Index: openssl-1.0.2g/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.0.2g.orig/crypto/rsa/rsa_gen.c 2016-04-13 15:07:34.371851679 +0200
+++ openssl-1.0.2g/crypto/rsa/rsa_gen.c 2016-04-13 15:18:00.630306031 +0200
@@ -177,6 +177,7 @@ static int FIPS_rsa_builtin_keygen(RSA *
 BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp;
 BIGNUM local_r0, local_d, local_p;
 BIGNUM *pr0, *d, *p;
+ BIGNUM *gcd_p1_q1 = NULL, *lcm_p1_q1 = NULL;
 BN_CTX *ctx = NULL;
 int ok = -1;
 int i;
@@ -204,6 +205,8 @@ static int FIPS_rsa_builtin_keygen(RSA *
 r1 = BN_CTX_get(ctx);
 r2 = BN_CTX_get(ctx);
 r3 = BN_CTX_get(ctx);
+ gcd_p1_q1 = BN_CTX_get(ctx);
+ lcm_p1_q1 = BN_CTX_get(ctx);
 if (r3 == NULL)
 goto err;
@@ -372,12 +375,18 @@ static int FIPS_rsa_builtin_keygen(RSA *
 BN_with_flags(pr0, r0, BN_FLG_CONSTTIME);
 } else
 pr0 = r0;
- if (!BN_mod_inverse(rsa->d, rsa->e, pr0, ctx))
+
+ /* calculate lcm(p-1,q-1) = (p-1)*(q-1) / gcd(p-1,q-1) */
+ if (!BN_gcd(gcd_p1_q1, r1, r2, ctx))
+ goto err; /* gcd(p-1,q-1) */
+ if (!BN_div(lcm_p1_q1, NULL, pr0, gcd_p1_q1, ctx))
+ goto err;
+ if (!BN_mod_inverse(rsa->d, rsa->e, lcm_p1_q1, ctx))
 goto err; /* d */
 if (BN_num_bits(rsa->d) < pbits)
 goto retry; /* d is too small */
-
+ /* set up d for correct BN_FLG_CONSTTIME flag */
 if (!(rsa->flags & RSA_FLAG_NO_CONSTTIME)) {
 d = &local_d;
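Review bot: The allocation check that follows the two new BN_CTX_get() calls in the second hunk still tests only `r3`, so a failure of either new call leaves `gcd_p1_q1` or `lcm_p1_q1` NULL and they reach BN_gcd()/BN_div() in the third hunk unchecked. BN_CTX_get() keeps returning NULL once it has failed, so testing the last result covers all of them: replace `if (r3 == NULL)` with `if (lcm_p1_q1 == NULL)`. The enclosing function FIPS_rsa_builtin_keygen starts and ends outside the hunk.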