diff --git a/openssh-8.7p1-evp-fips-compl-dh.patch b/openssh-8.7p1-evp-fips-compl-dh.patch
index 7494245..e36ef60 100644
--- a/openssh-8.7p1-evp-fips-compl-dh.patch
+++ b/openssh-8.7p1-evp-fips-compl-dh.patch
@@ -1,7 +1,7 @@
-diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/dh.c ./dh.c
---- ../../openssh-8.7p1/dh.c	2023-03-01 14:26:52.504445780 +0100
-+++ ./dh.c	2023-03-01 14:20:09.823193384 +0100
-@@ -37,6 +37,9 @@ 
+diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/dh.c openssh-8.7p1-patched/dh.c
+--- openssh-8.7p1/dh.c	2023-05-16 15:38:53.461326047 +0200
++++ openssh-8.7p1-patched/dh.c	2023-05-16 15:37:14.785260359 +0200
+@@ -37,6 +37,9 @@
  #include <openssl/bn.h>
  #include <openssl/dh.h>
  #include <openssl/fips.h>
@@ -11,7 +11,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x 
  
  #include "dh.h"
  #include "pathnames.h"
-@@ -289,10 +292,15 @@
+@@ -290,10 +293,15 @@
  int
  dh_gen_key(DH *dh, int need)
  {
@@ -30,7 +30,7 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x 
  
  	if (need < 0 || dh_p == NULL ||
  	    (pbits = BN_num_bits(dh_p)) <= 0 ||
-@@ -300,19 +308,85 @@
+@@ -301,19 +309,85 @@
  		return SSH_ERR_INVALID_ARGUMENT;
  	if (need < 256)
  		need = 256;
@@ -125,10 +125,10 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x 
  }
  
  DH *
-diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kex.c ./kex.c
---- ../../openssh-8.7p1/kex.c	2023-03-01 14:26:52.508445832 +0100
-+++ ./kex.c	2023-02-28 14:09:27.164743771 +0100
-@@ -1602,3 +1602,47 @@
+diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kex.c openssh-8.7p1-patched/kex.c
+--- openssh-8.7p1/kex.c	2023-05-16 15:38:53.465326090 +0200
++++ openssh-8.7p1-patched/kex.c	2023-05-16 15:37:14.785260359 +0200
+@@ -1603,3 +1603,47 @@
  	return r;
  }
  
@@ -176,20 +176,21 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x 
 +	return r;
 +}
 +#endif /* WITH_OPENSSL */
-diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kexdh.c ./kexdh.c
---- ../../openssh-8.7p1/kexdh.c	2023-03-01 14:26:52.448445050 +0100
-+++ ./kexdh.c	2023-02-28 14:05:00.700902124 +0100
-@@ -35,6 +35,9 @@
+diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kexdh.c openssh-8.7p1-patched/kexdh.c
+--- openssh-8.7p1/kexdh.c	2023-05-16 15:38:53.403325420 +0200
++++ openssh-8.7p1-patched/kexdh.c	2023-05-16 15:37:34.097468928 +0200
+@@ -35,6 +35,10 @@
  
  #include "openbsd-compat/openssl-compat.h"
  #include <openssl/dh.h>
++#include <openssl/err.h>
 +#include <openssl/evp.h>
 +#include <openssl/core_names.h>
 +#include <openssl/param_build.h>
  
  #include "sshkey.h"
  #include "kex.h"
-@@ -83,6 +86,9 @@
+@@ -83,9 +87,12 @@
  kex_dh_compute_key(struct kex *kex, BIGNUM *dh_pub, struct sshbuf *out)
  {
  	BIGNUM *shared_secret = NULL;
@@ -198,31 +199,61 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x 
 +	EVP_PKEY_CTX *ctx = NULL;
  	u_char *kbuf = NULL;
  	size_t klen = 0;
- 	int kout, r;
-@@ -106,18 +112,39 @@
- 		r = SSH_ERR_ALLOC_FAIL;
+-	int kout, r;
++	int kout, r = 0;
+ 
+ #ifdef DEBUG_KEXDH
+ 	fprintf(stderr, "dh_pub= ");
+@@ -100,24 +107,64 @@
+ 		r = SSH_ERR_MESSAGE_INCOMPLETE;
  		goto out;
  	}
--	if ((kout = DH_compute_key(kbuf, dh_pub, kex->dh)) < 0 ||
--	    BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
+-	klen = DH_size(kex->dh);
 +
 +	DH_get0_key(kex->dh, &pub, &priv);
 +	DH_get0_pqg(kex->dh, &p, &q, &g);
 +	/* import key */
-+	kex_create_evp_dh(&pkey, p, q, g, pub, priv);
++	r = kex_create_evp_dh(&pkey, p, q, g, pub, priv);
++	if (r != 0) {
++		error_f("Could not create EVP_PKEY for dh");
++		ERR_print_errors_fp(stderr);
++		goto out;
++	}
 +	/* import peer key 
 +	 * the parameters should be the same as with pkey
 +	 */
-+	kex_create_evp_dh(&dh_pkey, p, q, g, dh_pub, NULL);
++	debug_f("import peer key to evp");
++	r = kex_create_evp_dh(&dh_pkey, p, q, g, dh_pub, NULL);
++	if (r != 0) {
++		error_f("Could not import peer key for dh");
++		ERR_print_errors_fp(stderr);
++		goto out;
++	}
 +
++	debug_f("creating EVP_PKEY_CTX");
 +	if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, pkey, NULL)) == NULL) {
 +		error_f("Could not init EVP_PKEY_CTX for dh");
 +		r = SSH_ERR_ALLOC_FAIL;
 +		goto out;
 +	}
++	debug_f("Deriving - init context");
 +	if (EVP_PKEY_derive_init(ctx) != 1 ||
 +	    EVP_PKEY_derive_set_peer(ctx, dh_pkey) != 1 ||
-+	    EVP_PKEY_derive(ctx, kbuf, &klen) != 1 ||
++	    EVP_PKEY_derive(ctx, NULL, &klen) != 1) {
++		error_f("Could not get key size");
++		r = SSH_ERR_LIBCRYPTO_ERROR;
++		goto out;
++	}
++	debug_f("Deriving - buffer size is %d", (int)klen);
+ 	if ((kbuf = malloc(klen)) == NULL ||
+ 	    (shared_secret = BN_new()) == NULL) {
+ 		r = SSH_ERR_ALLOC_FAIL;
+ 		goto out;
+ 	}
+-	if ((kout = DH_compute_key(kbuf, dh_pub, kex->dh)) < 0 ||
+-	    BN_bin2bn(kbuf, kout, shared_secret) == NULL) {
++	debug_f("Deriving - using real buffer");
++	if (EVP_PKEY_derive(ctx, kbuf, &klen) != 1 ||
 +	    BN_bin2bn(kbuf, klen, shared_secret) == NULL) {
 +		error_f("Could not derive key");
  		r = SSH_ERR_LIBCRYPTO_ERROR;
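Review bot: The two new failure branches after `kex_create_evp_dh()` in `kex_dh_compute_key` dump the OpenSSL error queue with `ERR_print_errors_fp(stderr)`, which bypasses OpenSSH's own logging. In a daemon whose stderr is usually not attached to the log sink the libcrypto reason would be lost to syslog, and in the client it would be written raw to the user's terminal. Folding the reason into the existing message keeps it on the normal log path, e.g. `error_f("Could not create EVP_PKEY for dh: %s", ERR_error_string(ERR_get_error(), NULL));`, and likewise for the peer-key import. Separately, `kout` is still declared but no longer assigned on the visible lines, so any remaining use outside this hunk (the function body continues past it) would read an indeterminate value. `klen` is also a `size_t` that is passed to the `int` length parameter of `BN_bin2bn()` and printed with `%d`; an explicit `klen > INT_MAX` check and `%zu` would make the narrowing deliberate.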
@@ -242,9 +273,9 @@ diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x 
  	return r;
  }
  
-diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac ../../openssh-8.7p1/kex.h ./kex.h
---- ../../openssh-8.7p1/kex.h	2023-03-01 14:26:52.508445832 +0100
-+++ ./kex.h	2023-02-28 13:16:49.811047554 +0100
+diff --color -ru -x regress -x autom4te.cache -x '*.o' -x '*.lo' -x Makefile -x config.status -x configure~ -x configure.ac openssh-8.7p1/kex.h openssh-8.7p1-patched/kex.h
+--- openssh-8.7p1/kex.h	2023-05-16 15:38:53.465326090 +0200
++++ openssh-8.7p1-patched/kex.h	2023-05-16 15:37:14.786260370 +0200
 @@ -33,6 +33,9 @@
  # include <openssl/bn.h>
  # include <openssl/dh.h>
diff --git a/openssh.spec b/openssh.spec
index 48d1d18..eae9abb 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -51,7 +51,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %global openssh_ver 8.7p1
-%global openssh_rel 30
+%global openssh_rel 31
 %global pam_ssh_agent_ver 0.10.4
 %global pam_ssh_agent_rel 5
 
@@ -770,6 +770,13 @@ test -f %{sysconfig_anaconda} && \
 %endif
 
 %changelog
+* Tue May 16 2023 Norbert Pocs <npocs@redhat.com> - 8.7p1-31
+- Fix minor issues with openssh-8.7p1-evp-fips-compl-dh.patch:
+- Check return values
+- Use EVP API to get the size of DH
+- Add some log debug lines
+- Related: rhbz#2091694
+
 * Thu Apr 20 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 8.7p1-30
 - Some non-terminating processes were listening on ports.
   Resolves: rhbz#2177768