authorClaudio Jeker <claudio@cvs.openbsd.org>2022-06-16 16:09:57 +0000
committerClaudio Jeker <claudio@cvs.openbsd.org>2022-06-16 16:09:57 +0000
commit20d5841a03c8145d704c0a30e8136d5dca3e291e (patch)
tree15f019a31808eed49ea8859a89cf313f586ecce5 /usr.sbin/rpki-client/rrdp_notification.c
parenta57d3bea313bc2a8fb2a35b4d7138f389f79cd41 (diff)
RRDP serial numbers should only increase.
Warn if the serial number decreases between syncs. On top of this, only allow a small window of up to 2 deltas from the current one to consider our cache to be in sync. The number 2 is probably too conservative and should be adjusted once some data points have been collected. It seems to happen that CAs restore RRDP snapshots instead of building a fresh snapshot with a new session-id, which results in rpki-client ignoring the repo until the serial number is bigger again. OK tb@
Diffstat (limited to 'usr.sbin/rpki-client/rrdp_notification.c')
-rw-r--r--usr.sbin/rpki-client/rrdp_notification.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/usr.sbin/rpki-client/rrdp_notification.c b/usr.sbin/rpki-client/rrdp_notification.c
index 84bc953b6e9..016385d7252 100644
--- a/usr.sbin/rpki-client/rrdp_notification.c
+++ b/usr.sbin/rpki-client/rrdp_notification.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rrdp_notification.c,v 1.15 2022/05/15 15:00:53 deraadt Exp $ */
+/* $OpenBSD: rrdp_notification.c,v 1.16 2022/06/16 16:09:56 claudio Exp $ */
/*
* Copyright (c) 2020 Nils Fisher <nils_fisher@hotmail.com>
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@@ -383,8 +383,13 @@ notification_done(struct notification_xml *nxml, char *last_mod)
if (nxml->repository->serial == 0)
goto snapshot;
- /* if our serial is equal or bigger, the repo is up to date */
- if (nxml->repository->serial >= nxml->serial) {
+ if (nxml->repository->serial > nxml->serial)
+ warnx("%s: serial number decreased from %lld to %lld",
+ nxml->notifyuri, nxml->repository->serial, nxml->serial);
+
+ /* if our serial is equal or plus 2, the repo is up to date */
+ if (nxml->repository->serial >= nxml->serial &&
+ nxml->repository->serial - nxml->serial <= 2) {
nxml->current->serial = nxml->repository->serial;
return NOTIFICATION;
}
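Review bot: The tolerance `2` on the new line `nxml->repository->serial - nxml->serial <= 2) {` is a magic number that the commit message itself calls provisional; naming it makes the later adjustment a one-line change, e.g. `#define RRDP_SERIAL_WINDOW 2` near the top of the file (outside this hunk) and `nxml->repository->serial - nxml->serial <= RRDP_SERIAL_WINDOW) {`. The comment above it would also read better if it stated the intent rather than restating the condition: `/* our serial equals or is at most 2 ahead of the notification's: treat the repo as in sync (CAs sometimes restore an older snapshot) */`. Note that the new warnx fires on every sync while the CA's serial stays below ours, including the in-window case that the following block then accepts as up to date; presumably intended, but worth confirming that the repeated warning is acceptable operator-facing noise. notification_done's body begins before and continues after this hunk.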