Respect "SSLConnect" option for incoming connections

Don't accept incoming plain-text ("non SSL") server connections for
servers configured with "SSLConnect" enabled.

If "SSLConnect" is not set for an incoming connection the server still
accepts both plain-text and encrypted connections.

This change prevents an authenticated client-server being able to force
the server-server to send its password on a plain-text connection when
SSL/TLS was intended.

diff --git a/src/ngircd/irc-server.c b/src/ngircd/irc-server.c
index b78d05022dae5a29a70c7036c1e5664c194868ae..6aa37574baf415eab29ae30d940200a888b9ebcc 100644 (file)
--- a/src/ngircd/irc-server.c
+++ b/src/ngircd/irc-server.c
@@ -1,6 +1,6 @@
 /*
  * ngIRCd -- The Next Generation IRC Daemon
- * Copyright (c)2001-2022 Alexander Barton (alex@barton.de) and Contributors.
+ * Copyright (c)2001-2024 Alexander Barton (alex@barton.de) and Contributors.
  *
  * This program is free software; you can redistribute it and/or modify
  * it under the terms of the GNU General Public License as published by
@@ -88,6 +88,19 @@ IRC_SERVER( CLIENT *Client, REQUEST *Req )
                        return DISCONNECTED;
                }
 
+#ifdef SSL_SUPPORT
+               /* Does this server require an SSL connection? */
+               if (Conf_Server[i].SSLConnect &&
+                   !(Conn_Options(Client_Conn(Client)) & CONN_SSL)) {
+                       Log(LOG_ERR,
+                           "Connection %d: Server \"%s\" requires a secure connection!",
+                           Client_Conn(Client), Req->argv[0]);
+                       Conn_Close(Client_Conn(Client), NULL,
+                                  "Secure connection required", true);
+                       return DISCONNECTED;
+               }
+#endif
+
                /* Check server password */
                if (strcmp(Conn_Password(Client_Conn(Client)),
                    Conf_Server[i].pwd_in) != 0) {