diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c
index 3c43173..e6998ab 100644
--- a/ssl/t1_enc.c
+++ b/ssl/t1_enc.c
@@ -170,16 +170,12 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 	OPENSSL_assert(chunk >= 0);
 
 	EVP_MD_CTX_init(&ctx);
-	EVP_MD_CTX_init(&ctx_tmp);
 	EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-	EVP_MD_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
 	mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
 	if (!mac_key)
 		goto err;
 	if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key))
 		goto err;
-	if (!EVP_DigestSignInit(&ctx_tmp,NULL,md, NULL, mac_key))
-		goto err;
 	if (seed1 && !EVP_DigestSignUpdate(&ctx,seed1,seed1_len))
 		goto err;
 	if (seed2 && !EVP_DigestSignUpdate(&ctx,seed2,seed2_len))
@@ -193,8 +189,15 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 	if (!EVP_DigestSignFinal(&ctx,A1,&A1_len))
 		goto err;
 
+	EVP_MD_CTX_cleanup(&ctx);
+
 	for (;;)
 		{
+		EVP_MD_CTX_init(&ctx);
+		EVP_MD_CTX_init(&ctx_tmp);
+		EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+		EVP_MD_CTX_set_flags(&ctx_tmp, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+
 		/* Reinit mac contexts */
 		if (!EVP_DigestSignInit(&ctx,NULL,md, NULL, mac_key))
 			goto err;
@@ -232,6 +235,10 @@ static int tls1_P_hash(const EVP_MD *md, const unsigned char *sec,
 			memcpy(out,A1,olen);
 			break;
 			}
+
+        EVP_MD_CTX_cleanup(&ctx);
+        EVP_MD_CTX_cleanup(&ctx_tmp);
+
 		}
 	ret = 1;
 err: