Fix invalid ARC-Seal when email contains existing sets

abeverley · abeverley · commit 2093e7a80c0b · 2024-02-03T10:03:29.000Z
This fixes a bug whereby existing sets were not being included in a
signature and thus the signature was invalid.

This was only happening when Mode was undefined (default value) or only
signing. This meant that the code to verify existing sets was never
executed.

This commit removes the check for running the previous-set verification
function, to ensure that it is run regardless (if there are no previous
sets then arc_canon_runheaders_seal() is basically a no-op anyway.
diff --git a/libopenarc/arc.c b/libopenarc/arc.c
@@ -2912,8 +2912,8 @@ arc_eoh(ARC_MESSAGE *msg)
 		return ARC_STAT_SYNTAX;
 	}
 
-	if ((msg->arc_mode & ARC_MODE_VERIFY) != 0 &&
-	    msg->arc_cstate != ARC_CHAIN_FAIL)
+	/* need to verify previous sets even if running in sign mode */
+	if (msg->arc_cstate != ARC_CHAIN_FAIL)
 	{
 		status = arc_canon_runheaders_seal(msg);
 		if (status != ARC_STAT_OK)

Original file line number	Diff line number	Diff line change
`@@ -2912,8 +2912,8 @@ arc_eoh(ARC_MESSAGE *msg)`
`2912`	`2912`	`return ARC_STAT_SYNTAX;`
`2913`	`2913`	`}`
`2914`	`2914`
`2915`		`- if ((msg->arc_mode & ARC_MODE_VERIFY) != 0 &&`
`2916`		`- msg->arc_cstate != ARC_CHAIN_FAIL)`
	`2915`	`+ /* need to verify previous sets even if running in sign mode */`
	`2916`	`+ if (msg->arc_cstate != ARC_CHAIN_FAIL)`
`2917`	`2917`	`{`
`2918`	`2918`	`status = arc_canon_runheaders_seal(msg);`
`2919`	`2919`	`if (status != ARC_STAT_OK)`