From c338cef74b3876e38a2c4e2db9187bcb9e87ef39 Mon Sep 17 00:00:00 2001
From: Steven Cooreman <steven.cooreman@silabs.com>
Date: Mon, 26 Apr 2021 11:24:44 +0200
Subject: [PATCH] Add notes to the documentation about CMAC_ALT algorithm
 support

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
---
 include/mbedtls/cmac.h   | 11 +++++++++++
 include/mbedtls/config.h |  5 +++++
 2 files changed, 16 insertions(+)

diff --git a/include/mbedtls/cmac.h b/include/mbedtls/cmac.h
index b67305ce50..00aeaa8c3c 100644
--- a/include/mbedtls/cmac.h
+++ b/include/mbedtls/cmac.h
@@ -77,6 +77,12 @@ struct mbedtls_cmac_context_t
  *                      the input data.
  *                      Must be called with an initialized cipher context.
  *
+ * \note                When the CMAC implementation is supplied by an alternate
+ *                      implementation (through #MBEDTLS_CMAC_ALT), some ciphers
+ *                      may not be supported by that implementation, and thus
+ *                      return an error. Alternate implementations must support
+ *                      AES-128 and AES-256, and may support AES-192 and 3DES.
+ *
  * \param ctx           The cipher context used for the CMAC operation, initialized
  *                      as one of the following types: MBEDTLS_CIPHER_AES_128_ECB,
  *                      MBEDTLS_CIPHER_AES_192_ECB, MBEDTLS_CIPHER_AES_256_ECB,
@@ -154,6 +160,11 @@ int mbedtls_cipher_cmac_reset( mbedtls_cipher_context_t *ctx );
  *                      The CMAC result is calculated as
  *                      output = generic CMAC(cmac key, input buffer).
  *
+ * \note                When the CMAC implementation is supplied by an alternate
+ *                      implementation (through #MBEDTLS_CMAC_ALT), some ciphers
+ *                      may not be supported by that implementation, and thus
+ *                      return an error. Alternate implementations must support
+ *                      AES-128 and AES-256, and may support AES-192 and 3DES.
  *
  * \param cipher_info   The cipher information.
  * \param key           The CMAC key.
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index c3132a5e12..fc35427d1f 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -2615,6 +2615,11 @@
  * Enable the CMAC (Cipher-based Message Authentication Code) mode for block
  * ciphers.
  *
+ * \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying
+ *       implementation of the CMAC algorithm is provided by an alternate
+ *       implementation, that alternate implementation may opt to not support
+ *       AES-192 or 3DES as underlying block ciphers for the CMAC operation.
+ *
  * Module:  library/cmac.c
  *
  * Requires: MBEDTLS_AES_C or MBEDTLS_DES_C