Do not call pairwise tests in non-fips mode.
Some possible generated keys might be too small to pass.
diff -up openssl-fips-0.9.8e/fips/dsa/fips_dsa_key.c.no-pairwise openssl-fips-0.9.8e/fips/dsa/fips_dsa_key.c
--- openssl-fips-0.9.8e/fips/dsa/fips_dsa_key.c.no-pairwise	2007-09-12 19:46:04.000000000 +0200
+++ openssl-fips-0.9.8e/fips/dsa/fips_dsa_key.c	2009-04-15 11:21:07.000000000 +0200
@@ -154,7 +154,7 @@ static int dsa_builtin_keygen(DSA *dsa)
 	dsa->pub_key=pub_key;
 	if (fips_dsa_pairwise_fail)
 		BN_add_word(dsa->pub_key, 1);
-	if(!fips_check_dsa(dsa))
+	if(FIPS_mode() && !fips_check_dsa(dsa))
 	    goto err;
 	ok=1;
 
diff -up openssl-fips-0.9.8e/fips/rsa/fips_rsa_gen.c.no-pairwise openssl-fips-0.9.8e/fips/rsa/fips_rsa_gen.c
--- openssl-fips-0.9.8e/fips/rsa/fips_rsa_gen.c.no-pairwise	2007-09-12 19:46:07.000000000 +0200
+++ openssl-fips-0.9.8e/fips/rsa/fips_rsa_gen.c	2009-04-15 11:21:31.000000000 +0200
@@ -288,7 +288,7 @@ static int rsa_builtin_keygen(RSA *rsa, 
 	if (fips_rsa_pairwise_fail)
 		BN_add_word(rsa->n, 1);
 
-	if(!fips_check_rsa(rsa))
+	if(FIPS_mode() && !fips_check_rsa(rsa))
 	    goto err;
 
 	ok=1;