[BREAKING] Remove support for openssl older than 1.1.1 (#1397)

Openssl 1.1.1 is end-of-life in September 2023.
This PR removes support for versions of openssl OLDER than 1.1.1
1.1.1 should still be usable after this change is merged.

I don't see any value in supporting 1.1.1, but didn't see a reason to
purge support for 1.1.1 when there are so few checks for >= 3.0.

Note that this does also remove CI support for Ubuntu 16.04. The
official version of OpenSSL from Ubuntu for this release is listed here:
https://launchpad.net/ubuntu/+source/openssl as 1.0.2g

Since no newer releases of coturn will be backported by Canonical to
Ubuntu 16.04, anyone using Coturn on this operating system will have to
download and compile it themselves. They may build their own version of
OpenSSL if they somehow cannot upgrade to a newer version of Ubuntu.

My position is that these users should prefer to upgrade to a newer
operating system than worry about chasing newer releases of Coturn.

Co-authored-by: Pavel Punsky <[email protected]>

.github/workflows/linux.yml

@@ -18,9 +18,7 @@ jobs:
       fail-fast: false
       matrix:
         os:
-          - amazonlinux:2  # EOL 2025-06
           - amazonlinux:2023
-          - ubuntu:16.04
           - ubuntu:18.04
           - ubuntu:20.04
           - ubuntu:22.04

.github/workflows/ubuntu_tests.yml

@@ -0,0 +1,36 @@
+name: Ubuntu
+
+on:
+  push:
+  pull_request:
+    types: [ opened, reopened, synchronize ]
+
+# make GHA actions use node16 to use ancient container images
+# See https://github.blog/changelog/2024-03-07-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
+# Unclear how long this will work though
+env:
+  ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
+
+jobs:
+  builds:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ 'ubuntu:18.04', 'ubuntu:20.04', 'ubuntu:22.04' ]
+    runs-on: ubuntu-latest
+    container: ${{ matrix.os }}
+    steps:
+    - uses: actions/checkout@v3
+    - name: Install dependencies
+      # Set env variable or otherwise tzdata package requires interaction
+      env:
+        DEBIAN_FRONTEND: noninteractive
+      uses: ./.github/workflows/actions/ubuntu-build-deps
+    - name: configure
+      run: ./configure
+    - name: make
+      run: make
+    - name: make check
+      run: make check
+    - name: apps tests
+      run: cd examples && ./run_tests.sh && ./run_tests_conf.sh && ./run_tests_prom.sh

src/apps/common/apputils.h

@@ -57,13 +57,7 @@ extern int IS_TURN_SERVER;
 
 /* ALPN */
 
-#define OPENSSL_FIRST_ALPN_VERSION (0x10002003L)
-
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_FIRST_ALPN_VERSION
 #define ALPN_SUPPORTED 1
-#else
-#define ALPN_SUPPORTED 0
-#endif
 
 /* TLS */
 
@@ -97,7 +91,7 @@ extern int IS_TURN_SERVER;
 
 #endif
 
-#if defined(TURN_NO_DTLS) || (!defined(DTLS_CTRL_LISTEN) && (OPENSSL_VERSION_NUMBER < 0x10100000L))
+#if defined(TURN_NO_DTLS)
 
 #define DTLS_SUPPORTED 0
 #define DTLSv1_2_SUPPORTED 0
@@ -114,11 +108,7 @@ extern int IS_TURN_SERVER;
 
 #endif
 
-#if OPENSSL_VERSION_NUMBER >= OPENSSL_FIRST_ALPN_VERSION
 #define SSL_SESSION_ECDH_AUTO_SUPPORTED 1
-#else
-#define SSL_SESSION_ECDH_AUTO_SUPPORTED 0
-#endif
 
 /////////// SSL //////////////////////////
 

src/apps/relay/dbdrivers/dbd_mysql.c

@@ -106,12 +106,8 @@ char *decryptPassword(char *in, const unsigned char *mykey) {
   struct ctr_state state;
   init_ctr(&state, iv);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
   CRYPTO_ctr128_encrypt(encryptedText, outdata, newTotalSize, &key, state.ivec, state.ecount, &state.num,
                         (block128_f)AES_encrypt);
-#else
-  AES_ctr128_encrypt(encryptedText, outdata, newTotalSize, &key, state.ivec, state.ecount, &state.num);
-#endif
 
   strcat(last, (char *)outdata);
   out = (char *)malloc(sizeof(char) * (strlen(last) + 1)); // add 1 to allocate space for terminating '\0'

src/apps/relay/dtls_listener.c

@@ -201,12 +201,7 @@ static int generate_cookie(SSL *ssl, unsigned char *cookie, unsigned int *cookie
   return 1;
 }
 
-static int verify_cookie(SSL *ssl,
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-                         const
-#endif
-                         unsigned char *cookie,
-                         unsigned int cookie_len) {
+static int verify_cookie(SSL *ssl, const unsigned char *cookie, unsigned int cookie_len) {
   unsigned int resultlength = 0;
   unsigned char result[COOKIE_SECRET_LENGTH];
 
@@ -284,14 +279,8 @@ static ioa_socket_handle dtls_server_input_handler(dtls_listener_relay_server_ty
 
   SSL_set_bio(connecting_ssl, NULL, wbio);
   SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
-                                      | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
-#endif
-#else
 #if defined(SSL_OP_NO_RENEGOTIATION)
                                       | SSL_OP_NO_RENEGOTIATION
-#endif
 #endif
   );
   SSL_set_max_cert_list(connecting_ssl, 655350);
@@ -555,14 +544,8 @@ static int create_new_connected_udp_socket(dtls_listener_relay_server_type *serv
     SSL_set_bio(connecting_ssl, NULL, wbio);
 
     SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
-                                        | SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
-#endif
-#else
 #if defined(SSL_OP_NO_RENEGOTIATION)
                                         | SSL_OP_NO_RENEGOTIATION
-#endif
 #endif
     );
 

src/apps/relay/mainrelay.c

@@ -40,10 +40,6 @@
 #define MAX_TRIES 3
 #endif
 
-#if (!defined OPENSSL_VERSION_1_1_1)
-#define OPENSSL_VERSION_1_1_1 0x10101000L
-#endif
-
 ////// TEMPORARY data //////////
 
 static int use_lt_credentials = 0;
@@ -1736,12 +1732,8 @@ void encrypt_aes_128(unsigned char *in, const unsigned char *mykey) {
   struct ctr_state state;
   init_ctr(&state, iv);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
   CRYPTO_ctr128_encrypt(in, out, strlen((char *)in), &key, state.ivec, state.ecount, &state.num,
                         (block128_f)AES_encrypt);
-#else
-  AES_ctr128_encrypt(in, out, strlen((char *)in), &key, state.ivec, state.ecount, &state.num);
-#endif
 
   totalSize += strlen((char *)in);
   size = strlen((char *)in);
@@ -1832,12 +1824,8 @@ void decrypt_aes_128(char *in, const unsigned char *mykey) {
   struct ctr_state state;
   init_ctr(&state, iv);
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
   CRYPTO_ctr128_encrypt(encryptedText, outdata, newTotalSize, &key, state.ivec, state.ecount, &state.num,
                         (block128_f)AES_encrypt);
-#else
-  AES_ctr128_encrypt(encryptedText, outdata, newTotalSize, &key, state.ivec, state.ecount, &state.num);
-#endif
 
   strcat(last, (char *)outdata);
   printf("%s\n", last);
@@ -3360,65 +3348,10 @@ int main(int argc, char **argv) {
 ////////// OpenSSL locking ////////////////////////////////////////
 
 #if defined(OPENSSL_THREADS)
-#if OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0
-
-// array larger than anything that OpenSSL may need:
-static TURN_MUTEX_DECLARE(mutex_buf[256]);
-static int mutex_buf_initialized = 0;
-
-void coturn_locking_function(int mode, int n, const char *file, int line);
-void coturn_locking_function(int mode, int n, const char *file, int line) {
-  UNUSED_ARG(file);
-  UNUSED_ARG(line);
-  if (mutex_buf_initialized && (n < CRYPTO_num_locks())) {
-    if (mode & CRYPTO_LOCK) {
-      TURN_MUTEX_LOCK(&(mutex_buf[n]));
-    } else {
-      TURN_MUTEX_UNLOCK(&(mutex_buf[n]));
-    }
-  }
-}
-
-void coturn_id_function(CRYPTO_THREADID *ctid);
-void coturn_id_function(CRYPTO_THREADID *ctid) {
-  UNUSED_ARG(ctid);
-  CRYPTO_THREADID_set_numeric(ctid, (unsigned long)pthread_self());
-}
-
-static int THREAD_setup(void) {
-  int i;
-  for (i = 0; i < CRYPTO_num_locks(); i++) {
-    TURN_MUTEX_INIT(&(mutex_buf[i]));
-  }
-
-  mutex_buf_initialized = 1;
-  CRYPTO_THREADID_set_callback(coturn_id_function);
-  CRYPTO_set_locking_callback(coturn_locking_function);
-  return 1;
-}
-
-int THREAD_cleanup(void) {
-  int i;
-
-  if (!mutex_buf_initialized) {
-    return 0;
-  }
-
-  CRYPTO_THREADID_set_callback(NULL);
-  CRYPTO_set_locking_callback(NULL);
-  for (i = 0; i < CRYPTO_num_locks(); i++) {
-    TURN_MUTEX_DESTROY(&(mutex_buf[i]));
-  }
-
-  mutex_buf_initialized = 0;
-  return 1;
-}
-#else
 static int THREAD_setup(void) { return 1; }
 
 int THREAD_cleanup(void);
 int THREAD_cleanup(void) { return 1; }
-#endif /* OPENSSL_VERSION_NUMBER < OPENSSL_VERSION_1_1_0 */
 #endif /* defined(OPENSSL_THREADS) */
 
 static void adjust_key_file_name(char *fn, const char *file_title, int critical) {
@@ -3494,16 +3427,7 @@ static DH *get_dh566(void) {
   if ((dh = DH_new()) == NULL) {
     return (NULL);
   }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-  dh->p = BN_bin2bn(dh566_p, sizeof(dh566_p), NULL);
-  dh->g = BN_bin2bn(dh566_g, sizeof(dh566_g), NULL);
-  if ((dh->p == NULL) || (dh->g == NULL)) {
-    DH_free(dh);
-    return (NULL);
-  }
-#else
   DH_set0_pqg(dh, BN_bin2bn(dh566_p, sizeof(dh566_p), NULL), NULL, BN_bin2bn(dh566_g, sizeof(dh566_g), NULL));
-#endif
   return (dh);
 }
 
@@ -3531,16 +3455,7 @@ static DH *get_dh1066(void) {
   if ((dh = DH_new()) == NULL) {
     return (NULL);
   }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-  dh->p = BN_bin2bn(dh1066_p, sizeof(dh1066_p), NULL);
-  dh->g = BN_bin2bn(dh1066_g, sizeof(dh1066_g), NULL);
-  if ((dh->p == NULL) || (dh->g == NULL)) {
-    DH_free(dh);
-    return (NULL);
-  }
-#else
   DH_set0_pqg(dh, BN_bin2bn(dh1066_p, sizeof(dh1066_p), NULL), NULL, BN_bin2bn(dh1066_g, sizeof(dh1066_g), NULL));
-#endif
   return (dh);
 }
 
@@ -3577,16 +3492,7 @@ static DH *get_dh2066(void) {
   if ((dh = DH_new()) == NULL) {
     return (NULL);
   }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-  dh->p = BN_bin2bn(dh2066_p, sizeof(dh2066_p), NULL);
-  dh->g = BN_bin2bn(dh2066_g, sizeof(dh2066_g), NULL);
-  if ((dh->p == NULL) || (dh->g == NULL)) {
-    DH_free(dh);
-    return (NULL);
-  }
-#else
   DH_set0_pqg(dh, BN_bin2bn(dh2066_p, sizeof(dh2066_p), NULL), NULL, BN_bin2bn(dh2066_g, sizeof(dh2066_g), NULL));
-#endif
   return (dh);
 }
 
@@ -3749,11 +3655,6 @@ static void set_ctx(SSL_CTX **out, const char *protocol, const SSL_METHOD *metho
     }
 
     if (set_auto_curve) {
-#if SSL_SESSION_ECDH_AUTO_SUPPORTED
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-      SSL_CTX_set_ecdh_auto(ctx, 1);
-#endif
-#endif
       set_auto_curve = 0;
     }
   }
@@ -3906,22 +3807,6 @@ static void openssl_load_certificates(void) {
 
   TURN_MUTEX_LOCK(&turn_params.tls_mutex);
   if (!turn_params.no_tls) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    set_ctx(&turn_params.tls_ctx, "TLS", TLSv1_2_server_method()); /*openssl-1.0.2 version specific API */
-    if (turn_params.no_tlsv1) {
-      SSL_CTX_set_options(turn_params.tls_ctx, SSL_OP_NO_TLSv1);
-    }
-#if TLSv1_1_SUPPORTED
-    if (turn_params.no_tlsv1_1) {
-      SSL_CTX_set_options(turn_params.tls_ctx, SSL_OP_NO_TLSv1_1);
-    }
-#if TLSv1_2_SUPPORTED
-    if (turn_params.no_tlsv1_2) {
-      SSL_CTX_set_options(turn_params.tls_ctx, SSL_OP_NO_TLSv1_2);
-    }
-#endif
-#endif
-#else // OPENSSL_VERSION_NUMBER < 0x10100000L
     set_ctx(&turn_params.tls_ctx, "TLS", TLS_server_method());
     if (turn_params.no_tlsv1) {
       SSL_CTX_set_min_proto_version(turn_params.tls_ctx, TLS1_1_VERSION);
@@ -3934,31 +3819,13 @@ static void openssl_load_certificates(void) {
       SSL_CTX_set_min_proto_version(turn_params.tls_ctx, TLS1_3_VERSION);
     }
 #endif
-#endif // OPENSSL_VERSION_NUMBER < 0x10100000L
     TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "TLS cipher suite: %s\n", turn_params.cipher_list);
   }
 
   if (!turn_params.no_dtls) {
 #if !DTLS_SUPPORTED
     TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "ERROR: DTLS is not supported.\n");
-#elif OPENSSL_VERSION_NUMBER < 0x10000000L
-    TURN_LOG_FUNC(
-        TURN_LOG_LEVEL_WARNING,
-        "WARNING: TURN Server was compiled with rather old OpenSSL version, DTLS may not be working correctly.\n");
-#else
-#if OPENSSL_VERSION_NUMBER < 0x10100000L // before openssl-1.1.0 no version independent API
-#if DTLSv1_2_SUPPORTED
-    set_ctx(&turn_params.dtls_ctx, "DTLS", DTLSv1_2_server_method()); // openssl-1.0.2
-    if (turn_params.no_tlsv1_2) {
-      SSL_CTX_set_options(turn_params.dtls_ctx, SSL_OP_NO_DTLSv1_2);
-    }
 #else
-    set_ctx(&turn_params.dtls_ctx, "DTLS", DTLSv1_server_method()); // < openssl-1.0.2
-#endif
-    if (turn_params.no_tlsv1 || turn_params.no_tlsv1_1) {
-      SSL_CTX_set_options(turn_params.dtls_ctx, SSL_OP_NO_DTLSv1);
-    }
-#else  // OPENSSL_VERSION_NUMBER < 0x10100000L
     set_ctx(&turn_params.dtls_ctx, "DTLS", DTLS_server_method());
     if (turn_params.no_tlsv1 || turn_params.no_tlsv1_1) {
       SSL_CTX_set_min_proto_version(turn_params.dtls_ctx, DTLS1_2_VERSION);
@@ -3966,7 +3833,6 @@ static void openssl_load_certificates(void) {
     if (turn_params.no_tlsv1_2) {
       SSL_CTX_set_max_proto_version(turn_params.dtls_ctx, DTLS1_VERSION);
     }
-#endif // OPENSSL_VERSION_NUMBER < 0x10100000L
     setup_dtls_callbacks(turn_params.dtls_ctx);
     TURN_LOG_FUNC(TURN_LOG_LEVEL_INFO, "DTLS cipher suite: %s\n", turn_params.cipher_list);
 #endif

src/apps/relay/mainrelay.h

@@ -87,9 +87,7 @@
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
 
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 #include <openssl/modes.h>
-#endif
 
 #if !defined(TURN_NO_SYSTEMD)
 #include <systemd/sd-daemon.h>

src/apps/relay/netengine.c

@@ -33,8 +33,7 @@
 #include "ns_turn_ioalib.h"
 
 //////////// Backward compatibility with OpenSSL 1.0.x //////////////
-#if (OPENSSL_VERSION_NUMBER < 0x10100001L ||                                                                           \
-     (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x3040000fL))
+#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER <= 0x3040000fL
 #define SSL_CTX_up_ref(ctx) CRYPTO_add(&(ctx)->references, 1, CRYPTO_LOCK_SSL_CTX)
 #endif
 

src/apps/relay/ns_ioalib_engine_impl.c

@@ -1371,30 +1371,9 @@ ioa_socket_handle create_ioa_socket_from_fd(ioa_engine_handle e, ioa_socket_raw
 }
 
 static void ssl_info_callback(SSL *ssl, int where, int ret) {
-
   UNUSED_ARG(ret);
   UNUSED_ARG(ssl);
   UNUSED_ARG(where);
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#if defined(SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS)
-  if (0 != (where & SSL_CB_HANDSHAKE_START)) {
-    ioa_socket_handle s = (ioa_socket_handle)SSL_get_app_data(ssl);
-    if (s) {
-      ++(s->ssl_renegs);
-    }
-  } else if (0 != (where & SSL_CB_HANDSHAKE_DONE)) {
-    if (ssl->s3) {
-      ioa_socket_handle s = (ioa_socket_handle)SSL_get_app_data(ssl);
-      if (s) {
-        if (s->ssl_renegs > SSL_MAX_RENEG_NUMBER) {
-          ssl->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS;
-        }
-      }
-    }
-  }
-#endif
-#endif
 }
 
 typedef void (*ssl_info_callback_t)(const SSL *ssl, int type, int val);
@@ -1835,7 +1814,7 @@ int ssl_read(evutil_socket_t fd, SSL *ssl, ioa_network_buffer_handle nbh, int ve
   BIO *rbio = BIO_new_mem_buf(buffer, old_buffer_len);
   BIO_set_mem_eof_return(rbio, -1);
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined LIBRESSL_VERSION_NUMBER && LIBRESSL_VERSION_NUMBER < 0x3040000fL)
+#if defined LIBRESSL_VERSION_NUMBER && LIBRESSL_VERSION_NUMBER < 0x3040000fL
   ssl->rbio = rbio;
 #else
   SSL_set0_rbio(ssl, rbio);
@@ -1934,7 +1913,7 @@ int ssl_read(evutil_socket_t fd, SSL *ssl, ioa_network_buffer_handle nbh, int ve
   if (ret > 0) {
     ioa_network_buffer_add_offset_size(nbh, (uint16_t)buf_size, 0, (size_t)ret);
   }
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || (defined LIBRESSL_VERSION_NUMBER && LIBRESSL_VERSION_NUMBER < 0x3040000fL)
+#if defined LIBRESSL_VERSION_NUMBER && LIBRESSL_VERSION_NUMBER < 0x3040000fL
   ssl->rbio = NULL;
   BIO_free(rbio);
 #else

src/apps/uclient/mainuclient.c

@@ -496,40 +496,16 @@ int main(int argc, char **argv) {
     }
 
     if (use_tcp) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-#if TLSv1_2_SUPPORTED
-      root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_2_client_method());
-#elif TLSv1_1_SUPPORTED
-      root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_1_client_method());
-#else
-      root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLSv1_client_method());
-#endif
-      SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
-#else // OPENSSL_VERSION_NUMBER >= 0x10100000L
       root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(TLS_client_method());
       SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
-#endif
       root_tls_ctx_num++;
     } else {
 #if !DTLS_SUPPORTED
       fprintf(stderr, "ERROR: DTLS is not supported.\n");
       exit(-1);
 #else
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-      if (OPENSSL_VERSION_NUMBER < 0x10000000L) {
-        TURN_LOG_FUNC(TURN_LOG_LEVEL_WARNING,
-                      "WARNING: OpenSSL version is rather old, DTLS may not be working correctly.\n");
-      }
-#if DTLSv1_2_SUPPORTED
-      root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(DTLSv1_2_client_method());
-#else
-      root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(DTLSv1_client_method());
-#endif
-      SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
-#else // OPENSSL_VERSION_NUMBER >= 0x10100000L
       root_tls_ctx[root_tls_ctx_num] = SSL_CTX_new(DTLS_client_method());
       SSL_CTX_set_cipher_list(root_tls_ctx[root_tls_ctx_num], csuite);
-#endif
 #endif
       root_tls_ctx_num++;
     }

src/client/ns_turn_msg.c

@@ -187,21 +187,12 @@ bool stun_produce_integrity_key_str(const uint8_t *uname, const uint8_t *realm,
 
   if (shatype == SHATYPE_SHA256) {
 #if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    unsigned int keylen = 0;
-    EVP_MD_CTX ctx;
-    EVP_DigestInit(&ctx, EVP_sha256());
-    EVP_DigestUpdate(&ctx, str, strl);
-    EVP_DigestFinal(&ctx, key, &keylen);
-    EVP_MD_CTX_cleanup(&ctx);
-#else
     unsigned int keylen = 0;
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
     EVP_DigestInit(ctx, EVP_sha256());
     EVP_DigestUpdate(ctx, str, strl);
     EVP_DigestFinal(ctx, key, &keylen);
     EVP_MD_CTX_free(ctx);
-#endif
     ret = true;
 #else
     fprintf(stderr, "SHA256 is not supported\n");
@@ -209,21 +200,12 @@ bool stun_produce_integrity_key_str(const uint8_t *uname, const uint8_t *realm,
 #endif
   } else if (shatype == SHATYPE_SHA384) {
 #if !defined(OPENSSL_NO_SHA384) && defined(SHA384_DIGEST_LENGTH)
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    unsigned int keylen = 0;
-    EVP_MD_CTX ctx;
-    EVP_DigestInit(&ctx, EVP_sha384());
-    EVP_DigestUpdate(&ctx, str, strl);
-    EVP_DigestFinal(&ctx, key, &keylen);
-    EVP_MD_CTX_cleanup(&ctx);
-#else
     unsigned int keylen = 0;
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
     EVP_DigestInit(ctx, EVP_sha384());
     EVP_DigestUpdate(ctx, str, strl);
     EVP_DigestFinal(ctx, key, &keylen);
     EVP_MD_CTX_free(ctx);
-#endif
     ret = true;
 #else
     fprintf(stderr, "SHA384 is not supported\n");
@@ -231,41 +213,19 @@ bool stun_produce_integrity_key_str(const uint8_t *uname, const uint8_t *realm,
 #endif
   } else if (shatype == SHATYPE_SHA512) {
 #if !defined(OPENSSL_NO_SHA512) && defined(SHA512_DIGEST_LENGTH)
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    unsigned int keylen = 0;
-    EVP_MD_CTX ctx;
-    EVP_DigestInit(&ctx, EVP_sha512());
-    EVP_DigestUpdate(&ctx, str, strl);
-    EVP_DigestFinal(&ctx, key, &keylen);
-    EVP_MD_CTX_cleanup(&ctx);
-#else
     unsigned int keylen = 0;
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
     EVP_DigestInit(ctx, EVP_sha512());
     EVP_DigestUpdate(ctx, str, strl);
     EVP_DigestFinal(ctx, key, &keylen);
     EVP_MD_CTX_free(ctx);
-#endif
     ret = true;
 #else
     fprintf(stderr, "SHA512 is not supported\n");
     ret = false;
 #endif
   } else {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    unsigned int keylen = 0;
-    EVP_MD_CTX ctx;
-    EVP_MD_CTX_init(&ctx);
-#if defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && !defined(LIBRESSL_VERSION_NUMBER)
-    if (FIPS_mode()) {
-      EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-    }
-#endif // defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && !defined(LIBRESSL_VERSION_NUMBER)
-    EVP_DigestInit_ex(&ctx, EVP_md5(), NULL);
-    EVP_DigestUpdate(&ctx, str, strl);
-    EVP_DigestFinal(&ctx, key, &keylen);
-    EVP_MD_CTX_cleanup(&ctx);
-#elif OPENSSL_VERSION_NUMBER >= 0x30000000L
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
     unsigned int keylen = 0;
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
     if (EVP_default_properties_is_fips_enabled(NULL)) {
@@ -275,7 +235,7 @@ bool stun_produce_integrity_key_str(const uint8_t *uname, const uint8_t *realm,
     EVP_DigestUpdate(ctx, str, strl);
     EVP_DigestFinal(ctx, key, &keylen);
     EVP_MD_CTX_free(ctx);
-#else // OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x30000000L
+#else // OPENSSL_VERSION_NUMBER < 0x30000000L
     unsigned int keylen = 0;
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
 #if defined EVP_MD_CTX_FLAG_NON_FIPS_ALLOW && !defined(LIBRESSL_VERSION_NUMBER)
@@ -287,7 +247,7 @@ bool stun_produce_integrity_key_str(const uint8_t *uname, const uint8_t *realm,
     EVP_DigestUpdate(ctx, str, strl);
     EVP_DigestFinal(ctx, key, &keylen);
     EVP_MD_CTX_free(ctx);
-#endif // OPENSSL_VERSION_NUMBER < 0X10100000L
+#endif // OPENSSL_VERSION_NUMBER >= 0X30000000L
     ret = true;
   }
 
@@ -323,23 +283,6 @@ static void generate_enc_password(const char *pwd, char *result, const unsigned
   result[3 + PWD_SALT_SIZE + PWD_SALT_SIZE] = '$';
   unsigned char *out = (unsigned char *)(result + 3 + PWD_SALT_SIZE + PWD_SALT_SIZE + 1);
   {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    EVP_MD_CTX ctx;
-#if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
-    EVP_DigestInit(&ctx, EVP_sha256());
-#else
-    EVP_DigestInit(&ctx, EVP_sha1());
-#endif
-    EVP_DigestUpdate(&ctx, salt, PWD_SALT_SIZE);
-    EVP_DigestUpdate(&ctx, pwd, strlen(pwd));
-    {
-      unsigned char hash[129];
-      unsigned int keylen = 0;
-      EVP_DigestFinal(&ctx, hash, &keylen);
-      readable_string(hash, out, keylen);
-    }
-    EVP_MD_CTX_cleanup(&ctx);
-#else
     EVP_MD_CTX *ctx = EVP_MD_CTX_new();
 #if !defined(OPENSSL_NO_SHA256) && defined(SHA256_DIGEST_LENGTH)
     EVP_DigestInit(ctx, EVP_sha256());
@@ -355,7 +298,6 @@ static void generate_enc_password(const char *pwd, char *result, const unsigned
       readable_string(hash, out, keylen);
     }
     EVP_MD_CTX_free(ctx);
-#endif
   }
 }
 
@@ -2312,12 +2254,7 @@ static bool encode_oauth_token_gcm(const uint8_t *server_name, encoded_oauth_tok
       return false;
     }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    EVP_CIPHER_CTX ctx;
-    EVP_CIPHER_CTX *ctxp = &ctx;
-#else
     EVP_CIPHER_CTX *ctxp = EVP_CIPHER_CTX_new();
-#endif
     EVP_CIPHER_CTX_init(ctxp);
 
     /* Initialize the encryption operation. */
@@ -2367,11 +2304,7 @@ static bool encode_oauth_token_gcm(const uint8_t *server_name, encoded_oauth_tok
 
     etoken->size = 2 + OAUTH_GCM_NONCE_SIZE + outl;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    EVP_CIPHER_CTX_cleanup(ctxp);
-#else
     EVP_CIPHER_CTX_free(ctxp);
-#endif
 
     return true;
   }
@@ -2411,12 +2344,7 @@ static bool decode_oauth_token_gcm(const uint8_t *server_name, const encoded_oau
       return false;
     }
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    EVP_CIPHER_CTX ctx;
-    EVP_CIPHER_CTX *ctxp = &ctx;
-#else
     EVP_CIPHER_CTX *ctxp = EVP_CIPHER_CTX_new();
-#endif
     EVP_CIPHER_CTX_init(ctxp);
     /* Initialize the decryption operation. */
     if (1 != EVP_DecryptInit_ex(ctxp, cipher, NULL, NULL, NULL)) {
@@ -2459,21 +2387,13 @@ static bool decode_oauth_token_gcm(const uint8_t *server_name, const encoded_oau
 
     int tmp_outl = 0;
     if (EVP_DecryptFinal_ex(ctxp, decoded_field + outl, &tmp_outl) < 1) {
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-      EVP_CIPHER_CTX_cleanup(ctxp);
-#else
       EVP_CIPHER_CTX_free(ctxp);
-#endif
       OAUTH_ERROR("%s: token integrity check failed\n", __FUNCTION__);
       return false;
     }
     outl += tmp_outl;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
-    EVP_CIPHER_CTX_cleanup(ctxp);
-#else
     EVP_CIPHER_CTX_free(ctxp);
-#endif
 
     size_t len = 0;