From 70051b1d88497829470b8d63cbc326fff8d5c1c7 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 14 Jun 2011 15:25:21 +0000
Subject: [PATCH] set FIPS allow before initialising ctx

---
 ssl/s3_srvr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 8600d0602f..197a498924 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1921,10 +1921,10 @@ int ssl3_send_server_key_exchange(SSL *s)
 				j=0;
 				for (num=2; num > 0; num--)
 					{
-					EVP_DigestInit_ex(&md_ctx,(num == 2)
-						?s->ctx->md5:s->ctx->sha1, NULL);
 					EVP_MD_CTX_set_flags(&md_ctx,
 						EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+					EVP_DigestInit_ex(&md_ctx,(num == 2)
+						?s->ctx->md5:s->ctx->sha1, NULL);
 					EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
 					EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
 					EVP_DigestUpdate(&md_ctx,&(d[4]),n);
-- 
2.25.1