From d09dc33e7d0f148ff9c0afff905414cc13d636fc Mon Sep 17 00:00:00 2001
From: Alexander Barton
Date: Mon, 1 Jan 2024 18:20:26 +0100
Subject: [PATCH 01/20] Respect "SSLConnect" option for incoming connections
Bug-Debian: https://bugs.debian.org/1067237
Don't accept incoming plain-text ("non SSL") server connections for servers configured with "SSLConnect" enabled. If "SSLConnect" is not set for an incoming connection the server still accepts both plain-text and encrypted connections. This change prevents an authenticated client-server being able to force the server-server to send its password on a plain-text connection when SSL/TLS was intended.
(cherry picked from commit 21c1751b045b0be49e584a4ba191a330e0c381bb)
---
 src/ngircd/irc-server.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
--- a/src/ngircd/irc-server.c
+++ b/src/ngircd/irc-server.c
@@ -87,6 +87,19 @@
 return DISCONNECTED;
 }
+#ifdef SSL_SUPPORT
+ /* Does this server require an SSL connection? */
+ if (Conf_Server[i].SSLConnect &&
+ !(Conn_Options(Client_Conn(Client)) & CONN_SSL)) {
+ Log(LOG_ERR,
+ "Connection %d: Server \"%s\" requires a secure connection!",
+ Client_Conn(Client), Req->argv[0]);
+ Conn_Close(Client_Conn(Client), NULL,
+ "Secure connection required", true);
+ return DISCONNECTED;
+ }
+#endif
+
 /* Check server password */
 if (strcmp(Conn_Password(Client_Conn(Client)),
 Conf_Server[i].pwd_in) != 0) {
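Review bot: The new check is wrapped in `#ifdef SSL_SUPPORT`, so a build without SSL support silently accepts a plain-text link for a server that has "SSLConnect" set; if the config parser still accepts that option in such builds (not visible in this hunk), the operator's intent that the link be encrypted goes unmet with no diagnostic, so an `#else` branch that logs the ignored option, or a config-load warning, would close that gap. The new comment says only "Does this server require an SSL connection?"; since the reason is a security property rather than a feature, I would state it: `/* Refuse a plain-text link for a server configured with "SSLConnect": otherwise the peer could make us send our own password in the clear. */`. `Client_Conn(Client)` is evaluated three times in the added block; hoisting it into a local before the `if` would read better and keep the log and close calls on the same connection id by construction. The enclosing function starts and ends outside the hunk, and the password comparison that follows is the pre-existing code.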