Make it possible to change SA addresses via SADB_UPDATE.
This is not allowed by RFC 2367, but it is a useful feature for implementing
the MOBIKE protocol by IKEd (RFC 4555). We still support the old behavior of
the SADB_UPDATE, but two new extension headers are added:
SADB_X_EXT_NEW_ADDRESS_SRC and SADB_X_EXT_NEW_ADDRESS_DST. IKEd can use
them to specify new addresses for a MATURE SA. When the kernel discovers
these headers, it allocates a new SA, copies the content of the old SA into
the new one, then unlinks the old SA from the SADB. The same actions will be
done when IKEd wants to change the NAT-T configuration.
This is similar to doing SADB_DELETE and SADB_ADD, but it keeps the
state of the SA unchanged, which is impossible to do with SADB_DELETE
and SADB_ADD.
To implement this, the lock field of secasvar was changed to be a pointer.
Also, all fields that could not be copied were moved to the end of the
structure. Now the secasvar lock can be shared between the old and new SA;
this is needed to avoid modification of SA content (e.g. replay window)
during migration.
Discussed with: Tobias Brunner <tobias at strongswan org>
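
The layout and locking idea described in the commit message, as an added user-space example; it is not code from this commit or from the FreeBSD kernel. The names model_sa, model_sa_new, model_sa_migrate and SA_COPY_LEN, the field set, and the use of a pthread mutex are assumptions made for illustration.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical user-space model of an SA; not the kernel's struct secasvar. */
struct model_sa {
    pthread_mutex_t *lock;   /* a pointer, so the old and new SA can share it */
    uint32_t spi;
    uint32_t replay_count;   /* state that must survive the address change */
    char src[46], dst[46];
    /* Fields that must not be copied are grouped at the end. */
    int refcnt;
    int linked;              /* 1 while reachable from the modelled SADB */
};
#define SA_COPY_LEN offsetof(struct model_sa, refcnt)

struct model_sa *model_sa_new(uint32_t spi, const char *src, const char *dst)
{
    struct model_sa *sa = calloc(1, sizeof(*sa));
    if (sa == NULL) return NULL;
    sa->lock = malloc(sizeof(*sa->lock));
    if (sa->lock == NULL) { free(sa); return NULL; }
    pthread_mutex_init(sa->lock, NULL);
    sa->spi = spi;
    snprintf(sa->src, sizeof(sa->src), "%s", src);
    snprintf(sa->dst, sizeof(sa->dst), "%s", dst);
    sa->refcnt = 1;
    sa->linked = 1;
    return sa;
}

/* Allocate a new SA, copy the old content under the shared lock, swap links. */
struct model_sa *model_sa_migrate(struct model_sa *old, const char *nsrc, const char *ndst)
{
    struct model_sa *nsa = calloc(1, sizeof(*nsa));
    if (nsa == NULL) return NULL;
    pthread_mutex_lock(old->lock);      /* no replay-window update can race the copy */
    memcpy(nsa, old, SA_COPY_LEN);      /* copies the lock pointer and the SA state */
    snprintf(nsa->src, sizeof(nsa->src), "%s", nsrc);
    snprintf(nsa->dst, sizeof(nsa->dst), "%s", ndst);
    nsa->refcnt = 1;                    /* per-object field, set fresh, never copied */
    nsa->linked = 1;
    old->linked = 0;                    /* old SA leaves the modelled SADB */
    pthread_mutex_unlock(old->lock);
    return nsa;
}
```

Because only the bytes before refcnt are copied, adding another non-copyable field to this model means placing it after refcnt; a field placed earlier would be duplicated into the new SA.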