From 5b3831598d086f199b8e94176aa11f69bb53d1c3 Mon Sep 17 00:00:00 2001
From: job <>
Date: Tue, 25 Apr 2023 10:18:39 +0000
Subject: Invalidate the DER cache earlier on in X509 setter functions

Note that it is important to invalidate the cache before returning, as the return might bubble up an error.

OK tb@ jsing@
---
 src/lib/libcrypto/x509/x509_set.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/lib/libcrypto/x509/x509_set.c b/src/lib/libcrypto/x509/x509_set.c
index 19e0f2b55f..cd12c9ec2f 100644
--- a/src/lib/libcrypto/x509/x509_set.c
+++ b/src/lib/libcrypto/x509/x509_set.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_set.c,v 1.24 2023/02/23 18:12:32 job Exp $ */
+/* $OpenBSD: x509_set.c,v 1.25 2023/04/25 10:18:39 job Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -88,6 +88,7 @@ X509_set_version(X509 *x, long version)
 if ((x->cert_info->version = ASN1_INTEGER_new()) == NULL)
 return (0);
 }
+ x->cert_info->enc.modified = 1;
 return (ASN1_INTEGER_set(x->cert_info->version, version));
 }
 LCRYPTO_ALIAS(X509_set_version);
@@ -110,6 +111,7 @@ X509_set_serialNumber(X509 *x, ASN1_INTEGER *serial)
 if (in != serial) {
 in = ASN1_INTEGER_dup(serial);
 if (in != NULL) {
+ x->cert_info->enc.modified = 1;
 ASN1_INTEGER_free(x->cert_info->serialNumber);
 x->cert_info->serialNumber = in;
 }
@@ -123,6 +125,7 @@ X509_set_issuer_name(X509 *x, X509_NAME *name)
 {
 if ((x == NULL) || (x->cert_info == NULL))
 return (0);
+ x->cert_info->enc.modified = 1;
 return (X509_NAME_set(&x->cert_info->issuer, name));
 }
 LCRYPTO_ALIAS(X509_set_issuer_name);
@@ -132,6 +135,7 @@ X509_set_subject_name(X509 *x, X509_NAME *name)
 {
 if (x == NULL || x->cert_info == NULL)
 return (0);
+ x->cert_info->enc.modified = 1;
 return (X509_NAME_set(&x->cert_info->subject, name));
 }
 LCRYPTO_ALIAS(X509_set_subject_name);
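Review bot: The added `x->cert_info->enc.modified = 1;` in the X509_set_version hunk carries no comment, so the ordering requirement stated in the commit message (invalidate before a call whose error is returned) lives only in the log. A one-line comment above it, e.g. `/* Invalidate the cached DER before the call below, which may return an error. */`, would keep a later cleanup from moving the assignment back below the setter call. The same comment fits the identical added lines in the X509_set_issuer_name, X509_set_subject_name and X509_set_pubkey hunks. X509_set_version starts outside the hunk.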
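Review bot: In the X509_set_serialNumber hunk the new `x->cert_info->enc.modified = 1;` sits inside both `if (in != serial)` and `if (in != NULL)`, so a call that passes the certificate's own serial pointer back never invalidates the cached DER. If a caller had edited that ASN1_INTEGER in place beforehand (an assumption, no caller is shown here), the cached encoding would still be treated as current and could be emitted with the old serial. Setting the flag before `if (in != serial) {` would match the unconditional placement in X509_set_issuer_name, X509_set_subject_name and X509_set_pubkey. The same nesting appears in the X509_set_notBefore and X509_set_notAfter hunks under `if (in != tm)`. All three functions begin and end outside their hunks.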
@@ -163,6 +167,7 @@ X509_set_notBefore(X509 *x, const ASN1_TIME *tm)
 if (in != tm) {
 in = ASN1_STRING_dup(tm);
 if (in != NULL) {
+ x->cert_info->enc.modified = 1;
 ASN1_TIME_free(x->cert_info->validity->notBefore);
 x->cert_info->validity->notBefore = in;
 }
@@ -205,6 +210,7 @@ X509_set_notAfter(X509 *x, const ASN1_TIME *tm)
 if (in != tm) {
 in = ASN1_STRING_dup(tm);
 if (in != NULL) {
+ x->cert_info->enc.modified = 1;
 ASN1_TIME_free(x->cert_info->validity->notAfter);
 x->cert_info->validity->notAfter = in;
 }
@@ -225,6 +231,7 @@ X509_set_pubkey(X509 *x, EVP_PKEY *pkey)
 {
 if ((x == NULL) || (x->cert_info == NULL))
 return (0);
+ x->cert_info->enc.modified = 1;
 return (X509_PUBKEY_set(&(x->cert_info->key), pkey));
 }
 LCRYPTO_ALIAS(X509_set_pubkey);
-- 
cgit v1.2.3-55-g6feb