Merge remote-tracking branch 'origin/pr/2531' into development

Ensure tests pass when the submodule is used by updating the list of
crypto tests to include test_suite_oid in both tests/CMakeLists.txt and
tests/Makefile.

* origin/pr/2531:
  Add changeLog entry
  Add certificate policy of type any policy id
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 19ab4eb..ecfa40e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -195,6 +195,9 @@
     enable_testing()
 
     add_subdirectory(tests)
+    if(USE_CRYPTO_SUBMODULE)
+        add_subdirectory(crypto/tests)
+    endif()
 
     # additional convenience targets for Unix only
     if(UNIX)
diff --git a/ChangeLog b/ChangeLog
index 5eebec1..5d9927c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,32 @@
 mbed TLS ChangeLog (Sorted per branch, date)
 
-= mbed TLS 2.x.x branch released xxxx-xx-xx
+= mbed TLS x.x.x branch released xxxx-xx-xx
+
+Features
+   * Add the Any Policy certificate policy oid, as defined in
+     rfc 5280 section 4.2.1.4.
+
+Bugfix
+   * Fix private key DER output in the key_app_writer example. File contents
+     were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
+     Christian Walther in #2239.
+
+Changes
+   * Server's RSA certificate in certs.c was SHA-1 signed. In the default
+     mbedTLS configuration only SHA-2 signed certificates are accepted.
+     This certificate is used in the demo server programs, which lead the
+     client programs to fail at the peer's certificate verification
+     due to an unacceptable hash signature. The certificate has been
+     updated to one that is SHA-256 signed. Fix contributed by
+     Illya Gerasymchuk.
+   * Return from various debugging routines immediately if the
+     provided SSL context is unset.
+   * Remove dead code from bignum.c in the default configuration.
+     Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
+   * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
+     Contributed by Peter Kolbus (Garmin).
+
+= mbed TLS 2.17.0 branch released 2019-03-19
 
 Features
    * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`
@@ -12,8 +38,6 @@
    * Add MBEDTLS_REMOVE_3DES_CIPHERSUITES to allow removing 3DES ciphersuites
      from the default list (enabled by default). See
      https://sweet32.info/SWEET32_CCS16.pdf.
-   * Add the Any Policy certificate policy oid, as defined in
-     rfc 5280 section 4.2.1.4.
 
 API Changes
    * Add a new X.509 API call `mbedtls_x509_parse_der_nocopy()`.
@@ -51,9 +75,6 @@
      extensions in CSRs and CRTs that caused these bitstrings to not be encoded
      correctly as trailing zeroes were not accounted for as unused bits in the
      leading content octet. Fixes #1610.
-   * Fix private key DER output in the key_app_writer example. File contents
-     were shifted by one byte, creating an invalid ASN.1 tag. Fixed by
-     Christian Walther in #2239.
 
 Changes
    * Reduce RAM consumption during session renegotiation by not storing
@@ -80,19 +101,6 @@
      been disabled for lack of a sufficiently recent version of GnuTLS on the CI.
    * Ciphersuites based on 3DES now have the lowest priority by default when
      they are enabled.
-   * Server's RSA certificate in certs.c was SHA-1 signed. In the default
-     mbedTLS configuration only SHA-2 signed certificates are accepted.
-     This certificate is used in the demo server programs, which lead the
-     client programs to fail at the peer's certificate verification
-     due to an unacceptable hash signature. The certificate has been
-     updated to one that is SHA-256 signed. Fix contributed by
-     Illya Gerasymchuk.
-   * Return from various debugging routines immediately if the
-     provided SSL context is unset.
-   * Remove dead code from bignum.c in the default configuration.
-     Found by Coverity, reported and fixed by Peter Kolbus (Garmin). Fixes #2309.
-   * Add test for minimal value of MBEDTLS_MPI_WINDOW_SIZE to all.sh.
-     Contributed by Peter Kolbus (Garmin).
 
 = mbed TLS 2.16.0 branch released 2018-12-21
 
diff --git a/Makefile b/Makefile
index 87b5a0c..a5b8b61 100644
--- a/Makefile
+++ b/Makefile
@@ -19,6 +19,9 @@
 
 tests: lib
 	$(MAKE) -C tests
+ifdef USE_CRYPTO_SUBMODULE
+	$(MAKE) CRYPTO_INCLUDES:="-I../../include -I../include" -C crypto/tests
+endif
 
 ifndef WINDOWS
 install: no_test
@@ -103,6 +106,9 @@
 
 check: lib tests
 	$(MAKE) -C tests check
+ifdef USE_CRYPTO_SUBMODULE
+	$(MAKE) CRYPTO_INCLUDES:="-I../../include -I../include" -C crypto/tests check
+endif
 
 test: check
 
diff --git a/crypto b/crypto
index a78c958..82b3b83 160000
--- a/crypto
+++ b/crypto
@@ -1 +1 @@
-Subproject commit a78c958b17d75ddf63d8dd17255b6379dcbf259f
+Subproject commit 82b3b83d540ec9611277ca3e9b645b335f80846a
diff --git a/doxygen/input/doc_mainpage.h b/doxygen/input/doc_mainpage.h
index d9177fb..4eff836 100644
--- a/doxygen/input/doc_mainpage.h
+++ b/doxygen/input/doc_mainpage.h
@@ -24,7 +24,7 @@
  */
 
 /**
- * @mainpage mbed TLS v0.0.0 source code documentation
+ * @mainpage mbed TLS v2.17.0 source code documentation
  *
  * This documentation describes the internal structure of mbed TLS.  It was
  * automatically generated from specially formatted comment blocks in
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index b0190e4..ce58d6b 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -28,7 +28,7 @@
 # identify the project. Note that if you do not use Doxywizard you need
 # to put quotes around the project name if it contains spaces.
 
-PROJECT_NAME           = "mbed TLS v0.0.0"
+PROJECT_NAME           = "mbed TLS v2.17.0"
 
 # The PROJECT_NUMBER tag can be used to enter a project or revision number.
 # This could be handy for archiving the generated documentation or
diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h
index 962d3db..c1450db 100644
--- a/include/mbedtls/check_config.h
+++ b/include/mbedtls/check_config.h
@@ -525,26 +525,25 @@
 #error "MBEDTLS_PSA_CRYPTO_SPM defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) && defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C)
-#error "Only one of MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C or MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C can be defined"
-#endif
-
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) &&            \
-    !( defined(MBEDTLS_PSA_CRYPTO_C) &&                 \
-       ( defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) ||  \
-         defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C) ) )
+    ! defined(MBEDTLS_PSA_CRYPTO_C)
 #error "MBEDTLS_PSA_CRYPTO_STORAGE_C defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C) &&            \
-    !( defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) &&           \
-       defined(MBEDTLS_FS_IO) )
-#error "MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C defined, but not all prerequisites"
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY) &&      \
+    !( defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) && \
+       defined(MBEDTLS_ENTROPY_NV_SEED) )
+#error "MBEDTLS_PSA_INJECT_ENTROPY defined, but not all prerequisites"
 #endif
 
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C) &&             \
-    ! defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
-#error "MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C defined, but not all prerequisites"
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY) &&              \
+    !defined(MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES)
+#error "MBEDTLS_PSA_INJECT_ENTROPY is not compatible with actual entropy sources"
+#endif
+
+#if defined(MBEDTLS_PSA_ITS_FILE_C) && \
+    !defined(MBEDTLS_FS_IO)
+#error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites"
 #endif
 
 #if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) ||         \
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 3a2fed5..31a3059 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -1237,14 +1237,17 @@
 //#define MBEDTLS_PSA_CRYPTO_SPM
 
 /**
- * \def MBEDTLS_PSA_HAS_ITS_IO
+ * \def MBEDTLS_PSA_INJECT_ENTROPY
  *
- * Enable the non-volatile secure storage usage.
+ * Enable support for entropy injection at first boot. This feature is
+ * required on systems that do not have a built-in entropy source (TRNG).
+ * This feature is currently not supported on systems that have a built-in
+ * entropy source.
  *
- * This is crucial on systems that do not have a HW TRNG support.
+ * Requires: MBEDTLS_PSA_CRYPTO_STORAGE_C, MBEDTLS_ENTROPY_NV_SEED
  *
  */
-//#define MBEDTLS_PSA_HAS_ITS_IO
+//#define MBEDTLS_PSA_INJECT_ENTROPY
 
 /**
  * \def MBEDTLS_RSA_NO_CRT
@@ -2741,40 +2744,26 @@
  *
  * Enable the Platform Security Architecture persistent key storage.
  *
- * Module:  library/psa_crypto_storage.c
+ * Module:  crypto/library/psa_crypto_storage.c
  *
- * Requires: MBEDTLS_PSA_CRYPTO_C and one of either
- * MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C or MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
- * (but not both)
- *
+ * Requires: MBEDTLS_PSA_CRYPTO_C,
+ *           either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
+ *           the PSA ITS interface
  */
 //#define MBEDTLS_PSA_CRYPTO_STORAGE_C
 
 /**
- * \def MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
+ * \def MBEDTLS_PSA_ITS_FILE_C
  *
- * Enable persistent key storage over files for the
- * Platform Security Architecture cryptography API.
+ * Enable the emulation of the Platform Security Architecture
+ * Internal Trusted Storage (PSA ITS) over files.
  *
- * Module:  library/psa_crypto_storage_file.c
+ * Module:  crypto/library/psa_its_file.c
  *
- * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_FS_IO
+ * Requires: MBEDTLS_FS_IO
  *
  */
-//#define MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
-
-/**
- * \def MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
- *
- * Enable persistent key storage over PSA ITS for the
- * Platform Security Architecture cryptography API.
- *
- * Module:  library/psa_crypto_storage_its.c
- *
- * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_HAS_ITS_IO
- *
- */
-//#define MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
+//#define MBEDTLS_PSA_ITS_FILE_C
 
 /**
  * \def MBEDTLS_RIPEMD160_C
diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h
index 3f2e12c..79b42b2 100644
--- a/include/mbedtls/version.h
+++ b/include/mbedtls/version.h
@@ -38,8 +38,8 @@
  * The version number x.y.z is split into three parts.
  * Major, Minor, Patchlevel
  */
-#define MBEDTLS_VERSION_MAJOR  0
-#define MBEDTLS_VERSION_MINOR  0
+#define MBEDTLS_VERSION_MAJOR  2
+#define MBEDTLS_VERSION_MINOR  17
 #define MBEDTLS_VERSION_PATCH  0
 
 /**
@@ -47,9 +47,9 @@
  *    MMNNPP00
  *    Major version | Minor version | Patch version
  */
-#define MBEDTLS_VERSION_NUMBER         0x00000000
-#define MBEDTLS_VERSION_STRING         "0.0.0"
-#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 0.0.0"
+#define MBEDTLS_VERSION_NUMBER         0x02110000
+#define MBEDTLS_VERSION_STRING         "2.17.0"
+#define MBEDTLS_VERSION_STRING_FULL    "mbed TLS 2.17.0"
 
 #if defined(MBEDTLS_VERSION_C)
 
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index bd58b8a..fb43fd0 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -182,20 +182,20 @@
 if(USE_SHARED_MBEDTLS_LIBRARY)
     if(NOT USE_CRYPTO_SUBMODULE)
         add_library(mbedcrypto SHARED ${src_crypto})
-        set_target_properties(mbedcrypto PROPERTIES VERSION 0.0.0 SOVERSION 3)
+        set_target_properties(mbedcrypto PROPERTIES VERSION 2.17.0 SOVERSION 3)
         target_link_libraries(mbedcrypto ${libs})
         target_include_directories(mbedcrypto PUBLIC ${CMAKE_SOURCE_DIR}/include/)
     endif()
 
     add_library(mbedx509 SHARED ${src_x509})
-    set_target_properties(mbedx509 PROPERTIES VERSION 0.0.0 SOVERSION 0)
+    set_target_properties(mbedx509 PROPERTIES VERSION 2.17.0 SOVERSION 0)
     target_link_libraries(mbedx509 ${libs} mbedcrypto)
     target_include_directories(mbedx509
         PUBLIC ${CMAKE_SOURCE_DIR}/include/
         PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/)
 
     add_library(mbedtls SHARED ${src_tls})
-    set_target_properties(mbedtls PROPERTIES VERSION 0.0.0 SOVERSION 12)
+    set_target_properties(mbedtls PROPERTIES VERSION 2.17.0 SOVERSION 12)
     target_link_libraries(mbedtls ${libs} mbedx509)
     target_include_directories(mbedtls
         PUBLIC ${CMAKE_SOURCE_DIR}/include/
diff --git a/library/version_features.c b/library/version_features.c
index 161788c..1be0e0f 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -429,9 +429,9 @@
 #if defined(MBEDTLS_PSA_CRYPTO_SPM)
     "MBEDTLS_PSA_CRYPTO_SPM",
 #endif /* MBEDTLS_PSA_CRYPTO_SPM */
-#if defined(MBEDTLS_PSA_HAS_ITS_IO)
-    "MBEDTLS_PSA_HAS_ITS_IO",
-#endif /* MBEDTLS_PSA_HAS_ITS_IO */
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+    "MBEDTLS_PSA_INJECT_ENTROPY",
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
 #if defined(MBEDTLS_RSA_NO_CRT)
     "MBEDTLS_RSA_NO_CRT",
 #endif /* MBEDTLS_RSA_NO_CRT */
@@ -708,12 +708,9 @@
 #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
     "MBEDTLS_PSA_CRYPTO_STORAGE_C",
 #endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C)
-    "MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C",
-#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C */
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C)
-    "MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C",
-#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C */
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+    "MBEDTLS_PSA_ITS_FILE_C",
+#endif /* MBEDTLS_PSA_ITS_FILE_C */
 #if defined(MBEDTLS_RIPEMD160_C)
     "MBEDTLS_RIPEMD160_C",
 #endif /* MBEDTLS_RIPEMD160_C */
diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c
index f2f7b46..f272676 100644
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -1186,13 +1186,13 @@
     }
 #endif /* MBEDTLS_PSA_CRYPTO_SPM */
 
-#if defined(MBEDTLS_PSA_HAS_ITS_IO)
-    if( strcmp( "MBEDTLS_PSA_HAS_ITS_IO", config ) == 0 )
+#if defined(MBEDTLS_PSA_INJECT_ENTROPY)
+    if( strcmp( "MBEDTLS_PSA_INJECT_ENTROPY", config ) == 0 )
     {
-        MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_HAS_ITS_IO );
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_INJECT_ENTROPY );
         return( 0 );
     }
-#endif /* MBEDTLS_PSA_HAS_ITS_IO */
+#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
 
 #if defined(MBEDTLS_RSA_NO_CRT)
     if( strcmp( "MBEDTLS_RSA_NO_CRT", config ) == 0 )
@@ -1930,21 +1930,13 @@
     }
 #endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
 
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C)
-    if( strcmp( "MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C", config ) == 0 )
+#if defined(MBEDTLS_PSA_ITS_FILE_C)
+    if( strcmp( "MBEDTLS_PSA_ITS_FILE_C", config ) == 0 )
     {
-        MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C );
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_ITS_FILE_C );
         return( 0 );
     }
-#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C */
-
-#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C)
-    if( strcmp( "MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C", config ) == 0 )
-    {
-        MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C );
-        return( 0 );
-    }
-#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C */
+#endif /* MBEDTLS_PSA_ITS_FILE_C */
 
 #if defined(MBEDTLS_RIPEMD160_C)
     if( strcmp( "MBEDTLS_RIPEMD160_C", config ) == 0 )
diff --git a/scripts/config.pl b/scripts/config.pl
index 84069d2..6300362 100755
--- a/scripts/config.pl
+++ b/scripts/config.pl
@@ -41,10 +41,9 @@
 #   MBEDTLS_USE_PSA_CRYPTO
 #       - experimental, and more an alternative implementation than a feature
 #   MBEDTLS_PSA_CRYPTO_STORAGE_C
-#   MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
-#   MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
+#   MBEDTLS_PSA_ITS_FILE_C
 #   MBEDTLS_PSA_CRYPTO_SPM
-#   MBEDTLS_PSA_HAS_ITS_IO
+#   MBEDTLS_PSA_INJECT_ENTROPY
 #   and any symbol beginning _ALT
 #
 
@@ -109,10 +108,9 @@
 MBEDTLS_NO_64BIT_MULTIPLICATION
 MBEDTLS_USE_PSA_CRYPTO
 MBEDTLS_PSA_CRYPTO_STORAGE_C
-MBEDTLS_PSA_CRYPTO_STORAGE_FILE_C
-MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
+MBEDTLS_PSA_ITS_FILE_C
 MBEDTLS_PSA_CRYPTO_SPM
-MBEDTLS_PSA_HAS_ITS_IO
+MBEDTLS_PSA_INJECT_ENTROPY
 _ALT\s*$
 );
 
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 1b7ea78..52dac48 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -60,77 +60,79 @@
     set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /WX-")
 endif(MSVC)
 
-add_test_suite(aes aes.ecb)
-add_test_suite(aes aes.cbc)
-add_test_suite(aes aes.cfb)
-add_test_suite(aes aes.ofb)
-add_test_suite(aes aes.rest)
-add_test_suite(aes aes.xts)
-add_test_suite(arc4)
-add_test_suite(aria)
-add_test_suite(asn1write)
-add_test_suite(base64)
-add_test_suite(blowfish)
-add_test_suite(camellia)
-add_test_suite(ccm)
-add_test_suite(chacha20)
-add_test_suite(chachapoly)
-add_test_suite(cipher cipher.aes)
-add_test_suite(cipher cipher.arc4)
-add_test_suite(cipher cipher.blowfish)
-add_test_suite(cipher cipher.camellia)
-add_test_suite(cipher cipher.ccm)
-add_test_suite(cipher cipher.chacha20)
-add_test_suite(cipher cipher.chachapoly)
-add_test_suite(cipher cipher.des)
-add_test_suite(cipher cipher.gcm)
-add_test_suite(cipher cipher.misc)
-add_test_suite(cipher cipher.null)
-add_test_suite(cipher cipher.padding)
-add_test_suite(cmac)
-add_test_suite(ctr_drbg)
+if(NOT USE_CRYPTO_SUBMODULE)
+    add_test_suite(aes aes.ecb)
+    add_test_suite(aes aes.cbc)
+    add_test_suite(aes aes.cfb)
+    add_test_suite(aes aes.ofb)
+    add_test_suite(aes aes.rest)
+    add_test_suite(aes aes.xts)
+    add_test_suite(arc4)
+    add_test_suite(aria)
+    add_test_suite(asn1write)
+    add_test_suite(base64)
+    add_test_suite(blowfish)
+    add_test_suite(camellia)
+    add_test_suite(ccm)
+    add_test_suite(chacha20)
+    add_test_suite(chachapoly)
+    add_test_suite(cipher cipher.aes)
+    add_test_suite(cipher cipher.arc4)
+    add_test_suite(cipher cipher.blowfish)
+    add_test_suite(cipher cipher.camellia)
+    add_test_suite(cipher cipher.ccm)
+    add_test_suite(cipher cipher.chacha20)
+    add_test_suite(cipher cipher.chachapoly)
+    add_test_suite(cipher cipher.des)
+    add_test_suite(cipher cipher.gcm)
+    add_test_suite(cipher cipher.misc)
+    add_test_suite(cipher cipher.null)
+    add_test_suite(cipher cipher.padding)
+    add_test_suite(cmac)
+    add_test_suite(ctr_drbg)
+    add_test_suite(des)
+    add_test_suite(dhm)
+    add_test_suite(ecdh)
+    add_test_suite(ecdsa)
+    add_test_suite(ecjpake)
+    add_test_suite(ecp)
+    add_test_suite(entropy)
+    add_test_suite(error)
+    add_test_suite(gcm gcm.aes128_en)
+    add_test_suite(gcm gcm.aes192_en)
+    add_test_suite(gcm gcm.aes256_en)
+    add_test_suite(gcm gcm.aes128_de)
+    add_test_suite(gcm gcm.aes192_de)
+    add_test_suite(gcm gcm.aes256_de)
+    add_test_suite(gcm gcm.camellia)
+    add_test_suite(gcm gcm.misc)
+    add_test_suite(hkdf)
+    add_test_suite(hmac_drbg hmac_drbg.misc)
+    add_test_suite(hmac_drbg hmac_drbg.no_reseed)
+    add_test_suite(hmac_drbg hmac_drbg.nopr)
+    add_test_suite(hmac_drbg hmac_drbg.pr)
+    add_test_suite(md)
+    add_test_suite(mdx)
+    add_test_suite(memory_buffer_alloc)
+    add_test_suite(mpi)
+    add_test_suite(nist_kw)
+    add_test_suite(oid)
+    add_test_suite(pem)
+    add_test_suite(pkcs1_v15)
+    add_test_suite(pkcs1_v21)
+    add_test_suite(pkcs5)
+    add_test_suite(pk)
+    add_test_suite(pkparse)
+    add_test_suite(pkwrite)
+    add_test_suite(poly1305)
+    add_test_suite(shax)
+    add_test_suite(timing)
+    add_test_suite(rsa)
+    add_test_suite(xtea)
+endif()
 add_test_suite(debug)
-add_test_suite(des)
-add_test_suite(dhm)
-add_test_suite(ecdh)
-add_test_suite(ecdsa)
-add_test_suite(ecjpake)
-add_test_suite(ecp)
-add_test_suite(entropy)
-add_test_suite(error)
-add_test_suite(gcm gcm.aes128_en)
-add_test_suite(gcm gcm.aes192_en)
-add_test_suite(gcm gcm.aes256_en)
-add_test_suite(gcm gcm.aes128_de)
-add_test_suite(gcm gcm.aes192_de)
-add_test_suite(gcm gcm.aes256_de)
-add_test_suite(gcm gcm.camellia)
-add_test_suite(gcm gcm.misc)
-add_test_suite(hkdf)
-add_test_suite(hmac_drbg hmac_drbg.misc)
-add_test_suite(hmac_drbg hmac_drbg.no_reseed)
-add_test_suite(hmac_drbg hmac_drbg.nopr)
-add_test_suite(hmac_drbg hmac_drbg.pr)
-add_test_suite(md)
-add_test_suite(mdx)
-add_test_suite(memory_buffer_alloc)
-add_test_suite(mpi)
-add_test_suite(nist_kw)
-add_test_suite(oid)
-add_test_suite(pem)
-add_test_suite(pkcs1_v15)
-add_test_suite(pkcs1_v21)
-add_test_suite(pkcs5)
-add_test_suite(pk)
-add_test_suite(pkparse)
-add_test_suite(pkwrite)
-add_test_suite(poly1305)
-add_test_suite(shax)
 add_test_suite(ssl)
-add_test_suite(timing)
-add_test_suite(rsa)
 add_test_suite(version)
-add_test_suite(xtea)
 add_test_suite(x509parse)
 add_test_suite(x509write)
 
diff --git a/tests/Makefile b/tests/Makefile
index 598bed6..f5cc409 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -66,6 +66,53 @@
 # constructed by stripping path 'suites/' and extension .data.
 APPS = $(basename $(subst suites/,,$(wildcard suites/test_suite_*.data)))
 
+ifdef USE_CRYPTO_SUBMODULE
+APPS := $(filter-out \
+		test_suite_aes.% \
+		test_suite_arc4 \
+		test_suite_aria \
+		test_suite_asn1write \
+		test_suite_base64 \
+		test_suite_blowfish \
+		test_suite_camellia \
+		test_suite_ccm \
+		test_suite_chacha20 \
+		test_suite_chachapoly \
+		test_suite_cipher.% \
+		test_suite_cmac \
+		test_suite_ctr_drbg \
+		test_suite_des \
+		test_suite_dhm \
+		test_suite_ecdh \
+		test_suite_ecdsa \
+		test_suite_ecjpake \
+		test_suite_ecp \
+		test_suite_entropy \
+		test_suite_error \
+		test_suite_gcm.% \
+		test_suite_hkdf \
+		test_suite_hmac_drbg.% \
+		test_suite_md \
+		test_suite_mdx \
+		test_suite_memory_buffer_alloc \
+		test_suite_mpi \
+		test_suite_nist_kw \
+		test_suite_oid \
+		test_suite_pem \
+		test_suite_pk \
+		test_suite_pkcs1_v15 \
+		test_suite_pkcs1_v21 \
+		test_suite_pkcs5 \
+		test_suite_pkparse \
+		test_suite_pkwrite \
+		test_suite_poly1305 \
+		test_suite_rsa \
+		test_suite_shax \
+		test_suite_timing \
+		test_suite_xtea \
+		,$(APPS))
+endif
+
 # Construct executable name by adding OS specific suffix $(EXEXT).
 BINARIES := $(addsuffix $(EXEXT),$(APPS))
 
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 3f5d1d9..301dc52 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -406,6 +406,9 @@
     if [ ! -f "./tests/seedfile" ]; then
         dd if=/dev/urandom of=./tests/seedfile bs=32 count=1
     fi
+    if [ ! -f "./crypto/tests/seedfile" ]; then
+        dd if=/dev/urandom of=./crypto/tests/seedfile bs=32 count=1
+    fi
 }
 
 pre_setup_keep_going () {
diff --git a/tests/suites/test_suite_version.data b/tests/suites/test_suite_version.data
index 7165f36..a4575ab 100644
--- a/tests/suites/test_suite_version.data
+++ b/tests/suites/test_suite_version.data
@@ -1,8 +1,8 @@
 Check compiletime library version
-check_compiletime_version:"0.0.0"
+check_compiletime_version:"2.17.0"
 
 Check runtime library version
-check_runtime_version:"0.0.0"
+check_runtime_version:"2.17.0"
 
 Check for MBEDTLS_VERSION_C
 check_feature:"MBEDTLS_VERSION_C":0