> I guess you are talking about calculating 'hash' two times when > algorithm=md5- > sess. > No, I was in fact talking about the two blocks of xfree statements. Maybe we could somehow unify the blocks.
> > That is indeed unneeded. It should be like: > As far as I see it, the code seems perfect there. The two hash calculations are indeed required and your fix will break the authentication. When algorithm is MD5-sess, the response is calculated as: H( H(user ":" realm ":" password) ":" nonce ":" cnonce ) And when the algorithm is MD5, the response is: H(user ":" realm ":" password) Hence, we calculate H(user ":" realm ":" password) first and then use the same value when calculating the response in case of MD5-sess. I see no wasted cycles in here. -- Thanking You, Darshit Shah