Split xfrm_state_replace into xfrm_state_add and xfrm_state_replace.

Fixes:
1. Only update update lifetime and encap options if the state is valid.
2. Disallow updates to states that do not exist.
3. Bail if afinfo cannot be found.
 
This brings SADB_UPDATE in line with what is required by RFC2367.
It is also needed by SFS NAT-T support as it needs to update valid
states when the encap ports move.

I've tweaked the logic slightly so that SADB_UPDATE will fail on a
larval state that hasn't undergone SADB_GETSPI.  This is what RFC2367
calls for and it simplifies the code in that we don't have to call
find_acq for SADB_UPDATE.

This doesn't affect any of the three KMs as they either don't use
SADB_UPDATE or call SADB_GETSPI before doing an update.