From c0db74cc6dfb43f51aaac66a7d82bc231bfc70c2 Mon Sep 17 00:00:00 2001
From: Andy Beverley
Date: Thu, 29 Aug 2024 17:10:41 +0100
Subject: [PATCH] Fix failed signatures with multiple transitions (#172)

Commit f6b57dc causes messages transitioning multiple times in the same Authserv-ID domain to always have an ARC result of fail. This commit allows that to happen and takes the most recent result instead.
---
 openarc/openarc.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/openarc/openarc.c b/openarc/openarc.c
index 7e191dc1..a3baf2cf 100644
--- a/openarc/openarc.c
+++ b/openarc/openarc.c
@@ -3673,14 +3673,15 @@ mlfi_eom(SMFICTX *ctx)
 arfound += 1;
 if (arfound > 1)
 {
- arc_set_cv(afc->mctx_arcmsg,
- ARC_CHAIN_FAIL);
-
+ /* Assume that AR headers are being processed by
+ * the most recent first. If a message is transitioning
+ * between multiple systems in the same authserv-id then
+ * use the most recent one and skip the rest. */
 if (conf->conf_dolog)
 {
 syslog(LOG_INFO,
- "%s: chain state forced to \"fail\" due to multiple results present",
- afc->mctx_jobid);
+ "%s: ignoring earlier authentication-results %s in same authserv-id",
+ afc->mctx_jobid, ares_getresult(ar.ares_result[n].result_result));
 }
 continue;
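Review bot: The new `arfound > 1` branch trusts whichever same-authserv-id Authentication-Results field is seen first, and the only basis for that is the comment's own "Assume"; nothing in the hunk checks the processing order or that those fields were added locally. Before this change duplicates forced `ARC_CHAIN_FAIL`, which also covered a sender-supplied field carrying the local authserv-id, so the code now depends on such fields being removed at the border as RFC 8601 asks. I would state that in the comment, e.g. `/* Safe only if inbound AR fields bearing our authserv-id are stripped upstream (RFC 8601); otherwise the first one seen is trusted. */`, and point to where the header order is guaranteed. The log line also passes `ares_getresult(...)` straight to `%s`; if that helper can return NULL for an unknown code (its definition is not visible here), guard the argument. mlfi_eom starts and ends outside the hunk.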