Fix discussion of RSA-PSS salt length
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/docs/architecture/psa-migration/psa-limitations.md b/docs/architecture/psa-migration/psa-limitations.md
index 01fd188..53dd4a8 100644
--- a/docs/architecture/psa-migration/psa-limitations.md
+++ b/docs/architecture/psa-migration/psa-limitations.md
@@ -118,11 +118,15 @@
- PSA:
- algorithm specification:
- hash alg used for message hashing, encoding and MGF1
- - salt length can be either "standard" (== hashlen) or "any"
+ - salt length can be either "standard" (<= hashlen, see note) or "any"
- signature generation:
- - salt length: always using the maximum legal value and random salt
+ - salt length: always <= hashlen (see note) and random salt
- verification:
- - salt length: either == hashlen, or any depending on algorithm
+ - salt length: either <= hashlen (see note), or any depending on algorithm
+
+Note: above, "<= hashlen" means that hashlen is used if possible, but if it
+doesn't fit because the key is too short, then the maximum lenght that fits is
+used.
The RSA/PK API is in principle more flexible than the PSA Crypto API. The
following sub-sections study whether and how this matters in practice.
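Review bot: on the verification line, "either <= hashlen (see note)" can be read as the verifier accepting any salt length up to hashlen, whereas the added note defines "<= hashlen" as one specific value: hashlen, or the largest length that fits when the key is too short. Consider rewording the note to say it denotes a single expected salt length on all three lines, and spelling out the limit behind "doesn't fit" (PSS encoding needs the encoded message length to be at least hashlen + saltlen + 2). Also, "lenght" in the note should be "length".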
@@ -158,7 +162,7 @@
It is unclear what parameters people use in practice. It looks like by default
OpenSSL picks saltlen = keylen - hashlen - 2 (tested with openssl 1.1.1f).
The `certool` command provided by GnuTLS seems to be picking saltlen = hashlen
-by default (tested with GnuTLS 3.6.13). FIPS 186-4 recommends saltlen >=
+by default (tested with GnuTLS 3.6.13). FIPS 186-4 recommends 0 <= saltlen <=
hashlen.
### Use in TLS
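Review bot: with the bound corrected to "0 <= saltlen <= hashlen", the paragraph leaves it implicit that the OpenSSL default quoted two lines above (saltlen = keylen - hashlen - 2) falls outside the FIPS 186-4 range whenever keylen > 2 * hashlen + 2, which is the case that matters for interoperability with the PSA "standard" salt length. A sentence stating that explicitly would make the comparison easier to follow. Minor, in the unchanged context: the GnuTLS tool is named `certtool`, not `certool`.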