Regression: X509_sign, etc., no longer implicitly refresh the cached TBSCertificate #19388

@davidben

#18879 regressed i2d_re_X509_REQ_tbs by setting the modified bit after, rather than before, serializing the TBS structure, which was fixed in #19299. It looks like that wasn't the only such regression. It did the same to X509_sign and friends.

The changes in that PR to x_all.c should be reverted. The aim with setting the modified bit in X509_sign is not to mark that something changed, but to refresh the cached TBS structure before signing it. (OpenSSL's X509 API returns too many mutable pointers to properly manage that dirty bit automatically, alas.)

(Marking the TBS structure dirty after adding a signature doesn't make sense because the signature isn't in the TBS structure.)

The practical implications here are that code which starts with an existing, parsed X509 object as template (so the cache is filled), then modifies it and re-signs it, will break in OpenSSL 1.1.1r and 3.0.6. Likewise with the other crypto/x509 types.
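
A simplified model of the ordering problem described above, added here as an illustration; it is not OpenSSL source and not code from the issue. `toy_cert`, `toy_sign`, `sign_refresh_first`, `sign_mark_after` and `resign_ok` are hypothetical names, and an FNV-1a hash stands in for a real signature.

```c
/* Simplified model, not OpenSSL source: a cert whose to-be-signed (TBS) part
 * has a cached encoding guarded by a "modified" (dirty) bit. */
#include <stdio.h>
#include <string.h>

typedef struct {
    char subject[32]; /* the only TBS field in this model */
    char cache[32];   /* cached TBS encoding, filled at parse time */
    int modified;     /* 1 = cache is stale, re-encode on next use */
    unsigned sig;     /* toy signature over the TBS encoding */
} toy_cert;

/* Toy stand-in for a signature: FNV-1a hash, NOT cryptography. */
static unsigned toy_sign(const char *tbs) {
    unsigned h = 2166136261u;
    for (; *tbs; tbs++) h = (h ^ (unsigned char)*tbs) * 16777619u;
    return h;
}
/* Return the TBS encoding, re-encoding only when the dirty bit is set. */
static const char *encode_tbs(toy_cert *c) {
    if (c->modified) { strcpy(c->cache, c->subject); c->modified = 0; }
    return c->cache;
}
/* Intended order: mark dirty first, so the signature covers current fields. */
static void sign_refresh_first(toy_cert *c) {
    c->modified = 1;
    c->sig = toy_sign(encode_tbs(c));
}
/* Regressed order: signs the stale cache, then marks it dirty. */
static void sign_mark_after(toy_cert *c) {
    c->sig = toy_sign(encode_tbs(c));
    c->modified = 1;
}
/* Parse a template (cache filled), edit a field, re-sign, then verify the
 * signature against the bytes that would actually be serialized. */
int resign_ok(int regressed) {
    toy_cert c = { "CN=template", "CN=template", 0, 0 };
    strcpy(c.subject, "CN=leaf"); /* caller edit; dirty bit NOT set */
    if (regressed) sign_mark_after(&c); else sign_refresh_first(&c);
    return c.sig == toy_sign(encode_tbs(&c));
}

int main(void) {
    printf("refresh-first: %d, mark-after: %d\n", resign_ok(0), resign_ok(1));
    return 0;
}
```

In the regressed order the signature is computed over the template's cached bytes while the serialized object carries the edited field, so verification of the re-signed object fails.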

Metadata


    Labels

    - branch: 1.1.1 (Applies to OpenSSL_1_1_1-stable branch (EOL))
    - branch: 3.0 (Applies to openssl-3.0 branch)
    - branch: master (Applies to master branch)
    - severity: regression (The issue/pr is a regression from previous released version)
    - triaged: bug (The issue/pr is/fixes a bug)
