The CVE-2018-0737 fix consists of commits:
9db724cfede4ba7a3668bff533973ee70145ec07
011f82e66f4bf131c733fd41a8390039859aafb2
7150a4720af7913cae16f2e4eaf768b578c0b298
(the three above are included in 1.1.0h)
6939eab03a6e23d2bd2c3f5e34fe1d48e542e787
and additional changes to our fips_rsa_keygen()

From 6939eab03a6e23d2bd2c3f5e34fe1d48e542e787 Mon Sep 17 00:00:00 2001
From: Billy Brumley <bbrumley@gmail.com>
Date: Wed, 11 Apr 2018 10:10:58 +0300
Subject: [PATCH] RSA key generation: ensure BN_mod_inverse and BN_mod_exp_mont
 both get called with BN_FLG_CONSTTIME flag set.

CVE-2018-0737

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
---
 crypto/rsa/rsa_gen.c | 2 ++
 1 file changed, 2 insertions(+)

Index: openssl-1.1.0h/crypto/rsa/rsa_gen.c
===================================================================
--- openssl-1.1.0h.orig/crypto/rsa/rsa_gen.c	2018-05-10 11:50:53.298706226 +0200
+++ openssl-1.1.0h/crypto/rsa/rsa_gen.c	2018-05-10 12:55:39.394968170 +0200
@@ -123,6 +123,7 @@ static int fips_rsa_builtin_keygen(RSA *
     int n = 0;
     int test = 0;
     int pbits = bits / 2;
+    unsigned long error = 0;
 
     if (FIPS_selftest_failed()) {
         FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED);
@@ -191,6 +192,10 @@ retry:
     if (!BN_lshift(r3, r3, pbits - 100))
         goto err;
 
+    BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
+    BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
+    BN_set_flags(r2, BN_FLG_CONSTTIME);
+
     /* generate p and q */
     for (i = 0; i < 5 * pbits; i++) {
  ploop:
@@ -205,9 +210,9 @@ retry:
 
         if (!BN_sub(r2, rsa->p, BN_value_one()))
             goto err;
-        if (!BN_gcd(r1, r2, rsa->e, ctx))
-            goto err;
-        if (BN_is_one(r1)) {
+        ERR_set_mark();
+        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+            /* GCD == 1 since inverse exists */
             int r;
             r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 4 : 5, ctx, 0,
                                         cb);
@@ -217,6 +222,15 @@ retry:
                 break;
         }
 
+        error = ERR_peek_last_error();
+        if (ERR_GET_LIB(error) == ERR_LIB_BN
+            && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+            /* GCD != 1 */
+            ERR_pop_to_mark();
+        } else {
+            goto err;
+        }
+
         if (!BN_GENCB_call(cb, 2, n++))
             goto err;
     }
@@ -248,9 +262,9 @@ retry:
 
         if (!BN_sub(r2, rsa->q, BN_value_one()))
             goto err;
-        if (!BN_gcd(r1, r2, rsa->e, ctx))
-            goto err;
-        if (BN_is_one(r1)) {
+        ERR_set_mark();
+        if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) {
+            /* GCD == 1 since inverse exists */
             int r;
             r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 4 : 5, ctx, 0,
                                         cb);
@@ -260,6 +274,15 @@ retry:
                 break;
         }
 
+        error = ERR_peek_last_error();
+        if (ERR_GET_LIB(error) == ERR_LIB_BN
+            && ERR_GET_REASON(error) == BN_R_NO_INVERSE) {
+            /* GCD != 1 */
+            ERR_pop_to_mark();
+        } else {
+            goto err;
+        }
+
         if (!BN_GENCB_call(cb, 2, n++))
             goto err;
     }
@@ -457,6 +480,8 @@ static int rsa_builtin_keygen(RSA *rsa,
     if (BN_copy(rsa->e, e_value) == NULL)
         goto err;
 
+    BN_set_flags(rsa->p, BN_FLG_CONSTTIME);
+    BN_set_flags(rsa->q, BN_FLG_CONSTTIME);
     BN_set_flags(r2, BN_FLG_CONSTTIME);
     /* generate p and q */
     for (;;) {