From a4d20bd3879c206fe9f6b55d86bc640b25bf3a09 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 29 Jun 2018 23:35:02 +0200
Subject: [PATCH] For RSA PSS, document that salt length = hash length

This is the most common mode and the only mode that Mbed TLS functions
fully supports (mbedtls_rsa_rsassa_pss_verify_ext can verify
signatures with a different salt length).
---
 include/psa/crypto.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 2477e58a5..ea209852a 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -807,7 +807,8 @@ typedef uint32_t psa_algorithm_t;
  *
  * This is the signature scheme defined by RFC 8017
  * (PKCS#1: RSA Cryptography Specifications) under the name
- * RSASSA-PSS, with the message generation function MGF1. The specified
+ * RSASSA-PSS, with the message generation function MGF1, and with
+ * a salt length equal to the length of the hash. The specified
  * hash algorithm is used to hash the input message, to create the
  * salted hash, and for the mask generation.
  *