commit 0f2cb86ff3a982f52d8687619a0c43a2010c1054
Author: John Denker <jsd@av8n.com>
Date:   Wed Aug 13 00:39:01 2014 -0700

    add some debugging printf statements

diff --git a/crypto/x509v3/v3_ncons.c b/crypto/x509v3/v3_ncons.c
index a01dc64..806b7a3 100644
--- a/crypto/x509v3/v3_ncons.c
+++ b/crypto/x509v3/v3_ncons.c
@@ -292,11 +292,30 @@ int NAME_CONSTRAINTS_check(X509 *x, NAME_CONSTRAINTS *nc)
 
 	}
 
+#define BUGME
+#ifdef BUGME
+static BIO *bio_err = NULL;
+static BIO *bio_err_setup(){
+        if (bio_err == NULL)
+              if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+                     BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        return bio_err;
+}
+#endif
+
 static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
 	{
 	GENERAL_SUBTREE *sub;
 	int i, r, match = 0;
 
+#ifdef BUGME
+        bio_err_setup();
+
+        fprintf(stderr, "==== Starting new group of %d: ",
+                sk_GENERAL_SUBTREE_num(nc->permittedSubtrees));
+        GENERAL_NAME_print(bio_err, gen);
+        fprintf(stderr, "...\n");
+#endif
 	/* Permitted subtrees: if any subtrees exist of matching the type
 	 * at least one subtree must match.
 	 */
@@ -304,6 +323,13 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc)
 	for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++)
 		{
 		sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i);
+#ifdef BUGME
+                fprintf(stderr, "====   checking against permissible %d: ", i);
+                GENERAL_NAME_print(bio_err, sub->base);
+                fprintf(stderr, "\n");
+                fprintf(stderr, "====     checking type (%d against %d)\n",
+                        gen->type, sub->base->type);
+#endif
 		if (gen->type != sub->base->type)
 			continue;
 		if (sub->minimum || sub->maximum)
@@ -387,7 +413,25 @@ static int nc_dn(X509_NAME *nm, X509_NAME *base)
 	return X509_V_OK;
 	}
 
+#ifdef BUGME
+/* forward reference */
+static int nc_dns_sub(ASN1_IA5STRING *dns, ASN1_IA5STRING *base);
+
+/* encapsulate within a debugging layer: */
+static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
+        {
+        int rslt;
+        fprintf(stderr, "====     checking DNS '%s' against '%s' ... ",
+           dns->data, base->data);
+        rslt = nc_dns_sub(dns, base);
+        fprintf(stderr, "result: %d\n", rslt);
+        return rslt;
+        }
+static int nc_dns_sub(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
+#else
+/* no debugging, no encapsulation */
 static int nc_dns(ASN1_IA5STRING *dns, ASN1_IA5STRING *base)
+#endif
 	{
 	char *baseptr = (char *)base->data;
 	char *dnsptr = (char *)dns->data;