <= 'z' ) ||
+              ( n1[i] >= 'A' && n1[i] <= 'Z' ) ) )
+        {
             continue;
+        }
 
         return( 1 );
     }
diff --git a/programs/pkey/dh_genprime.c b/programs/pkey/dh_genprime.c
index 2089fb6..f51465a 100644
--- a/programs/pkey/dh_genprime.c
+++ b/programs/pkey/dh_genprime.c
@@ -74,6 +74,8 @@
     printf( "         predefined DHM parameters from dhm.h instead!\n\n" );
     printf( "============================================================\n\n" );
 
+    printf( "  ! Generating large primes may take minutes!\n" );
+
     printf( "\n  . Seeding the random number generator..." );
     fflush( stdout );
 
diff --git a/programs/pkey/ecdsa.c b/programs/pkey/ecdsa.c
index 948066a..3cba7e8 100644
--- a/programs/pkey/ecdsa.c
+++ b/programs/pkey/ecdsa.c
@@ -60,7 +60,7 @@
 #else
 
 #if defined(VERBOSE)
-static void dump_buf( char *title, unsigned char *buf, size_t len )
+static void dump_buf( const char *title, unsigned char *buf, size_t len )
 {
     size_t i;
 
@@ -71,7 +71,7 @@
     printf( "\n" );
 }
 
-static void dump_pubkey( char *title, ecdsa_context *key )
+static void dump_pubkey( const char *title, ecdsa_context *key )
 {
     unsigned char buf[300];
     size_t len;
diff --git a/programs/util/pem2der.c b/programs/util/pem2der.c
index 9364356..f372684 100644
--- a/programs/util/pem2der.c
+++ b/programs/util/pem2der.c
@@ -50,8 +50,8 @@
  */
 struct options
 {
-    char *filename;             /* filename of the input file             */
-    char *output_file;          /* where to store the output              */
+    const char *filename;       /* filename of the input file             */
+    const char *output_file;    /* where to store the output              */
 } opt;
 
 int convert_pem_to_der( const unsigned char *input, size_t ilen,
@@ -61,11 +61,11 @@
     const unsigned char *s1, *s2, *end = input + ilen;
     size_t len = 0;
 
-    s1 = (unsigned char *) strstr( (char *) input, "-----BEGIN" );
+    s1 = (unsigned char *) strstr( (const char *) input, "-----BEGIN" );
     if( s1 == NULL )
         return( -1 );
 
-    s2 = (unsigned char *) strstr( (char *) input, "-----END" );
+    s2 = (unsigned char *) strstr( (const char *) input, "-----END" );
     if( s2 == NULL )
         return( -1 );
 
diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c
index dc45f94..2388dc9 100644
--- a/programs/x509/cert_req.c
+++ b/programs/x509/cert_req.c
@@ -62,15 +62,15 @@
  */
 struct options
 {
-    char *filename;             /* filename of the key file             */
+    const char *filename;       /* filename of the key file             */
     int debug_level;            /* level of debugging                   */
-    char *output_file;          /* where to store the constructed key file  */
-    char *subject_name;         /* subject name for certificate request */
+    const char *output_file;    /* where to store the constructed key file  */
+    const char *subject_name;   /* subject name for certificate request */
     unsigned char key_usage;    /* key usage flags                      */
     unsigned char ns_cert_type; /* NS cert type                         */
 } opt;
 
-int write_certificate_request( x509write_csr *req, char *output_file,
+int write_certificate_request( x509write_csr *req, const char *output_file,
                                int (*f_rng)(void *, unsigned char *, size_t),
                                void *p_rng )
 {
diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c
index f72f623..beac089 100644
--- a/programs/x509/cert_write.c
+++ b/programs/x509/cert_write.c
@@ -75,18 +75,18 @@
  */
 struct options
 {
-    char *issuer_crt;           /* filename of the issuer certificate   */
-    char *request_file;         /* filename of the certificate request  */
-    char *subject_key;          /* filename of the subject key file     */
-    char *issuer_key;           /* filename of the issuer key file      */
-    char *subject_pwd;          /* password for the subject key file    */
-    char *issuer_pwd;           /* password for the issuer key file     */
-    char *output_file;          /* where to store the constructed key file  */
-    char *subject_name;         /* subject name for certificate         */
-    char *issuer_name;          /* issuer name for certificate          */
-    char *not_before;           /* validity period not before           */
-    char *not_after;            /* validity period not after            */
-    char *serial;               /* serial number string                 */
+    const char *issuer_crt;     /* filename of the issuer certificate   */
+    const char *request_file;   /* filename of the certificate request  */
+    const char *subject_key;    /* filename of the subject key file     */
+    const char *issuer_key;     /* filename of the issuer key file      */
+    const char *subject_pwd;    /* password for the subject key file    */
+    const char *issuer_pwd;     /* password for the issuer key file     */
+    const char *output_file;    /* where to store the constructed key file  */
+    const char *subject_name;   /* subject name for certificate         */
+    const char *issuer_name;    /* issuer name for certificate          */
+    const char *not_before;     /* validity period not before           */
+    const char *not_after;      /* validity period not after            */
+    const char *serial;         /* serial number string                 */
     int selfsign;               /* selfsign the certificate             */
     int is_ca;                  /* is a CA certificate                  */
     int max_pathlen;            /* maximum CA path length               */
@@ -94,7 +94,7 @@
     unsigned char ns_cert_type; /* NS cert type                         */
 } opt;
 
-int write_certificate( x509write_cert *crt, char *output_file,
+int write_certificate( x509write_cert *crt, const char *output_file,
                        int (*f_rng)(void *, unsigned char *, size_t),
                        void *p_rng )
 {
diff --git a/scripts/data_files/error.fmt b/scripts/data_files/error.fmt
index 98b5765..969cd95 100644
--- a/scripts/data_files/error.fmt
+++ b/scripts/data_files/error.fmt
@@ -33,11 +33,8 @@
 
 #include <string.h>
 
-#if defined(EFIX64) || defined(EFI32)
-#include <stdio.h>
-#endif
-
-#if defined(_MSC_VER) && !defined  snprintf
+#if defined(_MSC_VER) && !defined  snprintf && !defined(EFIX64) && \
+    !defined(EFI32)
 #define  snprintf  _snprintf
 #endif
 
diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function
index c64d9be..67fb394 100644
--- a/tests/suites/main_test.function
+++ b/tests/suites/main_test.function
@@ -6,7 +6,7 @@
 SUITE_PRE_DEP
 #define TEST_SUITE_ACTIVE
 
-static int test_assert( int correct, char *test )
+static int test_assert( int correct, const char *test )
 {
     if( correct )
         return( 0 );
diff --git a/tests/suites/test_suite_mpi.data b/tests/suites/test_suite_mpi.data
index 287cc2d..b9e00f1 100644
--- a/tests/suites/test_suite_mpi.data
+++ b/tests/suites/test_suite_mpi.data
@@ -546,11 +546,19 @@
 depends_on:POLARSSL_GENPRIME
 mpi_is_prime:10:"47":0
 
-Test mpi_is_prime #1
+Test mpi_is_prime #1a
+depends_on:POLARSSL_GENPRIME
+mpi_is_prime:10:"83726728883146151979668243326097049289208482987685965276439157162337476477581":POLARSSL_ERR_MPI_NOT_ACCEPTABLE
+
+Test mpi_is_prime #1b
+depends_on:POLARSSL_GENPRIME
+mpi_is_prime:10:"81248637410584921454869308488899267096530643632730258201256092582281263244641":POLARSSL_ERR_MPI_NOT_ACCEPTABLE
+
+Test mpi_is_prime #2a
 depends_on:POLARSSL_GENPRIME
 mpi_is_prime:10:"827131507221654563937832686696200995595835694437983658840870036586124168186967796809117749047430768825822857042432722828096779098498192459819306321073968735177531164565305635281198148032612029767584644305912099":0
 
-Test mpi_is_prime #2
+Test mpi_is_prime #2b
 depends_on:POLARSSL_GENPRIME
 mpi_is_prime:10:"827131507221654563937832686696200995595835694437983658840870036586124168186967796809117749047430768825822857042432722828096779098498192459819306321073968735177531164565305635281198148032612029767584644305912001":POLARSSL_ERR_MPI_NOT_ACCEPTABLE