gssapi: Allow a NULL authenticator

Some non-GSSAPI implementations that instead try to create compatible packets by wrapping krb5_mk_req()
can trigger a NULL authenticator here.  Assume this to be equvilent to specifying an all-zero
channel bindings and some reasonable (fixed) flags.

Original patch by Andrew Bartlett, restructured by Douglas Bagnall

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

lib/gssapi/krb5/accept_sec_context.c

@@ -511,13 +511,8 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 	    return ret;
 	}
 
-	if (authenticator->cksum == NULL) {
+        if (authenticator->cksum != NULL
-	    krb5_free_authenticator(context, &authenticator);
+	    && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
-	    *minor_status = 0;
-	    return GSS_S_BAD_BINDINGS;
-	}
-
-        if (authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
             ret = _gsskrb5_verify_8003_checksum(minor_status,
 						input_chan_bindings,
 						authenticator->cksum,
@@ -529,6 +524,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 		return ret;
 	    }
         } else {
+	    if (authenticator->cksum != NULL) {
 		krb5_crypto crypto;
 
 		kret = krb5_crypto_init(context,
@@ -558,11 +554,14 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 		    *minor_status = kret;
 		    return ret;
 		}
+	    }
 
 	    /*
-	     * Samba style get some flags (but not DCE-STYLE), use
+	     * If there is no checksum or a kerberos checksum (which Windows
-	     * ap_options to guess the mutual flag.
+	     * and Samba accept), we use the ap_options to guess the mutual
+	     * flag.
 	     */
+
 	    ctx->flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
 	    if (ap_options & AP_OPTS_MUTUAL_REQUIRED)
 		ctx->flags |= GSS_C_MUTUAL_FLAG;