Allow compile-time alternate to mbedtls_zeroize()

Add a new macro MBEDTLS_UTILS_ZEROIZE that allows users to configure
mbedtls_zeroize() to an alternative definition when defined. If the
macro is not defined, then mbed TLS will use the default definition of
the function.

include/mbedtls/config.h

@@ -2852,6 +2852,14 @@
  */
 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 
+/**
+ * \def MBEDTLS_UTILS_ZEROIZE_ALT
+ *
+ * Uncomment the macro to let mbed TLS use your alternate implementation of
+ * mbedtls_zeroize().
+ */
+//#define MBEDTLS_UTILS_ZEROIZE_ALT
+
 /* \} name SECTION: Customisation configuration options */
 
 /* Target and application specific configurations */

library/utils.c

@@ -19,10 +19,17 @@
  *  This file is part of mbed TLS (https://tls.mbed.org)
  */
 
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
 #include "mbedtls/utils.h"
 
 #include <stddef.h>
 
+#if !defined(MBEDTLS_UTILS_ZEROIZE_ALT)
 /* This implementation should never be optimized out by the compiler */
 void mbedtls_zeroize( void *buf, size_t len )
 {
@@ -31,3 +38,4 @@ void mbedtls_zeroize( void *buf, size_t len )
     while( len-- )
         *p++ = 0;
 }
+#endif /* MBEDTLS_UTILS_ZEROIZE_ALT */