diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
index a6ce4de49d9bf6..b907e9e9cdc4e4 100644
--- a/src/crypto/crypto_cipher.cc
+++ b/src/crypto/crypto_cipher.cc
@@ -987,17 +987,7 @@ bool PublicKeyCipher::Cipher(
       return false;
   }
 
-  if (oaep_label.size() != 0) {
-    // OpenSSL takes ownership of the label, so we need to create a copy.
-    void* label = OPENSSL_memdup(oaep_label.data(), oaep_label.size());
-    CHECK_NOT_NULL(label);
-    if (0 >= EVP_PKEY_CTX_set0_rsa_oaep_label(ctx.get(),
-                     static_cast<unsigned char*>(label),
-                                      oaep_label.size())) {
-      OPENSSL_free(label);
-      return false;
-    }
-  }
+  if (!SetRsaOaepLabel(ctx, oaep_label.ToByteSource())) return false;
 
   size_t out_len = 0;
   if (EVP_PKEY_cipher(
diff --git a/src/crypto/crypto_rsa.cc b/src/crypto/crypto_rsa.cc
index ec339e5635d419..4eacb1f142b6e0 100644
--- a/src/crypto/crypto_rsa.cc
+++ b/src/crypto/crypto_rsa.cc
@@ -221,18 +221,7 @@ WebCryptoCipherStatus RSA_Cipher(
     return WebCryptoCipherStatus::FAILED;
   }
 
-  size_t label_len = params.label.size();
-  if (label_len > 0) {
-    void* label = OPENSSL_memdup(params.label.data<char>(), label_len);
-    CHECK_NOT_NULL(label);
-    if (EVP_PKEY_CTX_set0_rsa_oaep_label(
-      ctx.get(),
-      static_cast<unsigned char*>(label),
-      label_len) <= 0) {
-      OPENSSL_free(label);
-      return WebCryptoCipherStatus::FAILED;
-    }
-  }
+  if (!SetRsaOaepLabel(ctx, params.label)) return WebCryptoCipherStatus::FAILED;
 
   size_t out_len = 0;
   if (cipher(
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index e878c5ea15d58f..f1bb7a9c7aadbc 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -654,6 +654,21 @@ Maybe<bool> SetEncodedValue(
   return target->Set(env->context(), name, value);
 }
 
+bool SetRsaOaepLabel(const EVPKeyCtxPointer& ctx, const ByteSource& label) {
+  if (label.size() != 0) {
+    // OpenSSL takes ownership of the label, so we need to create a copy.
+    void* label_copy = OPENSSL_memdup(label.data(), label.size());
+    CHECK_NOT_NULL(label_copy);
+    int ret = EVP_PKEY_CTX_set0_rsa_oaep_label(
+        ctx.get(), static_cast<unsigned char*>(label_copy), label.size());
+    if (ret <= 0) {
+      OPENSSL_free(label_copy);
+      return false;
+    }
+  }
+  return true;
+}
+
 CryptoJobMode GetCryptoJobMode(v8::Local<v8::Value> args) {
   CHECK(args->IsUint32());
   uint32_t mode = args.As<v8::Uint32>()->Value();
diff --git a/src/crypto/crypto_util.h b/src/crypto/crypto_util.h
index dc3bb15cfb48a8..7f83d6d1919df5 100644
--- a/src/crypto/crypto_util.h
+++ b/src/crypto/crypto_util.h
@@ -791,6 +791,8 @@ v8::Maybe<bool> SetEncodedValue(
     const BIGNUM* bn,
     int size = 0);
 
+bool SetRsaOaepLabel(const EVPKeyCtxPointer& rsa, const ByteSource& label);
+
 namespace Util {
 void Initialize(Environment* env, v8::Local<v8::Object> target);
 void RegisterExternalReferences(ExternalReferenceRegistry* registry);