diff --git a/lib/krb5/crypto-aes-sha2.c b/lib/krb5/crypto-aes-sha2.c
index 78bbf025f..a5e9f14f6 100644
--- a/lib/krb5/crypto-aes-sha2.c
+++ b/lib/krb5/crypto-aes-sha2.c
@@ -74,7 +74,8 @@ SP_HMAC_SHA2_checksum(krb5_context context,
 if (ret)
 return ret;
- ret = _krb5_evp_hmac_iov(context, key, iov, niov, hmac, &hmaclen, md, NULL);
+ ret = _krb5_evp_hmac_iov(context, crypto, key, iov, niov, hmac,
+ &hmaclen, md, NULL);
 if (ret)
 return ret;
diff --git a/lib/krb5/crypto-evp.c b/lib/krb5/crypto-evp.c
index 594614910..4f6b920c8 100644
--- a/lib/krb5/crypto-evp.c
+++ b/lib/krb5/crypto-evp.c
@@ -114,6 +114,7 @@ out:
 krb5_error_code
 _krb5_evp_hmac_iov(krb5_context context,
+ krb5_crypto crypto,
 struct _krb5_key_data *key,
 const struct krb5_crypto_iov *iov,
 int niov,
@@ -126,7 +127,13 @@ _krb5_evp_hmac_iov(krb5_context context,
 krb5_data current = {0, 0};
 int i;
- ctx = HMAC_CTX_new();
+ if (crypto != NULL) {
+ if (crypto->hmacctx == NULL)
+ crypto->hmacctx = HMAC_CTX_new();
+ ctx = crypto->hmacctx;
+ } else {
+ ctx = HMAC_CTX_new();
+ }
 if (ctx == NULL)
 return krb5_enomem(context);
@@ -150,7 +157,8 @@ _krb5_evp_hmac_iov(krb5_context context,
 HMAC_Final(ctx, hmac, hmaclen);
- HMAC_CTX_free(ctx);
+ if (crypto == NULL)
+ HMAC_CTX_free(ctx);
 return 0;
 }
diff --git a/lib/krb5/crypto.c b/lib/krb5/crypto.c
index 4df2a12a4..85d9a6286 100644
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -329,7 +329,7 @@ _krb5_SP_HMAC_SHA1_checksum(krb5_context context,
 unsigned char hmac[EVP_MAX_MD_SIZE];
 unsigned int hmaclen = sizeof(hmac);
- ret = _krb5_evp_hmac_iov(context, key, iov, niov, hmac, &hmaclen,
+ ret = _krb5_evp_hmac_iov(context, crypto, key, iov, niov, hmac, &hmaclen,
 EVP_sha1(), NULL);
 heim_assert(result->checksum.length <= hmaclen,
@@ -2526,6 +2526,9 @@ krb5_crypto_destroy(krb5_context context,
 if (crypto->mdctx)
 EVP_MD_CTX_destroy(crypto->mdctx);
+ if (crypto->hmacctx)
+ HMAC_CTX_free(crypto->hmacctx);
+
 free (crypto);
 return 0;
 }
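Review bot: Reusing `crypto->hmacctx` in `_krb5_evp_hmac_iov` (lib/krb5/crypto-evp.c, the new `if (crypto != NULL)` branch) means two concurrent calls on the same `krb5_crypto` would interleave updates on one `HMAC_CTX` and compute or accept a wrong MAC, where the old code gave every call a private context. The struct already holds a shared `mdctx`, so callers may be required to serialise, but nothing visible here says so; I would state it above the branch, e.g. `/* crypto->hmacctx is reused across calls; a krb5_crypto must not be used by two threads at once */`. The reused context also carries the previous call's key state, so the initialisation that follows must re-key it with `key` and `md` on every call; that code lies between this hunk and the next and is not visible.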
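Review bot: At the end of `_krb5_evp_hmac_iov` (lib/krb5/crypto-evp.c, last hunk) `HMAC_Final(ctx, hmac, hmaclen);` is still unchecked and followed by `return 0;`, and with a context that now outlives the call a failure there is no longer discarded with the context. If the HMAC implementation this is built against returns a status from `HMAC_Final` (OpenSSL's does; I have not checked the bundled one), it should be tested and mapped to an error so the caller never treats the contents of `hmac` as a valid MAC. The calls between the two hunks are not visible, so the same question applies to whatever initialises and updates `ctx` there. As a style point, the `crypto == NULL` ownership test now appears at both the allocation and the free; a comment such as `/* ctx is owned by crypto when crypto != NULL; freed in krb5_crypto_destroy() */` would keep later error paths from freeing the cached context.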
diff --git a/lib/krb5/crypto.h b/lib/krb5/crypto.h
index 908443b3a..d9c0dfcf3 100644
--- a/lib/krb5/crypto.h
+++ b/lib/krb5/crypto.h
@@ -205,6 +205,7 @@ struct krb5_crypto_data {
 struct _krb5_encryption_type *et;
 struct _krb5_key_data key;
 EVP_MD_CTX *mdctx;
+ HMAC_CTX *hmacctx;
 int num_key_usage;
 struct _krb5_key_usage *key_usage;
 };
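Review bot: Nothing in this change sets the new `hmacctx` member to NULL when a `struct krb5_crypto_data` is created, yet `_krb5_evp_hmac_iov` tests `crypto->hmacctx == NULL` and `krb5_crypto_destroy` frees it when it is non-NULL. That is safe only if the structure is zero-allocated, which this diff does not show; otherwise both sites act on an indeterminate pointer. I would either initialise the member explicitly where the structure is allocated or confirm that the allocator zeroes it. A comment on the field, e.g. `/* cached HMAC context, created lazily, freed in krb5_crypto_destroy() */`, would also record the ownership.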