ARC: fix signing when DKIM-signing is also being done

[exim.git] / src / src / arc.c

diff --git a/src/src/arc.c b/src/src/arc.c
index 5f51d614dbdcad49748c579ffd087c4205e104c5..6f567dc5faf92bad38cd56d2ba48aabfc498fa75 100644 (file)
--- a/src/src/arc.c
+++ b/src/src/arc.c
@@ -760,7 +760,6 @@ arc_headers_check(arc_ctx * ctx)
 arc_set * as;
 int inst;
 BOOL ams_fail_found = FALSE;
-uschar * ret = NULL;
 
 if (!(as = ctx->arcset_chain))
   return US"none";
@@ -792,20 +791,20 @@ for(inst = 0; as; as = as->next)
 
 arc_received = ctx->arcset_chain_last;
 arc_received_instance = inst;
-if (ret)
-  return ret;
 
 /* We can skip the latest-AMS validation, if we already did it. */
 
 as = ctx->arcset_chain_last;
-if (as->ams_verify_done && !as->ams_verify_passed)
+if (!as->ams_verify_passed)
   {
-  arc_state_reason = as->ams_verify_done;
-  return US"fail";
+  if (as->ams_verify_done)
+    {
+    arc_state_reason = as->ams_verify_done;
+    return US"fail";
+    }
+  if (!!arc_ams_verify(ctx, as))
+    return US"fail";
   }
-if (!!arc_ams_verify(ctx, as))
-  return US"fail";
-
 return NULL;
 }
 
@@ -1239,7 +1238,7 @@ else
 if (  (errstr = exim_dkim_signing_init(privkey, &sctx))
    || (errstr = exim_dkim_sign(&sctx, hm, &hhash, sig)))
   {
-  log_write(0, LOG_MAIN|LOG_PANIC, "ARC: %s signing: %s\n", why, errstr);
+  log_write(0, LOG_MAIN, "ARC: %s signing: %s\n", why, errstr);
   return FALSE;
   }
 return TRUE;
@@ -1550,12 +1549,12 @@ selector = string_nextinlist(&signspec, &sep, NULL, 0);
 if (  !*identity | !*selector
    || !(privkey = string_nextinlist(&signspec, &sep, NULL, 0)) || !*privkey)
   {
-  log_write(0, LOG_MAIN|LOG_PANIC, "ARC: bad signing-specification (%s)",
+  log_write(0, LOG_MAIN, "ARC: bad signing-specification (%s)",
     !*identity ? "identity" : !*selector ? "selector" : "private-key");
-  return NULL;
+  return sigheaders ? sigheaders : string_get(0);
   }
 if (*privkey == '/' && !(privkey = expand_file_big_buffer(privkey)))
-  return NULL;
+  return sigheaders ? sigheaders : string_get(0);
 
 DEBUG(D_transport) debug_printf("ARC: sign for %s\n", identity);
 
@@ -1566,25 +1565,24 @@ string_from_gstring(sigheaders);
 if ((rheaders = arc_sign_scan_headers(&arc_sign_ctx, sigheaders)))
   {
   hdr_rlist ** rp;
-  for (rp = &rheaders; *rp; ) rp = &(*rp)->prev;
-  *rp = headers_rlist;
-  headers_rlist = rheaders;
+  for (rp = &headers_rlist; *rp; ) rp = &(*rp)->prev;
+  *rp = rheaders;
   }
-else
-  rheaders = headers_rlist;
 
 /* Finally, build a normal-order headers list */
 /*XXX only needed for hunt-the-AR? */
+/*XXX also, we really should be accepting any number of ADMD-matching ARs */
   {
   header_line * hnext = NULL;
-  for (; rheaders; hnext = rheaders->h, rheaders = rheaders->prev)
+  for (rheaders = headers_rlist; rheaders;
+       hnext = rheaders->h, rheaders = rheaders->prev)
     rheaders->h->next = hnext;
   headers = hnext;
   }
 
 if (!(arc_sign_find_ar(headers, identity, &ar)))
   {
-  log_write(0, LOG_MAIN|LOG_PANIC, "ARC: no Authentication-Results header for signing");
+  log_write(0, LOG_MAIN, "ARC: no Authentication-Results header for signing");
   return sigheaders ? sigheaders : string_get(0);
   }