6 files changed, 23 insertions, 8 deletions
diff --git a/Swiften/TLS/OpenSSL/OpenSSLCertificate.cpp b/Swiften/TLS/OpenSSL/OpenSSLCertificate.cpp
index 8d2d965..bb51428 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLCertificate.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLCertificate.cpp
@@ -34,12 +34,20 @@ OpenSSLCertificate::OpenSSLCertificate(const ByteArray& der) {
     if (!cert) {
         SWIFT_LOG(warning) << "Error creating certificate from DER data" << std::endl;
     }
     parse();
 }
 
+void OpenSSLCertificate::incrementReferenceCount() const {
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+    X509_up_ref(cert.get());
+#else
+    CRYPTO_add(&(cert.get()->references), 1, CRYPTO_LOCK_EVP_PKEY);
+#endif
+}
+
 ByteArray OpenSSLCertificate::toDER() const {
     ByteArray result;
     if (!cert) {
         return result;
     }
     result.resize(i2d_X509(cert.get(), nullptr));
diff --git a/Swiften/TLS/OpenSSL/OpenSSLCertificate.h b/Swiften/TLS/OpenSSL/OpenSSLCertificate.h
index 186caea..64da82a 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLCertificate.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLCertificate.h
@@ -42,12 +42,14 @@ namespace Swift {
             ByteArray toDER() const;
 
             std::shared_ptr<X509> getInternalX509() const {
                 return cert;
             }
 
+            void incrementReferenceCount() const;
+
         private:
             void parse();
 
             void addSRVName(const std::string& name) {
                 srvNames.push_back(name);
             }
diff --git a/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.cpp b/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.cpp
index 5eb626b..fd94ec8 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.cpp
@@ -17,14 +17,14 @@ OpenSSLCertificateFactory::~OpenSSLCertificateFactory() {
 }
 
 Certificate* OpenSSLCertificateFactory::createCertificateFromDER(const ByteArray& der) {
     return new OpenSSLCertificate(der);
 }
 
-std::vector<std::unique_ptr<Certificate>> OpenSSLCertificateFactory::createCertificateChain(const ByteArray& data) {
-    std::vector<std::unique_ptr<Certificate>> certificateChain;
+std::vector<std::shared_ptr<Certificate>> OpenSSLCertificateFactory::createCertificateChain(const ByteArray& data) {
+    std::vector<std::shared_ptr<Certificate>> certificateChain;
 
     if (data.size() > std::numeric_limits<int>::max()) {
         return certificateChain;
     }
 
     auto bio = std::shared_ptr<BIO>(BIO_new(BIO_s_mem()), BIO_free);
@@ -32,17 +32,17 @@ std::vector<std::unique_ptr<Certificate>> OpenSSLCertificateFactory::createCerti
 
     // Attempt parsing data as PEM
     X509* openSSLCert = nullptr;
     auto x509certFromPEM = PEM_read_bio_X509(bio.get(), &openSSLCert, nullptr, nullptr);
     if (x509certFromPEM && openSSLCert) {
         std::shared_ptr<X509> x509Cert(openSSLCert, X509_free);
-        certificateChain.emplace_back(std::make_unique<OpenSSLCertificate>(x509Cert));
+        certificateChain.emplace_back(std::make_shared<OpenSSLCertificate>(x509Cert));
         openSSLCert = nullptr;
         while ((x509certFromPEM = PEM_read_bio_X509(bio.get(), &openSSLCert, nullptr, nullptr)) != nullptr) {
             std::shared_ptr<X509> x509Cert(openSSLCert, X509_free);
-            certificateChain.emplace_back(std::make_unique<OpenSSLCertificate>(x509Cert));
+            certificateChain.emplace_back(std::make_shared<OpenSSLCertificate>(x509Cert));
             openSSLCert = nullptr;
         }
     }
 
     return certificateChain;
 }
diff --git a/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.h b/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.h
index 48e9b2c..a6974c8 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLCertificateFactory.h
@@ -13,9 +13,9 @@ namespace Swift {
     class OpenSSLCertificateFactory : public CertificateFactory {
         public:
             OpenSSLCertificateFactory();
             virtual ~OpenSSLCertificateFactory() override final;
 
             virtual Certificate* createCertificateFromDER(const ByteArray& der) override final;
-            virtual std::vector<std::unique_ptr<Certificate>> createCertificateChain(const ByteArray& data) override final;
+            virtual std::vector<std::shared_ptr<Certificate>> createCertificateChain(const ByteArray& data) override final;
     };
 }
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
index 5c80976..32d6470 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.cpp
@@ -564,13 +564,13 @@ void OpenSSLContext::sendPendingDataToApplication() {
     if (ret < 0 && SSL_get_error(handle_.get(), ret) != SSL_ERROR_WANT_READ) {
         state_ = State::Error;
         onError(std::make_shared<TLSError>(TLSError::UnknownError, openSSLInternalErrorToString()));
     }
 }
 
-bool OpenSSLContext::setCertificateChain(std::vector<std::unique_ptr<Certificate>>&& certificateChain) {
+bool OpenSSLContext::setCertificateChain(const std::vector<std::shared_ptr<Certificate>>& certificateChain) {
     if (certificateChain.size() == 0) {
         SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl;
         return false;
     }
 
     // load endpoint certificate
@@ -580,23 +580,28 @@ bool OpenSSLContext::setCertificateChain(std::vector<std::unique_ptr<Certificate
     }
 
     if (SSL_CTX_use_certificate(context_.get(), openSSLCert->getInternalX509().get()) != 1) {
         return false;
     }
 
+    // Increment reference count on certificate so that it does not get freed when the SSL context is destroyed
+    openSSLCert->incrementReferenceCount();
+
     if (certificateChain.size() > 1) {
         for (auto certificate = certificateChain.begin() + 1; certificate != certificateChain.end(); ++certificate) {
             auto openSSLCert = dynamic_cast<OpenSSLCertificate*>(certificate->get());
             if (!openSSLCert) {
                 return false;
             }
+
             if (SSL_CTX_add_extra_chain_cert(context_.get(), openSSLCert->getInternalX509().get()) != 1) {
                 SWIFT_LOG(warning) << "Trying to load empty certificate chain." << std::endl;
                 return false;
             }
-            certificate->release();
+
+            openSSLCert->incrementReferenceCount();
         }
     }
 
     if (handle_) {
         // This workaround is needed as OpenSSL has a shortcut to not do anything
         // if you set the SSL_CTX to the existing SSL_CTX and not reloading the
diff --git a/Swiften/TLS/OpenSSL/OpenSSLContext.h b/Swiften/TLS/OpenSSL/OpenSSLContext.h
index 885b1fe..8eb5758 100644
--- a/Swiften/TLS/OpenSSL/OpenSSLContext.h
+++ b/Swiften/TLS/OpenSSL/OpenSSLContext.h
@@ -43,13 +43,13 @@ namespace Swift {
             virtual ~OpenSSLContext() override final;
 
             void accept() override final;
             void connect() override final;
             void connect(const std::string& requestHostname) override final;
 
-            bool setCertificateChain(std::vector<std::unique_ptr<Certificate>>&& certificateChain) override final;
+            bool setCertificateChain(const std::vector<std::shared_ptr<Certificate>>& certificateChain) override final;
             bool setPrivateKey(const PrivateKey::ref& privateKey) override final;
             bool setClientCertificate(CertificateWithKey::ref cert) override final;
             void setAbortTLSHandshake(bool abort) override final;
             bool setDiffieHellmanParameters(const ByteArray& parametersInOpenSslDer) override final;
 
             void handleDataFromNetwork(const SafeByteArray&) override final;