3

In the paper for Fortuna the authors say that you can use any good digest algorithm (obviously as long as its output is 256 bit) and then they recommend double SHA-256.

Why? What's the benefit? What happens if I use single SHA-256 or RIPEMD-256, for example?


1 Answer

3

Ferguson and Schneier define SHAd-256 in their book Practical Cryptography in Chapter 6.3.1 Length Extensions.

For any hash function SHA-X, where X is 1, 256, 384 or 512 we define SHAd-X as the function that maps m to SHA-X(SHA-X(m)). In particular, SHAd-256 is just the function m ↦ SHA-256(SHA-256(m)).

They clearly defined SHAd-256 to prevent length extension attacks.

I don't know why Ferguson and Schneier also used SHAd-256 when they designed Fortuna, but I assume that they preferred a hash function invulnerable to length extensions over a vulnerable one even if it might not matter for a particular use.

CodesInChaos
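The SHAd-X definition quoted above, written out in code, together with the one place Fortuna actually consumes the digest: the generator reseed step K ← digest(K ‖ s). This is an added example, not code from the question, the answer or the Fortuna paper; the reseed formula, the all-zero initial key and the 256-bit key requirement follow the Fortuna description in Practical Cryptography and are assumptions not stated on this page.

```python
import hashlib

# SHAd-X(m) = SHA-X(SHA-X(m)) for X in 1, 256, 384, 512, exactly as
# Ferguson and Schneier define it: the outer hash runs over the raw inner digest.
_SHA = {1: hashlib.sha1, 256: hashlib.sha256, 384: hashlib.sha384, 512: hashlib.sha512}


def shad(x: int, m: bytes) -> bytes:
    """Return SHAd-X(m) for one of the four SHA variants named in the definition."""
    h = _SHA[x]
    return h(h(m).digest()).digest()


def shad256(m: bytes) -> bytes:
    """Fortuna's recommended digest: SHAd-256 = SHA-256(SHA-256(m))."""
    return shad(256, m)


def single_sha256(m: bytes) -> bytes:
    """Plain SHA-256, the alternative the question asks about."""
    return hashlib.sha256(m).digest()


def fortuna_reseed(key: bytes, seed: bytes, digest=shad256) -> bytes:
    """Generator reseed K <- digest(K || s) with a pluggable 256-bit digest.

    Assumption (from Practical Cryptography, not this page): the new key is the
    256-bit block-cipher key of the generator, so any digest whose output is not
    exactly 256 bits is rejected rather than silently truncated or padded.
    """
    new_key = digest(key + seed)
    if len(new_key) != 32:
        raise ValueError(f"digest output is {len(new_key) * 8} bits, need 256")
    return new_key


if __name__ == "__main__":
    k0 = bytes(32)                       # Fortuna starts with K = 0 (assumption, see above)
    s = b"constructed seed material"     # constructed sample input
    print("SHAd-256 reseed :", fortuna_reseed(k0, s).hex())
    print("SHA-256 reseed  :", fortuna_reseed(k0, s, single_sha256).hex())
    try:
        fortuna_reseed(k0, s, lambda m: shad(512, m))
    except ValueError as e:
        print("rejected        :", e)
```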