Commit
Remove 'unsalted' PSS handling (#294)
Current new() and random() functions cause confusion. There is the default from ASN.1 encoding of RSAPSS parameters (20). There is also another default of (mod_size - 2 - hash_size). And there is a recommendation to use salt_len of hash_size.

Drop old defaults and always use digest output size as the salt_len. Clearly document new default.

* pss: specify salt_len when verifying the message

All RSA PSS standards (e.g. RFC 8017) clearly specify that RSA PSS verification has an explicit salt length parameter (rather than determining it from the message).

Drop our 'automagic' code and pass salt length when verifying the message. Old functions now default to digest output size as a hash length.

* pss: remove possible non-constant time operation in PSS salt handling

The emsa_pss_get_salt() is possibly non-constant-time op. Change it to be a constant-time operation.

---------

Signed-off-by: Dmitry Baryshkov <[email protected]>
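Verification with an explicit salt length, as the commit message describes it, written out as an added Python example that follows EMSA-PSS-ENCODE and EMSA-PSS-VERIFY from RFC 8017 (sections 9.1.1 and 9.1.2). It is not the project's code: SHA-256, the function names and the sample inputs are assumptions made here. Python gives no constant-time guarantee; the block only shows the control flow in which nothing depends on searching the decoded block for the salt.

```python
import hashlib
import hmac

HASH = hashlib.sha256  # assumption: SHA-256 as the PSS digest
H_LEN = HASH().digest_size  # 32 bytes; digest size is the commit's default salt_len


def mgf1(seed: bytes, length: int) -> bytes:
    """MGF1 mask generation function (RFC 8017, appendix B.2.1)."""
    out = b""
    for counter in range(-(-length // H_LEN)):
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def emsa_pss_encode(msg: bytes, em_bits: int, salt: bytes) -> bytes:
    """EMSA-PSS-ENCODE (RFC 8017, 9.1.1) with a caller-supplied salt."""
    em_len = -(-em_bits // 8)
    if em_len < H_LEN + len(salt) + 2:
        raise ValueError("encoding error: modulus too small for this salt")
    h = HASH(bytes(8) + HASH(msg).digest() + salt).digest()
    db = bytes(em_len - len(salt) - H_LEN - 2) + b"\x01" + salt
    masked = bytearray(xor(db, mgf1(h, em_len - H_LEN - 1)))
    masked[0] &= 0xFF >> (8 * em_len - em_bits)  # clear the unused top bits
    return bytes(masked) + h + b"\xbc"


def emsa_pss_verify(msg: bytes, em: bytes, em_bits: int, s_len: int) -> bool:
    """EMSA-PSS-VERIFY (RFC 8017, 9.1.2); s_len is an input, never inferred."""
    em_len = -(-em_bits // 8)
    if len(em) != em_len or em_len < H_LEN + s_len + 2:
        return False
    top_mask = 0xFF >> (8 * em_len - em_bits)
    masked, h = em[: em_len - H_LEN - 1], em[em_len - H_LEN - 1 : -1]
    db = bytearray(xor(masked, mgf1(h, len(masked))))
    db[0] &= top_mask
    # The padding layout is fixed by s_len, so it is compared whole.
    pad = bytes(em_len - H_LEN - s_len - 2) + b"\x01"
    salt = bytes(db[len(pad):])
    h2 = HASH(bytes(8) + HASH(msg).digest() + salt).digest()
    ok = em[-1] == 0xBC and (masked[0] & ~top_mask & 0xFF) == 0
    ok &= hmac.compare_digest(bytes(db[: len(pad)]), pad)
    ok &= hmac.compare_digest(h2, h)
    return bool(ok)
```

For a 2048-bit modulus `em_bits` is 2047, and an encoding made with a 32-byte salt is rejected when the verifier is told `s_len=20`, and the other way round.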