From a16c65f3c4c93e24eda9cf7f14d5da4062c6ca10 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 20 Dec 2022 11:53:37 +0100
Subject: sha256: add helper than hashes a buffer *and* its size

We use this pattern all the time in order to thward extension attacks,
add a helper to make it shorter.
---
 src/random-seed/random-seed.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

(limited to 'src/random-seed')

diff --git a/src/random-seed/random-seed.c b/src/random-seed/random-seed.c
index 90890e33f2..a50fdc12ae 100644
--- a/src/random-seed/random-seed.c
+++ b/src/random-seed/random-seed.c
@@ -194,8 +194,7 @@ static int load_seed_file(
                         return log_oom();
 
                 sha256_init_ctx(hash_state);
-                sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from new seed. */
-                sha256_process_bytes(buf, k, hash_state);
+                sha256_process_bytes_and_size(buf, k, hash_state); /* Hash with length to distinguish from new seed. */
 
                 *ret_hash_state = hash_state;
         }
@@ -288,8 +287,7 @@ static int save_seed_file(
         if (hash_state) {
                 uint8_t hash[SHA256_DIGEST_SIZE];
 
-                sha256_process_bytes(&k, sizeof(k), hash_state); /* Hash length to distinguish from old seed. */
-                sha256_process_bytes(buf, k, hash_state);
+                sha256_process_bytes_and_size(buf, k, hash_state); /* Hash with length to distinguish from old seed. */
                 sha256_finish_ctx(hash_state, hash);
                 l = MIN((size_t)k, sizeof(hash));
                 memcpy((uint8_t *)buf + k - l, hash, l);
@@ -370,8 +368,7 @@ static int refresh_boot_seed(void) {
 
         /* Hash the old seed in so that we never regress in entropy. */
         sha256_init_ctx(&hash_state);
-        sha256_process_bytes(&n, sizeof(n), &hash_state);
-        sha256_process_bytes(seed_file_bytes, n, &hash_state);
+        sha256_process_bytes_and_size(seed_file_bytes, n, &hash_state);
 
         /* We're doing this opportunistically, so if the seeding dance before didn't manage to initialize the
          * RNG, there's no point in doing it here. Secondly, getrandom(GRND_NONBLOCK) has been around longer
@@ -392,8 +389,7 @@ static int refresh_boot_seed(void) {
         assert(n == sizeof(buffer));
 
         /* Hash the new seed into the state containing the old one to generate our final seed. */
-        sha256_process_bytes(&n, sizeof(n), &hash_state);
-        sha256_process_bytes(buffer, n, &hash_state);
+        sha256_process_bytes_and_size(buffer, n, &hash_state);
         sha256_finish_ctx(&hash_state, buffer);
 
         if (lseek(seed_fd, 0, SEEK_SET) < 0)
-- 
cgit v1.2.1