Revert "krb5: zero nonce before encoding for GSS preauth"

This reverts commit 34b374b5e4.

We are revising the GSS-API pre-authentication draft to include the nonce from
the first request in the GSS channel bindings, to avoid re-encoding issues that
may surface with Kerberos implementations that do not correctly implement DER.

kdc/gss_preauth.c

@@ -191,7 +191,6 @@ _kdc_gss_rd_padata(astgs_request_t r,
 {
     krb5_error_code ret;
     size_t size;
-    KDC_REQ_BODY kdc_req_body;
 
     OM_uint32 minor;
     gss_client_params *gcp = NULL;
@@ -232,11 +231,8 @@ _kdc_gss_rd_padata(astgs_request_t r,
 
     _krb5_gss_data_to_buffer(&pa->padata_value, &input_token);
 
-    kdc_req_body = r->req.req_body;
-    kdc_req_body.nonce = 0;
-
     ASN1_MALLOC_ENCODE(KDC_REQ_BODY, cb.application_data.value,
-                       cb.application_data.length, &kdc_req_body,
+                       cb.application_data.length, &r->req.req_body,
                        &size, ret);
     heim_assert(ret || size == cb.application_data.length,
                 "internal asn1 encoder error");

lib/krb5/init_creds_pw.c

@@ -1211,7 +1211,6 @@ gss_pa_step(krb5_context context,
     krb5_data req_body;
     PA_DATA *pa;
     krb5_data *input_token;
-    KDC_REQ_BODY kdc_req_body;
 
     krb5_data_zero(&req_body);
     krb5_data_zero(output_token);
@@ -1239,16 +1238,8 @@ gss_pa_step(krb5_context context,
 	goto out;
     }
 
-    /*
-     * Zero the nonce before encoding, as the nonce may change between
-     * AS-REQs and we don't know which step the GSS mechanism will
-     * honor the channel binding data.
-     */
-    kdc_req_body = ctx->as_req.req_body;
-    kdc_req_body.nonce = 0;
-
     ASN1_MALLOC_ENCODE(KDC_REQ_BODY, req_body.data, req_body.length,
-		       &kdc_req_body, &len, ret);
+		       &ctx->as_req.req_body, &len, ret);
     if (ret)
 	goto out;
     heim_assert(req_body.length == len, "ASN.1 internal error");