Make null cipher work in FIPS mode.

3 files changed, 12 insertions, 2 deletions

diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c
index 177fe43ac6..84a3f864da 100644
--- a/crypto/evp/evp_enc.c
+++ b/crypto/evp/evp_enc.c
@@ -174,7 +174,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, ENGINE *imp
 			{
 			const EVP_CIPHER *fcipher;
 			if (cipher)
-				fcipher = FIPS_get_cipherbynid(EVP_CIPHER_type(cipher));
+				fcipher = evp_get_fips_cipher(cipher);
 			if (fcipher)
 				cipher = fcipher;
 			return FIPS_cipherinit(ctx, cipher, key, iv, enc);
diff --git a/crypto/evp/evp_lib.c b/crypto/evp/evp_lib.c
index d548ad1d31..cf8a0c9a4b 100644
--- a/crypto/evp/evp_lib.c
+++ b/crypto/evp/evp_lib.c
@@ -218,7 +218,7 @@ unsigned long EVP_CIPHER_flags(const EVP_CIPHER *cipher)
 	{
 #ifdef OPENSSL_FIPS
 	const EVP_CIPHER *fcipher;
-	fcipher = FIPS_get_cipherbynid(EVP_CIPHER_type(cipher));
+	fcipher = evp_get_fips_cipher(cipher);
 	if (fcipher && fcipher->flags & EVP_CIPH_FLAG_FIPS)
 		return cipher->flags | EVP_CIPH_FLAG_FIPS;
 #endif
@@ -313,6 +313,15 @@ const EVP_MD *evp_get_fips_md(const EVP_MD *md)
 	else
 		return FIPS_get_digestbynid(nid);
 	}
+
+const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher)
+	{
+	if (cipher->nid == NID_undef)
+		return FIPS_evp_enc_null();
+	else
+		return FIPS_get_cipherbynid(EVP_CIPHER_type(cipher));
+	}
+
 #endif
 
 unsigned long EVP_MD_flags(const EVP_MD *md)
diff --git a/crypto/evp/evp_locl.h b/crypto/evp/evp_locl.h
index f4a943a716..ca0d4558c9 100644
--- a/crypto/evp/evp_locl.h
+++ b/crypto/evp/evp_locl.h
@@ -349,6 +349,7 @@ int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, int passlen,
 			     const EVP_CIPHER *c, const EVP_MD *md, int en_de);
 
 const EVP_MD *evp_get_fips_md(const EVP_MD *md);
+const EVP_CIPHER *evp_get_fips_cipher(const EVP_CIPHER *cipher);
 
 #ifdef OPENSSL_FIPS