Exetended OAEP support.

Extend OAEP support. Generalise the OAEP padding functions to support arbitrary digests. Extend EVP_PKEY RSA method to handle the new OAEP padding functions and add ctrls to set the additional parameters.

Exetended OAEP support.
Extend OAEP support. Generalise the OAEP padding functions to support arbitrary digests. Extend EVP_PKEY RSA method to handle the new OAEP padding functions and add ctrls to set the additional parameters.
271fef0e · Dr. Stephen Henson · 965e06da · 271fef0e · 271fef0e · 271fef0e
5 changed file
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 Changes between 1.0.x and 1.1.0  [xx XXX xxxx]
+  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,
+     MGF1 digest and OAEP label.
+     [Steve Henson]
  *) Add callbacks for arbitrary TLS extensions.
     [Trevor Perrin <trevp@trevp.net> and Ben Laurie]

--- a/crypto/rsa/rsa.h
+++ b/crypto/rsa/rsa.h
@@ -249,13 +249,23 @@ struct rsa_st
 				EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)
 #define	 EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md)	\
-		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG,  \
+		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
+			EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \
 				EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md)
+#define	 EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md)	\
+		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,  \
+				EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md)
 #define	 EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd)	\
-		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG,  \
+		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \
+			EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \
 				EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd)
+#define	 EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, l, llen)	\
+		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,  \
+				EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)l)
 #define EVP_PKEY_CTRL_RSA_PADDING	(EVP_PKEY_ALG_CTRL + 1)
 #define EVP_PKEY_CTRL_RSA_PSS_SALTLEN	(EVP_PKEY_ALG_CTRL + 2)
@@ -267,6 +277,9 @@ struct rsa_st
 #define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN	(EVP_PKEY_ALG_CTRL + 7)
 #define EVP_PKEY_CTRL_GET_RSA_MGF1_MD		(EVP_PKEY_ALG_CTRL + 8)
+#define EVP_PKEY_CTRL_RSA_OAEP_MD	(EVP_PKEY_ALG_CTRL + 9)
+#define EVP_PKEY_CTRL_RSA_OAEP_LABEL	(EVP_PKEY_ALG_CTRL + 10)
 #define RSA_PKCS1_PADDING	1
 #define RSA_SSLV23_PADDING	2
 #define RSA_NO_PADDING		3
@@ -401,6 +414,14 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to,int tlen,
 int RSA_padding_check_PKCS1_OAEP(unsigned char *to,int tlen,
 	const unsigned char *f,int fl,int rsa_len,
 	const unsigned char *p,int pl);
+int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+	const unsigned char *from, int flen,
+	const unsigned char *param, int plen,
+	const EVP_MD *md, const EVP_MD *mgf1md);
+int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+	const unsigned char *from, int flen, int num,
+	const unsigned char *param, int plen,
+	const EVP_MD *md, const EVP_MD *mgf1md);
 int RSA_padding_add_SSLv23(unsigned char *to,int tlen,
 	const unsigned char *f,int fl);
 int RSA_padding_check_SSLv23(unsigned char *to,int tlen,
@@ -495,6 +516,7 @@ void ERR_load_RSA_strings(void);
 #define RSA_F_RSA_NULL_PUBLIC_ENCRYPT			 135
 #define RSA_F_RSA_PADDING_ADD_NONE			 107
 #define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP		 121
+#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1		 154
 #define RSA_F_RSA_PADDING_ADD_PKCS1_PSS			 125
 #define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1		 152
 #define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1		 108
@@ -503,6 +525,7 @@ void ERR_load_RSA_strings(void);
 #define RSA_F_RSA_PADDING_ADD_X931			 127
 #define RSA_F_RSA_PADDING_CHECK_NONE			 111
 #define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP		 122
+#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1		 153
 #define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1		 112
 #define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2		 113
 #define RSA_F_RSA_PADDING_CHECK_SSLV23			 114
@@ -539,6 +562,7 @@ void ERR_load_RSA_strings(void);
 #define RSA_R_D_E_NOT_CONGRUENT_TO_1			 123
 #define RSA_R_FIRST_OCTET_INVALID			 133
 #define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE	 144
+#define RSA_R_INVALID_DIGEST				 157
 #define RSA_R_INVALID_DIGEST_LENGTH			 143
 #define RSA_R_INVALID_HEADER				 137
 #define RSA_R_INVALID_KEYBITS				 145

--- a/crypto/rsa/rsa_err.c
+++ b/crypto/rsa/rsa_err.c
 /* crypto/rsa/rsa_err.c */
 /* ====================================================================
- * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1999-2013 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -73,7 +73,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
 {ERR_FUNC(RSA_F_CHECK_PADDING_MD),	"CHECK_PADDING_MD"},
 {ERR_FUNC(RSA_F_DO_RSA_PRINT),	"DO_RSA_PRINT"},
 {ERR_FUNC(RSA_F_FIPS_RSA_SIGN_DIGEST),	"FIPS_rsa_sign_digest"},
-{ERR_FUNC(RSA_F_FIPS_RSA_VERIFY),	"FIPS_RSA_VERIFY"},
+{ERR_FUNC(RSA_F_FIPS_RSA_VERIFY),	"FIPS_rsa_verify"},
 {ERR_FUNC(RSA_F_FIPS_RSA_VERIFY_DIGEST),	"FIPS_rsa_verify_digest"},
 {ERR_FUNC(RSA_F_INT_RSA_VERIFY),	"INT_RSA_VERIFY"},
 {ERR_FUNC(RSA_F_MEMORY_LOCK),	"MEMORY_LOCK"},
@@ -100,6 +100,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
 {ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT),	"RSA_NULL_PUBLIC_ENCRYPT"},
 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE),	"RSA_padding_add_none"},
 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP),	"RSA_padding_add_PKCS1_OAEP"},
+{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1),	"RSA_padding_add_PKCS1_OAEP_mgf1"},
 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS),	"RSA_padding_add_PKCS1_PSS"},
 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1),	"RSA_padding_add_PKCS1_PSS_mgf1"},
 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1),	"RSA_padding_add_PKCS1_type_1"},
@@ -108,6 +109,7 @@ static ERR_STRING_DATA RSA_str_functs[]=
 {ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931),	"RSA_padding_add_X931"},
 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE),	"RSA_padding_check_none"},
 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP),	"RSA_padding_check_PKCS1_OAEP"},
+{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1),	"RSA_padding_check_PKCS1_OAEP_mgf1"},
 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1),	"RSA_padding_check_PKCS1_type_1"},
 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2),	"RSA_padding_check_PKCS1_type_2"},
 {ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23),	"RSA_padding_check_SSLv23"},
@@ -147,6 +149,7 @@ static ERR_STRING_DATA RSA_str_reasons[]=
 {ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1),"d e not congruent to 1"},
 {ERR_REASON(RSA_R_FIRST_OCTET_INVALID)   ,"first octet invalid"},
 {ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE),"illegal or unsupported padding mode"},
+{ERR_REASON(RSA_R_INVALID_DIGEST)        ,"invalid digest"},
 {ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) ,"invalid digest length"},
 {ERR_REASON(RSA_R_INVALID_HEADER)        ,"invalid header"},
 {ERR_REASON(RSA_R_INVALID_KEYBITS)       ,"invalid keybits"},

--- a/crypto/rsa/rsa_oaep.c
+++ b/crypto/rsa/rsa_oaep.c
@@ -30,41 +30,55 @@
 #include <openssl/rand.h>
 #include <openssl/sha.h>
-static int MGF1(unsigned char *mask, long len,
-	const unsigned char *seed, long seedlen);
 int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
 	const unsigned char *from, int flen,
 	const unsigned char *param, int plen)
 	{
+	return RSA_padding_add_PKCS1_OAEP_mgf1(to, tlen, from, flen,
+						param, plen, NULL, NULL);
+	}
+int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+	const unsigned char *from, int flen,
+	const unsigned char *param, int plen,
+	const EVP_MD *md, const EVP_MD *mgf1md)
+	{
 	int i, emlen = tlen - 1;
 	unsigned char *db, *seed;
-	unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];
+	unsigned char *dbmask, seedmask[EVP_MAX_MD_SIZE];
+	int mdlen;
+	if (md == NULL)
+		md = EVP_sha1();
+	if (mgf1md == NULL)
+		mgf1md = md;
-	if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)
+	mdlen = EVP_MD_size(md);
+	if (flen > emlen - 2 * mdlen - 1)
 		{
-		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,
 		   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
 		return 0;
 		}
-	if (emlen < 2 * SHA_DIGEST_LENGTH + 1)
+	if (emlen < 2 * mdlen + 1)
 		{
-		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, RSA_R_KEY_SIZE_TOO_SMALL);
 		return 0;
 		}
 	to[0] = 0;
 	seed = to + 1;
-	db = to + SHA_DIGEST_LENGTH + 1;
+	db = to + mdlen + 1;
-	if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL))
+	if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL))
 		return 0;
-	memset(db + SHA_DIGEST_LENGTH, 0,
+	memset(db + mdlen, 0,
-		emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);
+		emlen - flen - 2 * mdlen - 1);
-	db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;
+	db[emlen - flen - mdlen - 1] = 0x01;
-	memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);
+	memcpy(db + emlen - flen - mdlen, from, (unsigned int) flen);
-	if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)
+	if (RAND_bytes(seed, mdlen) <= 0)
 		return 0;
 #ifdef PKCS_TESTVECT
 	memcpy(seed,
@@ -72,21 +86,21 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,
 	   20);
 #endif
-	dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);
+	dbmask = OPENSSL_malloc(emlen - mdlen);
 	if (dbmask == NULL)
 		{
-		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
 		return 0;
 		}
-	if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH) < 0)
+	if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0)
 		return 0;
-	for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)
+	for (i = 0; i < emlen - mdlen; i++)
 		db[i] ^= dbmask[i];
-	if (MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH) < 0)
+	if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0)
 		return 0;
-	for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+	for (i = 0; i < mdlen; i++)
 		seed[i] ^= seedmask[i];
 	OPENSSL_free(dbmask);
@@ -97,14 +111,32 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
 	const unsigned char *from, int flen, int num,
 	const unsigned char *param, int plen)
 	{
+	return RSA_padding_check_PKCS1_OAEP_mgf1(to, tlen, from , flen, num,
+							param, plen,
+							NULL, NULL);
+	}
+int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,
+	const unsigned char *from, int flen, int num,
+	const unsigned char *param, int plen,
+	const EVP_MD *md, const EVP_MD *mgf1md)
+	{
 	int i, dblen, mlen = -1;
 	const unsigned char *maskeddb;
 	int lzero;
-	unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];
+	unsigned char *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];
 	unsigned char *padded_from;
 	int bad = 0;
+	int mdlen;
-	if (--num < 2 * SHA_DIGEST_LENGTH + 1)
+	if (md == NULL)
+		md = EVP_sha1();
+	if (mgf1md == NULL)
+		mgf1md = md;
+	mdlen = EVP_MD_size(md);
+	if (--num < 2 * mdlen + 1)
 		/* 'num' is the length of the modulus, i.e. does not depend on the
 		 * particular ciphertext. */
 		goto decoding_err;
@@ -122,11 +154,11 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
 		flen = num; /* don't overflow the memcpy to padded_from */
 		}
-	dblen = num - SHA_DIGEST_LENGTH;
+	dblen = num - mdlen;
 	db = OPENSSL_malloc(dblen + num);
 	if (db == NULL)
 		{
-		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);
+		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);
 		return -1;
 		}
@@ -136,26 +168,26 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
 	memset(padded_from, 0, lzero);
 	memcpy(padded_from + lzero, from, flen);
-	maskeddb = padded_from + SHA_DIGEST_LENGTH;
+	maskeddb = padded_from + mdlen;
-	if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen))
+	if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))
 		return -1;
-	for (i = 0; i < SHA_DIGEST_LENGTH; i++)
+	for (i = 0; i < mdlen; i++)
 		seed[i] ^= padded_from[i];
-	if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH))
+	if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md))
 		return -1;
 	for (i = 0; i < dblen; i++)
 		db[i] ^= maskeddb[i];
-	if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))
+	if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL))
 		return -1;
-	if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)
+	if (CRYPTO_memcmp(db, phash, mdlen) != 0 || bad)
 		goto decoding_err;
 	else
 		{
-		for (i = SHA_DIGEST_LENGTH; i < dblen; i++)
+		for (i = mdlen; i < dblen; i++)
 			if (db[i] != 0x00)
 				break;
 		if (i == dblen || db[i] != 0x01)
@@ -167,7 +199,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
 			mlen = dblen - ++i;
 			if (tlen < mlen)
 				{
-				RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);
+				RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE);
 				mlen = -1;
 				}
 			else
@@ -180,7 +212,7 @@ int RSA_padding_check_PKCS1_OAEP(unsigned char *to, int tlen,
 decoding_err:
 	/* to avoid chosen ciphertext attacks, the error message should not reveal
 	 * which kind of decoding error happened */
-	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);
+	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_OAEP_DECODING_ERROR);
 	if (db != NULL) OPENSSL_free(db);
 	return -1;
 	}
@@ -229,9 +261,4 @@ int PKCS1_MGF1(unsigned char *mask, long len,
 	return rv;
 	}
-static int MGF1(unsigned char *mask, long len, const unsigned char *seed,
-		 long seedlen)
-	{
-	return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());
-	}
 #endif
--- a/crypto/rsa/rsa_pmeth.c
+++ b/crypto/rsa/rsa_pmeth.c
@@ -63,6 +63,7 @@
 #include <openssl/rsa.h>
 #include <openssl/bn.h>
 #include <openssl/evp.h>
+#include <openssl/x509v3.h>
 #ifndef OPENSSL_NO_CMS
 #include <openssl/cms.h>
 #endif
@@ -84,10 +85,13 @@ typedef struct
 	const EVP_MD *md;
 	/* message digest for MGF1 */
 	const EVP_MD *mgf1md;
-	/* PSS/OAEP salt length */
+	/* PSS salt length */
 	int saltlen;
 	/* Temp buffer */
 	unsigned char *tbuf;
+	/* OAEP label */
+	unsigned char *oaep_label;
+	size_t oaep_labellen;
 	} RSA_PKEY_CTX;
 static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
@@ -105,6 +109,9 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
 	rctx->saltlen = -2;
+	rctx->oaep_label = NULL;
+	rctx->oaep_labellen = 0;
 	ctx->data = rctx;
 	ctx->keygen_info = rctx->gentmp;
 	ctx->keygen_info_count = 2;
@@ -128,6 +135,17 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src)
 		}
 	dctx->pad_mode = sctx->pad_mode;
 	dctx->md = sctx->md;
+	dctx->mgf1md = sctx->mgf1md;
+	if (sctx->oaep_label)
+		{
+		if (dctx->oaep_label)
+			OPENSSL_free(dctx->oaep_label);
+		dctx->oaep_label = BUF_memdup(sctx->oaep_label,
+						sctx->oaep_labellen);
+		if (!dctx->oaep_label)
+			return 0;
+		dctx->oaep_labellen = sctx->oaep_labellen;
+		}
 	return 1;
 	}
@@ -150,6 +168,8 @@ static void pkey_rsa_cleanup(EVP_PKEY_CTX *ctx)
 			BN_free(rctx->pub_exp);
 		if (rctx->tbuf)
 			OPENSSL_free(rctx->tbuf);
+		if (rctx->oaep_label)
+			OPENSSL_free(rctx->oaep_label);
 		OPENSSL_free(rctx);
 		}
 	}
@@ -336,7 +356,6 @@ static int pkey_rsa_verify(EVP_PKEY_CTX *ctx,
 	return 1;
 	}
 static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
 					unsigned char *out, size_t *outlen,
@@ -344,7 +363,23 @@ static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,
 	{
 	int ret;
 	RSA_PKEY_CTX *rctx = ctx->data;
-	ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
+	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING)
+		{
+		int klen = RSA_size(ctx->pkey->pkey.rsa);
+		if (!setup_tbuf(rctx, ctx))
+			return -1;
+		if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,
+							in, inlen,
+							rctx->oaep_label,
+							rctx->oaep_labellen,
+							rctx->md, rctx->mgf1md))
+			return -1;
+		ret = RSA_public_encrypt(klen, rctx->tbuf, out,
+						ctx->pkey->pkey.rsa,
+						RSA_NO_PADDING);
+		}
+	else
+		ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,
 							rctx->pad_mode);
 	if (ret < 0)
 		return ret;
@@ -358,7 +393,29 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
 	{
 	int ret;
 	RSA_PKEY_CTX *rctx = ctx->data;
-	ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
+	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING)
+		{
+		int i;
+		if (!setup_tbuf(rctx, ctx))
+			return -1;
+		ret = RSA_private_decrypt(inlen, in, rctx->tbuf,
+							ctx->pkey->pkey.rsa,
+							RSA_NO_PADDING);
+		if (ret <= 0)
+			return ret;
+		for (i = 0; i < ret; i++)
+			{
+			if (rctx->tbuf[i])
+				break;
+			}
+		ret = RSA_padding_check_PKCS1_OAEP_mgf1(out,ret,rctx->tbuf + i,
+							ret - i, ret,
+							rctx->oaep_label,
+							rctx->oaep_labellen,
+							rctx->md, rctx->mgf1md);
+		}
+	else 
+		ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,
 							rctx->pad_mode);
 	if (ret < 0)
 		return ret;
@@ -458,9 +515,19 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 		case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:
 		if (!p2)
 			return -2;
+		BN_free(rctx->pub_exp);
 		rctx->pub_exp = p2;
 		return 1;
+		case EVP_PKEY_CTRL_RSA_OAEP_MD:
+		if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING)
+			{
+			RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);
+			return 0;
+			}
+		rctx->md = p2;
+		return 1;
 		case EVP_PKEY_CTRL_MD:
 		if (!check_padding_md(p2, rctx->pad_mode))
 			return 0;
@@ -469,7 +536,8 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 		case EVP_PKEY_CTRL_RSA_MGF1_MD:
 		case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:
-		if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)
+		if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING
+			&& rctx->pad_mode != RSA_PKCS1_OAEP_PADDING)
 			{
 			RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);
 			return -2;
@@ -485,6 +553,12 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2)
 			rctx->mgf1md = p2;
 		return 1;
+		case EVP_PKEY_CTRL_RSA_OAEP_LABEL:
+		OPENSSL_free(rctx->oaep_label);
+		rctx->oaep_label = p2;
+		rctx->oaep_labellen = p1;
+		return 1;
 		case EVP_PKEY_CTRL_DIGESTINIT:
 		case EVP_PKEY_CTRL_PKCS7_ENCRYPT:
 		case EVP_PKEY_CTRL_PKCS7_DECRYPT:
@@ -577,6 +651,43 @@ static int pkey_rsa_ctrl_str(EVP_PKEY_CTX *ctx,
 		return ret;
 		}
+	if (!strcmp(type, "rsa_mgf1_md"))
+		{
+		const EVP_MD *md;
+		if (!(md = EVP_get_digestbyname(value)))
+			{
+			RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
+						RSA_R_INVALID_DIGEST);
+			return 0;
+			}
+		return EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md);
+		}
+	if (!strcmp(type, "rsa_oaep_md"))
+		{
+		const EVP_MD *md;
+		if (!(md = EVP_get_digestbyname(value)))
+			{
+			RSAerr(RSA_F_PKEY_RSA_CTRL_STR,
+						RSA_R_INVALID_DIGEST);
+			return 0;
+			}
+		return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md);
+		}
+	if (!strcmp(type, "rsa_oaep_label"))
+		{
+		unsigned char *lab;
+		long lablen;
+		int ret;
+		lab = string_to_hex(value, &lablen);
+		if (!lab)
+			return 0;
+		ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);
+		if (ret <= 0)
+			OPENSSL_free(lab);
+		return ret;
+		}
 	return -2;
 	}