7809d0
diff -up db-5.3.28/dist/aclocal/options.m4.openssl db-5.3.28/dist/aclocal/options.m4
7809d0
--- db-5.3.28/dist/aclocal/options.m4.openssl	2013-09-09 17:35:02.000000000 +0200
7809d0
+++ db-5.3.28/dist/aclocal/options.m4	2018-10-22 11:02:08.037182417 +0200
7809d0
@@ -406,7 +406,7 @@ AC_ARG_WITH([cryptography],
7809d0
 	AC_HELP_STRING([--with-cryptography=yes|no|ipp], [Build database cryptography support @<:@default=yes@:>@.]),
7809d0
 	[], [with_cryptography=$enable_cryptography])
7809d0
 case "$with_cryptography" in
7809d0
-yes|no|ipp) ;;
7809d0
+yes|no|ipp|openssl) ;;
7809d0
 *) AC_MSG_ERROR([unknown --with-cryptography argument \'$with_cryptography\']) ;;
7809d0
 esac
7809d0
 db_cv_build_cryptography="$with_cryptography"
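Review bot: The help text two lines above the `case` still advertises only `yes|no|ipp`, so `./configure --help` never shows the new `openssl` value that this hunk starts accepting. Update the first argument of `AC_HELP_STRING` to `[--with-cryptography=yes|no|ipp|openssl]` so that the accepted set and the documented set stay in step.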
7809d0
diff -up db-5.3.28/dist/configure.ac.openssl db-5.3.28/dist/configure.ac
7809d0
--- db-5.3.28/dist/configure.ac.openssl	2018-10-22 11:02:08.019182151 +0200
7809d0
+++ db-5.3.28/dist/configure.ac	2018-10-22 14:40:52.467991248 +0200
7809d0
@@ -994,6 +994,18 @@ in the configured include path.]))
7809d0
 		AC_DEFINE(HAVE_CRYPTO_IPP)
7809d0
 		AH_TEMPLATE(HAVE_CRYPTO_IPP,
7809d0
 		    [Define to 1 if using Intel IPP for cryptography.])
7809d0
+    else
7809d0
+        if test "$db_cv_build_cryptography" = "openssl"; then
7809d0
+            AC_CHECK_HEADERS(openssl/conf.h openssl/evp.h, [], AC_MSG_ERROR([\
7809d0
+Openssl header files required for OPENSSL cryptography support were not found \
7809d0
+in the configured include path.]))
7809d0
+            AC_DEFINE(HAVE_CRYPTO_OPENSSL)
7809d0
+            AC_CHECK_LIB(crypto, EVP_CIPHER_CTX_new,
7809d0
+                [LDFLAGS="-lcrypto $LDFLAGS"], AC_MSG_ERROR([\
7809d0
+Libcrypto was not found in the configured library path.]))
7809d0
+            AH_TEMPLATE(HAVE_CRYPTO_OPENSSL,
7809d0
+                [Define to 1 if using OpenSSL for cryptography.])
7809d0
+        fi
7809d0
 	fi
7809d0
 else
7809d0
 	CRYPTO_OBJS="crypto_stub${o}"
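Review bot: The `AC_CHECK_LIB` success action puts the library into `LDFLAGS` (`LDFLAGS="-lcrypto $LDFLAGS"`), which places `-lcrypto` ahead of the object files on the link line. With `-Wl,--as-needed` or static linking the library can then be dropped or left unresolved. Libraries belong in `LIBS`, for example `[LIBS="-lcrypto $LIBS"]`. Separately, the `AC_MSG_ERROR(...)` passed as the not-found action to `AC_CHECK_HEADERS` and `AC_CHECK_LIB` is not wrapped in `[...]`, unlike the other arguments; quoting it keeps m4 from expanding it early.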
7809d0
diff -up db-5.3.28/dist/Makefile.in.openssl db-5.3.28/dist/Makefile.in
7809d0
--- db-5.3.28/dist/Makefile.in.openssl	2018-10-22 11:02:07.997181825 +0200
7809d0
+++ db-5.3.28/dist/Makefile.in	2018-10-22 11:30:39.442854972 +0200
7809d0
@@ -305,9 +305,10 @@ CXX_OBJS=\
7809d0
 	cxx_except@o@ cxx_lock@o@ cxx_logc@o@ cxx_mpool@o@ cxx_multi@o@ \
7809d0
 	cxx_rid@o@ cxx_seq@o@ cxx_site@o@ cxx_txn@o@
7809d0
 
7809d0
+CRYPTO_OBJS_RIJNDAEL=\
7809d0
+	rijndael-alg-fst@o@ rijndael-api-fst@o@
7809d0
 CRYPTO_OBJS=\
7809d0
-	aes_method@o@ crypto@o@ mt19937db@o@ rijndael-alg-fst@o@ \
7809d0
-	rijndael-api-fst@o@
7809d0
+	aes_method@o@ crypto@o@ mt19937db@o@
7809d0
 
7809d0
 JAVA_OBJS=\
7809d0
 	db_java_wrap@o@
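Review bot: Nothing in the visible hunks of this patch references the new `CRYPTO_OBJS_RIJNDAEL` variable, while `rijndael-alg-fst@o@` and `rijndael-api-fst@o@` are removed from `CRYPTO_OBJS` for every configuration. If configure is not changed elsewhere, a `--with-cryptography=yes` build would still compile the `__db_makeKey` path in aes_method.c but would no longer link the Rijndael objects. The non-OpenSSL branch of configure should add `$(CRYPTO_OBJS_RIJNDAEL)` to the object list it substitutes, and a short comment above the variable should say which modes need it.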
7809d0
diff -up db-5.3.28/src/crypto/aes_method.c.openssl db-5.3.28/src/crypto/aes_method.c
7809d0
--- db-5.3.28/src/crypto/aes_method.c.openssl	2013-09-09 17:35:07.000000000 +0200
7809d0
+++ db-5.3.28/src/crypto/aes_method.c	2018-10-22 17:54:53.439276678 +0200
7809d0
@@ -17,6 +17,10 @@
7809d0
 
7809d0
 #ifdef HAVE_CRYPTO_IPP
7809d0
 #include <ippcp.h>
7809d0
+#elif defined(HAVE_CRYPTO_OPENSSL)
7809d0
+#define OPENSSL_AES_ERROR -101
7809d0
+#include <openssl/conf.h>
7809d0
+#include <openssl/evp.h>
7809d0
 #endif
7809d0
 
7809d0
 static void __aes_err __P((ENV *, int));
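Review bot: The new error code is defined as a bare negative literal, `#define OPENSSL_AES_ERROR -101`, which can mis-parse when the macro is used inside an expression; write it as `#define OPENSSL_AES_ERROR (-101)`. A one-line comment saying why -101 was chosen, and that it must not collide with the Rijndael or IPP status values handled by `__aes_err`, would help the next reader. `<openssl/conf.h>` does not appear to be needed by any of the calls added in this file's visible hunks, which use only `EVP_*` functions, so it can probably be dropped.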
7809d0
@@ -119,11 +123,13 @@ __aes_decrypt(env, aes_data, iv, cipher,
7809d0
 	AES_CIPHER *aes;
7809d0
 #ifdef	HAVE_CRYPTO_IPP
7809d0
 	IppStatus ipp_ret;
7809d0
+#elif defined(HAVE_CRYPTO_OPENSSL)
7809d0
+   EVP_CIPHER_CTX *ctx;
7809d0
+   int temp_len;
7809d0
 #else
7809d0
 	cipherInstance c;
7809d0
-#endif
7809d0
 	int ret;
7809d0
-
7809d0
+#endif
7809d0
 	aes = (AES_CIPHER *)aes_data;
7809d0
 	if (iv == NULL || cipher == NULL)
7809d0
 		return (EINVAL);
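Review bot: The added declarations are indented with three spaces (`   EVP_CIPHER_CTX *ctx;`, `   int temp_len;`) while the surrounding context lines use a tab, and the later OpenSSL branches in this file and the new member in crypto.h mix four-space indents with tab-indented `__aes_err` calls. Re-indent the added lines with tabs to match the file, e.g. `\tEVP_CIPHER_CTX *ctx;`. Moving `int ret;` inside the `#else` also removes it from IPP builds; that is fine only if the IPP path of `__aes_decrypt` never uses `ret`, which cannot be confirmed from this hunk.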
7809d0
@@ -137,6 +143,32 @@ __aes_decrypt(env, aes_data, iv, cipher,
7809d0
 		__aes_err(env, (int)ipp_ret);
7809d0
 		return (EAGAIN);
7809d0
 	}
7809d0
+#elif defined(HAVE_CRYPTO_OPENSSL)
7809d0
+    if(!(ctx = EVP_CIPHER_CTX_new())) {
7809d0
+		__aes_err(env, OPENSSL_AES_ERROR);
7809d0
+        return (EAGAIN);
7809d0
+    }
7809d0
+    if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, aes->key,
7809d0
+        (unsigned char*)iv)) {
7809d0
+		__aes_err(env, OPENSSL_AES_ERROR);
7809d0
+        return (EAGAIN);
7809d0
+    }
7809d0
+
7809d0
+    EVP_CIPHER_CTX_set_padding(ctx, 0);
7809d0
+
7809d0
+    if(1 != EVP_DecryptUpdate(ctx, (unsigned char*)cipher, &temp_len,
7809d0
+        (unsigned char*)cipher, cipher_len)) {
7809d0
+		__aes_err(env, OPENSSL_AES_ERROR);
7809d0
+        return (EAGAIN);
7809d0
+    }
7809d0
+    cipher_len = temp_len;
7809d0
+    if(1 != EVP_DecryptFinal_ex(ctx, ((unsigned char*)cipher) + temp_len,
7809d0
+        &temp_len)) {
7809d0
+		__aes_err(env, OPENSSL_AES_ERROR);
7809d0
+        return (EAGAIN);
7809d0
+    }
7809d0
+    cipher_len += temp_len;
7809d0
+    EVP_CIPHER_CTX_free(ctx);
7809d0
 #else
7809d0
 	/*
7809d0
 	 * Initialize the cipher
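Review bot: Every failure return after `EVP_CIPHER_CTX_new()` in the added OpenSSL branch leaves `ctx` allocated, so a failed init, update or final call leaks the context and any key material already loaded into it. The `__aes_encrypt` hunk further down repeats the same pattern with the `EVP_Encrypt*` calls. Free the context on one shared error path before returning `EAGAIN`, as sketched below. The two assignments to `cipher_len` have no effect within this hunk and can be dropped unless code outside it reads the value. `__aes_decrypt` starts and ends outside the hunk.

```c
#elif defined(HAVE_CRYPTO_OPENSSL)
	if ((ctx = EVP_CIPHER_CTX_new()) == NULL) {
		__aes_err(env, OPENSSL_AES_ERROR);
		return (EAGAIN);
	}
	/* Any failing step falls through to a single cleanup path. */
	if (EVP_DecryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, aes->key,
	    (unsigned char *)iv) != 1 ||
	    EVP_CIPHER_CTX_set_padding(ctx, 0) != 1 ||
	    EVP_DecryptUpdate(ctx, (unsigned char *)cipher, &temp_len,
	    (unsigned char *)cipher, cipher_len) != 1 ||
	    EVP_DecryptFinal_ex(ctx, (unsigned char *)cipher + temp_len,
	    &temp_len) != 1) {
		EVP_CIPHER_CTX_free(ctx);
		__aes_err(env, OPENSSL_AES_ERROR);
		return (EAGAIN);
	}
	EVP_CIPHER_CTX_free(ctx);
/* … unchanged: #else branch with the Rijndael implementation … */
```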
7809d0
@@ -174,6 +206,9 @@ __aes_encrypt(env, aes_data, iv, data, d
7809d0
 	AES_CIPHER *aes;
7809d0
 #ifdef	HAVE_CRYPTO_IPP
7809d0
 	IppStatus ipp_ret;
7809d0
+#elif defined(HAVE_CRYPTO_OPENSSL)
7809d0
+   EVP_CIPHER_CTX *ctx;
7809d0
+   int temp_len;
7809d0
 #else
7809d0
 	cipherInstance c;
7809d0
 #endif
7809d0
@@ -204,6 +239,32 @@ __aes_encrypt(env, aes_data, iv, data, d
7809d0
 		__aes_err(env, (int)ipp_ret);
7809d0
 		return (EAGAIN);
7809d0
 	}
7809d0
+#elif defined(HAVE_CRYPTO_OPENSSL)
7809d0
+    if(!(ctx = EVP_CIPHER_CTX_new())) {
7809d0
+		__aes_err(env, OPENSSL_AES_ERROR);
7809d0
+        return (EAGAIN);
7809d0
+    }
7809d0
+    if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_128_cbc(), NULL, aes->key,
7809d0
+        (unsigned char*)tmp_iv)) {
7809d0
+		__aes_err(env, OPENSSL_AES_ERROR);
7809d0
+        return (EAGAIN);
7809d0
+    }
7809d0
+
7809d0
+    EVP_CIPHER_CTX_set_padding(ctx, 0);
7809d0
+
7809d0
+    if(1 != EVP_EncryptUpdate(ctx, (unsigned char*)data, &temp_len,
7809d0
+        (unsigned char*)data, data_len)) {
7809d0
+		__aes_err(env, OPENSSL_AES_ERROR);
7809d0
+        return (EAGAIN);
7809d0
+    }
7809d0
+    data_len = temp_len;
7809d0
+    if(1 != EVP_EncryptFinal_ex(ctx, ((unsigned char*)data) + temp_len,
7809d0
+        &temp_len)) {
7809d0
+		__aes_err(env, OPENSSL_AES_ERROR);
7809d0
+        return (EAGAIN);
7809d0
+    }
7809d0
+    data_len += temp_len;
7809d0
+    EVP_CIPHER_CTX_free(ctx);
7809d0
 #else
7809d0
 	/*
7809d0
 	 * Initialize the cipher
7809d0
@@ -254,7 +315,7 @@ __aes_derivekeys(env, db_cipher, passwd,
7809d0
 	SHA1_CTX ctx;
7809d0
 #ifdef	HAVE_CRYPTO_IPP
7809d0
 	IppStatus ipp_ret;
7809d0
-#else
7809d0
+#elif !defined(HAVE_CRYPTO_OPENSSL)
7809d0
 	int ret;
7809d0
 #endif
7809d0
 	u_int32_t temp[DB_MAC_KEY/4];
7809d0
@@ -278,6 +339,8 @@ __aes_derivekeys(env, db_cipher, passwd,
7809d0
 		__aes_err(env, (int)ipp_ret);
7809d0
 		return (EAGAIN);
7809d0
 	}
7809d0
+#elif defined(HAVE_CRYPTO_OPENSSL)
7809d0
+    memcpy(aes->key, (unsigned char*) temp, DB_AES_CHUNK);
7809d0
 #else
7809d0
 	if ((ret = __db_makeKey(&aes->encrypt_ki, DIR_ENCRYPT,
7809d0
 	    DB_AES_KEYLEN, (char *)temp)) != TRUE) {
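Review bot: The key copy is sized with `DB_AES_CHUNK`, which by its name is the cipher's block unit, whereas the legacy branch directly below passes `DB_AES_KEYLEN` as the key length. The two happen to agree for AES-128, but the copy and the `key` member added in crypto.h would silently stay at one block if the key length ever changed. Tie the copy to the destination instead, `memcpy(aes->key, temp, sizeof(aes->key));`, and size the member from the key-length constant (e.g. `DB_AES_KEYLEN / 8` if that constant is a bit count, which should be confirmed). A short comment noting that `temp` holds the derived key bytes would also help. `__aes_derivekeys` begins and ends outside the hunk.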
7809d0
@@ -320,6 +383,10 @@ __aes_err(env, err)
7809d0
 	case ippStsUnderRunErr:
7809d0
 		errstr = DB_STR("0185", "IPP AES srclen size error");
7809d0
 		break;
7809d0
+#elif defined(HAVE_CRYPTO_OPENSSL)
7809d0
+	case OPENSSL_AES_ERROR:
7809d0
+		errstr = DB_STR("0193", "AES unknown error");
7809d0
+		break;
7809d0
 #else
7809d0
 	case BAD_KEY_DIR:
7809d0
 		errstr = DB_STR("0186", "AES key direction is invalid");
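Review bot: All OpenSSL failures collapse into the single message "AES unknown error", and the added code never reads or clears OpenSSL's per-thread error queue. The real cause is therefore lost, and stale entries stay queued for whatever OpenSSL call the process makes next. Either include the queued reason in the message at the failure sites, e.g. via `ERR_error_string_n(ERR_get_error(), buf, sizeof(buf))`, or at least call `ERR_clear_error();` before returning `EAGAIN`; both need `<openssl/err.h>`. It is also worth confirming that message id `0193` is not already taken in the message catalog, which is not visible here.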
7809d0
diff -up db-5.3.28/src/dbinc/crypto.h.openssl db-5.3.28/src/dbinc/crypto.h
7809d0
--- db-5.3.28/src/dbinc/crypto.h.openssl	2013-09-09 17:35:08.000000000 +0200
7809d0
+++ db-5.3.28/src/dbinc/crypto.h	2018-10-22 11:02:08.038182432 +0200
7809d0
@@ -59,7 +60,9 @@ struct __db_cipher {
7809d0
 
7809d0
 #ifdef HAVE_CRYPTO
7809d0
 
7809d0
+#ifndef HAVE_CRYPTO_OPENSSL
7809d0
 #include "crypto/rijndael/rijndael-api-fst.h"
7809d0
+#endif
7809d0
 
7809d0
 /*
7809d0
  * Shared ciphering structure
7809d0
@@ -77,6 +80,8 @@ typedef struct __cipher {
7809d0
 typedef struct __aes_cipher {
7809d0
 #ifdef	HAVE_CRYPTO_IPP
7809d0
 	void		*ipp_ctx;	/* IPP key instance */
7809d0
+#elif defined(HAVE_CRYPTO_OPENSSL)
7809d0
+    unsigned char key[DB_AES_CHUNK];
7809d0
 #else
7809d0
 	keyInstance	decrypt_ki;	/* Decryption key instance */
7809d0
 	keyInstance	encrypt_ki;	/* Encryption key instance */