On 12/09/2012 04:33 AM, Jeffrey Walton wrote:
> Hi All,
> 
> On page 133 of the User Guide 2.0 for the OpenSSL FIPS Object Module
> v2.0, the document (book?) talks about symbol renaming. The discussion
> occurs in "Appendix I, API Entry Points by Source File," and the text
> is below.
> 
> Why does symbol renaming occur?

Short answer: to avoid symbol name conflicts for static linking.

Long answer:

The FIPS module source distro is a separate smaller tarball, but
instead of storing it in a completely distinct source tree it is created
on the fly from the larger openssl source tree. Note we wanted to remove
extraneous source from the FIPS module source distribution so as to
simplify the validation process.

The resulting FIPS module can be statically linked (and usually is, for
the "FIPS capable" shared library). But, unlike earlier modules we
wanted to preserve separate implementations of the FIPS algorithms for
non-FIPS mode, as the FIPS module code can't be changed. So the symbol
renaming is done to avoid symbol conflicts between the two different
implementations of the FIPS approved algorithms and associated code.

That way the non-FIPS implementations can continue to improve over time
(bugfixes and optimizations) while the FIPS module proper remains frozen
in time. The 2.0 module should also be compatible with the evolving
baseline OpenSSL for longer.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
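
The renaming described in the reply above can be pictured with a preprocessor macro: while the frozen copy is compiled, its function name is mapped to a prefixed one, so the frozen and the evolving copy can be linked into the same binary. This is an added example, not part of the original message and not OpenSSL code; `sum32`, `fips_sum32`, `set_fips_mode` and `active_sum32` are hypothetical names, and using a macro for the rename is an assumption made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Frozen "validated module" copy (all names here are hypothetical).
 * The rename macro is in effect while this copy is compiled, so the
 * linker sees the symbol fips_sum32 instead of sum32. Without the
 * macro the two definitions below would collide. */
#define sum32 fips_sum32
uint32_t sum32(const unsigned char *p, size_t n)
{
    uint32_t s = 0;
    for (size_t i = 0; i < n; i++)      /* byte-at-a-time reference loop */
        s += p[i];
    return s;
}
#undef sum32

/* Evolving baseline copy: same source-level name, free to be optimised. */
uint32_t sum32(const unsigned char *p, size_t n)
{
    uint32_t s = 0;
    size_t i = 0;
    for (; i + 4 <= n; i += 4)          /* unrolled: a later optimisation */
        s += (uint32_t)p[i] + p[i + 1] + p[i + 2] + p[i + 3];
    for (; i < n; i++)
        s += p[i];
    return s;
}

/* Mode switch: callers use one entry point, the flag selects the copy. */
static int fips_mode = 0;
void set_fips_mode(int on) { fips_mode = on; }

typedef uint32_t (*sum32_fn)(const unsigned char *, size_t);
sum32_fn active_sum32(void) { return fips_mode ? fips_sum32 : sum32; }

int main(void)
{
    const unsigned char msg[] = "constructed sample input";
    set_fips_mode(1);
    printf("frozen:   %u\n", (unsigned)active_sum32()(msg, sizeof msg - 1));
    set_fips_mode(0);
    printf("baseline: %u\n", (unsigned)active_sum32()(msg, sizeof msg - 1));
    return 0;
}
```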
