Diffstat (limited to 'src/lib/crypto/builtin/aes/aes_s2k.c')
-rw-r--r--src/lib/crypto/builtin/aes/aes_s2k.c29
1 files changed, 15 insertions, 14 deletions
diff --git a/src/lib/crypto/builtin/aes/aes_s2k.c b/src/lib/crypto/builtin/aes/aes_s2k.c
index 36045edc0d..76d73c6357 100644
--- a/src/lib/crypto/builtin/aes/aes_s2k.c
+++ b/src/lib/crypto/builtin/aes/aes_s2k.c
@@ -44,6 +44,7 @@ krb5int_aes_string_to_key(const struct krb5_enc_provider *enc,
unsigned long iter_count;
krb5_data out;
static const krb5_data usage = { KV5M_DATA, 8, "kerberos" };
+ krb5_key tempkey = NULL;
krb5_error_code err;
if (params) {
@@ -66,25 +67,25 @@ krb5int_aes_string_to_key(const struct krb5_enc_provider *enc,
if (iter_count >= MAX_ITERATION_COUNT)
return KRB5_ERR_BAD_S2K_PARAMS;
- /*
- * Dense key space, no parity bits or anything, so take a shortcut
- * and use the key contents buffer for the generated bytes.
- */
+ /* Use the output keyblock contents for temporary space. */
out.data = (char *) key->contents;
out.length = key->length;
if (out.length != 16 && out.length != 32)
return KRB5_CRYPTO_INTERNAL;
err = krb5int_pbkdf2_hmac_sha1 (&out, iter_count, string, salt);
- if (err) {
- memset(out.data, 0, out.length);
- return err;
- }
+ if (err)
+ goto cleanup;
- err = krb5_derive_key (enc, key, key, &usage);
- if (err) {
- memset(out.data, 0, out.length);
- return err;
- }
- return 0;
+ err = krb5_k_create_key (NULL, key, &tempkey);
+ if (err)
+ goto cleanup;
+
+ err = krb5_derive_keyblock (enc, tempkey, key, &usage);
+
+cleanup:
+ if (err)
+ memset (out.data, 0, out.length);
+ krb5_k_free_key (NULL, tempkey);
+ return err;
}
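Review bot: After `krb5_k_create_key` succeeds, `tempkey` holds a second copy of the raw PBKDF2 output, and the `cleanup:` path relies on `krb5_k_free_key` both wiping that copy and accepting a NULL key (the state when `krb5int_pbkdf2_hmac_sha1` or `krb5_k_create_key` fails); neither property is visible in this hunk. I would record that dependency in a comment above the free, for example `/* tempkey holds the PBKDF2 intermediate; krb5_k_free_key must zeroize it and tolerate NULL. */`. The replacement comment `/* Use the output keyblock contents for temporary space. */` also drops the old rationale, so it is worth adding that `out` aliases `key->contents` and that the caller's keyblock is therefore cleared on any failure after this point. If the tree's zeroizing helper is in scope in this file (presumably `zap` from k5-int.h), `zap(out.data, out.length);` would keep the error-path wipe consistent with other key-clearing code. The function body starts outside the hunk.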