diff --git a/digest.c b/digest.c
index b2064b0e..06dca75b 100644
--- a/digest.c
+++ b/digest.c
@@ -67,15 +67,13 @@ static void buf_append_unq(struct oc_text_buf *buf, const char *str)
 static void buf_append_md5(struct oc_text_buf *buf, void *data, int len)
 {
 	unsigned char md5[16];
-	int i;
 
 	if (openconnect_md5(md5, data, len)) {
 		buf->error = -EIO;
 		return;
 	}
 
-	for (i = 0; i < 16; i++)
-		buf_append(buf, "%02x", md5[i]);
+	buf_append_hex(buf, md5, 16);
 }
 
 int digest_authorization(struct openconnect_info *vpninfo, int proxy,
diff --git a/dtls.c b/dtls.c
index 6f464fa7..df104ed5 100644
--- a/dtls.c
+++ b/dtls.c
@@ -68,17 +68,20 @@
 
 char *openconnect_bin2hex(const char *prefix, const uint8_t *data, unsigned len)
 {
-	char *v;
-	unsigned plen = strlen(prefix);
-	unsigned i;
-
-	v = malloc(len*2+plen+1);
-	if (v) {
-		snprintf(v, plen+1, "%s", prefix);
-		for (i = 0; i < len; i++)
-			sprintf(&v[i*2 + plen], "%02x", data[i]);
+	struct oc_text_buf *buf;
+	char *p = NULL;
+
+	buf = buf_alloc();
+	buf_append(buf, "%s", prefix);
+	buf_append_hex(buf, data, len);
+
+	if (!buf_error(buf)) {
+		p = buf->data;
+		buf->data = NULL;
 	}
-	return v;
+	buf_free(buf);
+
+	return p;
 }
 
 static int connect_dtls_socket(struct openconnect_info *vpninfo)
diff --git a/http.c b/http.c
index 18d7da2b..cde4b404 100644
--- a/http.c
+++ b/http.c
@@ -54,6 +54,15 @@ void buf_append_urlencoded(struct oc_text_buf *buf, char *str)
 	}
 }
 
+void buf_append_hex(struct oc_text_buf *buf, const void *str, unsigned len)
+{
+	const unsigned char *data = str;
+	unsigned i;
+
+	for (i = 0; i < len; i++)
+		buf_append(buf, "%02x", (unsigned)data[i]);
+}
+
 void buf_truncate(struct oc_text_buf *buf)
 {
 	if (!buf)
diff --git a/oath.c b/oath.c
index 1914c3a0..8d772abb 100644
--- a/oath.c
+++ b/oath.c
@@ -489,7 +489,6 @@ static char *regen_hotp_secret(struct openconnect_info *vpninfo)
 {
 	char *new_secret = NULL;
 	struct oc_text_buf *buf;
-	int i;
 
 	switch (vpninfo->hotp_secret_format) {
 	case HOTP_SECRET_BASE32:
@@ -502,9 +501,7 @@ static char *regen_hotp_secret(struct openconnect_info *vpninfo)
 	case HOTP_SECRET_HEX:
 		buf = buf_alloc();
 		buf_append(buf, "0x");
-		for (i=0; i < vpninfo->oath_secret_len; i++)
-			buf_append(buf, "%02x",
-				   (unsigned char)vpninfo->oath_secret[i]);
+		buf_append_hex(buf, vpninfo->oath_secret, vpninfo->oath_secret_len);
 		break;
 
 	case HOTP_SECRET_RAW:
diff --git a/openconnect-internal.h b/openconnect-internal.h
index ae901e01..f68c2d91 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -991,6 +991,7 @@ int buf_ensure_space(struct oc_text_buf *buf, int len);
 void  __attribute__ ((format (printf, 2, 3)))
 	buf_append(struct oc_text_buf *buf, const char *fmt, ...);
 void buf_append_bytes(struct oc_text_buf *buf, const void *bytes, int len);
+void buf_append_hex(struct oc_text_buf *buf, const void *str, unsigned len);
 int buf_append_utf16le(struct oc_text_buf *buf, const char *utf8);
 int get_utf8char(const char **utf8);
 void buf_append_from_utf16le(struct oc_text_buf *buf, const void *utf16);