
Mbed TLS 2.7.0, 2.1.10 and 1.3.22 released



Mbed TLS version 2.7.0 has been released, in addition to maintenance releases of Mbed TLS 2.1 and Mbed TLS 1.3.

Mbed TLS 2.7.0 introduces the ability to provide cryptographic hardware acceleration for many more of the library's functions, as well as addressing several security issues and resolving many defects. Mbed TLS 2.1.10 and 1.3.22 are maintenance releases, and intentionally do not contain new features to avoid changing the library interface and allow users to change library versions easily.

These releases also address multiple security issues, including two significant ones that have been assigned the CVE identifiers CVE-2018-0487 and CVE-2018-0488, and for which security advisories are being provided.

End of life for Mbed TLS 1.3

Mbed TLS 1.3.0 was first shipped on 1st October 2013, and has now reached the end of its life. All users of Mbed TLS 1.3 are advised to upgrade to a later version of Mbed TLS wherever possible and should be aware that no further maintenance releases of Mbed TLS 1.3 are planned.

Users seeking assistance in upgrading to later versions of Mbed TLS are recommended to read the 'Upgrade to 2.0 Knowledgebase article'.


  • (2.7, 2.1, 1.3) Fixed a heap corruption issue in the implementation of the truncated HMAC extension. When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet could be used to selectively corrupt 6 bytes on the peer's heap, which could potentially lead to crash or remote code execution. The issue could be triggered remotely from either side in both TLS and DTLS. CVE-2018-0488

  • (2.7, 2.1, 1.3) Fixed a buffer overflow in RSA-PSS verification when the hash was too large for the key size, which could potentially lead to crash or remote code execution. Found by Seth Terashima, Qualcomm Product Security Initiative, Qualcomm Technologies Inc. CVE-2018-0487

  • (2.7, 2.1, 1.3) Fixed a buffer overflow in RSA-PSS verification when the unmasked data was all zeros.

  • (2.7, 2.1, 1.3) Fixed an unsafe bounds check in ssl_parse_client_psk_identity() when adding 64 KB to the address of the SSL buffer caused a wrap around.

  • (2.7, 2.1) Fixed a potential heap buffer overflow in mbedtls_ssl_write() when the maximum fragment length extension was disabled and application data passed to the function mbedtls_ssl_write() was larger than the internal message buffer.

    The exploitability of this issue depends on whether the application layer can be forced into sending such large packets. The issue was independently reported by Tim Nordell via e-mail and by Florin Petriuc and sjorsdewit. Fix proposed by Florin Petriuc in #1022. Fixes #707.

  • (2.7, 2.1, 1.3) Added a provision to prevent compiler optimizations breaking the time constancy of mbedtls_ssl_safer_memcmp().

  • (2.7, 2.1, 1.3) Added a provision to ensure that more buffers are cleared after use if they contain sensitive data. Changes were introduced in multiple places in the library.

  • (2.7, 2.1, 1.3) Added a provision to set the PEM buffer to zero before freeing it, to avoid decoded private keys being leaked to memory after release.

  • (2.7, 2.1, 1.3) Corrected dhm_check_range() to detect trivial subgroups which were potentially leaking 1 bit of the private key. Reported by prashantkspatil.

  • (2.7, 2.1, 1.3) Made mbedtls_mpi_read_binary() constant-time with respect to the input data. Previously, trailing zero bytes were detected and omitted for the sake of saving memory, but potentially led to slight timing differences. Reported by Marco Macchetti, Kudelski Group.

  • (2.7, 2.1, 1.3) Added provision to wipe the stack buffer temporarily holding the EC private exponent after keypair generation.

  • (2.7, 2.1, 1.3) Fixed a potential heap buffer over-read in the ALPN extension parsing (server-side). This could result in an application crash, but only if an ALPN name larger than 16 bytes had been configured on the server.

  • (2.7, 2.1, 1.3) Changed the default choice of DHE parameters from the ones in RFC 5114 to the ones in RFC 3526, which were transparently generated.
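
The wrap-around behind the ssl_parse_client_psk_identity() bounds-check item above can be shown in a few lines. This is an added example, not Mbed TLS code: the function names and the length-prefixed record layout are hypothetical, and addresses are modelled as integers so that the overflow is well-defined.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Addresses are modelled as uintptr_t so the wrap-around is well-defined
 * unsigned arithmetic; with real pointers, p + n past the object is UB. */

/* Unsafe pattern: add the peer-supplied length to the cursor, then compare.
 * Returns 1 when the check accepts the length. */
static int unsafe_check(uintptr_t p, uintptr_t end, size_t n)
{
    return !(p + n > end);          /* p + n may wrap to a small address */
}

/* Safe pattern: compare the length against the bytes that remain. */
static int safe_check(uintptr_t p, uintptr_t end, size_t n)
{
    return p <= end && n <= (size_t)(end - p);
}

/* Hypothetical parser for "2-byte big-endian length, then that many bytes",
 * using the safe pattern. Returns the field length, or -1 if malformed. */
static int parse_identity(const unsigned char *buf, size_t buf_len,
                          const unsigned char **id)
{
    const unsigned char *p = buf, *end = buf + buf_len;
    size_t n;

    if ((size_t)(end - p) < 2)
        return -1;                  /* no room for the length prefix */
    n = ((size_t)p[0] << 8) | p[1];
    p += 2;
    if (n < 1 || n > (size_t)(end - p))
        return -1;                  /* claimed length exceeds what is left */
    *id = p;
    return (int)n;
}

int main(void)
{
    /* Constructed addresses: a buffer within 64 KB of the top of memory. */
    uintptr_t p = UINTPTR_MAX - 0x1000, end = UINTPTR_MAX - 0x0800;
    const unsigned char msg[] = { 0xFF, 0xFF, 'i', 'd' };  /* claims 65535 bytes */
    const unsigned char *id = NULL;

    printf("unsafe accepts: %d\n", unsafe_check(p, end, 0xFFFF));
    printf("safe accepts:   %d\n", safe_check(p, end, 0xFFFF));
    printf("parser result:  %d\n", parse_identity(msg, sizeof msg, &id));
    return 0;
}
```

The subtraction form never computes an address outside the buffer, so it holds regardless of where the buffer sits in memory.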


  • (2.7) Added support for alternative implementations of the CCM and CMAC modules to enable cryptographic hardware acceleration of them. Submitted by Steven Cooreman, Silicon Labs.

  • (2.7) Added support for alternative implementations of the GCM module, enabled by the configuration flag MBEDTLS_GCM_ALT, to enable cryptographic hardware acceleration of them.

  • (2.7) Added support for alternative implementations of the ECDSA module, controlled by the configuration flags MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and MBEDTLS_ECDSA_GENKEY_ALT in config.h.

    The following functions from the ECDSA module can be replaced with alternative implementations: mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey().

  • (2.7) Added support for alternative implementations of ECDH, controlled by the configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h.

    The following functions from the ECDH module can be replaced with an alternative implementation: mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().

  • (2.7) Added support for alternative implementations of ECJPAKE, controlled by the configuration flag MBEDTLS_ECJPAKE_ALT.

  • (2.7) Added support for alternative implementations of the DHM module.

  • (2.7, 2.1) The selftest program can now execute a subset of the available tests controlled by command line arguments.

  • (2.7, 2.1) Added new unit tests for timing, to improve the self-test to be more robust when executed on a heavily loaded machine.

  • (2.7, 2.1, 1.3) Comments can now be added to the test data files used by the test suites.

API Changes

Mbed TLS 2.7.0 maintains source code compatibility with previous versions of Mbed TLS but there are some changes which make the ABI incompatible with the previous version, Mbed TLS 2.6.0.

  • (2.7) Extended the RSA interface with multiple functions to allow structure-independent setup and export of the RSA contexts. Notably, mbedtls_rsa_import() and mbedtls_rsa_complete() have been introduced for setting up RSA contexts from partial key material and having them completed to the needs of the implementation automatically. This allows setup of private RSA contexts from keys consisting of N, D, E only, even if P, Q are needed for the purpose of CRT and/or blinding.

  • (2.7) The configuration option MBEDTLS_RSA_ALT can be used to define alternative implementations of the RSA interface declared in rsa.h to enable cryptographic accelerators.

  • (2.7) The following functions in the message digest modules (MD2, MD4, MD5, SHA1, SHA256, SHA512) have been deprecated and replaced as follows:

    The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT.

    mbedtls_<MODULE>_starts() is replaced by mbedtls_<MODULE>_starts_ret()
    mbedtls_<MODULE>_update() is replaced by mbedtls_<MODULE>_update_ret()
    mbedtls_<MODULE>_finish() is replaced by mbedtls_<MODULE>_finish_ret()
    mbedtls_<MODULE>_process() is replaced by mbedtls_internal_<MODULE>_process()

New deprecations

  • (2.7) Use of RSA primitives with a non-matching key type has been deprecated (e.g. signing with a public key).

  • (2.7) Direct manipulation of structure fields of the RSA contexts has been deprecated. Users are advised to use the extended RSA API instead.

  • (2.7) Message digest functions that return void have been deprecated, and we now recommend use of their equivalent functions that return an error code. This includes mbedtls_<MODULE>_starts, mbedtls_<MODULE>_update, mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> can be any of md2, md4, md5, sha1, sha256, sha512.

  • (2.7) Use of the DHE parameters from RFC 5114 has been deprecated, and superseded by parameters from RFC 3526 or the newly added parameters from RFC 7919.

  • (2.7) The hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc. have been deprecated and superseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN etc.

  • (2.7) The function mbedtls_ssl_conf_dh_param() for setting the default DHE parameters from hex strings has been deprecated and superseded by the function mbedtls_ssl_conf_dh_param_bin() which accepts the DHM parameters in binary form, matching the constants from the new standards.


  • (2.7, 2.1) Fixed ssl_parse_record_header() to silently discard invalid DTLS records as recommended in RFC 6347 Section

  • (2.7, 2.1, 1.3) Fixed a memory leak in mbedtls_ssl_set_hostname() when called multiple times. Found by projectgus and jethrogb. #836.

  • (2.7, 2.1, 1.3) Fixed the usage help text in the programs/ssl/ssl_server2 example. Found and fixed by Bei Lin.

  • (1.3) Fixed an issue with implicit cast compilation warnings with Microsoft Visual Studio in the net.c and x509.c modules and some sample applications.

  • (2.7, 2.1, 1.3) Fixed an issue with parsing the signature algorithm extension when renegotiating. Previously, renegotiated handshakes would only accept signatures using SHA-1 regardless of the peer's preferences or would alternatively always fail if SHA-1 was disabled.

  • (2.7, 2.1, 1.3) Fixed the leap year calculation in x509_date_is_valid() to ensure that invalid dates on leap years with 100 and 400 intervals are handled correctly. Found by Nicholas Wilson. #694

  • (2.7, 2.1, 1.3) Fixed some invalid RSA-PSS signatures with keys of size 8N+1 that were accepted. Generating these signatures required the private key.

  • (2.7, 2.1, 1.3) Fixed an out-of-memory problem when parsing 4096-bit PKCS8-encrypted RSA keys. Found independently by Florian in the mbed TLS forum and by Mishamax. #878, #1019.

  • (1.3) Added support for building the test suites on Windows. Contributed by Nicholas Wilson.

  • (2.7) Fixed compilation warnings regarding the use of a variable before assignment with the IAR Compiler. Found by gkerrien38.

  • (2.7, 2.1, 1.3) Fixed unchecked return codes from AES, DES and 3DES functions in pem_aes_decrypt(), pem_des_decrypt() and pem_des3_decrypt() respectively. If a call to one of the functions of the cryptographic primitive modules failed, the error may not be noticed by the function mbedtls_pem_read_buffer() causing it to return invalid values. Found by Guido Vranken. #756

  • (2.7, 2.1, 1.3) Added inclusion of the configuration file in md.h, to fix compiler warnings. Reported by aaronmdjones. #1001

  • (2.7, 2.1, 1.3) Corrected extraction of the signature type from the PK instance in X.509 CRT and CSR writing routines that prevented these functions from working with alternative RSA implementations. Raised by J.B. in the Mbed TLS forum. #1011

  • (2.7, 2.1, 1.3) No longer prints the X.509 version tag for v1 certificates, and omits extensions for certificates which are not v3.

  • (2.7, 2.1, 1.3) Fixed issues in the RSA test suites when MBEDTLS_NO_PLATFORM_ENTROPY is configured. #1023 #1024

  • (2.7, 2.1, 1.3) Fixes the internal function net_would_block() to avoid modification of errno through calling fcntl(). Found by nkolban. #845

  • (2.7, 2.1, 1.3) Fixes handling of handshake messages in mbedtls_ssl_read() in case MBEDTLS_SSL_RENEGOTIATION is disabled. Found by erja-gp.

  • (2.7, 2.1, 1.3) Added a check for invalid private parameters in mbedtls_ecdsa_sign(). Reported by Yolan Romailler.

  • (2.7, 2.1, 1.3) Fixes word size check in pk.c to not depend on MBEDTLS_HAVE_INT64.

  • (2.7) Fix incorrect unit in benchmark output. #850

  • (2.7, 2.1) Added size-checks for record and handshake message content, to secure vulnerable code paths.

  • (2.7, 2.1, 1.3) Fixed a potential crash when calling mbedtls_ssl_cache_free() twice. Found by MilenkoMitrovic. #1104

  • (2.7, 2.1, 1.3) Fixed mbedtls_timing_alarm(0) on Unix and MinGW.

  • (2.7, 2.1, 1.3) Fixed use of uninitialized memory in mbedtls_timing_get_timer() when reset=1.

  • (2.7) Fixed potential memory leaks in mbedtls_gcm_self_test().

  • (2.7) Added missing return code checks in mbedtls_aes_self_test().

  • (2.7, 2.1, 1.3) Fixed issues in the RSA key generation program programs/x509/rsa_genkey and the RSA test suite where the failure of CTR DRBG initialization led to freeing an RSA context and several MPIs without proper initialization beforehand.

  • (2.7) Fixed an error message in programs/pkey/gen_key.c. Found and fixed by Chris Xue.

  • (2.7) Fixed the example programs/pkey/dh_server.c to ensure it works fully with dh_client.c. Found and fixed by Martijn de Milliano.

  • (2.7, 2.1, 1.3) Fixed an issue in the cipher decryption with the mode MBEDTLS_PADDING_ONE_AND_ZEROS that sometimes accepted invalid padding. Note, this padding mode is not used by the TLS protocol. Found and fixed by Micha Kraus.

  • (2.7) Fixed the entropy.c module to not call mbedtls_sha256_starts() or mbedtls_sha512_starts() during mbedtls_entropy_init() function.

  • (2.7) Fixed the entropy.c module to ensure that mbedtls_sha256_init() or mbedtls_sha512_init() is called before operating on the relevant context structure. Do not assume that zeroizing a context is a correct way to reset it. Found independently by ccli8.

  • (2.7) In mbedtls_entropy_free(), properly free the message digest context.

  • (1.3) Fix typo in ssl.h leading to a too small value of MBEDTLS_SSL_MAC_ADD in case CBC is disabled but ARC4 is enabled.


  • (2.7, 2.1, 1.3) Extended the cert_write example program with options to set the certificate version and the message digest, and to allow enabling/disabling of the authority identifier, subject identifier and basic constraints extensions.

  • (2.7) Only check for necessary RSA structure fields in mbedtls_rsa_private. In particular, don't require P or Q if neither CRT nor blinding are used. Reported and fix proposed independently by satur9nine and sliai.

  • (2.7) Only execute AES-192 self-test if AES-192 is available. #963

  • (2.7) Tighten the RSA PKCS#1 v1.5 signature verification code and remove the undeclared dependency of the RSA module on the ASN.1 module.

  • (2.7) Updated all internal usage of deprecated message digest functions to the new ones with return codes. In particular, this modifies the mbedtls_md_info_t structure. Propagate errors from these functions everywhere except some locations in the ssl_tls.c module.

  • (2.7) Improve CTR_DRBG error handling by propagating underlying AES errors.

  • (2.7) Add MBEDTLS_ERR_XXX_HW_ACCEL_FAILED error codes for all cryptography modules where the software implementation can be replaced by a hardware implementation.

  • (2.7, 2.1, 1.3) Added explicit warnings for the use of MD2, MD4, MD5, SHA-1, DES and ARC4 in documentation within the library.

  • (1.3) Improved makefiles on Windows: don't run find, and call perl explicitly.

Who should update

All users affected by one of the issues should update.

Users of Mbed TLS 1.3 or any earlier version are recommended to upgrade to one of the maintained releases as Mbed TLS 1.3 has now reached its end-of-life.

Download links

Get your copy here:


The hashes for mbedtls-2.7.0-apache.tgz are:

SHA-1: 01ffebf679c8696cc941c41224fa73d8944d2c85
SHA-256: aeb66d6cd43aa1c79c145d15845c655627a7fc30d624148aaafbb6c36d7f55ef

The hashes for mbedtls-2.7.0-gpl.tgz are:

SHA-1: 6c8e62985c5a73318d391e1327830b3ff85f87a0
SHA-256: 2c6fe289b4b50bf67b4839e81b07fcf52a19f5129d0241d2aa4d49cb1ef11e4f

The hashes for mbedtls-2.1.10-apache.tgz are:

SHA-1: f11cfe5ba68cfa22f464e255e46b4701f640e395
SHA-256: 98c2e45a1a9e74317cceacf95857a9dab248f5dbc212a130d38403b10bd387f0

The hashes for mbedtls-2.1.10-gpl.tgz are:

SHA-1: b968ce5510186427bd0412d7fb596d89a708b1f5
SHA-256: f9bad02c31bc0c2848e109d0d95a40fafff45c53a3cee8665103decc93c6981e

The hashes for mbedtls-1.3.22-gpl.tgz are:

SHA-1: 52702f9a559fcbb2d249f59f8599e35682bda54a
SHA-256: ded041aa4acf9a3e4d0c85bf334b0860135da996e75afdcc3abf22f403d14457





Last updated:
Feb 6, 2018

