From 4bea454021de916722415968c590ed02711fc986 Mon Sep 17 00:00:00 2001
From: "Dr. Stephen Henson" <steve@openssl.org>
Date: Tue, 14 Jun 2011 15:25:41 +0000
Subject: [PATCH] set FIPS allow before initialising ctx

---
 ssl/s3_srvr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 2b8cc5fe80..b95648fb31 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -1877,10 +1877,10 @@ int ssl3_send_server_key_exchange(SSL *s)
 				j=0;
 				for (num=2; num > 0; num--)
 					{
-					EVP_DigestInit_ex(&md_ctx,(num == 2)
-						?s->ctx->md5:s->ctx->sha1, NULL);
 					EVP_MD_CTX_set_flags(&md_ctx,
 						EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+					EVP_DigestInit_ex(&md_ctx,(num == 2)
+						?s->ctx->md5:s->ctx->sha1, NULL);
 					EVP_DigestUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE);
 					EVP_DigestUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE);
 					EVP_DigestUpdate(&md_ctx,&(d[4]),n);
-- 
2.40.0