From 5c04d6562755fcfecad9ed6ff8064d8bcf1bb1d2 Mon Sep 17 00:00:00 2001
From: tenox7 <as@tenoware.com>
Date: Sun, 17 Dec 2017 22:41:19 -0800
Subject: md5hash fucntion va support

---
 wfm.c | 48 ++++++++++++++++++++++++++++--------------------
 1 file changed, 28 insertions(+), 20 deletions(-)

diff --git a/wfm.c b/wfm.c
index 07dc0ce..a57f84e 100644
--- a/wfm.c
+++ b/wfm.c
@@ -68,25 +68,40 @@ void upload_status(void) {
 // Generate auth token
 // Used by access_check() to compare tokens and login() to generate token from a web form
 //
-char *md5hash(char *str) {
+char *md5hash(char *str, ...) {
+    va_list ap;
+    char buff[1024]={0};
     md5_state_t state;
     md5_byte_t digest[16]={0};
     char *outstr;
     int i;
 
-    outstr=(char*) malloc((sizeof(digest)*2)+2);
-    memset(outstr, 0, (sizeof(digest)*2)+2);
+    if(str) {
+        va_start(ap, str);
+        vsnprintf(buff, sizeof(buff), str, ap);
+        va_end(ap);
 
-    md5_init(&state);
-    md5_append(&state, (const md5_byte_t *)str, strlen(str));
-    md5_finish(&state, digest);
+        outstr=(char*) malloc((sizeof(digest)*2)+2);
+        memset(outstr, 0, (sizeof(digest)*2)+2);
 
-    for (i = 0; i < sizeof(digest); i++)
-            sprintf(outstr + i * 2, "%02x", digest[i]);
+        md5_init(&state);
+        md5_append(&state, (const md5_byte_t *)buff, strlen(buff));
+        md5_finish(&state, digest);
 
-    return outstr;
+        for (i = 0; i < sizeof(digest); i++)
+                sprintf(outstr + i * 2, "%02x", digest[i]);
+        
+        if(strlen(outstr))
+            return outstr;
+        else
+            return NULL;
+    }
+    else {
+        return NULL;
+    }
 }
 
+
 //
 // WFM Login Procedure
 // Called from WFM main procedure if no sufficient access permission available
@@ -94,17 +109,12 @@ char *md5hash(char *str) {
 void login(void) {
     char username[64]={0};
     char password[64]={0};
-    char userpass[256]={0};
-    char hostuserpass[256]={0};
 
     cgiFormStringNoNewlines("username", username, sizeof(username)); // only used if JavaScript is
     cgiFormStringNoNewlines("password", password, sizeof(password)); // not available in the browser
     
-    if(strlen(username) && strlen(password)) {
-        snprintf(userpass, sizeof(userpass), "%s:%s", username, password);
-        snprintf(hostuserpass, sizeof(hostuserpass), "%s:%s", cgiRemoteAddr, md5hash(userpass));
-        redirect("%s?directory=%s&login=server&token=%s", cgiScriptName, virt_dirname_urlencoded, md5hash(hostuserpass));  // generate MD5 as if it was the client
-    }
+    if(strlen(username) && strlen(password)) 
+        redirect("%s?directory=%s&login=server&token=%s", cgiScriptName, virt_dirname_urlencoded, md5hash("%s:%s", cgiRemoteAddr, md5hash("%s:%s", username, password)));  // generate MD5 as if it was the client
     else
         login_ui(); // display actual login page, which normally generates token in JavaScript
         
@@ -116,10 +126,9 @@ void login(void) {
 //
 void access_check(char *access_string) {
     char ipaddr[32]={0};
-    char user[32]={0};
+    char user[64]={0};
     char pass[64]={0};
     char type[4]={0};
-    char token_cfg[256]={0};
 
     if(sscanf(access_string, "access-ip=%2s:%30s", type, ipaddr)==2) {
 
@@ -134,9 +143,8 @@ void access_check(char *access_string) {
     else if(sscanf(access_string, "access-md5pw=%2[^':']:%30[^':']:%63s", type, user, pass)==3) {
         users_defined=1;
 
-        snprintf(token_cfg, sizeof(token_cfg), "%s:%s", cgiRemoteAddr, pass);
         // perform user auth by comparing user supplied token with system generated token
-        if(strcmp(md5hash(token_cfg), token)==0) {
+        if(strcmp(md5hash("%s:%s", cgiRemoteAddr, pass), token)==0) {
             if(strcmp(type, "ro")==0) 
                 access_level=PERM_RO;
             else if(strcmp(type, "rw")==0) 
-- 
cgit v1.2.3