authorrenato <renato@openbsd.org>2017-02-22 13:55:14 +0000
committerrenato <renato@openbsd.org>2017-02-22 13:55:14 +0000
commit5a8b257e417332a5b7c9d528cac7b8352c18ca2f (patch)
treede2ae579d191cd8fe0e336bcc3d5a091d197ffe9
parentFix comments about a few ipv6 sockoptions (diff)
Add missing htonl for IPsec SPI.
Also, do not allow configuring SPI values in the 0..255 range. RFC 4302 and RFC 4303 say the following: "The set of SPI values in the range 1 through 255 are reserved by the Internet Assigned Numbers Authority (IANA) for future use; a reserved SPI value will not normally be assigned by IANA unless the use of the assigned SPI value is specified in an RFC. The SPI value of zero (0) is reserved for local, implementation-specific use and MUST NOT be sent on the wire". ok and tweak benno@
-rw-r--r--usr.sbin/bgpd/parse.y5
-rw-r--r--usr.sbin/bgpd/pfkey.c4
2 files changed, 5 insertions, 4 deletions
diff --git a/usr.sbin/bgpd/parse.y b/usr.sbin/bgpd/parse.y
index 76d9c90c4f5..ddf1431441d 100644
--- a/usr.sbin/bgpd/parse.y
+++ b/usr.sbin/bgpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.297 2017/01/25 00:11:07 claudio Exp $ */
+/* $OpenBSD: parse.y,v 1.298 2017/02/22 13:55:14 renato Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -27,6 +27,7 @@
#include <sys/stat.h>
#include <sys/un.h>
#include <netinet/in.h>
+#include <netinet/ip_ipsp.h>
#include <arpa/inet.h>
#include <netmpls/mpls.h>
@@ -1266,7 +1267,7 @@ peeropts : REMOTEAS as4number {
AUTH_IPSEC_MANUAL_AH;
}
- if ($5 < 0 || $5 > UINT_MAX) {
+ if ($5 <= SPI_RESERVED_MAX || $5 > UINT_MAX) {
yyerror("bad spi number %lld", $5);
free($7);
YYERROR;
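Review bot: The new condition on the `if ($5 <= SPI_RESERVED_MAX || $5 > UINT_MAX)` line silently folds the reserved range into the generic "bad spi number" diagnostic, so an operator who configures e.g. SPI 100 gets no hint that the value is syntactically fine but reserved. Since the message is the only feedback the parser gives, I would make it self-explanatory: `yyerror("bad spi number %lld (0-%d reserved)", $5, SPI_RESERVED_MAX);`. SPI_RESERVED_MAX comes from the newly added `<netinet/ip_ipsp.h>` include in the earlier hunk, so a one-line comment above the check such as `/* SPI 0 and 1-255 are reserved (RFC 4302/4303), see SPI_RESERVED_MAX */` would tie the two hunks together for the next reader. The enclosing peeropts rule starts and ends outside this hunk.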
diff --git a/usr.sbin/bgpd/pfkey.c b/usr.sbin/bgpd/pfkey.c
index 5613b85df6e..4be700279f8 100644
--- a/usr.sbin/bgpd/pfkey.c
+++ b/usr.sbin/bgpd/pfkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pfkey.c,v 1.46 2017/01/24 04:22:42 benno Exp $ */
+/* $OpenBSD: pfkey.c,v 1.47 2017/02/22 13:55:14 renato Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -147,7 +147,7 @@ pfkey_send(int sd, uint8_t satype, uint8_t mtype, uint8_t dir,
sa.sadb_sa_exttype = SADB_EXT_SA;
sa.sadb_sa_len = sizeof(sa) / 8;
sa.sadb_sa_replay = 0;
- sa.sadb_sa_spi = spi;
+ sa.sadb_sa_spi = htonl(spi);
sa.sadb_sa_state = SADB_SASTATE_MATURE;
break;
case SADB_X_ADDFLOW:
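Review bot: The `sa.sadb_sa_spi = htonl(spi);` line fixes the byte order only for the SADB_EXT_SA extension built in this case; nothing in the hunk documents that PF_KEY expects the SPI in network byte order, and the change is easy to regress. I would add a comment above it, `/* sadb_sa_spi is carried in network byte order */`, so the conversion is not mistaken for a bug and removed. Any other place in bgpd that reads `sadb_sa_spi` back from kernel messages, or passes `spi` into a PF_KEY delete, must presumably use the matching ntohl()/htonl() — that code is outside this hunk, so I cannot confirm it; worth a grep. pfkey_send's body begins and continues outside the hunk, and the declared type of `spi` is not visible here.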