srp_create_salted_verification_key can return incorrect size #14
Description
We're seeing a symptom where this code:
srp_create_salted_verification_key(algo, group, I, P, strlen(P),
&salt_buf, &salt_len, &ver_buf, &ver_len, 0, 0);
can return 3 or less in salt_len, not the expected 4. Based on how often it happens (1-4 times typical per ~500 tries) we're guessing that it's happening when the top 8 bits of the salt happen to be 0, and the value isn't getting zero-padded to 32 bits properly.
Calling the same function with the same values almost always fixes it, but we worry that we're effectively truncating the salt by doing so, since some values are now not possible, thus an attacker would know not to even try them.
This doesn't happen for the same inputs each time, either, which further indicates that it's the library's internal handling of the random numbers that's at fault here, not our call.