| author | Alexander Barton <alex@barton.de> | 2024-01-01 18:20:26 +0100 |
|---|---|---|
| committer | Alexander Barton <alex@barton.de> | 2024-01-06 16:21:01 +0100 |
| commit | 21c1751b045b0be49e584a4ba191a330e0c381bb (patch) | |
| tree | 6f35480f57398e6d5dc22b1f550dd4bd008b46c6 /src | |
| parent | 843cbfc0f32042c26836753340ef6b681b66d8c2 (diff) | |

Respect "SSLConnect" option for incoming connections

Don't accept incoming plain-text ("non SSL") server connections for
servers configured with "SSLConnect" enabled.

If "SSLConnect" is not set for an incoming connection the server still
accepts both plain-text and encrypted connections.

This change prevents an authenticated client-server being able to force
the server-server to send its password on a plain-text connection when
SSL/TLS was intended.

Diffstat (limited to 'src')
| -rw-r--r-- | src/ngircd/irc-server.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/ngircd/irc-server.c b/src/ngircd/irc-server.c index b78d0502..6aa37574 100644 --- a/src/ngircd/irc-server.c +++ b/src/ngircd/irc-server.c @@ -1,6 +1,6 @@ /* * ngIRCd -- The Next Generation IRC Daemon - * Copyright (c)2001-2022 Alexander Barton (alex@barton.de) and Contributors. + * Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by @@ -88,6 +88,19 @@ IRC_SERVER( CLIENT *Client, REQUEST *Req ) return DISCONNECTED; } +#ifdef SSL_SUPPORT + /* Does this server require an SSL connection? */ + if (Conf_Server[i].SSLConnect && + !(Conn_Options(Client_Conn(Client)) & CONN_SSL)) { + Log(LOG_ERR, + "Connection %d: Server \"%s\" requires a secure connection!", + Client_Conn(Client), Req->argv[0]); + Conn_Close(Client_Conn(Client), NULL, + "Secure connection required", true); + return DISCONNECTED; + } +#endif + /* Check server password */ if (strcmp(Conn_Password(Client_Conn(Client)), Conf_Server[i].pwd_in) != 0) { |
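
Review bot: The SSLConnect check added just before "/* Check server password */" is wrapped in #ifdef SSL_SUPPORT, so a build without SSL support compiles it out and falls straight through to the strcmp() on Conn_Password() over a plain-text link. If the configuration parser can still accept SSLConnect for a server in such a build, the setting is silently not enforced; consider rejecting or warning about it when the configuration is loaded, or adding an #else branch that refuses the link. Separately, by the time this code runs Conn_Password(Client_Conn(Client)) already holds what the peer sent, so the check keeps the local side from answering with its own password but cannot protect the peer's password, which has already crossed the plain-text connection. A short comment above the block stating that limit would save the next reader from assuming more than the check provides.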