kdc-plugin: Split updating a PAC out of PAC verification

kdc-plugin: Split updating a PAC out of PAC verification

Up to now krb5plugin_kdc_pac_verify() has served to both verified and
updated a PAC. There are cases, however, when we only want to retrieve
and verify a PAC, but don't want to modify it. This is the case with the
PAC from a FAST armor ticket.

Therefore, add a new plugin function, pac_update(), that will update a
PAC obtained using pac_verify(). pac_verify() now only deals with
verifying a PAC, while pac_update() handles any necessary updates to it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>