lib/krb5: fix krb5_init_creds_step() interaction with krb5_fast_anon_pkinit_step()

_krb5_fast_anon_pkinit_step() should not set
KRB5_INIT_CREDS_STEP_FLAG_CONTINUE if it doesn't generate any output.

And krb5_init_creds_step() needs to return if
_krb5_fast_anon_pkinit_step() returned with
KRB5_INIT_CREDS_STEP_FLAG_CONTINUE set.
As that means the recursive call to krb5_init_creds_step()
generated output that should be send to a KDC and the
KDC response if needed as input for the next step.

Signed-off-by: Stefan Metzmacher <metze@samba.org>

lib/krb5/fast.c

@@ -953,8 +953,6 @@ _krb5_fast_anon_pkinit_step(krb5_context context,
     krb5_get_init_creds_opt_free(context, state->anon_pkinit_opt);
     state->anon_pkinit_opt = NULL;
 
-    *flags |= KRB5_INIT_CREDS_STEP_FLAG_CONTINUE;
-
 out:
     krb5_free_principal(context, principal);
     krb5_free_cred_contents(context, &cred);

lib/krb5/init_creds_pw.c

@@ -3469,8 +3469,7 @@ krb5_init_creds_step(krb5_context context,
             ctx->fast_state.flags &= ~KRB5_FAST_REQUIRED;
             ctx->fast_state.flags &= ~KRB5_FAST_ANON_PKINIT_ARMOR;
         } else if (ret ||
-                   ((*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE) == 0) ||
-                   out->length)
+                   (*flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE))
 	    return ret;
 
 	in = ∅