Support for multiple CRLs with same issuer name in X509_STORE. Modify

 Changes between 0.9.8b and 0.9.9  [xx XXX xxxx]

  *) Allow multiple CRLs to exist in an X509_STORE with matching issuer names.

     Modify get_crl() to find a valid (unexpired) CRL if possible.

     [Steve Henson]

  *) New function X509_CRL_match() to check if two CRLs are identical. Normally

     this would be called X509_CRL_cmp() but that name is already used by

     a function that just compares CRL issuer names. Cache several CRL 

	int doupdatedb=0;

	long crldays=0;

	long crlhours=0;

	long crlsec=0;

	long errorline= -1;

	char *configfile=NULL;

	char *md=NULL;

			if (--argc < 1) goto bad;

			crlhours= atol(*(++argv));

			}

		else if (strcmp(*argv,"-crlsec") == 0)

			{

			if (--argc < 1) goto bad;

			crlsec = atol(*(++argv));

			}

		else if (strcmp(*argv,"-infiles") == 0)

			{

			argc--;

				goto err;

				}

		if (!crldays && !crlhours)

		if (!crldays && !crlhours && !crlsec)

			{

			if (!NCONF_get_number(conf,section,

				ENV_DEFAULT_CRL_DAYS, &crldays))

				ENV_DEFAULT_CRL_HOURS, &crlhours))

				crlhours = 0;

			}

		if ((crldays == 0) && (crlhours == 0))

		if ((crldays == 0) && (crlhours == 0) && (crlsec == 0))

			{

			BIO_printf(bio_err,"cannot lookup how long until the next CRL is issued\n");

			goto err;

		if (!tmptm) goto err;

		X509_gmtime_adj(tmptm,0);

		X509_CRL_set_lastUpdate(crl, tmptm);	

		X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60);

		X509_gmtime_adj(tmptm,(crldays*24+crlhours)*60*60 + crlsec);

		X509_CRL_set_nextUpdate(crl, tmptm);	

		ASN1_TIME_free(tmptm);

		if (crlnumberfile != NULL)	/* we have a CRL number that need updating */

			if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err;

		if (crlnumber)

			{

			BN_free(crlnumber);

			crlnumber = NULL;

			}

		if (!X509_CRL_sign(crl,pkey,dgst)) goto err;

		PEM_write_bio_X509_CRL(Sout,crl);

	if (free_key && key)

		OPENSSL_free(key);

	BN_free(serial);

	BN_free(crlnumber);

	free_index(db);

	EVP_PKEY_free(pkey);

	if (x509) X509_free(x509);

unsigned long	X509_NAME_hash(X509_NAME *x);

int		X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);

int		X509_CRL_match(const X509_CRL *a, const X509_CRL *b);

#ifndef OPENSSL_NO_FP_API

int		X509_print_ex_fp(FILE *bp,X509 *x, unsigned long nmflag, unsigned long cflag);

int		X509_print_fp(FILE *bp,X509 *x);

	X509_OBJECT *obj;

	idx = sk_X509_OBJECT_find(h, x);

	if (idx == -1) return NULL;

	if (x->type != X509_LU_X509) return sk_X509_OBJECT_value(h, idx);

	if ((x->type != X509_LU_X509) && (x->type != X509_LU_CRL))

		return sk_X509_OBJECT_value(h, idx);

	for (i = idx; i < sk_X509_OBJECT_num(h); i++)

		{

		obj = sk_X509_OBJECT_value(h, i);

		if (x509_object_cmp((const X509_OBJECT **)&obj, (const X509_OBJECT **)&x))

			return NULL;

		if ((x->type != X509_LU_X509) || !X509_cmp(obj->data.x509, x->data.x509))

		if (x->type == X509_LU_X509)

			{

			if (!X509_cmp(obj->data.x509, x->data.x509))

				return obj;

			}

		else if (x->type == X509_LU_CRL)

			{

			if (!X509_CRL_match(obj->data.crl, x->data.crl))

				return obj;

			}

		else

			return obj;

		}

	return NULL;

		return 0;

		}

	/* If CRL times not valid look through store */

	if (!check_crl_time(ctx, xobj.data.crl, 0))

		{

		int idx, i;

		X509_OBJECT *pobj;

		X509_OBJECT_free_contents(&xobj);

		idx = X509_OBJECT_idx_by_subject(ctx->ctx->objs,

							X509_LU_CRL, nm);

		if (idx == -1)

			return 0;

		*pcrl = NULL;

		for (i = idx; i < sk_X509_OBJECT_num(ctx->ctx->objs); i++)

			{

			pobj = sk_X509_OBJECT_value(ctx->ctx->objs, i);

			/* Check to see if it is a CRL and issuer matches */

			if (pobj->type != X509_LU_CRL)

				break;

			if (X509_NAME_cmp(nm,

					X509_CRL_get_issuer(pobj->data.crl)))

				break;

			/* Set *pcrl because the CRL will either be valid or

			 * a "best fit" CRL.

			 */

			*pcrl = pobj->data.crl;

			if (check_crl_time(ctx, *pcrl, 0))

				break;

			}

		if (*pcrl)

			CRYPTO_add(&(*pcrl)->references, 1, CRYPTO_LOCK_X509);

		}

	else 

		*pcrl = xobj.data.crl;

	if (crl)

		X509_CRL_free(crl);