From 866b282d1b288c2738318aac4360eba71b72d10f Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 16 Feb 2016 22:17:43 +0000
Subject: [PATCH] Switch to FIPS implementation for CMAC.

Reviewed-by: Tim Hudson <tjh@openssl.org>
---
 crypto/cmac/cmac.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/crypto/cmac/cmac.c b/crypto/cmac/cmac.c
index 774e6dc919..2954b6eb7d 100644
--- a/crypto/cmac/cmac.c
+++ b/crypto/cmac/cmac.c
@@ -160,6 +160,14 @@ int CMAC_Init(CMAC_CTX *ctx, const void *key, size_t keylen,
             EVPerr(EVP_F_CMAC_INIT, EVP_R_DISABLED_FOR_FIPS);
             return 0;
         }
+
+        /* Switch to FIPS cipher implementation if possible */
+        if (cipher != NULL) {
+            const EVP_CIPHER *fcipher;
+            fcipher = FIPS_get_cipherbynid(EVP_CIPHER_nid(cipher));
+            if (fcipher != NULL)
+                cipher = fcipher;
+        }
         /*
          * Other algorithm blocking will be done in FIPS_cmac_init, via
          * FIPS_cipherinit().
-- 
2.40.0