Bug #50492: Use the correct salt for hash comparison, not the default salt.
Index: openldap-2.4.45+dfsg/contrib/slapd-modules/k5pwd/k5pwd.c
===================================================================
--- openldap-2.4.45+dfsg.orig/contrib/slapd-modules/k5pwd/k5pwd.c
+++ openldap-2.4.45+dfsg/contrib/slapd-modules/k5pwd/k5pwd.c
@@ -155,7 +155,7 @@ static int k5key_chk(
 Attribute *a, *a_krb5PrincipalName;
 krb5_error_code ret;
 krb5_keyblock key;
- krb5_salt salt;
+ krb5_salt salt = {0};
 hdb_entry ent;
 int decode_ret;
@@ -201,37 +201,13 @@ static int k5key_chk(
 }
 }
- ret = krb5_get_pw_salt( context, ent.principal, &salt );
 krb5_free_principal( context, ent.principal );
- if (ret) {
- const char *error_string;
- error_string = krb5_get_error_message( context, ret );
- Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
- "k5key_chk: krb5_get_pw_salt failed for: %s.\n",
- op->o_log_prefix, a_krb5PrincipalName->a_vals[0].bv_val, 0 );
- if (error_string) {
- Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
- "k5key_chk: error_string: %s.\n",
- op->o_log_prefix, error_string, 0 );
- krb5_free_error_message(context, error_string);
- } else {
- Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
- "k5key_chk: ret=%d.\n",
- op->o_log_prefix, ret, 0 );
- };
-
- rc = LUTIL_PASSWD_ERR;
- break;
- }
-
 a = attr_find( e->e_attrs, ad_krb5Key );
 if ( !a ) break;
- ent.keys.len = 1;
- ent.keys.val = &ekey;
 decode_ret = decode_Key((unsigned char *) a->a_vals[0].bv_val,
- (size_t) a->a_vals[0].bv_len, &ent.keys.val[0], &l);
+ (size_t) a->a_vals[0].bv_len, &ekey, &l);
 if (decode_ret) {
 const char *error_string;
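Review bot: Removing `ent.keys.len = 1;` and `ent.keys.val = &ekey;` detaches the decoded key from `ent`, yet the unchanged `hdb_unseal_keys( context, db, &ent );` in the next hunk still operates on `ent`, so unless `ent.keys` is populated somewhere outside this view the master-key unsealing appears to no longer reach the key now decoded into `ekey`. With `hdb_entry ent;` declared without an initializer in the first hunk, that call may also read an indeterminate `keys` array. Either keep the two removed lines and continue decoding into `ent.keys.val[0]`, or unseal `ekey` explicitly after `decode_Key`. k5key_chk begins and continues outside this hunk.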
@@ -254,6 +230,32 @@ static int k5key_chk(
 rc = LUTIL_PASSWD_ERR;
 break;
 }
+ if (ekey.salt) {
+ salt.saltvalue.data = ekey.salt->salt.data;
+ salt.saltvalue.length = ekey.salt->salt.length;
+ salt.salttype = KRB5_PW_SALT;
+ } else {
+ ret = krb5_get_pw_salt( context, ent.principal, &salt );
+ if (ret) {
+ const char *error_string;
+ error_string = krb5_get_error_message( context, ret );
+ Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
+ "k5key_chk: krb5_get_pw_salt failed for: %s.\n",
+ op->o_log_prefix, a_krb5PrincipalName->a_vals[0].bv_val, 0 );
+ if (error_string) {
+ Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
+ "k5key_chk: error_string: %s.\n",
+ op->o_log_prefix, error_string, 0 );
+ krb5_free_error_message(context, error_string);
+ } else {
+ Debug( LDAP_DEBUG_ANY, "%s: k5pwd: "
+ "k5key_chk: ret=%d.\n",
+ op->o_log_prefix, ret, 0 );
+ };
+
+ rc = LUTIL_PASSWD_ERR;
+ break;
+ }
 if ( db->HDB_MASTER_KEY_SET )
 hdb_unseal_keys( context, db, &ent );
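Review bot: `ret = krb5_get_pw_salt( context, ent.principal, &salt );` in the new `else` branch runs after `krb5_free_principal( context, ent.principal );`, which the previous hunk leaves in place before `attr_find`, so the fallback path now hands a freed principal to the salt lookup. Move the free below this block, i.e. make `krb5_free_principal( context, ent.principal );` the first statement after the `if (ekey.salt) … else …` construct, or compute the default salt before freeing and only override it when `ekey.salt` is set. As reproduced here the `else {` opened at `} else {` has no matching `}` inside the hunk — only `if (ret)` is closed — which would not compile unless a brace follows outside this view; this may be an artifact of how the patch was collapsed. Note also that the `ekey.salt` branch borrows `saltvalue` from `ekey` while `krb5_get_pw_salt` allocates it, so any later `krb5_free_salt` must be conditional on which branch ran. k5key_chk continues past this hunk.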