diff -up db-5.3.28/dist/aclocal/options.m4.openssl db-5.3.28/dist/aclocal/options.m4

--- db-5.3.28/dist/aclocal/options.m4.openssl	2013-09-09 17:35:02.000000000 +0200

+++ db-5.3.28/dist/aclocal/options.m4	2018-10-22 11:02:08.037182417 +0200

@@ -406,7 +406,7 @@ AC_ARG_WITH([cryptography],

 	AC_HELP_STRING([--with-cryptography=yes|no|ipp], [Build database cryptography support @<:@default=yes@:>@.]),

 	[], [with_cryptography=$enable_cryptography])

 case "$with_cryptography" in

-yes|no|ipp) ;;

+yes|no|ipp|openssl) ;;

 *) AC_MSG_ERROR([unknown --with-cryptography argument \'$with_cryptography\']) ;;

 esac

 db_cv_build_cryptography="$with_cryptography"

diff -up db-5.3.28/dist/configure.ac.openssl db-5.3.28/dist/configure.ac

--- db-5.3.28/dist/configure.ac.openssl	2018-10-22 11:02:08.019182151 +0200

+++ db-5.3.28/dist/configure.ac	2018-10-22 14:40:52.467991248 +0200

@@ -994,6 +994,18 @@ in the configured include path.]))

 		AC_DEFINE(HAVE_CRYPTO_IPP)

 		AH_TEMPLATE(HAVE_CRYPTO_IPP,

 		    [Define to 1 if using Intel IPP for cryptography.])

+    else

+        if test "$db_cv_build_cryptography" = "openssl"; then

+            AC_CHECK_HEADERS(openssl/conf.h openssl/evp.h, [], AC_MSG_ERROR([\

+Openssl header files required for OPENSSL cryptography support were not found \

+in the configured include path.]))

+            AC_DEFINE(HAVE_CRYPTO_OPENSSL)

+            AC_CHECK_LIB(crypto, EVP_CIPHER_CTX_new,

+                [LDFLAGS="-lcrypto $LDFLAGS"], AC_MSG_ERROR([\

+Libcrypto was not found in the configured library path.]))

+            AH_TEMPLATE(HAVE_CRYPTO_OPENSSL,

+                [Define to 1 if using OpenSSL for cryptography.])

+        fi

 	fi

 else

 	CRYPTO_OBJS="crypto_stub${o}"

diff -up db-5.3.28/dist/Makefile.in.openssl db-5.3.28/dist/Makefile.in

--- db-5.3.28/dist/Makefile.in.openssl	2018-10-22 11:02:07.997181825 +0200

+++ db-5.3.28/dist/Makefile.in	2018-10-22 11:30:39.442854972 +0200

@@ -305,9 +305,10 @@ CXX_OBJS=\

 	cxx_except@o@ cxx_lock@o@ cxx_logc@o@ cxx_mpool@o@ cxx_multi@o@ \

 	cxx_rid@o@ cxx_seq@o@ cxx_site@o@ cxx_txn@o@

+CRYPTO_OBJS_RIJNDAEL=\

+	rijndael-alg-fst@o@ rijndael-api-fst@o@

 CRYPTO_OBJS=\

-	aes_method@o@ crypto@o@ mt19937db@o@ rijndael-alg-fst@o@ \

-	rijndael-api-fst@o@

+	aes_method@o@ crypto@o@ mt19937db@o@

 JAVA_OBJS=\

 	db_java_wrap@o@

diff -up db-5.3.28/src/crypto/aes_method.c.openssl db-5.3.28/src/crypto/aes_method.c

--- db-5.3.28/src/crypto/aes_method.c.openssl	2013-09-09 17:35:07.000000000 +0200

+++ db-5.3.28/src/crypto/aes_method.c	2018-10-22 17:54:53.439276678 +0200

@@ -17,6 +17,10 @@

 #ifdef HAVE_CRYPTO_IPP

 #include <ippcp.h>

+#elif defined(HAVE_CRYPTO_OPENSSL)

+#define OPENSSL_AES_ERROR -101

+#include <openssl/conf.h>

+#include <openssl/evp.h>

 #endif

 static void __aes_err __P((ENV *, int));

@@ -119,11 +123,13 @@ __aes_decrypt(env, aes_data, iv, cipher,

 	AES_CIPHER *aes;

 #ifdef	HAVE_CRYPTO_IPP

 	IppStatus ipp_ret;

+#elif defined(HAVE_CRYPTO_OPENSSL)

+   EVP_CIPHER_CTX *ctx;

+   int temp_len;

 #else

 	cipherInstance c;

-#endif

 	int ret;

-

+#endif

 	aes = (AES_CIPHER *)aes_data;

 	if (iv == NULL || cipher == NULL)

 		return (EINVAL);

@@ -137,6 +143,32 @@ __aes_decrypt(env, aes_data, iv, cipher,

 		__aes_err(env, (int)ipp_ret);

 		return (EAGAIN);

 	}

+#elif defined(HAVE_CRYPTO_OPENSSL)

+    if(!(ctx = EVP_CIPHER_CTX_new())) {

+		__aes_err(env, OPENSSL_AES_ERROR);

+        return (EAGAIN);

+    }

+    if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, aes->key,

+        (unsigned char*)iv)) {

+		__aes_err(env, OPENSSL_AES_ERROR);

+        return (EAGAIN);

+    }

+

+    EVP_CIPHER_CTX_set_padding(ctx, 0);

+

+    if(1 != EVP_DecryptUpdate(ctx, (unsigned char*)cipher, &temp_len,

+        (unsigned char*)cipher, cipher_len)) {

+		__aes_err(env, OPENSSL_AES_ERROR);

+        return (EAGAIN);

+    }

+    cipher_len = temp_len;

+    if(1 != EVP_DecryptFinal_ex(ctx, ((unsigned char*)cipher) + temp_len,

+        &temp_len)) {

+		__aes_err(env, OPENSSL_AES_ERROR);

+        return (EAGAIN);

+    }

+    cipher_len += temp_len;

+    EVP_CIPHER_CTX_free(ctx);

 #else

 	/*

 	 * Initialize the cipher

@@ -174,6 +206,9 @@ __aes_encrypt(env, aes_data, iv, data, d

 	AES_CIPHER *aes;

 #ifdef	HAVE_CRYPTO_IPP

 	IppStatus ipp_ret;

+#elif defined(HAVE_CRYPTO_OPENSSL)

+   EVP_CIPHER_CTX *ctx;

+   int temp_len;

 #else

 	cipherInstance c;

 #endif

@@ -204,6 +239,32 @@ __aes_encrypt(env, aes_data, iv, data, d

 		__aes_err(env, (int)ipp_ret);

 		return (EAGAIN);

 	}

+#elif defined(HAVE_CRYPTO_OPENSSL)

+    if(!(ctx = EVP_CIPHER_CTX_new())) {

+		__aes_err(env, OPENSSL_AES_ERROR);

+        return (EAGAIN);

+    }

+    if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, aes->key,

+        (unsigned char*)tmp_iv)) {

+		__aes_err(env, OPENSSL_AES_ERROR);

+        return (EAGAIN);

+    }

+

+    EVP_CIPHER_CTX_set_padding(ctx, 0);

+

+    if(1 != EVP_EncryptUpdate(ctx, (unsigned char*)data, &temp_len,

+        (unsigned char*)data, data_len)) {

+		__aes_err(env, OPENSSL_AES_ERROR);

+        return (EAGAIN);

+    }

+    data_len = temp_len;

+    if(1 != EVP_EncryptFinal_ex(ctx, ((unsigned char*)data) + temp_len,

+        &temp_len)) {

+		__aes_err(env, OPENSSL_AES_ERROR);

+        return (EAGAIN);

+    }

+    data_len += temp_len;

+    EVP_CIPHER_CTX_free(ctx);

 #else

 	/*

 	 * Initialize the cipher

@@ -254,7 +315,7 @@ __aes_derivekeys(env, db_cipher, passwd,

 	SHA1_CTX ctx;

 #ifdef	HAVE_CRYPTO_IPP

 	IppStatus ipp_ret;

-#else

+#elif !defined(HAVE_CRYPTO_OPENSSL)

 	int ret;

 #endif

 	u_int32_t temp[DB_MAC_KEY/4];

@@ -278,6 +339,8 @@ __aes_derivekeys(env, db_cipher, passwd,

 		__aes_err(env, (int)ipp_ret);

 		return (EAGAIN);

 	}

+#elif defined(HAVE_CRYPTO_OPENSSL)

+    memcpy(aes->key, (unsigned char*) temp, DB_AES_CHUNK);

 #else

 	if ((ret = __db_makeKey(&aes->encrypt_ki, DIR_ENCRYPT,

 	    DB_AES_KEYLEN, (char *)temp)) != TRUE) {

@@ -320,6 +383,10 @@ __aes_err(env, err)

 	case ippStsUnderRunErr:

 		errstr = DB_STR("0185", "IPP AES srclen size error");

 		break;

+#elif defined(HAVE_CRYPTO_OPENSSL)

+	case OPENSSL_AES_ERROR:

+		errstr = DB_STR("0193", "AES unknown error");

+		break;

 #else

 	case BAD_KEY_DIR:

 		errstr = DB_STR("0186", "AES key direction is invalid");

diff -up db-5.3.28/src/dbinc/crypto.h.openssl db-5.3.28/src/dbinc/crypto.h

--- db-5.3.28/src/dbinc/crypto.h.openssl	2013-09-09 17:35:08.000000000 +0200

+++ db-5.3.28/src/dbinc/crypto.h	2018-10-22 11:02:08.038182432 +0200

@@ -59,7 +60,9 @@ struct __db_cipher {

 #ifdef HAVE_CRYPTO

+#ifndef HAVE_CRYPTO_OPENSSL

 #include "crypto/rijndael/rijndael-api-fst.h"

+#endif

 /*

  * Shared ciphering structure

@@ -77,6 +80,8 @@ typedef struct __cipher {

 typedef struct __aes_cipher {

 #ifdef	HAVE_CRYPTO_IPP

 	void		*ipp_ctx;	/* IPP key instance */

+#elif defined(HAVE_CRYPTO_OPENSSL)

+    unsigned char key[DB_AES_CHUNK];

 #else

 	keyInstance	decrypt_ki;	/* Decryption key instance */

 	keyInstance	encrypt_ki;	/* Encryption key instance */