diff --git a/pkcs11/util_pkcs11.c b/pkcs11/util_pkcs11.c index 8d38c581..20f34a12 100644 --- a/pkcs11/util_pkcs11.c +++ b/pkcs11/util_pkcs11.c @@ -2656,6 +2656,7 @@ CK_RV apply_encrypt_mechanism_init(yubihsm_pkcs11_session *session, } session->operation.op.encrypt.oaep_label = NULL; + session->operation.op.encrypt.oaep_label_len = 0; session->operation.op.encrypt.oaep_md = NULL; session->operation.op.encrypt.mgf1_md = NULL; session->operation.op.encrypt.key_len = 0; @@ -2767,9 +2768,6 @@ CK_RV apply_encrypt_mechanism_init(yubihsm_pkcs11_session *session, memcpy(session->operation.op.encrypt.oaep_label, params->pSourceData, params->ulSourceDataLen); session->operation.op.encrypt.oaep_label_len = params->ulSourceDataLen; - } else { - session->operation.op.encrypt.oaep_label = NULL; - session->operation.op.encrypt.oaep_label_len = 0; } } else if (pMechanism->mechanism == CKM_AES_ECB) { if (object->object.type != YH_SYMMETRIC_KEY || @@ -3733,9 +3731,7 @@ CK_RV perform_rsa_encrypt(yh_session *session, yubihsm_pkcs11_op_info *op_info, } } - if (op_info->op.encrypt.oaep_md != NULL && - op_info->op.encrypt.mgf1_md != NULL && - op_info->op.encrypt.oaep_label != NULL) { + if (op_info->op.encrypt.oaep_md != NULL) { #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) if (EVP_PKEY_CTX_set_rsa_oaep_md(ctx, EVP_MD_meth_dup( op_info->op.encrypt.oaep_md)) >= @@ -3746,6 +3742,8 @@ CK_RV perform_rsa_encrypt(yh_session *session, yubihsm_pkcs11_op_info *op_info, rv = CKR_FUNCTION_FAILED; goto rsa_enc_cleanup; } + } + if (op_info->op.encrypt.mgf1_md != NULL) { #if (OPENSSL_VERSION_NUMBER >= 0x10100000L) if (EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, EVP_MD_meth_dup( op_info->op.encrypt.mgf1_md)) >= 
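Review bot: The three separate guards in perform_rsa_encrypt (the `oaep_md` hunk and the `mgf1_md` hunk after it) carry no comment saying why the label no longer gates the digests. Without one, a later tidy-up could merge the tests again and send label-less OAEP requests back to OpenSSL's default digest instead of the hash the caller selected. A line above the first `if` would record it, e.g. `/* OAEP hash, MGF1 hash and label are applied independently: an empty label is valid and must not skip the digests. */`. Separately, the `EVP_MD_meth_dup(...)` results passed in the context lines have no owner visible in these hunks, and these calls now run for every OAEP request, so it is worth confirming the duplicates are released.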
@@ -3757,6 +3755,8 @@ CK_RV perform_rsa_encrypt(yh_session *session, yubihsm_pkcs11_op_info *op_info, rv = CKR_FUNCTION_FAILED; goto rsa_enc_cleanup; } + } + if (op_info->op.encrypt.oaep_label != NULL) { if (EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, op_info->op.encrypt.oaep_label, op_info->op.encrypt.oaep_label_len) >= @@ -3776,6 +3776,7 @@ CK_RV perform_rsa_encrypt(yh_session *session, yubihsm_pkcs11_op_info *op_info, rsa_enc_cleanup: if (rv != CKR_OK) { free(op_info->op.encrypt.oaep_label); + op_info->op.encrypt.oaep_label = NULL; } EVP_PKEY_CTX_free(ctx); EVP_PKEY_free(public_key);
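Review bot: Once `EVP_PKEY_CTX_set0_rsa_oaep_label` succeeds, OpenSSL owns the label buffer, but `op_info->op.encrypt.oaep_label` still points at it, so the `rsa_enc_cleanup` path in the last hunk can release it twice. If any step after the set0 call fails (those lines are outside the hunks, so this is inferred), `free(op_info->op.encrypt.oaep_label)` runs and `EVP_PKEY_CTX_free(ctx)` then releases the same buffer. On success the field is left dangling, because the new `= NULL` is only reached when `rv != CKR_OK`. Clearing the field at the point of transfer covers both cases: add `op_info->op.encrypt.oaep_label = NULL;` and `op_info->op.encrypt.oaep_label_len = 0;` directly after the successful set0 call, so the cleanup `free` only ever sees a label that was never handed over. The body of perform_rsa_encrypt starts and ends outside these hunks.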