RSA: Require hashlen to match md_alg when applicable
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md b/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
new file mode 100644
index 0000000..75fadd8
--- /dev/null
+++ b/docs/3.0-migration-guide.d/require-matching-hashlen-rsa.md
@@ -0,0 +1,13 @@
+RSA signature functions now require `hashlen` to match the expected value
+-------------------------------------------------------------------------
+
+This only affects users of the low-level RSA API; users of the high-level PK
+API or of the PSA Crypto API are not affected.
+
+All the functions in the RSA module that accept a `hashlen` parameter used to
+ignore it unless the `md_alg` parameter was `MBEDTLS_MD_NONE`, indicating raw
+data was signed. They now require this parameter's value to be equal to the
+output size of the hash algorithm used when signing a hash. (The requirements
+when signing raw data are unchanged.)
+
+The migration path is to pass the correct value to those functions.