RRDP serial numbers should only increase.

Warn if the serial number decreases between syncs.

On top of this only allow a small window of up to 2 deltas from the
current one to consider our cache to be in sync.
The number 2 is probably to conservative and should be adjusted once
some data points got collected.

It seems to happen that CAs restore RRDP snapshots instead of building
a fresh snapshot with a new session-id. Which results in rpki-client to
ignore the repo until the serial number is bigger again.
OK tb@

diff --git a/usr.sbin/rpki-client/rrdp_notification.c b/usr.sbin/rpki-client/rrdp_notification.c
index 84bc953..016385d 100644 (file)
--- a/usr.sbin/rpki-client/rrdp_notification.c
+++ b/usr.sbin/rpki-client/rrdp_notification.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: rrdp_notification.c,v 1.15 2022/05/15 15:00:53 deraadt Exp $ */
+/*     $OpenBSD: rrdp_notification.c,v 1.16 2022/06/16 16:09:56 claudio Exp $ */
 /*
  * Copyright (c) 2020 Nils Fisher <nils_fisher@hotmail.com>
  * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -383,8 +383,13 @@ notification_done(struct notification_xml *nxml, char *last_mod)
        if (nxml->repository->serial == 0)
                goto snapshot;
 
-       /* if our serial is equal or bigger, the repo is up to date */
-       if (nxml->repository->serial >= nxml->serial) {
+       if (nxml->repository->serial > nxml->serial)
+               warnx("%s: serial number decreased from %lld to %lld",
+                   nxml->notifyuri, nxml->repository->serial, nxml->serial);
+
+       /* if our serial is equal or plus 2, the repo is up to date */
+       if (nxml->repository->serial >= nxml->serial &&
+           nxml->repository->serial - nxml->serial <= 2) {
                nxml->current->serial = nxml->repository->serial;
                return NOTIFICATION;
        }