## Signature functions now require the hash length to match the expected value

This affects users of the PK API as well as users of the low-level API in the RSA module. Users of the PSA API or of the ECDSA module are unaffected.

All the functions in the RSA module that accept a `hashlen`

parameter used to ignore it unless the `md_alg`

parameter was `MBEDTLS_MD_NONE`

, indicating raw data was signed. The `hashlen`

parameter is now always the size that is read from the `hash`

input buffer. This length must be equal to the output size of the hash algorithm used when signing a hash. (The requirements when signing raw data are unchanged.) This affects the following functions:

`mbedtls_rsa_pkcs1_sign`

, `mbedtls_rsa_pkcs1_verify`

`mbedtls_rsa_rsassa_pkcs1_v15_sign`

, `mbedtls_rsa_rsassa_pkcs1_v15_verify`

`mbedtls_rsa_rsassa_pss_sign`

, `mbedtls_rsa_rsassa_pss_verify`

`mbedtls_rsa_rsassa_pss_sign_ext`

, `mbedtls_rsa_rsassa_pss_verify_ext`

The signature functions in the PK module no longer accept 0 as the `hash_len`

parameter. The `hash_len`

parameter is now always the size that is read from the `hash`

input buffer. This affects the following functions:

`mbedtls_pk_sign`

, `mbedtls_pk_verify`

`mbedtls_pk_sign_restartable`

, `mbedtls_pk_verify_restartable`

`mbedtls_pk_verify_ext`

The migration path is to pass the correct value to those functions.