author | DukePyrolator <DukePyrolator@5417fbe8-f217-4b02-8779-1006273d7864> | 2010-01-09 08:49:00 +0000 |
---|---|---|
committer | DukePyrolator <DukePyrolator@5417fbe8-f217-4b02-8779-1006273d7864> | 2010-01-09 08:49:00 +0000 |
commit | 5e62e8f22e94c975159e1800732cb2740c18d50b (patch) | |
tree | f3551b11b8a21f36afa8f5d8b594536e4ccc7b9c /src | |
parent | a4b015b39d0e232121e060466a979277f0f28ce2 (diff) |
changed all password fields to std::string and reworked how the enc modules handle passwords
git-svn-id: http://anope.svn.sourceforge.net/svnroot/anope/trunk@2740 5417fbe8-f217-4b02-8779-1006273d7864
Diffstat (limited to 'src')
-rw-r--r-- | src/core/db_plain.cpp | 12 | ||||
-rw-r--r-- | src/core/enc_md5.c | 80 | ||||
-rw-r--r-- | src/core/enc_none.c | 57 | ||||
-rw-r--r-- | src/core/enc_old.c | 84 | ||||
-rw-r--r-- | src/core/enc_sha1.c | 87 | ||||
-rw-r--r-- | src/core/ns_getpass.c | 12 | ||||
-rw-r--r-- | src/core/ns_ghost.c | 4 | ||||
-rw-r--r-- | src/core/ns_group.c | 2 | ||||
-rw-r--r-- | src/core/ns_identify.c | 2 | ||||
-rw-r--r-- | src/core/ns_recover.c | 4 | ||||
-rw-r--r-- | src/core/ns_register.c | 26 | ||||
-rw-r--r-- | src/core/ns_release.c | 4 | ||||
-rw-r--r-- | src/core/ns_saset.c | 12 | ||||
-rw-r--r-- | src/core/ns_sendpass.c | 10 | ||||
-rw-r--r-- | src/core/ns_set.c | 11 | ||||
-rw-r--r-- | src/encrypt.c | 51 | ||||
-rw-r--r-- | src/nickalias.cpp | 5 | ||||
-rw-r--r-- | src/nickserv.c | 5 | ||||
-rw-r--r-- | src/tools/db-convert.c | 15 |
19 files changed, 200 insertions, 283 deletions
diff --git a/src/core/db_plain.cpp b/src/core/db_plain.cpp index 5cc6ab42b..3d220516c 100644 --- a/src/core/db_plain.cpp +++ b/src/core/db_plain.cpp @@ -388,12 +388,7 @@ static void LoadNickCore(const std::vector<std::string> ¶ms) return; } - size_t tmp = params[1].find(':'); // XXX till we store the hash method internally with the nickcore - const char *pass = params[1].c_str() + tmp + 1; - char passbuf[PASSMAX]; - memset(&passbuf, 0, sizeof(passbuf)); - b64_decode(pass, passbuf, PASSMAX); - strscpy(nc->pass, passbuf, PASSMAX); + nc->pass.assign(params[1]); for (int i = 0; LangInfos[i].LanguageId != -1; ++i) if (params[2] == LangInfos[i].Name) @@ -854,10 +849,7 @@ class DBPlain : public Module } else { - //XXX forced plain till we store hashm in pw - char temppass[5000]; - b64_encode(nc->pass, strlen(nc->pass), temppass, 5000); - db << "NC " << nc->display << " plain:" << temppass << " "; + db << "NC " << nc->display << " " << nc->pass << " "; } for (j = 0; LangInfos[j].LanguageId != -1; ++j) if (nc->language == LangInfos[j].LanguageId) diff --git a/src/core/enc_md5.c b/src/core/enc_md5.c index 989fe693e..5c03e9a6d 100644 --- a/src/core/enc_md5.c +++ b/src/core/enc_md5.c 
@@ -338,87 +338,61 @@ class EMD5 : public Module ModuleManager::Attach(I_OnEncrypt, this); ModuleManager::Attach(I_OnEncryptInPlace, this); - ModuleManager::Attach(I_OnEncryptCheckLen, this); ModuleManager::Attach(I_OnDecrypt, this); ModuleManager::Attach(I_OnCheckPassword, this); - } - EventReturn OnEncrypt(const char *src, int len, char *dest, int size) + EventReturn OnEncrypt(const std::string &src, std::string &dest) { MD5_CTX context; - char tmp[33]; - - if (size < 16) - return EVENT_STOP; - + char digest[PASSMAX]; + std::string buf = "md5:"; + char cpass[1000]; + MD5Init(&context); - MD5Update(&context, (unsigned char *)src, len); - MD5Final((unsigned char *)dest, &context); - - if(debug) - { - memset(tmp,0,33); - binary_to_hex((unsigned char *)dest,tmp,16); - /* Dont log source if we were encrypting in place :) */ - if (memcmp(src, dest, 16) != 0) - { - alog("enc_md5: hashed from [%s] to [%s]",src,tmp); - } else { - alog("enc_md5: hashed password to [%s]",tmp); - } - } - + MD5Update(&context, (unsigned char*)src.c_str(), src.size()); + MD5Final((unsigned char*)digest, &context); + + b64_encode(digest, 16, cpass, 1000); + buf.append(cpass); + if (debug > 1) + alog("debug: (enc_md5) hashed password %s to %s ", src.c_str(), buf.c_str()); + dest.assign(buf); return EVENT_ALLOW; } - - EventReturn OnEncryptInPlace(char *buf, int size) + EventReturn OnEncryptInPlace(std::string &buf) { - return OnEncrypt(buf, strlen(buf), buf, size); + return this->OnEncrypt(buf, buf); } - - EventReturn OnEncryptCheckLen(int passlen, int bufsize) - { - if (bufsize < 16) - { - fatal("enc_md5: md5_check_len(): buffer too small (%d)", bufsize); - return EVENT_STOP; - } - return EVENT_ALLOW; - } - - - EventReturn OnDecrypt(const char *src, char *dest, int size) + EventReturn OnDecrypt(const std::string &hashm, const std::string &src, std::string &dest) { + if (hashm != "md5") + return EVENT_CONTINUE; return EVENT_STOP; } - - EventReturn OnCheckPassword(const char *plaintext, char 
*password) + EventReturn OnCheckPassword(const std::string &hashm, std::string &plaintext, std::string &password) { - char buf[BUFSIZE]; - - if (OnEncrypt(plaintext, strlen(plaintext), buf, sizeof(buf)) == EVENT_STOP) - return EVENT_STOP; - if (memcmp(buf, password, 16) == 0) + if (hashm != "md5") + return EVENT_CONTINUE; + std::string buf; + this->OnEncrypt(plaintext, buf); + if (!password.compare(buf)) { /* if we are NOT the first module in the list, * we want to re-encrypt the pass with the new encryption */ - if (stricmp(Config.EncModuleList.begin()->c_str(), this->name.c_str())) + if (Config.EncModuleList.front().compare(this->name)) { - enc_encrypt(plaintext, strlen(password), password, PASSMAX -1 ); + enc_encrypt(plaintext, password); } return EVENT_ALLOW; } - return EVENT_CONTINUE; + return EVENT_STOP; } }; -/*************************************************************************/ - - MODULE_INIT(EMD5) diff --git a/src/core/enc_none.c b/src/core/enc_none.c index 4ba478789..77b775217 100644 --- a/src/core/enc_none.c +++ b/src/core/enc_none.c 
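Review bot: The `alog` call added to `EMD5::OnEncrypt` writes the cleartext password (`src.c_str()`) to the log whenever `debug > 1`. The removed code at least skipped the source on the in-place path; the new code logs it on every call, so a debug run leaves user passwords in the log file. I would log only the result, `alog("debug: (enc_md5) hashed password to %s", buf.c_str());`. The same pattern is added to `OnEncrypt` in enc_none.c, enc_old.c and enc_sha1.c; in enc_none.c the "hashed" value is only base64 of the password, so that log line is better dropped entirely.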
@@ -20,60 +20,59 @@ class ENone : public Module ModuleManager::Attach(I_OnEncrypt, this); ModuleManager::Attach(I_OnEncryptInPlace, this); - ModuleManager::Attach(I_OnEncryptCheckLen, this); ModuleManager::Attach(I_OnDecrypt, this); ModuleManager::Attach(I_OnCheckPassword, this); } - EventReturn OnEncrypt(const char *src,int len,char *dest,int size) - { - if(size>=len) - { - memset(dest,0,size); - strlcpy(dest,src,len + 1); - return EVENT_ALLOW; - } - return EVENT_STOP; - } - - EventReturn OnEncryptInPlace(char *buf, int size) + EventReturn OnEncrypt(const std::string &src, std::string &dest) { + std::string buf = "plain:"; + char cpass[1000]; + b64_encode(src.c_str(), src.size(), cpass, 1000); + buf.append(cpass); + if (debug > 1) + alog("debug: (enc_none) hashed password from [%s] to [%s]", src.c_str(), buf.c_str()); + dest.assign(buf); return EVENT_ALLOW; } - EventReturn OnEncryptCheckLen(int passlen, int bufsize) + EventReturn OnEncryptInPlace(std::string &buf) { - if(bufsize>=passlen) - { - return EVENT_ALLOW; - } - return EVENT_STOP; + return this->OnEncrypt(buf, buf); } - EventReturn OnDecrypt(const char *src, char *dest, int size) { - memset(dest,0,size); - strlcpy(dest,src,size); + EventReturn OnDecrypt(const std::string &hashm, const std::string &src, std::string &dest) + { + if (hashm != "plain") + return EVENT_CONTINUE; + char cpass[1000]; + size_t pos = src.find(":"); + std::string buf(src.begin()+pos+1, src.end()); + b64_decode(buf.c_str(), static_cast<char *>(cpass), 1000); + dest.assign(cpass); return EVENT_ALLOW; } - EventReturn OnCheckPassword(const char *plaintext, char *password) + EventReturn OnCheckPassword(const std::string &hashm, std::string &plaintext, std::string &password) { - if(strcmp(plaintext,password)==0) + if (hashm != "plain") + return EVENT_CONTINUE; + std::string buf; + this->OnEncrypt(plaintext, buf); + if(!password.compare(buf)) { /* if we are NOT the first module in the list, * we want to re-encrypt the pass with the new 
encryption */ - if (stricmp(Config.EncModuleList.begin()->c_str(), this->name.c_str())) + if (Config.EncModuleList.front().compare(this->name)) { - enc_encrypt(plaintext, strlen(password), password, PASSMAX -1 ); + enc_encrypt(plaintext, password); } return EVENT_ALLOW; } - return EVENT_CONTINUE; + return EVENT_STOP; } }; -/* EOF */ - MODULE_INIT(ENone) diff --git a/src/core/enc_old.c b/src/core/enc_old.c index c4691b60b..00134e681 100644 --- a/src/core/enc_old.c +++ b/src/core/enc_old.c 
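Review bot: In `ENone::OnDecrypt` the stack buffer `cpass` is uninitialised, the result of `b64_decode` is ignored, and `dest.assign(cpass)` then reads up to the first NUL byte. `b64_decode` is not shown here, but the code this commit removes from db_plain.cpp zeroed its buffer before calling it, which suggests it does not terminate its output; if so, a malformed or over-long stored value makes `assign` read stale stack bytes or run past the array. Declaring the buffer as `char cpass[1000] = "";` and passing `sizeof(cpass) - 1` as the limit closes the over-read. The call should also return `EVENT_STOP` when `b64_decode` reports a failure. `OnEncrypt` in the same hunk has the matching problem with `b64_encode` followed by `buf.append(cpass)`.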
@@ -336,96 +336,68 @@ class EOld : public Module ModuleManager::Attach(I_OnEncrypt, this); ModuleManager::Attach(I_OnEncryptInPlace, this); - ModuleManager::Attach(I_OnEncryptCheckLen, this); ModuleManager::Attach(I_OnDecrypt, this); ModuleManager::Attach(I_OnCheckPassword, this); } - - /* Encrypt `src' of length `len' and store the result in `dest'. If the - * resulting string would be longer than `size', return -1 and leave `dest' - * unchanged; else return 0. - */ - EventReturn OnEncrypt(const char *src, int len, char *dest, int size) + EventReturn OnEncrypt(const std::string &src, std::string &dest) { MD5_CTX context; - char digest[33]; - char tmp[33]; + char digest[33], digest2[33]; + char cpass[1000]; int i; - - if (size < 16) - return EVENT_STOP; + std::string buf = "old:"; memset(&context, 0, sizeof(context)); memset(&digest, 0, sizeof(digest)); MD5Init(&context); - MD5Update(&context, (unsigned char *)src, len); + MD5Update(&context, (unsigned char *)src.c_str(), src.size()); MD5Final((unsigned char *)digest, &context); for (i = 0; i < 32; i += 2) - dest[i / 2] = XTOI(digest[i]) << 4 | XTOI(digest[i + 1]); - - if(debug) - { - memset(tmp,0,33); - binary_to_hex((unsigned char *)dest,tmp,16); - alog("enc_old: Converted [%s] to [%s]",src,tmp); - } + digest2[i / 2] = XTOI(digest[i]) << 4 | XTOI(digest[i + 1]); + b64_encode(digest2, 16, cpass, 1000); + buf.append(cpass); + if (debug > 1) + alog("debug: (enc_old) hashed password from [%s] to [%s]", src.c_str(), buf.c_str()); + dest.assign(buf); return EVENT_ALLOW; } - - /* Shortcut for encrypting a null-terminated string in place. 
*/ - EventReturn OnEncryptInPlace(char *buf, int size) + EventReturn OnEncryptInPlace(std::string &buf) { - return OnEncrypt(buf, strlen(buf), buf, size); + return this->OnEncrypt(buf, buf); } - EventReturn OnEncryptCheckLen(int passlen, int bufsize) + EventReturn OnDecrypt(const std::string &hashm, const std::string &src, std::string &dest ) { - if (bufsize < 16) - { - fatal("enc_old: old_check_len(): buffer too small (%d)", bufsize); - return EVENT_STOP; - } - return EVENT_ALLOW; + if (hashm != "old") + return EVENT_CONTINUE; + return EVENT_STOP; } - - /* Compare a plaintext string against an encrypted password. Return 1 if - * they match, 0 if not, and -1 if something went wrong. */ - - EventReturn OnCheckPassword(const char *plaintext, char *password) + EventReturn OnCheckPassword(const std::string &hashm, std::string &plaintext, std::string &password) { - char buf[BUFSIZE]; - - if (OnEncrypt(plaintext, strlen(plaintext), buf, sizeof(buf)) == EVENT_STOP) - return EVENT_STOP; - if (memcmp(buf, password, 16) == 0) + if (hashm != "old") + return EVENT_CONTINUE; + std::string buf; + this->OnEncrypt(plaintext, buf); + if (!password.compare(buf)) { - /* when we are NOT the first module in the list, + /* if we are NOT the first module in the list, * we want to re-encrypt the pass with the new encryption */ - if (stricmp(Config.EncModuleList.begin()->c_str(), this->name.c_str())) + if (Config.EncModuleList.front().compare(this->name)) { - enc_encrypt(plaintext, strlen(password), password, PASSMAX -1 ); + enc_encrypt(plaintext, password); } - return EVENT_ALLOW; + return EVENT_ALLOW; } - return EVENT_CONTINUE; - } - - EventReturn OnDecrypt(const char *src, char *dest, int size) - { - return EVENT_STOP; // 0 + return EVENT_STOP; } - }; -/*************************************************************************/ - - MODULE_INIT(EOld) diff --git a/src/core/enc_sha1.c b/src/core/enc_sha1.c index f3466ddf5..bcf289f0a 100644 --- a/src/core/enc_sha1.c +++ b/src/core/enc_sha1.c 
@@ -174,9 +174,7 @@ void SHA1Final(unsigned char digest[20], SHA1_CTX* context) } /*****************************************************************************/ - - -/*************************************************************************/ +/*****************************************************************************/ /* Module stuff. */ 
@@ -198,84 +196,59 @@ class ESHA1 : public Module } - EventReturn OnEncrypt(const char *src, int len, char *dest, int size) + EventReturn OnEncrypt(const std::string &src, std::string &dest) { SHA1_CTX context; - unsigned char tmp[41]; + char digest[PASSMAX]; + std::string buf = "sha1:"; + char cpass[1000]; - if (size < 20) - return EVENT_STOP; - - memset(dest,0,size); + memset(digest,0,32); SHA1Init(&context); - SHA1Update(&context, (unsigned char *)src, len); - SHA1Final((unsigned char *)dest, &context); - - if(debug) - { - memset(tmp,0,41); - binary_to_hex((unsigned char *)dest,(char *)tmp,20); - /* Dont log source if we were encrypting in place :) */ - if (memcmp(src, dest, 20) != 0) - { - alog("enc_sha1: hashed from [%s] to [%s]",src,tmp); - } else { - alog("enc_sha1: hashed password to [%s]",tmp); - } - } - return EVENT_ALLOW; - } - - - EventReturn OnEncryptInPlace(char *buf, int size) - { - char tmp[41]; - - memset(tmp,0,41); - if(OnEncrypt(buf, strlen(buf), tmp, size)==EVENT_ALLOW) - { - memcpy(buf, tmp, size); - return EVENT_ALLOW; - } - return EVENT_STOP; + SHA1Update(&context, (unsigned char *)src.c_str(), src.size()); + SHA1Final((unsigned char *)digest, &context); + + b64_encode(digest, 20, cpass, 1000); + buf.append(cpass); + if (debug > 1) + alog("debug: (enc_sha1) hashed password from [%s] to [%s] ", src.c_str(), buf.c_str()); + dest.assign(buf); + return EVENT_ALLOW; } - EventReturn OnEncryptCheckLen(int passlen, int bufsize) + EventReturn OnEncryptInPlace(std::string &buf) { - if (bufsize < 20) - { - fatal("enc_sha1: sha1_check_len(): buffer too small (%d)", bufsize); - return EVENT_STOP; - } - return EVENT_ALLOW; + return this->OnEncrypt(buf, buf); } - - EventReturn OnDecrypt(const char *src, char *dest, int size) + EventReturn OnDecrypt(const std::string &hashm, std::string &src, std::string &dest) { - return EVENT_STOP; + if (hashm != "sha1") + return EVENT_CONTINUE; + return EVENT_STOP; } - EventReturn OnCheckPassword(const char *plaintext, 
char *password) + EventReturn OnCheckPassword(const std::string &hashm, std::string &plaintext, std::string &password) { - char buf[BUFSIZE]; - if (OnEncrypt(plaintext, strlen(plaintext), buf, sizeof(buf)) == EVENT_STOP) - return EVENT_STOP; - if (memcmp(buf, password, 20) == 0) + if (hashm != "sha1") + return EVENT_CONTINUE; + std::string buf; + this->OnEncrypt(plaintext, buf); + if (!password.compare(buf)) { /* when we are NOT the first module in the list, * we want to re-encrypt the pass with the new encryption */ - if (stricmp(Config.EncModuleList.begin()->c_str(), this->name.c_str())) + if (Config.EncModuleList.front().compare(this->name)) { - enc_encrypt(plaintext, strlen(password), password, PASSMAX -1 ); + enc_encrypt(plaintext, password); } return EVENT_ALLOW; } - return EVENT_CONTINUE; + return EVENT_STOP; } }; diff --git a/src/core/ns_getpass.c b/src/core/ns_getpass.c index a56b32aba..6c1422d48 100644 --- a/src/core/ns_getpass.c +++ b/src/core/ns_getpass.c @@ -25,7 +25,7 @@ class CommandNSGetPass : public Command CommandReturn Execute(User *u, const std::vector<ci::string> ¶ms) { const char *nick = params[0].c_str(); - char tmp_pass[PASSMAX]; + std::string tmp_pass; NickAlias *na; NickRequest *nr = NULL; @@ -36,7 +36,7 @@ class CommandNSGetPass : public Command alog("%s: %s!%s@%s used GETPASS on %s", Config.s_NickServ, u->nick.c_str(), u->GetIdent().c_str(), u->host, nick); if (Config.WallGetpass) ircdproto->SendGlobops(findbot(Config.s_NickServ), "\2%s\2 used GETPASS on \2%s\2", u->nick.c_str(), nick); - notice_lang(Config.s_NickServ, u, NICK_GETPASS_PASSCODE_IS, nick, nr->passcode); + notice_lang(Config.s_NickServ, u, NICK_GETPASS_PASSCODE_IS, nick, nr->passcode.c_str()); } else notice_lang(Config.s_NickServ, u, NICK_X_NOT_REGISTERED, nick); 
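Review bot: `ESHA1::OnDecrypt` in enc_sha1.c takes `std::string &src`, while the other three modules in this commit take `const std::string &src`. The `Module` base declaration is not part of this diff, but it can match only one of the two forms; the other becomes an unrelated overload that the event dispatch never calls, and nothing flags it at compile time. I would align it with the others: `EventReturn OnDecrypt(const std::string &hashm, const std::string &src, std::string &dest)`. In the same hunk, `memset(digest,0,32);` hard-codes a length for a buffer declared as `char digest[PASSMAX]`; `memset(digest, 0, sizeof(digest));` stays correct if `PASSMAX` changes.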
@@ -47,12 +47,12 @@ class CommandNSGetPass : public Command notice_lang(Config.s_NickServ, u, ACCESS_DENIED); else { - if (enc_decrypt(na->nc->pass, tmp_pass, PASSMAX - 1) == 1) + if (enc_decrypt(na->nc->pass, tmp_pass) == 1) { alog("%s: %s!%s@%s used GETPASS on %s", Config.s_NickServ, u->nick.c_str(), u->GetIdent().c_str(), u->host, nick); if (Config.WallGetpass) ircdproto->SendGlobops(findbot(Config.s_NickServ), "\2%s\2 used GETPASS on \2%s\2", u->nick.c_str(), nick); - notice_lang(Config.s_NickServ, u, NICK_GETPASS_PASSWORD_IS, nick, tmp_pass); + notice_lang(Config.s_NickServ, u, NICK_GETPASS_PASSWORD_IS, nick, tmp_pass.c_str()); } else notice_lang(Config.s_NickServ, u, NICK_GETPASS_UNAVAILABLE); @@ -83,8 +83,8 @@ class NSGetPass : public Module this->AddCommand(NICKSERV, new CommandNSGetPass()); - char tmp_pass[PASSMAX]; - if (!enc_decrypt("tmp", tmp_pass, PASSMAX - 1)) + std::string tmp_pass = "tmp"; + if (!enc_decrypt(tmp_pass, tmp_pass)) throw ModuleException("Incompatible with the encryption module being used"); ModuleManager::Attach(I_OnNickServHelp, this); diff --git a/src/core/ns_ghost.c b/src/core/ns_ghost.c index 152e40d6d..2c2d5b309 100644 --- a/src/core/ns_ghost.c +++ b/src/core/ns_ghost.c @@ -26,7 +26,7 @@ class CommandNSGhost : public Command CommandReturn Execute(User *u, const std::vector<ci::string> ¶ms) { const char *nick = params[0].c_str(); - const char *pass = params.size() > 1 ? params[1].c_str() : NULL; + std::string pass = params.size() > 1 ? params[1].c_str() : NULL; NickAlias *na = findnick(nick); if (!finduser(nick)) @@ -39,7 +39,7 @@ class CommandNSGhost : public Command notice_lang(Config.s_NickServ, u, NICK_X_SUSPENDED, na->nick); else if (!stricmp(nick, u->nick.c_str())) notice_lang(Config.s_NickServ, u, NICK_NO_GHOST_SELF); - else if (pass) + else if (!pass.empty()) { int res = enc_check_password(pass, na->nc->pass); if (res == 1) diff --git a/src/core/ns_group.c b/src/core/ns_group.c index e9ab9f35e..ebd790007 100644 
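Review bot: The load-time probe in the `NSGetPass` constructor, `if (!enc_decrypt(tmp_pass, tmp_pass))`, can never fire. `enc_decrypt` as changed in src/encrypt.c returns only 1 or -1, and for `"tmp"`, which has no `method:` prefix, it returns -1 before any module is consulted, after logging an error. The module therefore loads even when the active encryption module cannot decrypt, and every load writes a spurious error line. A probe that matches the new format would be `std::string enc, out;` followed by `if (enc_encrypt("tmp", enc) < 0 || enc_decrypt(enc, out) != 1)`. The same check is added to the `NSSendPass` constructor in ns_sendpass.c.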
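Review bot: In ns_ghost.c, `std::string pass = params.size() > 1 ? params[1].c_str() : NULL;` constructs a `std::string` from a null pointer whenever the password argument is omitted. That is undefined behaviour; common library implementations throw `std::logic_error` or dereference the null pointer, so a command sent without a password can take the services process down. The `!pass.empty()` test added further down shows an empty string is the intended "no password" value, so the line should read `std::string pass = params.size() > 1 ? params[1].c_str() : "";`, as ns_release.c already does in this commit. ns_recover.c has the identical line and needs the same fix.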
--- a/src/core/ns_group.c +++ b/src/core/ns_group.c @@ -27,7 +27,7 @@ class CommandNSGroup : public Command { NickAlias *na, *target; const char *nick = params[0].c_str(); - const char *pass = params[1].c_str(); + std::string pass = params[1].c_str(); std::list<std::pair<std::string, std::string> >::iterator it; if (Config.NSEmailReg && findrequestnick(u->nick.c_str())) diff --git a/src/core/ns_identify.c b/src/core/ns_identify.c index 937604ad8..376adc718 100644 --- a/src/core/ns_identify.c +++ b/src/core/ns_identify.c @@ -28,7 +28,7 @@ class CommandNSIdentify : public Command CommandReturn Execute(User *u, const std::vector<ci::string> ¶ms) { - const char *pass = params[0].c_str(); + std::string pass = params[0].c_str(); NickAlias *na; NickRequest *nr; int res; diff --git a/src/core/ns_recover.c b/src/core/ns_recover.c index c2b8a15aa..a32b02417 100644 --- a/src/core/ns_recover.c +++ b/src/core/ns_recover.c @@ -26,7 +26,7 @@ class CommandNSRecover : public Command CommandReturn Execute(User *u, const std::vector<ci::string> ¶ms) { const char *nick = params[0].c_str(); - const char *pass = params.size() > 1 ? params[1].c_str() : NULL; + std::string pass = params.size() > 1 ? params[1].c_str() : NULL; NickAlias *na; User *u2; @@ -40,7 +40,7 @@ class CommandNSRecover : public Command notice_lang(Config.s_NickServ, u, NICK_X_SUSPENDED, na->nick); else if (!stricmp(nick, u->nick.c_str())) notice_lang(Config.s_NickServ, u, NICK_NO_RECOVER_SELF); - else if (pass) + else if (!pass.empty()) { int res = enc_check_password(pass, na->nc->pass); diff --git a/src/core/ns_register.c b/src/core/ns_register.c index 5f603219d..c07d2dbd2 100644 --- a/src/core/ns_register.c +++ b/src/core/ns_register.c @@ -31,9 +31,9 @@ class CommandNSConfirm : public Command return MOD_CONT; } - char tmp_pass[PASSMAX]; + std::string tmp_pass; - memcpy(na->nc->pass, nr->password, PASSMAX); + na->nc->pass = nr->password; na->nc->memos.memomax = Config.MSMaxMemos; 
@@ -71,8 +71,8 @@ class CommandNSConfirm : public Command ircdproto->SendAccountLogin(u, u->nc); ircdproto->SetAutoIdentificationToken(u); - if (enc_decrypt(na->nc->pass, tmp_pass, PASSMAX - 1) == 1) - notice_lang(Config.s_NickServ, u, NICK_PASSWORD_IS, tmp_pass); + if (enc_decrypt(na->nc->pass, tmp_pass) == 1) + notice_lang(Config.s_NickServ, u, NICK_PASSWORD_IS, tmp_pass.c_str()); u->lastnickreg = time(NULL); } @@ -97,13 +97,13 @@ class CommandNSConfirm : public Command CommandReturn DoConfirm(User *u, const std::vector<ci::string> ¶ms) { NickRequest *nr = NULL; - const char *passcode = !params.empty() ? params[0].c_str() : NULL; + std::string passcode = !params.empty() ? params[0].c_str() : ""; nr = findrequestnick(u->nick.c_str()); if (Config.NSEmailReg) { - if (!passcode) + if (passcode.empty()) { this->OnSyntaxError(u, ""); return MOD_CONT; @@ -115,7 +115,7 @@ class CommandNSConfirm : public Command { /* If an admin, their nick is obviously already regged, so look at the passcode to get the nick of the user they are trying to validate, and push that user through regardless of passcode */ - nr = findrequestnick(passcode); + nr = findrequestnick(passcode.c_str()); if (nr) { ActuallyConfirmNick(u, nr, true); @@ -127,7 +127,7 @@ class CommandNSConfirm : public Command return MOD_CONT; } - if (stricmp(nr->passcode, passcode)) + if (nr->passcode.compare(passcode)) { notice_lang(Config.s_NickServ, u, NICK_CONFIRM_INVALID); return MOD_CONT; @@ -262,7 +262,7 @@ class CommandNSRegister : public CommandNSConfirm } else if (!stricmp(u->nick.c_str(), pass) || (Config.StrictPasswords && strlen(pass) < 5)) notice_lang(Config.s_NickServ, u, MORE_OBSCURE_PASSWORD); - else if (enc_encrypt_check_len(strlen(pass), PASSMAX - 1)) + else if (strlen(pass) > PASSMAX) notice_lang(Config.s_NickServ, u, PASSWORD_TOO_LONG); else if (email && !MailValidate(email)) notice_lang(Config.s_NickServ, u, MAIL_X_INVALID, email); 
@@ -272,9 +272,9 @@ class CommandNSRegister : public CommandNSConfirm passcode[idx] = chars[1 + static_cast<int>((static_cast<float>(max - min)) * getrandom16() / 65536.0) + min]; passcode[idx] = '\0'; nr = new NickRequest(u->nick); - nr->passcode = sstrdup(passcode); - strscpy(nr->password, pass, PASSMAX); - enc_encrypt_in_place(nr->password, PASSMAX); + nr->passcode = passcode; + nr->password = pass; + enc_encrypt_in_place(nr->password); if (email) nr->email = sstrdup(email); nr->requested = time(NULL); @@ -405,7 +405,7 @@ int do_sendregmail(User *u, NickRequest *nr) fprintf(mail->pipe, "\n\n"); fprintf(mail->pipe, getstring(NICK_REG_MAIL_LINE_1), nr->nick); fprintf(mail->pipe, "\n\n"); - fprintf(mail->pipe, getstring(NICK_REG_MAIL_LINE_2), Config.s_NickServ, nr->passcode); + fprintf(mail->pipe, getstring(NICK_REG_MAIL_LINE_2), Config.s_NickServ, nr->passcode.c_str()); fprintf(mail->pipe, "\n\n"); fprintf(mail->pipe, "%s", getstring(NICK_REG_MAIL_LINE_3)); fprintf(mail->pipe, "\n\n"); diff --git a/src/core/ns_release.c b/src/core/ns_release.c index c5f33cf65..d63e24e15 100644 --- a/src/core/ns_release.c +++ b/src/core/ns_release.c @@ -26,7 +26,7 @@ class CommandNSRelease : public Command CommandReturn Execute(User *u, const std::vector<ci::string> ¶ms) { const char *nick = params[0].c_str(); - const char *pass = params.size() > 1 ? params[1].c_str() : NULL; + std::string pass = params.size() > 1 ? params[1].c_str() : ""; NickAlias *na; if (!(na = findnick(nick))) @@ -37,7 +37,7 @@ class CommandNSRelease : public Command notice_lang(Config.s_NickServ, u, NICK_X_SUSPENDED, na->nick); else if (!(na->HasFlag(NS_KILL_HELD))) notice_lang(Config.s_NickServ, u, NICK_RELEASE_NOT_HELD, nick); - else if (pass) + else if (!pass.empty()) { int res = enc_check_password(pass, na->nc->pass); if (res == 1) diff --git a/src/core/ns_saset.c b/src/core/ns_saset.c index a4207a27b..172e1469f 100644 --- a/src/core/ns_saset.c +++ b/src/core/ns_saset.c 
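Review bot: The result of `enc_encrypt_in_place(nr->password);` in the ns_register.c hunk at -272 is discarded. It returns -1 when no module accepts the call, in which case `nr->password` still holds the cleartext `pass`. The confirm path in this file later copies it into `na->nc->pass`, where it would be stored without a method prefix. ns_set.c and ns_saset.c check the result of `enc_encrypt` and abort; the same is needed here, starting with `if (enc_encrypt_in_place(nr->password) < 0)` and a branch that releases `nr` and reports the failure to the user. The rest of the function lies outside the hunk, so the exact cleanup has to be confirmed against it.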
@@ -55,6 +55,7 @@ private: CommandReturn DoSetPassword(User *u, const std::vector<ci::string> ¶ms, NickCore *nc) { ci::string param = params.size() > 2 ? params[2] : ""; + std::string buf, tmp_pass; if (param.empty()) { @@ -63,7 +64,6 @@ private: } int len = param.size(); - char tmp_pass[PASSMAX]; if (Config.NSSecureAdmins && u->nc != nc && nc->IsServicesOper()) { @@ -75,21 +75,21 @@ private: notice_lang(Config.s_NickServ, u, MORE_OBSCURE_PASSWORD); return MOD_CONT; } - else if (enc_encrypt_check_len(len, PASSMAX - 1)) + else if (len > PASSMAX) { notice_lang(Config.s_NickServ, u, PASSWORD_TOO_LONG); return MOD_CONT; } - - if (enc_encrypt(param.c_str(), len, nc->pass, PASSMAX - 1) < 0) + buf = param.c_str(); /* conversion from ci::string to std::string */ + if (enc_encrypt(buf, nc->pass)) { alog("%s: Failed to encrypt password for %s (set)", Config.s_NickServ, nc->display); notice_lang(Config.s_NickServ, u, NICK_SASET_PASSWORD_FAILED, nc->display); return MOD_CONT; } - if (enc_decrypt(nc->pass, tmp_pass, PASSMAX - 1) == 1) - notice_lang(Config.s_NickServ, u, NICK_SASET_PASSWORD_CHANGED_TO, nc->display, tmp_pass); + if (enc_decrypt(nc->pass, tmp_pass) == 1) + notice_lang(Config.s_NickServ, u, NICK_SASET_PASSWORD_CHANGED_TO, nc->display, tmp_pass.c_str()); else notice_lang(Config.s_NickServ, u, NICK_SASET_PASSWORD_CHANGED, nc->display); diff --git a/src/core/ns_sendpass.c b/src/core/ns_sendpass.c index 1b4e10839..06684e03b 100644 --- a/src/core/ns_sendpass.c +++ b/src/core/ns_sendpass.c @@ -36,8 +36,8 @@ class CommandNSSendPass : public Command else { char buf[BUFSIZE]; - char tmp_pass[PASSMAX]; - if (enc_decrypt(na->nc->pass,tmp_pass,PASSMAX - 1) == 1) + std::string tmp_pass; + if (enc_decrypt(na->nc->pass,tmp_pass) == 1) { MailInfo *mail; 
@@ -50,7 +50,7 @@ class CommandNSSendPass : public Command fprintf(mail->pipe, "\n\n"); fprintf(mail->pipe, getstring(na, NICK_SENDPASS_LINE_1), na->nick); fprintf(mail->pipe, "\n\n"); - fprintf(mail->pipe, getstring(na, NICK_SENDPASS_LINE_2), tmp_pass); + fprintf(mail->pipe, getstring(na, NICK_SENDPASS_LINE_2), tmp_pass.c_str()); fprintf(mail->pipe, "\n\n"); fprintf(mail->pipe, "%s", getstring(na, NICK_SENDPASS_LINE_3)); fprintf(mail->pipe, "\n\n"); @@ -97,8 +97,8 @@ class NSSendPass : public Module if (!Config.UseMail) throw ModuleException("Not using mail, whut."); - char tmp_pass[PASSMAX]; - if (!enc_decrypt("tmp", tmp_pass, PASSMAX - 1)) + std::string tmp_pass = "tmp"; + if (!enc_decrypt(tmp_pass, tmp_pass)) throw ModuleException("Incompatible with the encryption module being used"); ModuleManager::Attach(I_OnNickServHelp, this); diff --git a/src/core/ns_set.c b/src/core/ns_set.c index 0e1051e3e..de8d3eea5 100644 --- a/src/core/ns_set.c +++ b/src/core/ns_set.c @@ -56,6 +56,7 @@ class CommandNSSet : public Command CommandReturn DoSetPassword(User *u, const std::vector<ci::string> ¶ms, NickCore *nc) { ci::string param = params.size() > 1 ? params[1] : ""; + std::string buf, tmp_pass; if (param.empty()) { 
@@ -64,28 +65,28 @@ class CommandNSSet : public Command } int len = param.size(); - char tmp_pass[PASSMAX]; if (nc->display == param || (Config.StrictPasswords && len < 5)) { notice_lang(Config.s_NickServ, u, MORE_OBSCURE_PASSWORD); return MOD_CONT; } - else if (enc_encrypt_check_len(len, PASSMAX - 1)) + else if (len > PASSMAX) { notice_lang(Config.s_NickServ, u, PASSWORD_TOO_LONG); return MOD_CONT; } - if (enc_encrypt(param.c_str(), len, nc->pass, PASSMAX - 1) < 0) + buf = param.c_str(); /* conversion from ci::string to std::string */ + if (enc_encrypt(buf, nc->pass) < 0) { alog("%s: Failed to encrypt password for %s (set)", Config.s_NickServ, nc->display); notice_lang(Config.s_NickServ, u, NICK_SET_PASSWORD_FAILED); return MOD_CONT; } - if (enc_decrypt(nc->pass, tmp_pass, PASSMAX - 1) == 1) - notice_lang(Config.s_NickServ, u, NICK_SET_PASSWORD_CHANGED_TO, tmp_pass); + if (enc_decrypt(nc->pass, tmp_pass) == 1) + notice_lang(Config.s_NickServ, u, NICK_SET_PASSWORD_CHANGED_TO, tmp_pass.c_str()); else notice_lang(Config.s_NickServ, u, NICK_SET_PASSWORD_CHANGED); diff --git a/src/encrypt.c b/src/encrypt.c index 6faac199c..628079297 100644 --- a/src/encrypt.c +++ b/src/encrypt.c @@ -21,10 +21,10 @@ * Encrypt string `src' of length `len', placing the result in buffer * `dest' of size `size'. Returns 0 on success, -1 on error. **/ -int enc_encrypt(const char *src, int len, char *dest, int size) +int enc_encrypt(const std::string &src, std::string &dest) { EventReturn MOD_RESULT; - FOREACH_RESULT(I_OnEncrypt, OnEncrypt(src, len, dest, size)); + FOREACH_RESULT(I_OnEncrypt, OnEncrypt(src, dest)); if (MOD_RESULT == EVENT_ALLOW) return 0; return -1; 
@@ -35,28 +35,10 @@ int enc_encrypt(const char *src, int len, char *dest, int size) * placing the result in the same buffer. Returns 0 on success, -1 on * error. **/ -int enc_encrypt_in_place(char *buf, int size) +int enc_encrypt_in_place(std::string &buf) { EventReturn MOD_RESULT; - FOREACH_RESULT(I_OnEncryptInPlace, OnEncryptInPlace(buf, size)); - if (MOD_RESULT == EVENT_ALLOW) - return 0; - return -1; - -} - -/** - * Check whether the result of encrypting a password of length `passlen' - * will fit in a buffer of size `bufsize'. Returns 0 if the encrypted - * password would fit in the buffer, otherwise returns the maximum length - * password that would fit (this value will be smaller than `passlen'). - * If the result of encrypting even a 1-byte password would exceed the - * specified buffer size, generates a fatal error. - **/ -int enc_encrypt_check_len(int passlen, int bufsize) -{ - EventReturn MOD_RESULT; - FOREACH_RESULT(I_OnEncryptCheckLen, OnEncryptCheckLen(passlen, bufsize)); + FOREACH_RESULT(I_OnEncryptInPlace, OnEncryptInPlace(buf)); if (MOD_RESULT == EVENT_ALLOW) return 0; return -1; @@ -68,10 +50,18 @@ int enc_encrypt_check_len(int passlen, int bufsize) * allow decryption, and -1 if another failure occurred (e.g. destination * buffer too small). **/ -int enc_decrypt(const char *src, char *dest, int size) +int enc_decrypt(std::string &src, std::string &dest) { + size_t pos = src.find(":"); + if (pos == std::string::npos) + { + alog("Error: enc_decrypt() called with invalid password string (%s)", src.c_str()); + return -1; + } + std::string hashm(src.begin(), src.begin()+pos); + EventReturn MOD_RESULT; - FOREACH_RESULT(I_OnDecrypt, OnDecrypt(src, dest, size)); + FOREACH_RESULT(I_OnDecrypt, OnDecrypt(hashm, src, dest)); if (MOD_RESULT == EVENT_ALLOW) return 1; return -1; 
@@ -84,10 +74,19 @@ int enc_decrypt(const char *src, char *dest, int size) * 0 if the password does not match * 0 if an error occurred while checking **/ -int enc_check_password(const char *plaintext, char *password) +int enc_check_password(std::string &plaintext, std::string &password) { + std::string hashm; + size_t pos = password.find(":"); + if (pos == std::string::npos) + { + alog("Error: enc_check_password() called with invalid password string (%s)", password.c_str()); + return 0; + } + hashm.assign(password.begin(), password.begin()+pos); + EventReturn MOD_RESULT; - FOREACH_RESULT(I_OnCheckPassword, OnCheckPassword(plaintext, password)); + FOREACH_RESULT(I_OnCheckPassword, OnCheckPassword(hashm, plaintext, password)); if (MOD_RESULT == EVENT_ALLOW) return 1; return 0; diff --git a/src/nickalias.cpp b/src/nickalias.cpp index 9d4678209..5ab62eafa 100644 --- a/src/nickalias.cpp +++ b/src/nickalias.cpp @@ -9,8 +9,7 @@ NickRequest::NickRequest(const std::string &nickname) throw CoreException("Empty nick passed to NickRequest constructor"); next = prev = NULL; - passcode = email = NULL; - *password = 0; + email = NULL; requested = lastmail = 0; this->nick = sstrdup(nickname.c_str()); @@ -24,8 +23,6 @@ NickRequest::~NickRequest() nrlists[HASH(this->nick)] = this->next; if (this->nick) delete [] this->nick; - if (this->passcode) - delete [] this->passcode; if (this->email) delete [] this->email; } diff --git a/src/nickserv.c b/src/nickserv.c index ee68f7fe1..2aba04bdd 100644 --- a/src/nickserv.c +++ b/src/nickserv.c @@ -188,9 +188,8 @@ void get_core_stats(long *nrec, long *memuse) if (nc->display) mem += strlen(nc->display) + 1; - if (nc->pass) - mem += strlen(nc->pass) + 1; - + if (!nc->pass.empty()) + mem += (nc->pass.capacity() + (2 * sizeof(size_t)) + (2 * sizeof(void*))); if (nc->url) mem += strlen(nc->url) + 1; if (nc->email) diff --git a/src/tools/db-convert.c b/src/tools/db-convert.c index 4a82d0f82..926d263c2 100644 --- a/src/tools/db-convert.c 
+++ b/src/tools/db-convert.c @@ -353,7 +353,7 @@ int main(int argc, char *argv[]) NickCore *nc; char **access; Memo *memos; - int j; + int j, len; char cpass[5000]; // if it's ever this long, I will commit suicide for (nc = nclists[i]; nc; nc = nc->next) { @@ -370,7 +370,18 @@ int main(int argc, char *argv[]) } // Enc pass - b64_encode(nc->pass, hashm == "plain" ? strlen(nc->pass) : 32, (char *)cpass, 5000); + if (hashm == "plain") + len = strlen(nc->pass); + else if (hashm == "md5") + len = 16; + else if (hashm == "sha1") + len = 20; + else if (hashm == "old") + len = 16; + else + len = 32; + + b64_encode(nc->pass, len, (char *)cpass, 5000); fs << "NC " << nc->display << " " << hashm << ":" << cpass << " "; fs << " " << GetLanguageID(nc->language) << " " << nc->memos.memomax << " " << nc->channelcount << std::endl; |
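Review bot: The final `else len = 32;` in db-convert.c silently accepts any unrecognised `hashm` and writes records tagged with that prefix. The encryption modules in this commit only claim `md5`, `sha1`, `old` and `plain`; each of their `OnCheckPassword` handlers returns `EVENT_CONTINUE` for any other prefix, so `enc_check_password` would return 0 and converted accounts with such a prefix could not authenticate. Where `hashm` is set lies outside the hunk, so it may already be validated earlier; if it is not, the fallback should print an error and stop the conversion instead of guessing a length. The return value of `b64_encode` is also unchecked before `cpass` is streamed into the file.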