Mbed TLS is now part of TrustedFirmware.org.

Mbed TLS 2.16.3 and 2.7.12 released


Maintenance releases for Mbed TLS 2.16 and Mbed TLS 2.7 are now available.


  • (2.16, 2.7) Fix a missing error detection in ECJPAKE. This could have caused a predictable shared secret if a hardware accelerator failed and the other side of the key exchange had a similar bug.
  • (2.16, 2.7) When writing a private EC key, use a constant size for the private value, as specified in RFC 5915. Previously, the value was written as an ASN.1 INTEGER, which caused the size of the key to leak about 1 bit of information on average and could cause the value to be 1 byte too large for the output buffer.
  • (2.16, 2.7) The deterministic ECDSA calculation reused the scheme's HMAC-DRBG to implement blinding. Because of this for the same key and message the same blinding value was generated. This reduced the effectiveness of the countermeasure and leaked information about the private key through side channels. Reported by Jack Lloyd.

API Changes

  • (2.16, 2.7) The new function mbedtls_ecdsa_sign_det_ext() is similar to mbedtls_ecdsa_sign_det() but allows passing an external RNG for the purpose of blinding.
  • (2.7) The new function mbedtls_ecp_gen_privkey() allows to generate a private key without generating the public part of the pair.


  • (2.16, 2.7) Fix to allow building test suites with any warning that detects unused functions. Fixes #1628.
  • (2.16, 2.7) Fix typo in net_would_block(). Fixes #528 reported by github-monoculture.
  • (2.16, 2.7) Remove redundant include file in timing.c. Fixes #2640 reported by irwir.
  • (2.16, 2.7) Fix Visual Studio Release x64 build configuration by inheriting PlatformToolset from the project configuration. Fixes #1430 reported by irwir.
  • (2.16, 2.7) Enable Suite B with subset of ECP curves. Make sure the code compiles even if some curves are not defined. Fixes #1591 reported by dbedev.
  • (2.16, 2.7) Fix misuse of signed arithmetic in the HAVEGE module. #2598
  • (2.16, 2.7) Update test certificates that were about to expire. Reported by Bernhard M. Wiedemann in #2357.
  • (2.16) Fix the build on ARMv5TE in ARM mode to not use assembly instructions that are only available in Thumb mode. Fix contributed by Aurelien Jarno in #2169.
  • (2.16) Fix propagation of restart contexts in restartable EC operations. This could previously lead to segmentation faults in builds using an address-sanitizer and enabling but not using MBEDTLS_ECP_RESTARTABLE.
  • (2.16, 2.7) Fix memory leak in in mpi_miller_rabin(). Contributed by Jens Wiklander jens.wiklander@linaro.org in #2363.
  • (2.16) Improve code clarity in x509_crt module, removing false-positive uninitialized variable warnings on some recent toolchains (GCC8, etc). Discovered and fixed by Andy Gross (Linaro), #2392.
  • (2.16) Fix bug in endianness conversion in bignum module. This lead to functionally incorrect code on bigendian systems which don't have BYTE_ORDER defined. Reported by Brendan Shanks. Fixes #2622.
  • (2.16) Fix undefined memset(NULL) call in test_suite_nist_kw.
  • (2.16, 2.7) Make NV seed test support MBEDTLS_ENTROPY_FORCE_SHA256.
  • (2.16) Zero length buffer check for undefined behavior in mbedtls_platform_zeroize(). Fixes ARMmbed/mbed-crypto#49.


  • (2.16) Make it easier to define MBEDTLS_PARAM_FAILED as assert (which config.h suggests). #2671
  • (2.16, 2.7) Make make clean clean all programs always. Fixes #1862.

Who should update

We recommend all affected users should update to take advantage of the bug fixes contained in this release at an appropriate point in their development lifecycle.

Download links

Get your copy here:


The hashes for mbedtls-2.16.3-apache.tgz are:

SHA-1: dce8550f8f9465f3aea44cb7d0f9d0ba8140034a
SHA-256: ec1bee6d82090ed6ea2690784ea4b294ab576a65d428da9fe8750f932d2da661

The hashes for mbedtls-2.16.3-gpl.tgz are:

SHA-1: 03220368f76e358986cc00a842ccc824f8407f83
SHA-256: fd01fe4b289116df7781d05e1ef712b6c98823c5334f4a27404f13a8d066ef6a

The hashes for mbedtls-2.7.12-apache.tgz are:

SHA-1: ce1af75d497cc03fe5c8e8e15fbf583d9dfbacd1
SHA-256: d3a36dbc9f607747daa6875c1ab2e41f49eff5fc99d3436b4f3ac90c89f3c143

The hashes for mbedtls-2.7.12-gpl.tgz are:

SHA-1: 957297531379ecbdb0f3fd32c08489db3b88d10e
SHA-256: 4f1782898d92547a55c84e7fcee27b1d857de706598b80e2723962658694bb6a

Like this?




Last updated:
Sep 23, 2019


Want to stay up to date?

To sign up for Mbed TLS news, log in to or create an Mbed account and update your marketing preferences.