tls: Use SHA1 for sessionIdContext in FIPS mode

FIPS 140-2 disallows use of MD5, which is used to derive the
default sessionIdContext for tls.createServer().

PR-URL: #3755
Reviewed-By: Fedor Indutny <[email protected]>

Author: stefanmb

doc/api/tls.markdown

@@ -804,7 +804,8 @@ automatically set as a listener for the [secureConnection][] event.  The
 
   - `sessionIdContext`: A string containing an opaque identifier for session
     resumption. If `requestCert` is `true`, the default is MD5 hash value
-    generated from command-line. Otherwise, the default is not provided.
+    generated from command-line. (In FIPS mode a truncated SHA1 hash is
+    used instead.) Otherwise, the default is not provided.
 
   - `secureProtocol`: The SSL method to use, e.g. `SSLv3_method` to force
     SSL version 3. The possible values depend on your installation of

lib/_tls_wrap.js

@@ -14,6 +14,21 @@ const Timer = process.binding('timer_wrap').Timer;
 const tls_wrap = process.binding('tls_wrap');
 const TCP = process.binding('tcp_wrap').TCP;
 const Pipe = process.binding('pipe_wrap').Pipe;
+const defaultSessionIdContext = getDefaultSessionIdContext();
+
+function getDefaultSessionIdContext() {
+  var defaultText = process.argv.join(' ');
+  /* SSL_MAX_SID_CTX_LENGTH is 128 bits */
+  if (process.config.variables.openssl_fips) {
+    return crypto.createHash('sha1')
+      .update(defaultText)
+      .digest('hex').slice(0, 32);
+  } else {
+    return crypto.createHash('md5')
+      .update(defaultText)
+      .digest('hex');
+  }
+}
 
 function onhandshakestart() {
   debug('onhandshakestart');
@@ -872,9 +887,7 @@ Server.prototype.setOptions = function(options) {
   if (options.sessionIdContext) {
     this.sessionIdContext = options.sessionIdContext;
   } else {
-    this.sessionIdContext = crypto.createHash('md5')
-                                  .update(process.argv.join(' '))
-                                  .digest('hex');
+    this.sessionIdContext = defaultSessionIdContext;
   }
 };