Implement KERB_AP_OPTIONS_CBT (server side)

if the client asserted knowledge of channel-bindings by
passing KERB_AP_OPTIONS_CBT, and the server passed bindings,
require the bindings to match.

lib/gssapi/krb5/accept_sec_context.c

@@ -566,9 +566,10 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status,
 
         if (authenticator->cksum != NULL
 	    && authenticator->cksum->cksumtype == CKSUMTYPE_GSSAPI) {
-            ret = _gsskrb5_verify_8003_checksum(minor_status,
+            ret = _gsskrb5_verify_8003_checksum(context,
+						minor_status,
 						input_chan_bindings,
-						authenticator->cksum,
+						authenticator,
 						&ctx->flags,
 						&ctx->fwd_data);