From 9387609c7b8444be545b4267264ac0ce3575644d Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Thu, 2 Mar 2017 22:51:49 +1030
Subject: [PATCH] daemon/pseudorand: be more paranoid with isaac64 output.

There's no reason to think that the seed isn't reproducable from the output: we don't want to give away our siphash seed and allow hashbombing, so seed isaac with the SHA of the seed.

Signed-off-by: Rusty Russell
---
 daemon/pseudorand.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/daemon/pseudorand.c b/daemon/pseudorand.c
index b8119ea2f..dc8f6b17b 100644
--- a/daemon/pseudorand.c
+++ b/daemon/pseudorand.c
@@ -1,5 +1,6 @@
 #include "pseudorand.h"
 #include
+#include
 #include
 #include
 #include
@@ -16,11 +17,14 @@ static void init_if_needed(void)
 {
 	if (unlikely(!pseudorand_initted)) {
 		unsigned char seedbuf[16];
+		struct sha256 sha;
 
 		randombytes_buf(seedbuf, sizeof(seedbuf));
-
-		isaac64_init(&isaac64, seedbuf, sizeof(seedbuf));
 		memcpy(&siphashseed, seedbuf, sizeof(siphashseed));
+
+		/* In case isaac is reversible, don't leak seed. */
+		sha256(&sha, seedbuf, sizeof(seedbuf));
+		isaac64_init(&isaac64, sha.u.u8, sizeof(sha.u.u8));
 		pseudorand_initted = true;
 	}
 }
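Review bot: The isaac64 seed is still derived from the same bytes that become siphashseed, so the secrecy of the siphash seed now rests on SHA-256 preimage resistance rather than on an independent draw; since randombytes_buf is already in use two lines above, a separate draw removes the derivation altogether: `unsigned char isaacseed[32]; randombytes_buf(isaacseed, sizeof(isaacseed)); isaac64_init(&isaac64, isaacseed, sizeof(isaacseed));`. If the hashed derivation is kept, the new comment would be clearer about what is being protected: `/* isaac64 output may reveal its seed; hash so it cannot expose siphashseed. */`. The memcpy into siphashseed on the context line just above the added block copies sizeof(siphashseed) bytes out of the 16-byte seedbuf with nothing pinning that it fits; a `_Static_assert(sizeof(siphashseed) <= sizeof(seedbuf), "seedbuf too small");` after the declarations would make that explicit. init_if_needed's signature line sits just outside the hunk (it is only named in the @@ header); the rest of the function is inside it.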