Use additional OpensslCredentials_t parameter for hostname checking.

This will allow demos to disable hostname checking, allowing them to be used
with Greengrass or other endpoints that do not have the hostname in their
certificate subject.

Author: archigup

demos/defender/defender_demo_json/mqtt_operations.c

@@ -370,6 +370,7 @@ static bool connectToBrokerWithBackoffRetries( NetworkContext_t * pNetworkContex
     opensslCredentials.pClientCertPath = CLIENT_CERT_PATH;
     opensslCredentials.pPrivateKeyPath = CLIENT_PRIVATE_KEY_PATH;
     opensslCredentials.sniHostName = AWS_IOT_ENDPOINT;
+    opensslCredentials.certHostName = AWS_IOT_ENDPOINT;
 
     if( AWS_MQTT_PORT == 443 )
     {

demos/http/http_demo_basic_tls/http_demo_basic_tls.c

@@ -234,6 +234,7 @@ static int32_t connectToServer( NetworkContext_t * pNetworkContext )
     ( void ) memset( &opensslCredentials, 0, sizeof( opensslCredentials ) );
     opensslCredentials.pRootCaPath = ROOT_CA_CERT_PATH;
     opensslCredentials.sniHostName = SERVER_HOST;
+    opensslCredentials.certHostName = SERVER_HOST;
 
     /* Initialize server information. */
     serverInfo.pHostName = SERVER_HOST;

demos/http/http_demo_mutual_auth/http_demo_mutual_auth.c

@@ -181,6 +181,7 @@ static int32_t connectToServer( NetworkContext_t * pNetworkContext )
     opensslCredentials.pPrivateKeyPath = CLIENT_PRIVATE_KEY_PATH;
     opensslCredentials.pRootCaPath = ROOT_CA_CERT_PATH;
     opensslCredentials.sniHostName = AWS_IOT_ENDPOINT;
+    opensslCredentials.certHostName = AWS_IOT_ENDPOINT;
 
     /* ALPN is required when communicating to AWS IoT Core over port 443 through HTTP. */
     if( AWS_HTTPS_PORT == 443 )

demos/http/http_demo_s3_download/http_demo_s3_download.c

@@ -891,6 +891,7 @@ static int32_t connectToIotServer( NetworkContext_t * pNetworkContext )
         /* Initialize TLS credentials. */
         opensslCredentials.pRootCaPath = ROOT_CA_CERT_PATH;
         opensslCredentials.sniHostName = serverHost;
+        opensslCredentials.certHostName = serverHost;
         opensslCredentials.pClientCertPath = CLIENT_CERT_PATH;
         opensslCredentials.pPrivateKeyPath = CLIENT_PRIVATE_KEY_PATH;
 
@@ -944,6 +945,7 @@ static int32_t connectToS3Server( NetworkContext_t * pNetworkContext )
         /* Initialize TLS credentials. */
         opensslCredentials.pRootCaPath = ROOT_CA_CERT_PATH;
         opensslCredentials.sniHostName = serverHost;
+        opensslCredentials.certHostName = serverHost;
 
         /* Initialize server information. */
         serverInfo.pHostName = serverHost;

demos/http/http_demo_s3_download_multithreaded/http_demo_s3_download_multithreaded.c

@@ -340,6 +340,7 @@ static int connectToServer( NetworkContext_t * pNetworkContext )
     /* Initialize TLS credentials. */
     opensslCredentials.pRootCaPath = ROOT_CA_CERT_PATH;
     opensslCredentials.sniHostName = serverHost;
+    opensslCredentials.certHostName = serverHost;
 
     /* serverHost should consist only of the host address located in S3_PRESIGNED_GET_URL. */
     memcpy( serverHost, pHost, hostLen );

demos/http/http_demo_s3_upload/http_demo_s3_upload.c

@@ -285,6 +285,7 @@ static int32_t connectToServer( NetworkContext_t * pNetworkContext )
         /* Initialize TLS credentials. */
         opensslCredentials.pRootCaPath = ROOT_CA_CERT_PATH;
         opensslCredentials.sniHostName = serverHost;
+        opensslCredentials.certHostName = serverHost;
 
         /* Initialize server information. */
         serverInfo.pHostName = serverHost;

demos/mqtt/mqtt_demo_basic_tls/mqtt_demo_basic_tls.c

@@ -480,6 +480,7 @@ static int connectToServerWithBackoffRetries( NetworkContext_t * pNetworkContext
     memset( &opensslCredentials, 0, sizeof( OpensslCredentials_t ) );
     opensslCredentials.pRootCaPath = ROOT_CA_CERT_PATH;
     opensslCredentials.sniHostName = BROKER_ENDPOINT;
+    opensslCredentials.certHostName = BROKER_ENDPOINT;
 
     /* Initialize reconnect attempts and interval */
     BackoffAlgorithm_InitializeParams( &reconnectParams,

demos/mqtt/mqtt_demo_mutual_auth/mqtt_demo_mutual_auth.c

@@ -603,6 +603,9 @@ static int connectToServerWithBackoffRetries( NetworkContext_t * pNetworkContext
      * https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html */
     opensslCredentials.sniHostName = AWS_IOT_ENDPOINT;
 
+    /* Check that the server certificate matches the hostname */
+    opensslCredentials.certHostName = AWS_IOT_ENDPOINT;
+
     if( AWS_MQTT_PORT == 443 )
     {
         /* Pass the ALPN protocol name depending on the port being used.

demos/mqtt/mqtt_demo_subscription_manager/mqtt_demo_subscription_manager.c

@@ -542,6 +542,7 @@ static int connectToServerWithBackoffRetries( NetworkContext_t * pNetworkContext
     memset( &opensslCredentials, 0, sizeof( OpensslCredentials_t ) );
     opensslCredentials.pRootCaPath = ROOT_CA_CERT_PATH;
     opensslCredentials.sniHostName = BROKER_ENDPOINT;
+    opensslCredentials.certHostName = BROKER_ENDPOINT;
 
     /* Seed pseudo random number generator used in the demo for
      * backoff period calculation when retrying failed network operations

demos/ota/ota_demo_core_http/ota_demo_core_http.c

@@ -1076,6 +1076,9 @@ static int connectToServerWithBackoffRetries( NetworkContext_t * pNetworkContext
      * https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html */
     opensslCredentials.sniHostName = AWS_IOT_ENDPOINT;
 
+    /* Check that the server certificate matches the hostname */
+    opensslCredentials.certHostName = AWS_IOT_ENDPOINT;
+
     if( AWS_MQTT_PORT == 443 )
     {
         /* Pass the ALPN protocol name depending on the port being used.
@@ -1371,6 +1374,7 @@ static int32_t connectToS3Server( NetworkContext_t * pNetworkContext,
         serverInfo.pHostName = serverHost;
         serverInfo.hostNameLength = serverHostLength;
         serverInfo.port = AWS_HTTPS_PORT;
+        opensslCredentials.certHostName = serverHost;
 
         /* Establish a TLS session with the HTTP server. This example connects
          * to the HTTP server as specified in SERVER_HOST and HTTPS_PORT in