To aid proof-of-concept work, insist on OpenSSL 1.1.1 or later.

Remove ssl_dane as now surplus to requirements.
2018-11-16 17:53:08 +00:00 · 2018-11-16 17:53:08 +00:00 · 5d353d9efb
parent 0fd6fd4c5c
commit 5d353d9efb
8 changed files with 12 additions and 278 deletions
--- a/.gitmodules
+++ b/.gitmodules
@ -10,7 +10,3 @@
 	path = stubby
 	url = https://github.com/getdnsapi/stubby.git
 	branch = develop
-[submodule "src/ssl_dane"]
-	path = src/ssl_dane
-	url = https://github.com/getdnsapi/ssl_dane
-	branch = getdns
--- a/configure.ac
+++ b/configure.ac
@ -440,28 +440,24 @@ AC_INCLUDES_DEFAULT
 ])
 fi

-AC_MSG_CHECKING([whether we need to compile/link DANE support])
-DANESSL_XTRA_OBJS=""
+AC_MSG_CHECKING([for OpenSSL >= 1.1.1])
 AC_LANG_PUSH(C)
 AC_COMPILE_IFELSE(
 	[AC_LANG_PROGRAM([
 		[#include <openssl/opensslv.h>]
-		[#if OPENSSL_VERSION_NUMBER <  0x1000000fL]
-		[#error "OpenSSL 1.0.0 or higher required for DANE library"]
-		[#elif defined(HAVE_SSL_DANE_ENABLE)]
-		[#error "OpenSSL has native DANE support"]
+		[#if OPENSSL_VERSION_NUMBER <  0x10101000L]
+		[#error "OpenSSL 1.1.1 or higher required"]
 		[#elif defined(LIBRESSL_VERSION_NUMBER)]
-		[#error "dane_ssl library does not work with LibreSSL"]
+		[#error "LibreSSL not supported"]
 		[#endif]
 	],[[]])],
 	[
-		AC_MSG_RESULT([yes])
-		AC_DEFINE([USE_DANESSL], [1], [Define this to use DANE functions from the ssl_dane/danessl library.])
-		DANESSL_XTRA_OBJS="danessl.lo"
-	],
-	[AC_MSG_RESULT([no])])
+                AC_MSG_RESULT([yes])
+        ],
+        [
+                AC_MSG_ERROR([OpenSSL 1.1.1 or later required])
+	])
 AC_LANG_POP(C)
-AC_SUBST(DANESSL_XTRA_OBJS)

 AC_ARG_ENABLE(sha1, AC_HELP_STRING([--disable-sha1], [Disable SHA1 RRSIG support, does not disable nsec3 support]))
 	case "$enable_sha1" in
--- a/src/Makefile.in
+++ b/src/Makefile.in
@ -98,9 +98,8 @@ TLS_OBJ=tls.lo
 YXML_OBJ=yxml.lo

 YAML_OBJ=convert_yaml_to_json.lo
-DANESSL_OBJ=danessl.lo

-GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@ @DANESSL_XTRA_OBJS@
+GETDNS_XTRA_OBJS=@GETDNS_XTRA_OBJS@
 STUBBY_XTRA_OBJS=@STUBBY_XTRA_OBJS@

 EXTENSION_OBJ=$(DEFAULT_EVENTLOOP_OBJ) libevent.lo libev.lo
@ -140,9 +139,6 @@ $(TLS_OBJ):
 $(YAML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -c $(stubbysrcdir)/src/yaml/$(@:.lo=.c) -o $@

-$(DANESSL_OBJ):
-	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) $(WNOERRORFLAG) -c $(srcdir)/ssl_dane/$(@:.lo=.c) -o $@
-
 $(YXML_OBJ):
 	$(LIBTOOL) --quiet --tag=CC --mode=compile $(CC) $(CFLAGS) -I$(srcdir)/yxml -DYXML_GETDNS -Wno-unused-parameter -c $(srcdir)/yxml/$(@:.lo=.c) -o $@

--- a/src/context.c
+++ b/src/context.c
@ -82,9 +82,6 @@ typedef unsigned short in_port_t;
 #include "list.h"
 #include "dict.h"
 #include "pubkey-pinning.h"
-#ifdef USE_DANESSL
-# include "ssl_dane/danessl.h"
-#endif
 #include "const-info.h"
 #include "tls.h"

@ -599,26 +596,6 @@ upstreams_create(getdns_context *context, size_t size)
 }


-#if defined(USE_DANESSL) && defined(STUB_DEBUG) && STUB_DEBUG
-static void _stub_debug_print_openssl_errors(void)
-{
-    unsigned long err;
-    char buffer[1024];
-    const char *file;
-    const char *data;
-    int line;
-    int flags;
-
-    while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
-        ERR_error_string_n(err, buffer, sizeof(buffer));
-        if (flags & ERR_TXT_STRING)
-            DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d:%s\n", buffer, file, line, data);
-        else
-            DEBUG_STUB("DEBUG OpenSSL Error: %s:%s:%d\n", buffer, file, line);
-    }
-}
-#endif
-
 void
 _getdns_upstreams_dereference(getdns_upstreams *upstreams)
 {
@ -660,12 +637,6 @@ _getdns_upstreams_dereference(getdns_upstreams *upstreams)

 		if (upstream->tls_obj != NULL) {
 			_getdns_tls_connection_shutdown(upstream->tls_obj);
-#ifdef USE_DANESSL
-# if defined(STUB_DEBUG) && STUB_DEBUG
-			_stub_debug_print_openssl_errors();
-# endif
-			DANESSL_cleanup(upstream->tls_obj->ssl);
-#endif
 			_getdns_tls_connection_free(upstream->tls_obj);
 		}
 		if (upstream->fd != -1)
@ -779,12 +750,6 @@ _getdns_upstream_reset(getdns_upstream *upstream)
 	}
 	if (upstream->tls_obj != NULL) {
 		_getdns_tls_connection_shutdown(upstream->tls_obj);
-#ifdef USE_DANESSL
-# if defined(STUB_DEBUG) && STUB_DEBUG
-		_stub_debug_print_openssl_errors();
-# endif
-		DANESSL_cleanup(upstream->tls_obj->ssl);
-#endif
 		_getdns_tls_connection_free(upstream->tls_obj);
 		upstream->tls_obj = NULL;
 	}
@ -3579,7 +3544,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 		}

 		if (context->tls_ctx == NULL) {
-#ifdef HAVE_TLS_v1_2
 			context->tls_ctx = _getdns_tls_context_new();
 			if (context->tls_ctx == NULL)
 				return GETDNS_RETURN_BAD_CONTEXT;
@ -3608,7 +3572,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 				if (context->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) 
 					return GETDNS_RETURN_BAD_CONTEXT;
 			}
-#  if defined(HAVE_SSL_CTX_DANE_ENABLE)
 #   if defined(STUB_DEBUG) && STUB_DEBUG
 			int osr =
 #   else
@ -3617,22 +3580,6 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 				SSL_CTX_dane_enable(context->tls_ctx->ssl);
 			DEBUG_STUB("%s %-35s: DEBUG: SSL_CTX_dane_enable() -> %d\n"
 			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-#  elif defined(USE_DANESSL)
-#   if defined(STUB_DEBUG) && STUB_DEBUG
-			int osr =
-#   else
-			(void)
-#   endif
-				DANESSL_CTX_init(context->tls_ctx->ssl);
-			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_CTX_init() -> %d\n"
-			          , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-#  endif
-#else /* HAVE_TLS_v1_2 */
-			if (tls_only_is_in_transports_list(context) == 1)
-				return GETDNS_RETURN_BAD_CONTEXT;
-			/* A null tls_ctx will make TLS fail and fallback to the other
-			   transports will kick-in.*/
-#endif /* HAVE_TLS_v1_2 */
 		}
 	}

--- a/src/gldns/keyraw.c
+++ b/src/gldns/keyraw.c
@ -232,15 +232,6 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 		BN_free(Y);
 		return NULL;
 	}
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-#ifndef S_SPLINT_S
-	dsa->p = P;
-	dsa->q = Q;
-	dsa->g = G;
-	dsa->pub_key = Y;
-#endif /* splint */
-
-#else /* OPENSSL_VERSION_NUMBER */
 	if (!DSA_set0_pqg(dsa, P, Q, G)) {
 		/* QPG not yet attached, need to free */
 		BN_free(Q);
@ -257,7 +248,6 @@ gldns_key_buf2dsa_raw(unsigned char* key, size_t len)
 		BN_free(Y);
 		return NULL;
 	}
-#endif

 	return dsa;
 }
@ -310,20 +300,12 @@ gldns_key_buf2rsa_raw(unsigned char* key, size_t len)
 		BN_free(modulus);
 		return NULL;
 	}
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-#ifndef S_SPLINT_S
-	rsa->n = modulus;
-	rsa->e = exponent;
-#endif /* splint */
-
-#else /* OPENSSL_VERSION_NUMBER */
 	if (!RSA_set0_key(rsa, modulus, exponent, NULL)) {
 		BN_free(exponent);
 		BN_free(modulus);
 		RSA_free(rsa);
 		return NULL;
 	}
-#endif

 	return rsa;
 }
--- a/src/openssl/tls.c
+++ b/src/openssl/tls.c
@ -44,10 +44,6 @@

 #include "tls.h"

-#ifdef USE_DANESSL
-# include "ssl_dane/danessl.h"
-#endif
-
 static _getdns_tls_x509* _getdns_tls_x509_new(X509* cert)
 {
 	_getdns_tls_x509* res;
@ -156,19 +152,10 @@ add_WIN_cacerts_to_openssl_store(SSL_CTX* tls_ctx)

 void _getdns_tls_init()
 {
-#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(HAVE_LIBRESSL)
-	OpenSSL_add_all_algorithms();
-	SSL_library_init();
-
-# ifdef USE_DANESSL
-		(void) DANESSL_library_init();
-# endif
-#else
 	OPENSSL_init_crypto( OPENSSL_INIT_ADD_ALL_CIPHERS
 	                   | OPENSSL_INIT_ADD_ALL_DIGESTS
 	                   | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
 	(void)OPENSSL_init_ssl(0, NULL);
-#endif
 }

 _getdns_tls_context* _getdns_tls_context_new()
--- a/src/ssl_dane
+++ b/src/ssl_dane
@ -1 +0,0 @@
-Subproject commit dd093e585a237e0321d303ec35e84c393ef739f4
--- a/src/stub.c
+++ b/src/stub.c
@ -55,9 +55,6 @@
 #include "platform.h"
 #include "general.h"
 #include "pubkey-pinning.h"
-#ifdef USE_DANESSL
-# include "ssl_dane/danessl.h"
-#endif

 /* WSA TODO: 
 * STUB_TCP_RETRY added to deal with edge triggered event loops (versus
@ -829,9 +826,6 @@ tls_requested(getdns_network_req *netreq)
 	        1 : 0;
 }

-
-#if defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL)
-
 static int
 _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
 { 
@ -857,64 +851,6 @@ _getdns_tls_verify_always_ok(int ok, X509_STORE_CTX *ctx)
 	return 1; 
 }

-#else /* defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */
-
-static int
-tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
-{
-	getdns_upstream *upstream;
-	getdns_return_t pinset_ret = GETDNS_RETURN_GOOD;
-	upstream = _getdns_upstream_from_x509_store(ctx);
-	if (!upstream)
-		return 0;
-
-	int err = X509_STORE_CTX_get_error(ctx);
-# if defined(STUB_DEBUG) && STUB_DEBUG
-	DEBUG_STUB("%s %-35s: FD:  %d Verify result: (%d) \"%s\"\n",
-	            STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err,
-	            X509_verify_cert_error_string(err));
-# endif
-	if (!preverify_ok && !upstream->tls_fallback_ok)
-		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
-		    "%-40s : Verify failed: TLS - *Failure* -  (%d) \"%s\"\n",
-		    upstream->addr_str, err,
-		    X509_verify_cert_error_string(err));
-
-	/* No need to deal with hostname authentication, since this will be
-	 * dealt with in the DANE preprocessor paths.
-	 */
-
-	/* Deal with the pinset validation */
-	if (upstream->tls_pubkey_pinset)
-		pinset_ret = _getdns_verify_pinset_match(upstream->tls_pubkey_pinset, ctx);
-
-	if (pinset_ret != GETDNS_RETURN_GOOD) {
-		DEBUG_STUB("%s %-35s: FD:  %d, WARNING: Pinset validation failure!\n",
-	           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
-		preverify_ok = 0;
-		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
-		if (upstream->tls_fallback_ok)
-			DEBUG_STUB("%s %-35s: FD:  %d, WARNING: Proceeding even though pinset validation failed!\n",
-			            STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
-		else
-			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR,
-			    "%-40s : Conn failed: TLS - *Failure* - Pinset validation failure\n",
-			    upstream->addr_str);
-	}
-	/* If nothing has failed yet and we had credentials, we have successfully authenticated*/
-	if (preverify_ok == 0)
-		upstream->tls_auth_state = GETDNS_AUTH_FAILED;
-	else if (upstream->tls_auth_state == GETDNS_AUTH_NONE &&
-	         (upstream->tls_pubkey_pinset || upstream->tls_auth_name[0]))
-		upstream->tls_auth_state = GETDNS_AUTH_OK;
-
-	/* If fallback is allowed, proceed regardless of what the auth error is
-	   (might not be hostname or pinset related) */
-	return (upstream->tls_fallback_ok) ? 1 : preverify_ok;
-}
-
-#endif /* #else defined(HAVE_SSL_DANE_ENABLE) || defined(USE_DANESSL) */
-
 static _getdns_tls_connection*
 tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 {
@ -946,28 +882,11 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		DEBUG_STUB("%s %-35s: Hostname verification requested for: %s\n",
 		           STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name);
 		SSL_set_tlsext_host_name(tls->ssl, upstream->tls_auth_name);
-#if defined(HAVE_SSL_HN_AUTH)
-		/* Set up native OpenSSL hostname verification
-		 * ( doesn't work with USE_DANESSL, but we verify the
-		 *   name afterwards in such cases )
-		 */
+		/* Set up native OpenSSL hostname verification */
 		X509_VERIFY_PARAM *param;
 		param = SSL_get0_param(tls->ssl);
 		X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
 		X509_VERIFY_PARAM_set1_host(param, upstream->tls_auth_name, 0);
-#elif !defined(HAVE_X509_CHECK_HOST)
-		if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_REQUIRED) {
-			DEBUG_STUB("%s %-35s: ERROR: Hostname Authentication not available from TLS library (check library version)\n",
-		           STUB_DEBUG_SETUP_TLS, __FUNC__);
-			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR, 
-			    "%-40s : ERROR: Hostname Authentication not available from TLS library (check library version)\n",
-			    upstream->addr_str);
-			upstream->tls_hs_state = GETDNS_HS_FAILED;
-			_getdns_tls_connection_free(tls);
-			upstream->tls_auth_state = GETDNS_AUTH_FAILED;
-			return NULL;
-		}
-#endif
 		/* Allow fallback to opportunistic if settings permit it*/
 		if (dnsreq->netreqs[0]->tls_auth_min != GETDNS_AUTHENTICATION_REQUIRED)
 			upstream->tls_fallback_ok = 1;
@ -1006,7 +925,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, 
 		             __FUNC__);
 	}
-#if defined(HAVE_SSL_DANE_ENABLE)
+
 	int osr;
 # if defined(STUB_DEBUG) && STUB_DEBUG
 	osr =
@ -1033,44 +952,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		if (osr > 0)
 			++n_pins;
 	}
-#elif defined(USE_DANESSL)
-	if (upstream->tls_pubkey_pinset) {
-		const char *auth_names[2] = { upstream->tls_auth_name, NULL };
-		int osr;
-# if defined(STUB_DEBUG) && STUB_DEBUG
-		osr =
-# else
-		(void)
-# endif
-			DANESSL_init(tls->ssl,
-		    *upstream->tls_auth_name ? upstream->tls_auth_name : NULL,
-		    *upstream->tls_auth_name ? auth_names : NULL
-		    );
-		DEBUG_STUB("%s %-35s: DEBUG: DANESSL_init(\"%s\") -> %d\n"
-			  , STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->tls_auth_name, osr);
-		SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
-		sha256_pin_t *pin_p;
-		size_t n_pins = 0;
-		for (pin_p = upstream->tls_pubkey_pinset; pin_p; pin_p = pin_p->next) {
-			osr = DANESSL_add_tlsa(tls->ssl, 3, 1, "sha256",
-			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
-			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
-				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-			if (osr > 0)
-				++n_pins;
-			osr = DANESSL_add_tlsa(tls->ssl, 2, 1, "sha256",
-			    (unsigned char *)pin_p->pin, SHA256_DIGEST_LENGTH);
-			DEBUG_STUB("%s %-35s: DEBUG: DANESSL_add_tlsa() -> %d\n"
-				  , STUB_DEBUG_SETUP_TLS, __FUNC__, osr);
-			if (osr > 0)
-				++n_pins;
-		}
-	} else {
-		SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, _getdns_tls_verify_always_ok);
-	}
-#else
-	SSL_set_verify(tls->ssl, SSL_VERIFY_PEER, tls_verify_callback);
-#endif

 	/* Session resumption. There are trade-offs here. Want to do it when
 	   possible only if we have the right type of connection. Note a change
@ -1127,23 +1008,6 @@ tls_do_handshake(getdns_upstream *upstream)
 		X509 *peer_cert = SSL_get_peer_certificate(upstream->tls_obj->ssl);
 		long verify_result = SSL_get_verify_result(upstream->tls_obj->ssl);

-/* In case of DANESSL use, and a tls_auth_name was given alongside a pinset,
- * we need to verify auth_name explicitely (otherwise it will not be checked,
- * because this is not required with DANE with an EE match).
- * This is not needed with native OpenSSL DANE, because EE name checks have
- * to be disabled explicitely.
- */
-#if defined(HAVE_X509_CHECK_HOST) && (defined(USE_DANESSL) || !defined(HAVE_SSL_HN_AUTH))
-		int xch;
-		if (peer_cert && verify_result == X509_V_OK
-		    && upstream->tls_auth_name[0]
-		    && (xch = X509_check_host(peer_cert,
-				    upstream->tls_auth_name,
-				    strlen(upstream->tls_auth_name),
-				    X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS,
-				    NULL)) <= 0)
-			verify_result = X509_V_ERR_HOSTNAME_MISMATCH;
-#endif
 		upstream->tls_auth_state = peer_cert && verify_result == X509_V_OK
 		                         ? GETDNS_AUTH_OK : GETDNS_AUTH_FAILED;
 		if (!peer_cert)
@ -1161,7 +1025,6 @@ tls_do_handshake(getdns_upstream *upstream)
 		/* Since we don't have DANE validation yet, DANE validation
 		 * failures are always pinset validation failures
 		 */
-#if defined(HAVE_SSL_DANE_ENABLE)
 		else if (verify_result == X509_V_ERR_DANE_NO_MATCH)
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS,
@ -1172,21 +1035,6 @@ tls_do_handshake(getdns_upstream *upstream)
 			    ( upstream->tls_fallback_ok
 			    ? "Tolerated because of Opportunistic profile"
 			    : "*Failure*" ));
-#elif defined(USE_DANESSL)
-		else if (verify_result == X509_V_ERR_CERT_UNTRUSTED
-		    && upstream->tls_pubkey_pinset
-		    && !DANESSL_get_match_cert(
-			    upstream->tls_obj->ssl, NULL, NULL, NULL))
-			_getdns_upstream_log(upstream,
-			    GETDNS_LOG_UPSTREAM_STATS,
-			    ( upstream->tls_fallback_ok
-			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
-			    "%-40s : Verify failed : TLS - %s -  "
-			    "Pinset validation failure\n", upstream->addr_str,
-			    ( upstream->tls_fallback_ok
-			    ? "Tolerated because of Opportunistic profile"
-			    : "*Failure*" ));
-#endif
 		else if (verify_result != X509_V_OK)
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS,
@ -1198,23 +1046,6 @@ tls_do_handshake(getdns_upstream *upstream)
 			    ? "Tolerated because of Opportunistic profile"
 			    : "*Failure*" ), verify_result,
 			    X509_verify_cert_error_string(verify_result));
-#if !defined(HAVE_SSL_HN_AUTH) && !defined(HAVE_X509_CHECK_HOST)
-		else if (*upstream->tls_auth_name) {
-			_getdns_upstream_log(upstream,
-			    GETDNS_LOG_UPSTREAM_STATS,
-			    ( upstream->tls_fallback_ok
-			    ? GETDNS_LOG_INFO : GETDNS_LOG_ERR),
-			    "%-40s : Verify failed : TLS - %s -  "
-			    "Hostname Authentication not available from TLS "
-			    "library (check library version)\n",
-			    upstream->addr_str,
-			    ( upstream->tls_fallback_ok
-			    ? "Tolerated because of Opportunistic profile"
-			    : "*Failure*" ));
-
-			upstream->tls_auth_state = GETDNS_AUTH_FAILED;
-		}
-#endif
 		else
 			_getdns_upstream_log(upstream,
 			    GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_DEBUG,
				`@ -1 +0,0 @@`
				`Subproject commit dd093e585a237e0321d303ec35e84c393ef739f4`