From b1262a3bdb5ae7e478a04ec44143fbb4d9e9d16c Mon Sep 17 00:00:00 2001
From: Andres Amaya Garcia <andres.amayagarcia@arm.com>
Date: Wed, 25 Oct 2017 09:51:14 +0100
Subject: [PATCH] Allow compile-time alternate to mbedtls_zeroize()

Add a new macro MBEDTLS_UTILS_ZEROIZE that allows users to configure
mbedtls_zeroize() to an alternative definition when defined. If the
macro is not defined, then mbed TLS will use the default definition of
the function.
---
 include/mbedtls/config.h | 8 ++++++++
 library/utils.c          | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index 9585e6922..8c35b86cd 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2852,6 +2852,14 @@
  */
 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 
+/**
+ * \def MBEDTLS_UTILS_ZEROIZE_ALT
+ *
+ * Uncomment the macro to let mbed TLS use your alternate implementation of
+ * mbedtls_zeroize().
+ */
+//#define MBEDTLS_UTILS_ZEROIZE_ALT
+
 /* \} name SECTION: Customisation configuration options */
 
 /* Target and application specific configurations */
diff --git a/library/utils.c b/library/utils.c
index f943cb1c6..3819558f4 100644
--- a/library/utils.c
+++ b/library/utils.c
@@ -19,10 +19,17 @@
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "mbedtls/utils.h"
 
 #include <stddef.h>
 
+#if !defined(MBEDTLS_UTILS_ZEROIZE_ALT)
 /* This implementation should never be optimized out by the compiler */
 void mbedtls_zeroize( void *buf, size_t len )
 {
@@ -31,3 +38,4 @@ void mbedtls_zeroize( void *buf, size_t len )
     while( len-- )
         *p++ = 0;
 }
+#endif /* MBEDTLS_UTILS_ZEROIZE_ALT */