Use the method's rsa_keygen first in FIPS mode if it is a FIPS method.
authorDr. Stephen Henson <steve@openssl.org>
Thu, 9 Jun 2011 13:18:07 +0000 (13:18 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 9 Jun 2011 13:18:07 +0000 (13:18 +0000)
crypto/rsa/rsa_gen.c

index c37d54430c0b78377eb29547742c5edf1d616eaf..42290cce66cbf769acaae587d363fa1f985a3200 100644 (file)
@@ -81,19 +81,19 @@ static int rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
 int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb)
        {
 #ifdef OPENSSL_FIPS
-       if (FIPS_mode())
+       if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
+                       && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
                {
-               if (rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-                       return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
-               if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW))
-                       {
-                       RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
-                       return 0;
-                       }
+               RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD);
+               return 0;
                }
 #endif
        if(rsa->meth->rsa_keygen)
                return rsa->meth->rsa_keygen(rsa, bits, e_value, cb);
+#ifdef OPENSSL_FIPS
+       if (FIPS_mode())
+               return FIPS_rsa_generate_key_ex(rsa, bits, e_value, cb);
+#endif
        return rsa_builtin_keygen(rsa, bits, e_value, cb);
        }
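Review bot: In FIPS mode the method's own `rsa_keygen` now runs ahead of `FIPS_rsa_generate_key_ex`, so whatever checks the FIPS generator performs are skipped on the strength of `RSA_FLAG_FIPS_METHOD`, a flag the method sets for itself, and that trust assumption is not documented at the `if(rsa->meth->rsa_keygen)` call. A comment there would make it explicit, e.g. `/* In FIPS mode a method reaching here is flagged RSA_FLAG_FIPS_METHOD or the key has RSA_FLAG_NON_FIPS_ALLOW; its rsa_keygen is responsible for any FIPS checks. */`. The reordering also appears to change the `RSA_FLAG_NON_FIPS_ALLOW` case: a non-FIPS method without `rsa_keygen` used to fall through to `rsa_builtin_keygen` and now reaches `FIPS_rsa_generate_key_ex` instead, which is worth confirming as intended since the commit title does not mention it.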