2 次代码提交 8d9476bffa ... 32916a245f

作者 SHA1 备注 提交日期
  NanashiNoGombe 32916a245f MITM: check expiration of CA certificate 1 周之前
  NanashiNoGombe 667fb364a4 remove register 1 周之前
共有 2 个文件被更改,包括 25 次插入1 次删除
  1. 24 0
      BBS2chProxySecureSocket.cpp
  2. 1 1
      utils.h

+ 24 - 0
BBS2chProxySecureSocket.cpp

@@ -59,6 +59,17 @@ int BBS2chProxySecureSocket::initializeCerts(const char *certPath, const char *k
 	}
 	gnutls_free(data.data);
 
+	time_t expire = gnutls_x509_crt_get_expiration_time(ca_cert);
+	time_t now = time(NULL);
+	if (now - expire >= 0) {
+		fprintf(stderr, "Error: CA certificate %s is expired\n", certPath);
+		gnutls_x509_crt_deinit(ca_cert);
+		gnutls_x509_privkey_deinit(ca_privkey);
+		return -1;
+	} else if (expire - now < 60*60*24*30) {
+		fprintf(stderr, "WARNING: CA certificate %s will expire in %d days\n", certPath, 1+(int)(expire-now)/(60*60*24));
+	}
+
 	gnutls_x509_privkey_init(&server_privkey);
 #ifdef USE_ECDSA_KEY
 	gnutls_x509_privkey_generate(server_privkey, GNUTLS_PK_EC, GNUTLS_CURVE_TO_BITS(GNUTLS_ECC_CURVE_SECP256R1), 0);
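Review bot: The expired branch at `if (now - expire >= 0)` also absorbs a failed lookup, because gnutls_x509_crt_get_expiration_time() returns (time_t)-1 when the notAfter field cannot be read, so a malformed CA certificate is reported as "expired" instead of as unreadable. A guard before the comparison keeps the diagnostic honest: `if (expire == (time_t)-1) { fprintf(stderr, "Error: cannot read expiration of CA certificate %s\n", certPath); /* same cleanup as below */ return -1; }`. The comparison itself reads more directly as `if (now >= expire)` than as a subtraction on time_t. Neither this hunk nor the OpenSSL one below checks the activation time (gnutls_x509_crt_get_activation_time / X509_get0_notBefore), so a not-yet-valid CA still passes; initializeCerts begins and ends outside this hunk.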
@@ -239,6 +250,19 @@ int BBS2chProxySecureSocket::initializeCerts(const char *certPath, const char *k
 	}
 	fclose(fp);
 
+	const ASN1_TIME *expire = X509_get0_notAfter(ca_cert);
+	if (X509_cmp_current_time(expire) < 0) {
+		fprintf(stderr, "Error: CA certificate %s is expired\n", certPath);
+		X509_free(ca_cert);
+		EVP_PKEY_free(ca_privkey);
+		return -1;
+	} else {
+		int day, sec;
+		ASN1_TIME_diff(&day, &sec, NULL, expire);
+		if (day < 30)
+			fprintf(stderr, "WARNING: CA certificate %s will expire in %d days\n", certPath, day+(sec?1:0));
+	}
+
 #if OPENSSL_VERSION_NUMBER >= 0x30000000L
 #if defined(USE_ECDSA_KEY)
 	server_privkey = EVP_EC_gen("P-256");
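Review bot: `day` and `sec` on the `int day, sec;` line are read uninitialized when ASN1_TIME_diff() fails, because its return value is discarded; it returns 0 if either time cannot be parsed, after which `if (day < 30)` branches on indeterminate values. Initialize them and treat failure as an error: `int day = 0, sec = 0;` followed by `if (!ASN1_TIME_diff(&day, &sec, NULL, expire)) { /* report, free ca_cert and ca_privkey, return -1 */ }`. X509_cmp_current_time() on the line above returns 0 on an invalid time per the OpenSSL documentation, and the `< 0` test lets that case through as "not expired"; `<= 0` (with a message covering the invalid-time case) is the fail-closed choice. The rest of initializeCerts lies outside this hunk.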

+ 1 - 1
utils.h

@@ -3,7 +3,7 @@
 void *
 memmem_priv(const void *l, size_t l_len, const void *s, size_t s_len)
 {
-	register char *cur, *last;
+	char *cur, *last;
 	const char *cl = (const char *)l;
 	const char *cs = (const char *)s;