This gets us to the point of seemingly being able to wrap and unwrap IPv4

Remarkably hard to test this on a single computer

pass-1/rlocs.c

@@ -15,6 +15,7 @@
 #include <openssl/rsa.h>
 #include <openssl/bio.h>
 #include <openssl/rand.h>
+#include <openssl/err.h>
 
 #include <json/json_tokener.h>
 #include <json/linkhash.h>
@@ -404,11 +405,61 @@ struct rloc *rloc_find_by_address( struct rlocs *reg, struct in_addr *ipv4, stru
     return i < reg->num_entries ? current : NULL;
 }
 
+/* Replaces the public key in the rloc struct with a private key so we can
+ * unwrap, as well as wrap, packets.
+ */
+int rloc_add_private_key( struct rloc *rloc, char *filename )
+{
+    BIO *key_data = BIO_new_file( filename, "r" );
+    
+    RSA* key = PEM_read_bio_RSAPrivateKey( key_data, NULL, NULL, NULL );
+    
+    if ( key == NULL ) {
+        warn( "Failed to add private key %s", filename );
+        return 0;
+    }
+    
+    RSA_free( rloc->key );
+    rloc->key = key;
+    
+    return 1;
+}
+
+void show_ssl_errors(void)
+{
+    long err;
+    char msg[256];
+    
+    while ( ( err = ERR_get_error() ) ) {
+        ERR_error_string( err, &msg[0] );
+        warn( "Error %lu in crypto: %s", err, &msg[0] );
+    }
+    
+}
+
 ssize_t rloc_encrypt( struct rloc *rloc, unsigned char *data, size_t data_len, unsigned char *dest, size_t dest_len )
 {
-    return RSA_public_encrypt( data_len, data, dest, rloc->key, RSA_PKCS1_OAEP_PADDING );
+    ssize_t result = RSA_public_encrypt( data_len, data, dest, rloc->key, RSA_PKCS1_OAEP_PADDING );
+
+    if ( result < 0 ) {
+        show_ssl_errors();
+    }
+    
+    return result;
 }
 
+ssize_t rloc_decrypt( struct rloc *rloc, unsigned char *data, size_t data_len, unsigned char *dest, size_t dest_len )
+{
+    ssize_t result = RSA_private_decrypt( data_len, data, dest, rloc->key, RSA_PKCS1_OAEP_PADDING );
+    
+    if ( result < 0 ) {
+        show_ssl_errors();
+    }
+    
+    return result;
+}
+
+
 void rlocs_debug_output( struct rlocs *reg )
 {
     int i;