Exetended OAEP support.

 Changes between 1.0.x and 1.1.0  [xx XXX xxxx]

  *) Extended RSA OAEP support via EVP_PKEY API. Options to specify digest,

     MGF1 digest and OAEP label.

     [Steve Henson]

  *) Add callbacks for arbitrary TLS extensions.

     [Trevor Perrin <trevp@trevp.net> and Ben Laurie]

				EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP, 0, pubexp)

#define	 EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md)	\

		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG,  \

		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \

			EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \

				EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)md)

#define	 EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md)	\

		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,  \

				EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)md)

#define	 EVP_PKEY_CTX_get_rsa_mgf1_md(ctx, pmd)	\

		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_SIG,  \

		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, \

			EVP_PKEY_OP_TYPE_SIG | EVP_PKEY_OP_TYPE_CRYPT, \

				EVP_PKEY_CTRL_GET_RSA_MGF1_MD, 0, (void *)pmd)

#define	 EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, l, llen)	\

		EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,  \

				EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)l)

#define EVP_PKEY_CTRL_RSA_PADDING	(EVP_PKEY_ALG_CTRL + 1)

#define EVP_PKEY_CTRL_RSA_PSS_SALTLEN	(EVP_PKEY_ALG_CTRL + 2)

#define EVP_PKEY_CTRL_GET_RSA_PSS_SALTLEN	(EVP_PKEY_ALG_CTRL + 7)

#define EVP_PKEY_CTRL_GET_RSA_MGF1_MD		(EVP_PKEY_ALG_CTRL + 8)

#define EVP_PKEY_CTRL_RSA_OAEP_MD	(EVP_PKEY_ALG_CTRL + 9)

#define EVP_PKEY_CTRL_RSA_OAEP_LABEL	(EVP_PKEY_ALG_CTRL + 10)

#define RSA_PKCS1_PADDING	1

#define RSA_SSLV23_PADDING	2

#define RSA_NO_PADDING		3

int RSA_padding_check_PKCS1_OAEP(unsigned char *to,int tlen,

	const unsigned char *f,int fl,int rsa_len,

	const unsigned char *p,int pl);

int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,

	const unsigned char *from, int flen,

	const unsigned char *param, int plen,

	const EVP_MD *md, const EVP_MD *mgf1md);

int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,

	const unsigned char *from, int flen, int num,

	const unsigned char *param, int plen,

	const EVP_MD *md, const EVP_MD *mgf1md);

int RSA_padding_add_SSLv23(unsigned char *to,int tlen,

	const unsigned char *f,int fl);

int RSA_padding_check_SSLv23(unsigned char *to,int tlen,

#define RSA_F_RSA_NULL_PUBLIC_ENCRYPT			 135

#define RSA_F_RSA_PADDING_ADD_NONE			 107

#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP		 121

#define RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1		 154

#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS			 125

#define RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1		 152

#define RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1		 108

#define RSA_F_RSA_PADDING_ADD_X931			 127

#define RSA_F_RSA_PADDING_CHECK_NONE			 111

#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP		 122

#define RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1		 153

#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1		 112

#define RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2		 113

#define RSA_F_RSA_PADDING_CHECK_SSLV23			 114

#define RSA_R_D_E_NOT_CONGRUENT_TO_1			 123

#define RSA_R_FIRST_OCTET_INVALID			 133

#define RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE	 144

#define RSA_R_INVALID_DIGEST				 157

#define RSA_R_INVALID_DIGEST_LENGTH			 143

#define RSA_R_INVALID_HEADER				 137

#define RSA_R_INVALID_KEYBITS				 145

/* crypto/rsa/rsa_err.c */

/* ====================================================================

 * Copyright (c) 1999-2010 The OpenSSL Project.  All rights reserved.

 * Copyright (c) 1999-2013 The OpenSSL Project.  All rights reserved.

 *

 * Redistribution and use in source and binary forms, with or without

 * modification, are permitted provided that the following conditions

{ERR_FUNC(RSA_F_CHECK_PADDING_MD),	"CHECK_PADDING_MD"},

{ERR_FUNC(RSA_F_DO_RSA_PRINT),	"DO_RSA_PRINT"},

{ERR_FUNC(RSA_F_FIPS_RSA_SIGN_DIGEST),	"FIPS_rsa_sign_digest"},

{ERR_FUNC(RSA_F_FIPS_RSA_VERIFY),	"FIPS_RSA_VERIFY"},

{ERR_FUNC(RSA_F_FIPS_RSA_VERIFY),	"FIPS_rsa_verify"},

{ERR_FUNC(RSA_F_FIPS_RSA_VERIFY_DIGEST),	"FIPS_rsa_verify_digest"},

{ERR_FUNC(RSA_F_INT_RSA_VERIFY),	"INT_RSA_VERIFY"},

{ERR_FUNC(RSA_F_MEMORY_LOCK),	"MEMORY_LOCK"},

{ERR_FUNC(RSA_F_RSA_NULL_PUBLIC_ENCRYPT),	"RSA_NULL_PUBLIC_ENCRYPT"},

{ERR_FUNC(RSA_F_RSA_PADDING_ADD_NONE),	"RSA_padding_add_none"},

{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP),	"RSA_padding_add_PKCS1_OAEP"},

{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1),	"RSA_padding_add_PKCS1_OAEP_mgf1"},

{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS),	"RSA_padding_add_PKCS1_PSS"},

{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_PSS_MGF1),	"RSA_padding_add_PKCS1_PSS_mgf1"},

{ERR_FUNC(RSA_F_RSA_PADDING_ADD_PKCS1_TYPE_1),	"RSA_padding_add_PKCS1_type_1"},

{ERR_FUNC(RSA_F_RSA_PADDING_ADD_X931),	"RSA_padding_add_X931"},

{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_NONE),	"RSA_padding_check_none"},

{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP),	"RSA_padding_check_PKCS1_OAEP"},

{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1),	"RSA_padding_check_PKCS1_OAEP_mgf1"},

{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_1),	"RSA_padding_check_PKCS1_type_1"},

{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_PKCS1_TYPE_2),	"RSA_padding_check_PKCS1_type_2"},

{ERR_FUNC(RSA_F_RSA_PADDING_CHECK_SSLV23),	"RSA_padding_check_SSLv23"},

{ERR_REASON(RSA_R_D_E_NOT_CONGRUENT_TO_1),"d e not congruent to 1"},

{ERR_REASON(RSA_R_FIRST_OCTET_INVALID)   ,"first octet invalid"},

{ERR_REASON(RSA_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE),"illegal or unsupported padding mode"},

{ERR_REASON(RSA_R_INVALID_DIGEST)        ,"invalid digest"},

{ERR_REASON(RSA_R_INVALID_DIGEST_LENGTH) ,"invalid digest length"},

{ERR_REASON(RSA_R_INVALID_HEADER)        ,"invalid header"},

{ERR_REASON(RSA_R_INVALID_KEYBITS)       ,"invalid keybits"},

#include <openssl/rand.h>

#include <openssl/sha.h>

static int MGF1(unsigned char *mask, long len,

	const unsigned char *seed, long seedlen);

int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen,

	const unsigned char *from, int flen,

	const unsigned char *param, int plen)

	{

	return RSA_padding_add_PKCS1_OAEP_mgf1(to, tlen, from, flen,

						param, plen, NULL, NULL);

	}

int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,

	const unsigned char *from, int flen,

	const unsigned char *param, int plen,

	const EVP_MD *md, const EVP_MD *mgf1md)

	{

	int i, emlen = tlen - 1;

	unsigned char *db, *seed;

	unsigned char *dbmask, seedmask[SHA_DIGEST_LENGTH];

	unsigned char *dbmask, seedmask[EVP_MAX_MD_SIZE];

	int mdlen;

	if (md == NULL)

		md = EVP_sha1();

	if (mgf1md == NULL)

		mgf1md = md;

	if (flen > emlen - 2 * SHA_DIGEST_LENGTH - 1)

	mdlen = EVP_MD_size(md);

	if (flen > emlen - 2 * mdlen - 1)

		{

		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP,

		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1,

		   RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);

		return 0;

		}

	if (emlen < 2 * SHA_DIGEST_LENGTH + 1)

	if (emlen < 2 * mdlen + 1)

		{

		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, RSA_R_KEY_SIZE_TOO_SMALL);

		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, RSA_R_KEY_SIZE_TOO_SMALL);

		return 0;

		}

	to[0] = 0;

	seed = to + 1;

	db = to + SHA_DIGEST_LENGTH + 1;

	db = to + mdlen + 1;

	if (!EVP_Digest((void *)param, plen, db, NULL, EVP_sha1(), NULL))

	if (!EVP_Digest((void *)param, plen, db, NULL, md, NULL))

		return 0;

	memset(db + SHA_DIGEST_LENGTH, 0,

		emlen - flen - 2 * SHA_DIGEST_LENGTH - 1);

	db[emlen - flen - SHA_DIGEST_LENGTH - 1] = 0x01;

	memcpy(db + emlen - flen - SHA_DIGEST_LENGTH, from, (unsigned int) flen);

	if (RAND_bytes(seed, SHA_DIGEST_LENGTH) <= 0)

	memset(db + mdlen, 0,

		emlen - flen - 2 * mdlen - 1);

	db[emlen - flen - mdlen - 1] = 0x01;

	memcpy(db + emlen - flen - mdlen, from, (unsigned int) flen);

	if (RAND_bytes(seed, mdlen) <= 0)

		return 0;

#ifdef PKCS_TESTVECT

	memcpy(seed,

	   20);

#endif

	dbmask = OPENSSL_malloc(emlen - SHA_DIGEST_LENGTH);

	dbmask = OPENSSL_malloc(emlen - mdlen);

	if (dbmask == NULL)

		{

		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);

		RSAerr(RSA_F_RSA_PADDING_ADD_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);

		return 0;

		}

	if (MGF1(dbmask, emlen - SHA_DIGEST_LENGTH, seed, SHA_DIGEST_LENGTH) < 0)

	if (PKCS1_MGF1(dbmask, emlen - mdlen, seed, mdlen, mgf1md) < 0)

		return 0;

	for (i = 0; i < emlen - SHA_DIGEST_LENGTH; i++)

	for (i = 0; i < emlen - mdlen; i++)

		db[i] ^= dbmask[i];

	if (MGF1(seedmask, SHA_DIGEST_LENGTH, db, emlen - SHA_DIGEST_LENGTH) < 0)

	if (PKCS1_MGF1(seedmask, mdlen, db, emlen - mdlen, mgf1md) < 0)

		return 0;

	for (i = 0; i < SHA_DIGEST_LENGTH; i++)

	for (i = 0; i < mdlen; i++)

		seed[i] ^= seedmask[i];

	OPENSSL_free(dbmask);

	const unsigned char *from, int flen, int num,

	const unsigned char *param, int plen)

	{

	return RSA_padding_check_PKCS1_OAEP_mgf1(to, tlen, from , flen, num,

							param, plen,

							NULL, NULL);

	}

int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen,

	const unsigned char *from, int flen, int num,

	const unsigned char *param, int plen,

	const EVP_MD *md, const EVP_MD *mgf1md)

	{

	int i, dblen, mlen = -1;

	const unsigned char *maskeddb;

	int lzero;

	unsigned char *db = NULL, seed[SHA_DIGEST_LENGTH], phash[SHA_DIGEST_LENGTH];

	unsigned char *db = NULL, seed[EVP_MAX_MD_SIZE], phash[EVP_MAX_MD_SIZE];

	unsigned char *padded_from;

	int bad = 0;

	int mdlen;

	if (--num < 2 * SHA_DIGEST_LENGTH + 1)

	if (md == NULL)

		md = EVP_sha1();

	if (mgf1md == NULL)

		mgf1md = md;

	mdlen = EVP_MD_size(md);

	if (--num < 2 * mdlen + 1)

		/* 'num' is the length of the modulus, i.e. does not depend on the

		 * particular ciphertext. */

		goto decoding_err;

		flen = num; /* don't overflow the memcpy to padded_from */

		}

	dblen = num - SHA_DIGEST_LENGTH;

	dblen = num - mdlen;

	db = OPENSSL_malloc(dblen + num);

	if (db == NULL)

		{

		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, ERR_R_MALLOC_FAILURE);

		RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, ERR_R_MALLOC_FAILURE);

		return -1;

		}

	memset(padded_from, 0, lzero);

	memcpy(padded_from + lzero, from, flen);

	maskeddb = padded_from + SHA_DIGEST_LENGTH;

	maskeddb = padded_from + mdlen;

	if (MGF1(seed, SHA_DIGEST_LENGTH, maskeddb, dblen))

	if (PKCS1_MGF1(seed, mdlen, maskeddb, dblen, mgf1md))

		return -1;

	for (i = 0; i < SHA_DIGEST_LENGTH; i++)

	for (i = 0; i < mdlen; i++)

		seed[i] ^= padded_from[i];

	if (MGF1(db, dblen, seed, SHA_DIGEST_LENGTH))

	if (PKCS1_MGF1(db, dblen, seed, mdlen, mgf1md))

		return -1;

	for (i = 0; i < dblen; i++)

		db[i] ^= maskeddb[i];

	if (!EVP_Digest((void *)param, plen, phash, NULL, EVP_sha1(), NULL))

	if (!EVP_Digest((void *)param, plen, phash, NULL, md, NULL))

		return -1;

	if (CRYPTO_memcmp(db, phash, SHA_DIGEST_LENGTH) != 0 || bad)

	if (CRYPTO_memcmp(db, phash, mdlen) != 0 || bad)

		goto decoding_err;

	else

		{

		for (i = SHA_DIGEST_LENGTH; i < dblen; i++)

		for (i = mdlen; i < dblen; i++)

			if (db[i] != 0x00)

				break;

		if (i == dblen || db[i] != 0x01)

			mlen = dblen - ++i;

			if (tlen < mlen)

				{

				RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_DATA_TOO_LARGE);

				RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_DATA_TOO_LARGE);

				mlen = -1;

				}

			else

decoding_err:

	/* to avoid chosen ciphertext attacks, the error message should not reveal

	 * which kind of decoding error happened */

	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP, RSA_R_OAEP_DECODING_ERROR);

	RSAerr(RSA_F_RSA_PADDING_CHECK_PKCS1_OAEP_MGF1, RSA_R_OAEP_DECODING_ERROR);

	if (db != NULL) OPENSSL_free(db);

	return -1;

	}

	return rv;

	}

static int MGF1(unsigned char *mask, long len, const unsigned char *seed,

		 long seedlen)

	{

	return PKCS1_MGF1(mask, len, seed, seedlen, EVP_sha1());

	}

#endif

#include <openssl/rsa.h>

#include <openssl/bn.h>

#include <openssl/evp.h>

#include <openssl/x509v3.h>

#ifndef OPENSSL_NO_CMS

#include <openssl/cms.h>

#endif

	const EVP_MD *md;

	/* message digest for MGF1 */

	const EVP_MD *mgf1md;

	/* PSS/OAEP salt length */

	/* PSS salt length */

	int saltlen;

	/* Temp buffer */

	unsigned char *tbuf;

	/* OAEP label */

	unsigned char *oaep_label;

	size_t oaep_labellen;

	} RSA_PKEY_CTX;

static int pkey_rsa_init(EVP_PKEY_CTX *ctx)

	rctx->saltlen = -2;

	rctx->oaep_label = NULL;

	rctx->oaep_labellen = 0;

	ctx->data = rctx;

	ctx->keygen_info = rctx->gentmp;

	ctx->keygen_info_count = 2;

		}

	dctx->pad_mode = sctx->pad_mode;

	dctx->md = sctx->md;

	dctx->mgf1md = sctx->mgf1md;

	if (sctx->oaep_label)

		{

		if (dctx->oaep_label)

			OPENSSL_free(dctx->oaep_label);

		dctx->oaep_label = BUF_memdup(sctx->oaep_label,

						sctx->oaep_labellen);

		if (!dctx->oaep_label)

			return 0;

		dctx->oaep_labellen = sctx->oaep_labellen;

		}

	return 1;

	}

			BN_free(rctx->pub_exp);

		if (rctx->tbuf)

			OPENSSL_free(rctx->tbuf);

		if (rctx->oaep_label)

			OPENSSL_free(rctx->oaep_label);

		OPENSSL_free(rctx);

		}

	}

	}

static int pkey_rsa_encrypt(EVP_PKEY_CTX *ctx,

					unsigned char *out, size_t *outlen,

					const unsigned char *in, size_t inlen)

	{

	int ret;

	RSA_PKEY_CTX *rctx = ctx->data;

	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING)

		{

		int klen = RSA_size(ctx->pkey->pkey.rsa);

		if (!setup_tbuf(rctx, ctx))

			return -1;

		if (!RSA_padding_add_PKCS1_OAEP_mgf1(rctx->tbuf, klen,

							in, inlen,

							rctx->oaep_label,

							rctx->oaep_labellen,

							rctx->md, rctx->mgf1md))

			return -1;

		ret = RSA_public_encrypt(klen, rctx->tbuf, out,

						ctx->pkey->pkey.rsa,

						RSA_NO_PADDING);

		}

	else

		ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa,

							rctx->pad_mode);

	if (ret < 0)

	{

	int ret;

	RSA_PKEY_CTX *rctx = ctx->data;

	if (rctx->pad_mode == RSA_PKCS1_OAEP_PADDING)

		{

		int i;

		if (!setup_tbuf(rctx, ctx))

			return -1;

		ret = RSA_private_decrypt(inlen, in, rctx->tbuf,

							ctx->pkey->pkey.rsa,

							RSA_NO_PADDING);

		if (ret <= 0)

			return ret;

		for (i = 0; i < ret; i++)

			{

			if (rctx->tbuf[i])

				break;

			}

		ret = RSA_padding_check_PKCS1_OAEP_mgf1(out,ret,rctx->tbuf + i,

							ret - i, ret,

							rctx->oaep_label,

							rctx->oaep_labellen,

							rctx->md, rctx->mgf1md);

		}

	else 

		ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa,

							rctx->pad_mode);

	if (ret < 0)

		case EVP_PKEY_CTRL_RSA_KEYGEN_PUBEXP:

		if (!p2)

			return -2;

		BN_free(rctx->pub_exp);

		rctx->pub_exp = p2;

		return 1;

		case EVP_PKEY_CTRL_RSA_OAEP_MD:

		if (rctx->pad_mode != RSA_PKCS1_OAEP_PADDING)

			{

			RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_PADDING_MODE);

			return 0;

			}

		rctx->md = p2;

		return 1;

		case EVP_PKEY_CTRL_MD:

		if (!check_padding_md(p2, rctx->pad_mode))

			return 0;

		case EVP_PKEY_CTRL_RSA_MGF1_MD:

		case EVP_PKEY_CTRL_GET_RSA_MGF1_MD:

		if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING)

		if (rctx->pad_mode != RSA_PKCS1_PSS_PADDING

			&& rctx->pad_mode != RSA_PKCS1_OAEP_PADDING)

			{

			RSAerr(RSA_F_PKEY_RSA_CTRL, RSA_R_INVALID_MGF1_MD);

			return -2;

			rctx->mgf1md = p2;

		return 1;

		case EVP_PKEY_CTRL_RSA_OAEP_LABEL:

		OPENSSL_free(rctx->oaep_label);

		rctx->oaep_label = p2;

		rctx->oaep_labellen = p1;

		return 1;

		case EVP_PKEY_CTRL_DIGESTINIT:

		case EVP_PKEY_CTRL_PKCS7_ENCRYPT:

		case EVP_PKEY_CTRL_PKCS7_DECRYPT:

		return ret;

		}

	if (!strcmp(type, "rsa_mgf1_md"))

		{

		const EVP_MD *md;

		if (!(md = EVP_get_digestbyname(value)))

			{

			RSAerr(RSA_F_PKEY_RSA_CTRL_STR,

						RSA_R_INVALID_DIGEST);

			return 0;

			}

		return EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md);

		}

	if (!strcmp(type, "rsa_oaep_md"))

		{

		const EVP_MD *md;

		if (!(md = EVP_get_digestbyname(value)))

			{

			RSAerr(RSA_F_PKEY_RSA_CTRL_STR,

						RSA_R_INVALID_DIGEST);

			return 0;

			}

		return EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md);

		}

	if (!strcmp(type, "rsa_oaep_label"))

		{

		unsigned char *lab;

		long lablen;

		int ret;

		lab = string_to_hex(value, &lablen);

		if (!lab)

			return 0;

		ret = EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, lab, lablen);

		if (ret <= 0)

			OPENSSL_free(lab);

		return ret;

		}

	return -2;

	}