set FIPS permitted flag before initalising digest

ssl/s3_enc.c

@@ -614,7 +614,6 @@ int ssl3_digest_cached_records(SSL *s)
 		if ((mask & ssl_get_algorithm2(s)) && md) 
 			{
 			s->s3->handshake_dgst[i]=EVP_MD_CTX_create();
-			EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
 #ifdef OPENSSL_FIPS
 			if (EVP_MD_nid(md) == NID_md5)
 				{
@@ -622,6 +621,7 @@ int ssl3_digest_cached_records(SSL *s)
 						EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 				}
 #endif
+			EVP_DigestInit_ex(s->s3->handshake_dgst[i],md,NULL);
 			EVP_DigestUpdate(s->s3->handshake_dgst[i],hdata,hdatalen);
 			} 
 		else