For RSA PSS, document that salt length = hash length This is the most common mode and the only mode that Mbed TLS functions fully supports (mbedtls_rsa_rsassa_pss_verify_ext can verify signatures with a different salt length).

commit: a4d20bd3879c206fe9f6b55d86bc640b25bf3a09 [log] [tgz]
author: Gilles Peskine <Gilles.Peskine@arm.com> Fri Jun 29 23:35:02 2018 +0200
committer: itayzafrir <itay.zafrir@arm.com> Wed Sep 12 16:41:12 2018 +0300
tree: 15a5cd02635ecea44d09387815c7cd730a9cde4a
parent: f969b3ac74dcabea70a7a80ee09bf56581c3adbb [diff]
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 2477e58..ea20985 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h

@@ -807,7 +807,8 @@
  *
  * This is the signature scheme defined by RFC 8017
  * (PKCS#1: RSA Cryptography Specifications) under the name
- * RSASSA-PSS, with the message generation function MGF1. The specified
+ * RSASSA-PSS, with the message generation function MGF1, and with
+ * a salt length equal to the length of the hash. The specified
  * hash algorithm is used to hash the input message, to create the
  * salted hash, and for the mask generation.
  *
commit	a4d20bd3879c206fe9f6b55d86bc640b25bf3a09	[log] [tgz]
author	Gilles Peskine <Gilles.Peskine@arm.com>	Fri Jun 29 23:35:02 2018 +0200
committer	itayzafrir <itay.zafrir@arm.com>	Wed Sep 12 16:41:12 2018 +0300
tree	15a5cd02635ecea44d09387815c7cd730a9cde4a
parent	f969b3ac74dcabea70a7a80ee09bf56581c3adbb [diff]