diff --git a/ChangeLog b/ChangeLog
index a46100878..b627d0910 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -74,6 +74,7 @@ Bugfix
     irwir.
   * Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev.
+  * Fix misuse of signed arithmetic in the HAVEGE module. #2598
 
 API Changes
   * Extend the MBEDTLS_SSL_EXPORT_KEYS to export the handshake randbytes,
@@ -82,6 +83,7 @@ API Changes
   * Add DER-encoded test CRTs to library/certs.c, allowing the example programs ssl_server2 and ssl_client2 to be run if MBEDTLS_FS_IO and MBEDTLS_PEM_PARSE_C are unset. Fixes #2254.
+  * The HAVEGE state type now uses uint32_t elements instead of int.
 
 Changes
   * Server's RSA certificate in certs.c was SHA-1 signed. In the default
diff --git a/crypto b/crypto
index 86268e1d3..b6229e304 160000
--- a/crypto
+++ b/crypto
@@ -1 +1 @@
-Subproject commit 86268e1d302355ad8fd8e5ca5f1a7c7af8640678
+Subproject commit b6229e304e69e672dec653700467c696d32d19ae
diff --git a/include/mbedtls/havege.h b/include/mbedtls/havege.h
index 4c1c86087..749257a36 100644
--- a/include/mbedtls/havege.h
+++ b/include/mbedtls/havege.h
@@ -31,6 +31,7 @@
 #endif
 
 #include
+#include
 
 #define MBEDTLS_HAVEGE_COLLECT_SIZE 1024
 
@@ -43,9 +44,9 @@ extern "C" {
  */
 typedef struct mbedtls_havege_state
 {
-    int PT1, PT2, offset[2];
-    int pool[MBEDTLS_HAVEGE_COLLECT_SIZE];
-    int WALK[8192];
+    uint32_t PT1, PT2, offset[2];
+    uint32_t pool[MBEDTLS_HAVEGE_COLLECT_SIZE];
+    uint32_t WALK[8192];
 }
 mbedtls_havege_state;
 
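Review bot: Changing the member types of `mbedtls_havege_state` in the installed header is a visible API change that the struct's own doc comment (its closing ` */` is the first context line of the second havege.h hunk) does not mention, so any application that reads `pool`/`WALK` through an `int *` or compares `PT1`/`PT2`/`offset` as signed now silently gets a signedness mismatch. I would add to that comment a line such as `* \note All members are internal state of the HAVEGE module and are not meant to be accessed by applications.` so that the ChangeLog entry is not the only record. The `+#include` line in the first havege.h hunk presumably pulls in `<stdint.h>` for `uint32_t`, but the header name was lost in this rendering, so confirm it is actually there. The move to unsigned matters because the walk/pointer updates in havege.c (not part of this diff) combine shifts and additions on timer-derived values, where signed overflow is undefined behaviour; I cannot verify from these hunks that every arithmetic site there was updated to match the new element type.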