For RSA PSS, document that salt length = hash length
This is the most common mode and the only mode that Mbed TLS functions
fully support (mbedtls_rsa_rsassa_pss_verify_ext can verify
signatures with a different salt length).
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 2477e58..ea20985 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -807,7 +807,8 @@
*
* This is the signature scheme defined by RFC 8017
* (PKCS#1: RSA Cryptography Specifications) under the name
- * RSASSA-PSS, with the message generation function MGF1. The specified
+ * RSASSA-PSS, with the message generation function MGF1, and with
+ * a salt length equal to the length of the hash. The specified
* hash algorithm is used to hash the input message, to create the
* salted hash, and for the mask generation.
*
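Review bot: The sentence added on the `+` lines fixes the salt length for the scheme but does not say whether that binds verification as well as signing. The commit message notes that mbedtls_rsa_rsassa_pss_verify_ext can verify signatures with a different salt length, so the comment should state explicitly whether a verifier under this algorithm must reject a signature whose salt length differs from the hash length. Separately, the rewritten line still reads "message generation function MGF1", while RFC 8017 names MGF1 a mask generation function and the last sentence of this same paragraph says "mask generation"; since the line is being touched anyway, correcting it to "mask generation function MGF1" would make the paragraph consistent.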