diff --git a/programs/Makefile b/programs/Makefile
index 188c2beea..d004e2e06 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -56,34 +56,56 @@ ifdef ZLIB
 LOCAL_LDFLAGS += -lz
 endif
 
-APPS =	aes/aescrypt2$(EXEXT)		aes/crypt_and_hash$(EXEXT)	\
-	hash/hello$(EXEXT)		hash/generic_sum$(EXEXT)	\
-					pkey/dh_client$(EXEXT)		\
-	pkey/dh_genprime$(EXEXT)	pkey/dh_server$(EXEXT)		\
-	pkey/ecdh_curve25519$(EXEXT)					\
-	pkey/ecdsa$(EXEXT)		pkey/gen_key$(EXEXT)		\
-	pkey/key_app$(EXEXT)		pkey/key_app_writer$(EXEXT)	\
-	pkey/mpi_demo$(EXEXT)		pkey/pk_decrypt$(EXEXT)		\
-	pkey/pk_encrypt$(EXEXT)		pkey/pk_sign$(EXEXT)		\
-	pkey/pk_verify$(EXEXT)		pkey/rsa_genkey$(EXEXT)		\
-	pkey/rsa_decrypt$(EXEXT)	pkey/rsa_encrypt$(EXEXT)	\
-	pkey/rsa_sign$(EXEXT)		pkey/rsa_verify$(EXEXT)		\
-	pkey/rsa_sign_pss$(EXEXT)	pkey/rsa_verify_pss$(EXEXT)	\
-	ssl/dtls_client$(EXEXT)		ssl/dtls_server$(EXEXT)		\
-	ssl/ssl_client1$(EXEXT)		ssl/ssl_client2$(EXEXT)		\
-	ssl/ssl_server$(EXEXT)		ssl/ssl_server2$(EXEXT)		\
-	ssl/ssl_fork_server$(EXEXT)	ssl/mini_client$(EXEXT)		\
-	ssl/ssl_mail_client$(EXEXT)	random/gen_entropy$(EXEXT)	\
-	random/gen_random_havege$(EXEXT)				\
-	random/gen_random_ctr_drbg$(EXEXT)				\
-	test/benchmark$(EXEXT)                          		\
-	test/selftest$(EXEXT)		test/udp_proxy$(EXEXT)		\
-	test/zeroize$(EXEXT)						\
-	test/query_compile_time_config$(EXEXT)				\
-	util/pem2der$(EXEXT)		util/strerror$(EXEXT)		\
-	x509/cert_app$(EXEXT)		x509/crl_app$(EXEXT)		\
-	x509/cert_req$(EXEXT)		x509/cert_write$(EXEXT)		\
-	x509/req_app$(EXEXT)
+APPS = \
+	aes/aescrypt2$(EXEXT) \
+	aes/crypt_and_hash$(EXEXT) \
+	hash/hello$(EXEXT) \
+	hash/generic_sum$(EXEXT) \
+	pkey/dh_client$(EXEXT) \
+	pkey/dh_genprime$(EXEXT) \
+	pkey/dh_server$(EXEXT) \
+	pkey/ecdh_curve25519$(EXEXT) \
+	pkey/ecdsa$(EXEXT) \
+	pkey/gen_key$(EXEXT) \
+	pkey/key_app$(EXEXT) \
+	pkey/key_app_writer$(EXEXT) \
+	pkey/mpi_demo$(EXEXT) \
+	pkey/pk_decrypt$(EXEXT) \
+	pkey/pk_encrypt$(EXEXT) \
+	pkey/pk_sign$(EXEXT) \
+	pkey/pk_verify$(EXEXT) \
+	pkey/rsa_genkey$(EXEXT) \
+	pkey/rsa_decrypt$(EXEXT) \
+	pkey/rsa_encrypt$(EXEXT) \
+	pkey/rsa_sign$(EXEXT) \
+	pkey/rsa_verify$(EXEXT) \
+	pkey/rsa_sign_pss$(EXEXT) \
+	pkey/rsa_verify_pss$(EXEXT) \
+	ssl/dtls_client$(EXEXT) \
+	ssl/dtls_server$(EXEXT) \
+	ssl/ssl_client1$(EXEXT) \
+	ssl/ssl_client2$(EXEXT) \
+	ssl/ssl_server$(EXEXT) \
+	ssl/ssl_server2$(EXEXT) \
+	ssl/ssl_fork_server$(EXEXT) \
+	ssl/mini_client$(EXEXT) \
+	ssl/ssl_mail_client$(EXEXT) \
+	random/gen_entropy$(EXEXT) \
+	random/gen_random_havege$(EXEXT) \
+	random/gen_random_ctr_drbg$(EXEXT) \
+	test/benchmark$(EXEXT) \
+	test/selftest$(EXEXT) \
+	test/udp_proxy$(EXEXT) \
+	test/zeroize$(EXEXT) \
+	test/query_compile_time_config$(EXEXT) \
+	util/pem2der$(EXEXT) \
+	util/strerror$(EXEXT) \
+	x509/cert_app$(EXEXT) \
+	x509/crl_app$(EXEXT) \
+	x509/cert_req$(EXEXT) \
+	x509/cert_write$(EXEXT) \
+	x509/req_app$(EXEXT) \
+# End of APPS
 
 ifdef PTHREAD
 APPS +=	ssl/ssl_pthread_server$(EXEXT)
@@ -231,17 +253,17 @@ ssl/ssl_client1$(EXEXT): ssl/ssl_client1.c $(DEP)
 	echo "  CC    ssl/ssl_client1.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_client1.c  $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
-ssl/ssl_client2$(EXEXT): ssl/ssl_client2.c ssl/query_config.c $(DEP)
+ssl/ssl_client2$(EXEXT): ssl/ssl_client2.c test/query_config.c $(DEP)
 	echo "  CC    ssl/ssl_client2.c"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_client2.c ssl/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_client2.c test/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
 ssl/ssl_server$(EXEXT): ssl/ssl_server.c $(DEP)
 	echo "  CC    ssl/ssl_server.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server.c   $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
-ssl/ssl_server2$(EXEXT): ssl/ssl_server2.c ssl/query_config.c $(DEP)
+ssl/ssl_server2$(EXEXT): ssl/ssl_server2.c test/query_config.c $(DEP)
 	echo "  CC    ssl/ssl_server2.c"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server2.c ssl/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) ssl/ssl_server2.c test/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
 ssl/ssl_fork_server$(EXEXT): ssl/ssl_fork_server.c $(DEP)
 	echo "  CC    ssl/ssl_fork_server.c"
@@ -279,9 +301,9 @@ test/zeroize$(EXEXT): test/zeroize.c $(DEP)
 	echo "  CC    test/zeroize.c"
 	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/zeroize.c    $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
-test/query_compile_time_config$(EXEXT): test/query_compile_time_config.c ssl/query_config.c $(DEP)
+test/query_compile_time_config$(EXEXT): test/query_compile_time_config.c test/query_config.c $(DEP)
 	echo "  CC    test/query_compile_time_config.c"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/query_compile_time_config.c ssl/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) test/query_compile_time_config.c test/query_config.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
 util/pem2der$(EXEXT): util/pem2der.c $(DEP)
 	echo "  CC    util/pem2der.c"
diff --git a/programs/aes/CMakeLists.txt b/programs/aes/CMakeLists.txt
index f5a0caabb..6c4c7e10f 100644
--- a/programs/aes/CMakeLists.txt
+++ b/programs/aes/CMakeLists.txt
@@ -1,8 +1,8 @@
 add_executable(aescrypt2 aescrypt2.c)
-target_link_libraries(aescrypt2 mbedtls)
+target_link_libraries(aescrypt2 mbedcrypto)
 
 add_executable(crypt_and_hash crypt_and_hash.c)
-target_link_libraries(crypt_and_hash mbedtls)
+target_link_libraries(crypt_and_hash mbedcrypto)
 
 install(TARGETS aescrypt2 crypt_and_hash
         DESTINATION "bin"
diff --git a/programs/hash/CMakeLists.txt b/programs/hash/CMakeLists.txt
index eda975bb0..3c6cca9d4 100644
--- a/programs/hash/CMakeLists.txt
+++ b/programs/hash/CMakeLists.txt
@@ -1,8 +1,8 @@
 add_executable(hello hello.c)
-target_link_libraries(hello mbedtls)
+target_link_libraries(hello mbedcrypto)
 
 add_executable(generic_sum generic_sum.c)
-target_link_libraries(generic_sum mbedtls)
+target_link_libraries(generic_sum mbedcrypto)
 
 install(TARGETS hello generic_sum
         DESTINATION "bin"
diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt
index 5a37a4212..8456228db 100644
--- a/programs/pkey/CMakeLists.txt
+++ b/programs/pkey/CMakeLists.txt
@@ -2,61 +2,61 @@ add_executable(dh_client dh_client.c)
 target_link_libraries(dh_client mbedtls)
 
 add_executable(dh_genprime dh_genprime.c)
-target_link_libraries(dh_genprime mbedtls)
+target_link_libraries(dh_genprime mbedcrypto)
 
 add_executable(dh_server dh_server.c)
 target_link_libraries(dh_server mbedtls)
 
 add_executable(ecdh_curve25519 ecdh_curve25519.c)
-target_link_libraries(ecdh_curve25519 mbedtls)
+target_link_libraries(ecdh_curve25519 mbedcrypto)
 
 add_executable(ecdsa ecdsa.c)
-target_link_libraries(ecdsa mbedtls)
+target_link_libraries(ecdsa mbedcrypto)
 
 add_executable(gen_key gen_key.c)
-target_link_libraries(gen_key mbedtls)
+target_link_libraries(gen_key mbedcrypto)
 
 add_executable(key_app key_app.c)
-target_link_libraries(key_app mbedtls)
+target_link_libraries(key_app mbedcrypto)
 
 add_executable(key_app_writer key_app_writer.c)
-target_link_libraries(key_app_writer mbedtls)
+target_link_libraries(key_app_writer mbedcrypto)
 
 add_executable(mpi_demo mpi_demo.c)
-target_link_libraries(mpi_demo mbedtls)
+target_link_libraries(mpi_demo mbedcrypto)
 
 add_executable(rsa_genkey rsa_genkey.c)
-target_link_libraries(rsa_genkey mbedtls)
+target_link_libraries(rsa_genkey mbedcrypto)
 
 add_executable(rsa_sign rsa_sign.c)
-target_link_libraries(rsa_sign mbedtls)
+target_link_libraries(rsa_sign mbedcrypto)
 
 add_executable(rsa_verify rsa_verify.c)
-target_link_libraries(rsa_verify mbedtls)
+target_link_libraries(rsa_verify mbedcrypto)
 
 add_executable(rsa_sign_pss rsa_sign_pss.c)
-target_link_libraries(rsa_sign_pss mbedtls)
+target_link_libraries(rsa_sign_pss mbedcrypto)
 
 add_executable(rsa_verify_pss rsa_verify_pss.c)
-target_link_libraries(rsa_verify_pss mbedtls)
+target_link_libraries(rsa_verify_pss mbedcrypto)
 
 add_executable(rsa_encrypt rsa_encrypt.c)
-target_link_libraries(rsa_encrypt mbedtls)
+target_link_libraries(rsa_encrypt mbedcrypto)
 
 add_executable(rsa_decrypt rsa_decrypt.c)
-target_link_libraries(rsa_decrypt mbedtls)
+target_link_libraries(rsa_decrypt mbedcrypto)
 
 add_executable(pk_sign pk_sign.c)
-target_link_libraries(pk_sign mbedtls)
+target_link_libraries(pk_sign mbedcrypto)
 
 add_executable(pk_verify pk_verify.c)
-target_link_libraries(pk_verify mbedtls)
+target_link_libraries(pk_verify mbedcrypto)
 
 add_executable(pk_encrypt pk_encrypt.c)
-target_link_libraries(pk_encrypt mbedtls)
+target_link_libraries(pk_encrypt mbedcrypto)
 
 add_executable(pk_decrypt pk_decrypt.c)
-target_link_libraries(pk_decrypt mbedtls)
+target_link_libraries(pk_decrypt mbedcrypto)
 
 install(TARGETS dh_client dh_genprime dh_server key_app mpi_demo rsa_genkey rsa_sign rsa_verify rsa_encrypt rsa_decrypt pk_encrypt pk_decrypt pk_sign pk_verify gen_key
         DESTINATION "bin"
diff --git a/programs/pkey/key_app.c b/programs/pkey/key_app.c
index 793930991..19dcdfe49 100644
--- a/programs/pkey/key_app.c
+++ b/programs/pkey/key_app.c
@@ -40,7 +40,7 @@
     defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_FS_IO)
 #include "mbedtls/error.h"
 #include "mbedtls/rsa.h"
-#include "mbedtls/x509.h"
+#include "mbedtls/pk.h"
 
 #include <string.h>
 #endif
diff --git a/programs/pkey/rsa_genkey.c b/programs/pkey/rsa_genkey.c
index d556c1902..f2b7b5078 100644
--- a/programs/pkey/rsa_genkey.c
+++ b/programs/pkey/rsa_genkey.c
@@ -42,7 +42,6 @@
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/bignum.h"
-#include "mbedtls/x509.h"
 #include "mbedtls/rsa.h"
 
 #include <stdio.h>
@@ -149,19 +148,6 @@ int main( void )
         mbedtls_printf( " failed\n  ! mbedtls_mpi_write_file returned %d\n\n", ret );
         goto exit;
     }
-/*
-    mbedtls_printf( " ok\n  . Generating the certificate..." );
-
-    x509write_init_raw( &cert );
-    x509write_add_pubkey( &cert, &rsa );
-    x509write_add_subject( &cert, "CN='localhost'" );
-    x509write_add_validity( &cert, "2007-09-06 17:00:32",
-                                   "2010-09-06 17:00:32" );
-    x509write_create_selfsign( &cert, &rsa );
-    x509write_crtfile( &cert, "cert.der", X509_OUTPUT_DER );
-    x509write_crtfile( &cert, "cert.pem", X509_OUTPUT_PEM );
-    x509write_free_raw( &cert );
-*/
     mbedtls_printf( " ok\n\n" );
 
     exit_code = MBEDTLS_EXIT_SUCCESS;
diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c
index 42209e27c..5019f28f5 100644
--- a/programs/pkey/rsa_sign_pss.c
+++ b/programs/pkey/rsa_sign_pss.c
@@ -55,7 +55,7 @@ int main( void )
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/md.h"
 #include "mbedtls/rsa.h"
-#include "mbedtls/x509.h"
+#include "mbedtls/pk.h"
 
 #include <stdio.h>
 #include <string.h>
diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c
index 148cd5110..de28337c8 100644
--- a/programs/pkey/rsa_verify_pss.c
+++ b/programs/pkey/rsa_verify_pss.c
@@ -55,7 +55,6 @@ int main( void )
 #include "mbedtls/pem.h"
 #include "mbedtls/pk.h"
 #include "mbedtls/md.h"
-#include "mbedtls/x509.h"
 
 #include <stdio.h>
 #include <string.h>
diff --git a/programs/random/CMakeLists.txt b/programs/random/CMakeLists.txt
index 30933d88d..630c66e9d 100644
--- a/programs/random/CMakeLists.txt
+++ b/programs/random/CMakeLists.txt
@@ -1,11 +1,11 @@
 add_executable(gen_random_havege gen_random_havege.c)
-target_link_libraries(gen_random_havege mbedtls)
+target_link_libraries(gen_random_havege mbedcrypto)
 
 add_executable(gen_random_ctr_drbg gen_random_ctr_drbg.c)
-target_link_libraries(gen_random_ctr_drbg mbedtls)
+target_link_libraries(gen_random_ctr_drbg mbedcrypto)
 
 add_executable(gen_entropy gen_entropy.c)
-target_link_libraries(gen_entropy mbedtls)
+target_link_libraries(gen_entropy mbedcrypto)
 
 install(TARGETS gen_random_havege gen_random_ctr_drbg gen_entropy
         DESTINATION "bin"
diff --git a/programs/ssl/CMakeLists.txt b/programs/ssl/CMakeLists.txt
index 803920cde..f28a47d87 100644
--- a/programs/ssl/CMakeLists.txt
+++ b/programs/ssl/CMakeLists.txt
@@ -34,14 +34,14 @@ add_executable(ssl_client1 ssl_client1.c)
 target_link_libraries(ssl_client1 ${libs})
 
 add_executable(ssl_client2 ssl_client2.c)
-target_sources(ssl_client2 PUBLIC query_config.c)
+target_sources(ssl_client2 PUBLIC ../test/query_config.c)
 target_link_libraries(ssl_client2 ${libs})
 
 add_executable(ssl_server ssl_server.c)
 target_link_libraries(ssl_server ${libs})
 
 add_executable(ssl_server2 ssl_server2.c)
-target_sources(ssl_server2 PUBLIC query_config.c)
+target_sources(ssl_server2 PUBLIC ../test/query_config.c)
 target_link_libraries(ssl_server2 ${libs})
 
 add_executable(ssl_fork_server ssl_fork_server.c)
diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt
index 282ef58aa..a26c096de 100644
--- a/programs/test/CMakeLists.txt
+++ b/programs/test/CMakeLists.txt
@@ -14,22 +14,22 @@ add_executable(selftest selftest.c)
 target_link_libraries(selftest ${libs})
 
 add_executable(benchmark benchmark.c)
-target_link_libraries(benchmark ${libs})
+target_link_libraries(benchmark mbedcrypto)
 
 if(TEST_CPP)
     add_executable(cpp_dummy_build cpp_dummy_build.cpp)
-    target_link_libraries(cpp_dummy_build ${libs})
+    target_link_libraries(cpp_dummy_build mbedcrypto)
 endif()
 
 add_executable(udp_proxy udp_proxy.c)
 target_link_libraries(udp_proxy ${libs})
 
 add_executable(zeroize zeroize.c)
-target_link_libraries(zeroize ${libs})
+target_link_libraries(zeroize mbedcrypto)
 
 add_executable(query_compile_time_config query_compile_time_config.c)
-target_sources(query_compile_time_config PUBLIC ../ssl/query_config.c)
-target_link_libraries(query_compile_time_config ${libs})
+target_sources(query_compile_time_config PUBLIC query_config.c)
+target_link_libraries(query_compile_time_config mbedcrypto)
 
 install(TARGETS selftest benchmark udp_proxy query_compile_time_config
         DESTINATION "bin"
diff --git a/programs/test/benchmark.c b/programs/test/benchmark.c
index b005c203a..8f89c70c6 100644
--- a/programs/test/benchmark.c
+++ b/programs/test/benchmark.c
@@ -686,12 +686,13 @@ int main( int argc, char *argv[] )
         mbedtls_ctr_drbg_context ctr_drbg;
 
         mbedtls_ctr_drbg_init( &ctr_drbg );
-
         if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
             mbedtls_exit(1);
         TIME_AND_TSC( "CTR_DRBG (NOPR)",
                 mbedtls_ctr_drbg_random( &ctr_drbg, buf, BUFSIZE ) );
+        mbedtls_ctr_drbg_free( &ctr_drbg );
 
+        mbedtls_ctr_drbg_init( &ctr_drbg );
         if( mbedtls_ctr_drbg_seed( &ctr_drbg, myrand, NULL, NULL, 0 ) != 0 )
             mbedtls_exit(1);
         mbedtls_ctr_drbg_set_prediction_resistance( &ctr_drbg, MBEDTLS_CTR_DRBG_PR_ON );
diff --git a/programs/ssl/query_config.c b/programs/test/query_config.c
similarity index 100%
rename from programs/ssl/query_config.c
rename to programs/test/query_config.c
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index 727054ee6..bd28e9a36 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@@ -66,6 +66,8 @@
 #else
 #include <stdio.h>
 #include <stdlib.h>
+#define mbedtls_calloc     calloc
+#define mbedtls_free       free
 #define mbedtls_printf     printf
 #define mbedtls_snprintf   snprintf
 #define mbedtls_exit       exit
@@ -78,6 +80,86 @@
 #endif
 
 
+#if defined MBEDTLS_SELF_TEST
+/* Sanity check for malloc. This is not expected to fail, and is rather
+ * intended to display potentially useful information about the platform,
+ * in particular the behavior of malloc(0). */
+static int calloc_self_test( int verbose )
+{
+    int failures = 0;
+    void *empty1 = mbedtls_calloc( 0, 1 );
+    void *empty2 = mbedtls_calloc( 0, 1 );
+    void *buffer1 = mbedtls_calloc( 1, 1 );
+    void *buffer2 = mbedtls_calloc( 1, 1 );
+    uintptr_t old_buffer1;
+
+    if( empty1 == NULL && empty2 == NULL )
+    {
+        if( verbose )
+            mbedtls_printf( "  CALLOC(0): passed (NULL)\n" );
+    }
+    else if( empty1 == NULL || empty2 == NULL )
+    {
+        if( verbose )
+            mbedtls_printf( "  CALLOC(0): failed (mix of NULL and non-NULL)\n" );
+        ++failures;
+    }
+    else if( empty1 == empty2 )
+    {
+        if( verbose )
+            mbedtls_printf( "  CALLOC(0): passed (same non-null)\n" );
+    }
+    else
+    {
+        if( verbose )
+            mbedtls_printf( "  CALLOC(0): passed (distinct non-null)\n" );
+    }
+
+    if( buffer1 == NULL || buffer2 == NULL )
+    {
+        if( verbose )
+            mbedtls_printf( "  CALLOC(1): failed (NULL)\n" );
+        ++failures;
+    }
+    else if( buffer1 == buffer2 )
+    {
+        if( verbose )
+            mbedtls_printf( "  CALLOC(1): failed (same buffer twice)\n" );
+        ++failures;
+    }
+    else
+    {
+        if( verbose )
+            mbedtls_printf( "  CALLOC(1): passed\n" );
+    }
+
+    old_buffer1 = (uintptr_t) buffer1;
+    mbedtls_free( buffer1 );
+    buffer1 = mbedtls_calloc( 1, 1 );
+    if( buffer1 == NULL )
+    {
+        if( verbose )
+            mbedtls_printf( "  CALLOC(1 again): failed (NULL)\n" );
+        ++failures;
+    }
+    else
+    {
+        if( verbose )
+            mbedtls_printf( "  CALLOC(1 again): passed (%s address)\n",
+                            (uintptr_t) old_buffer1 == (uintptr_t) buffer1 ?
+                            "same" : "different" );
+    }
+
+    if( verbose )
+        mbedtls_printf( "\n" );
+    mbedtls_free( empty1 );
+    mbedtls_free( empty2 );
+    mbedtls_free( buffer1 );
+    mbedtls_free( buffer2 );
+    return( failures );
+}
+#endif /* MBEDTLS_SELF_TEST */
+
 static int test_snprintf( size_t n, const char ref_buf[10], int ref_ret )
 {
     int ret;
@@ -174,6 +256,7 @@ typedef struct
 
 const selftest_t selftests[] =
 {
+    {"calloc", calloc_self_test},
 #if defined(MBEDTLS_MD2_C)
     {"md2", mbedtls_md2_self_test},
 #endif
diff --git a/programs/util/CMakeLists.txt b/programs/util/CMakeLists.txt
index f9b660453..4c3fb0dfa 100644
--- a/programs/util/CMakeLists.txt
+++ b/programs/util/CMakeLists.txt
@@ -1,5 +1,5 @@
 set(libs
-    mbedtls
+    mbedcrypto
 )
 
 add_executable(strerror strerror.c)
diff --git a/programs/x509/CMakeLists.txt b/programs/x509/CMakeLists.txt
index 39b8b5bab..68dec99a0 100644
--- a/programs/x509/CMakeLists.txt
+++ b/programs/x509/CMakeLists.txt
@@ -1,5 +1,5 @@
 set(libs
-    mbedtls
+    mbedx509
 )
 
 if(USE_PKCS11_HELPER_LIBRARY)
@@ -11,7 +11,7 @@ if(ENABLE_ZLIB_SUPPORT)
 endif(ENABLE_ZLIB_SUPPORT)
 
 add_executable(cert_app cert_app.c)
-target_link_libraries(cert_app ${libs})
+target_link_libraries(cert_app ${libs} mbedtls)
 
 add_executable(crl_app crl_app.c)
 target_link_libraries(crl_app ${libs})
diff --git a/scripts/bump_version.sh b/scripts/bump_version.sh
index c39a86a5e..cf875c88d 100755
--- a/scripts/bump_version.sh
+++ b/scripts/bump_version.sh
@@ -132,7 +132,7 @@ done
 [ $VERBOSE ] && echo "Re-generating library/error.c"
 scripts/generate_errors.pl
 
-[ $VERBOSE ] && echo "Re-generating programs/ssl/query_config.c"
+[ $VERBOSE ] && echo "Re-generating programs/test/query_config.c"
 scripts/generate_query_config.pl
 
 [ $VERBOSE ] && echo "Re-generating library/version_features.c"
diff --git a/scripts/generate_query_config.pl b/scripts/generate_query_config.pl
index f15e03a35..d94fdad62 100755
--- a/scripts/generate_query_config.pl
+++ b/scripts/generate_query_config.pl
@@ -21,7 +21,7 @@ use strict;
 my $config_file = "./include/mbedtls/config.h";
 
 my $query_config_format_file = "./scripts/data_files/query_config.fmt";
-my $query_config_file = "./programs/ssl/query_config.c";
+my $query_config_file = "./programs/test/query_config.c";
 
 # Excluded macros from the generated query_config.c. For example, macros that
 # have commas or function-like macros cannot be transformed into strings easily
diff --git a/scripts/generate_visualc_files.pl b/scripts/generate_visualc_files.pl
index 90ab609d7..0342f8f8d 100755
--- a/scripts/generate_visualc_files.pl
+++ b/scripts/generate_visualc_files.pl
@@ -117,7 +117,7 @@ sub gen_app {
     my $srcs = "\n    <ClCompile Include=\"..\\..\\programs\\$path.c\" \/>\r";
     if( $appname eq "ssl_client2" or $appname eq "ssl_server2" or
         $appname eq "query_compile_time_config" ) {
-        $srcs .= "\n    <ClCompile Include=\"..\\..\\programs\\ssl\\query_config.c\" \/>\r";
+        $srcs .= "\n    <ClCompile Include=\"..\\..\\programs\\test\\query_config.c\" \/>\r";
     }
 
     my $content = $template;
diff --git a/tests/configs/config-wrapper-malloc-0-null.h b/tests/configs/config-wrapper-malloc-0-null.h
new file mode 100644
index 000000000..ed74eda63
--- /dev/null
+++ b/tests/configs/config-wrapper-malloc-0-null.h
@@ -0,0 +1,39 @@
+/* config.h wrapper that forces calloc(0) to return NULL.
+ * Used for testing.
+ */
+/*
+ *  Copyright (C) 2019, ARM Limited, All Rights Reserved
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ *
+ *  This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#ifndef MBEDTLS_CONFIG_H
+/* Don't #define MBEDTLS_CONFIG_H, let config.h do it. */
+
+#include "mbedtls/config.h"
+
+#include <stdlib.h>
+static inline void *custom_calloc( size_t nmemb, size_t size )
+{
+    if( nmemb == 0 || size == 0 )
+        return( NULL );
+    return( calloc( nmemb, size ) );
+}
+
+#define MBEDTLS_PLATFORM_MEMORY
+#define MBEDTLS_PLATFORM_STD_CALLOC custom_calloc
+
+#endif /* MBEDTLS_CONFIG_H */
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index cc19ab2bb..2ade64dac 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1183,6 +1183,29 @@ component_test_platform_calloc_macro () {
     make test
 }
 
+component_test_malloc_0_null () {
+    msg "build: malloc(0) returns NULL (ASan+UBSan build)"
+    scripts/config.pl full
+    scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
+    make CC=gcc CFLAGS="'-DMBEDTLS_CONFIG_FILE=\"$PWD/tests/configs/config-wrapper-malloc-0-null.h\"' -O -Werror -Wall -Wextra -fsanitize=address,undefined" LDFLAGS='-fsanitize=address,undefined'
+
+    msg "test: malloc(0) returns NULL (ASan+UBSan build)"
+    make test
+
+    msg "selftest: malloc(0) returns NULL (ASan+UBSan build)"
+    # Just the calloc selftest. "make test" ran the others as part of the
+    # test suites.
+    if_build_succeeded programs/test/selftest calloc
+
+    msg "test ssl-opt.sh: malloc(0) returns NULL (ASan+UBSan build)"
+    # Run a subset of the tests. The choice is a balance between coverage
+    # and time (including time indirectly wasted due to flaky tests).
+    # The current choice is to skip tests whose description includes
+    # "proxy", which is an approximation of skipping tests that use the
+    # UDP proxy, which tend to be slower and flakier.
+    if_build_succeeded tests/ssl-opt.sh -e 'proxy'
+}
+
 component_test_make_shared () {
     msg "build/test: make shared" # ~ 40s
     make SHARED=1 all check
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index 065ea33a2..f41e465c3 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -65,6 +65,6 @@ check()
 }
 
 check scripts/generate_errors.pl library/error.c
-check scripts/generate_query_config.pl programs/ssl/query_config.c
+check scripts/generate_query_config.pl programs/test/query_config.c
 check scripts/generate_features.pl library/version_features.c
 check scripts/generate_visualc_files.pl visualc/VS2010
diff --git a/visualc/VS2010/query_compile_time_config.vcxproj b/visualc/VS2010/query_compile_time_config.vcxproj
index bb2f7ad19..112fea8d0 100644
--- a/visualc/VS2010/query_compile_time_config.vcxproj
+++ b/visualc/VS2010/query_compile_time_config.vcxproj
@@ -20,7 +20,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\..\programs\test\query_compile_time_config.c" />
-    <ClCompile Include="..\..\programs\ssl\query_config.c" />
+    <ClCompile Include="..\..\programs\test\query_config.c" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="mbedTLS.vcxproj">
diff --git a/visualc/VS2010/ssl_client2.vcxproj b/visualc/VS2010/ssl_client2.vcxproj
index dd922c047..f23f9a16b 100644
--- a/visualc/VS2010/ssl_client2.vcxproj
+++ b/visualc/VS2010/ssl_client2.vcxproj
@@ -20,7 +20,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\..\programs\ssl\ssl_client2.c" />
-    <ClCompile Include="..\..\programs\ssl\query_config.c" />
+    <ClCompile Include="..\..\programs\test\query_config.c" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="mbedTLS.vcxproj">
diff --git a/visualc/VS2010/ssl_server2.vcxproj b/visualc/VS2010/ssl_server2.vcxproj
index d4629bd41..df1ee2825 100644
--- a/visualc/VS2010/ssl_server2.vcxproj
+++ b/visualc/VS2010/ssl_server2.vcxproj
@@ -20,7 +20,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="..\..\programs\ssl\ssl_server2.c" />
-    <ClCompile Include="..\..\programs\ssl\query_config.c" />
+    <ClCompile Include="..\..\programs\test\query_config.c" />
   </ItemGroup>
   <ItemGroup>
     <ProjectReference Include="mbedTLS.vcxproj">