Set SA's natt_type before calling key_mature() in key_add(),

as the SA may be used as soon as key_mature() has been done.

Obtained from:	NETASQ
MFC after:	1 week

sys/netipsec/key.c

@@ -5422,12 +5422,6 @@ key_add(so, m, mhp)
 		return key_senderror(so, m, error);
 	}
 
-	/* check SA values to be mature. */
-	if ((error = key_mature(newsav)) != 0) {
-		KEY_FREESAV(&newsav);
-		return key_senderror(so, m, error);
-	}
-
 #ifdef IPSEC_NAT_T
 	/*
 	 * Handle more NAT-T info if present,
@@ -5447,6 +5441,12 @@ key_add(so, m, mhp)
 #endif
 #endif
 
+	/* check SA values to be mature. */
+	if ((error = key_mature(newsav)) != 0) {
+		KEY_FREESAV(&newsav);
+		return key_senderror(so, m, error);
+	}
+
 	/*
 	 * don't call key_freesav() here, as we would like to keep the SA
 	 * in the database on success.