random-seed: hash together old seed and new seed before writing out file

If we're consuming an on-disk seed, we usually write out a new one after
consuming it. In that case, we might be at early boot and the randomness
could be rather poor, and the kernel doesn't guarantee that it'll use
the new randomness right away for us. In order to prevent the new
entropy from getting any worse, hash together the old seed and the new
seed, and replace the final bytes of the new seed with the hash output.
This way, entropy strictly increases and never regresses.

Fixes: https://github.com/systemd/systemd/issues/21983


Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>