authorAlexander Kavon <me+git@alexkavon.com>2024-01-22 20:05:19 -0500
committerAlexander Kavon <me+git@alexkavon.com>2024-01-22 20:05:19 -0500
commit5e3ae22cc745c4166c2c941047f9b485185cf0ea (patch)
tree8ea5df0d6a10f8c9eca311cebf45cc24f1419748
parentfad7ba17bd9f137914d2ff78d96b92b34b424f2d (diff)
clean-up secret hashing code
-rw-r--r--src/user/secret.go41
1 files changed, 26 insertions, 15 deletions
diff --git a/src/user/secret.go b/src/user/secret.go
index 3163242..5926416 100644
--- a/src/user/secret.go
+++ b/src/user/secret.go
@@ -34,26 +34,14 @@ func hashSecret(secret string) (string, error) {
keyLength: 12,
saltLength: 16,
}
- salt := make([]byte, hc.saltLength)
- _, err := rand.Read(salt)
+
+ salt, err := generateRandomBytes(hc.saltLength)
if err != nil {
return "", err
}
hash := hashArgon2(secret, salt, hc)
- b64Salt := base64.RawStdEncoding.EncodeToString(salt)
- b64Hash := base64.RawStdEncoding.EncodeToString(hash)
- encodedHash := fmt.Sprintf(
- "$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
- argon2.Version,
- hc.memory,
- hc.iterations,
- hc.parallelism,
- b64Salt,
- b64Hash,
- )
-
- return encodedHash, nil
+ return encodeHash(hash, salt, hc), nil
}
func compareSecretToHash(secret, encoded string) error {
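Review bot: `keyLength: 12` in the config literal at the top of this hunk yields a 96-bit Argon2id tag, shorter than the 32-byte output used by the RFC 9106 recommended parameter sets, and the clean-up carries it over unchanged. Consider `keyLength: 32,` once it is confirmed that decodeHash (only partly visible on this page) takes the key length from the stored hash, so that existing records still verify. hashSecret begins above the hunk, so the memory, iteration and parallelism values cannot be checked from here.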
@@ -75,6 +63,15 @@ func compareSecretToHash(secret, encoded string) error {
return nil
}
+func generateRandomBytes(n uint32) ([]byte, error) {
+ b := make([]byte, n)
+ _, err := rand.Read(b)
+ if err != nil {
+ return nil, err
+ }
+ return b, nil
+}
+
func hashArgon2(secret string, salt []byte, hc *hashconf) []byte {
hash := argon2.IDKey(
[]byte(secret),
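Review bot: generateRandomBytes has no doc comment, and because the import block is outside the diff it cannot be confirmed from here that `rand` is crypto/rand rather than math/rand. A salt helper should state that requirement where the next reader will see it, for example `// generateRandomBytes returns n bytes read from crypto/rand; on error no bytes are returned and the caller must not hash.` Returning `nil` instead of the partially filled slice on the error path is the right choice and worth keeping.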
@@ -87,6 +84,20 @@ func hashArgon2(secret string, salt []byte, hc *hashconf) []byte {
return hash
}
+func encodeHash(hash, salt []byte, hc *hashconf) string {
+ b64Salt := base64.RawStdEncoding.EncodeToString(salt)
+ b64Hash := base64.RawStdEncoding.EncodeToString(hash)
+ return fmt.Sprintf(
+ "$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
+ argon2.Version,
+ hc.memory,
+ hc.iterations,
+ hc.parallelism,
+ b64Salt,
+ b64Hash,
+ )
+}
+
func decodeHash(encoded string) (hc *hashconf, salt, decodedhash []byte, err error) {
params := strings.Split(encoded, "$")
// check we have enough params
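Review bot: encodeHash takes its two byte slices as `(hash, salt)`, while the format string writes the salt first and hashArgon2 takes the salt as its second argument. Both parameters are `[]byte`, so a swapped call compiles and would store a record that never verifies. Ordering the signature like the output, `func encodeHash(salt, hash []byte, hc *hashconf) string`, and updating the single call in hashSecret removes that trap. A doc comment would also help: `// encodeHash renders $argon2id$v=..$m=..,t=..,p=..$<salt>$<hash> with salt and hash in unpadded standard base64.` The key length is not part of the string, so decodeHash, whose body continues outside the hunk, presumably has to recover it from the decoded hash.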