<refentry id="setkey">

<refmeta>
<refentrytitle>setkey</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>iputils-&snapshot;</refmiscinfo>
</refmeta>

<refnamediv>
<refname>setkey</refname>
<refpurpose>manually manipulate the IPsec SA/SP database</refpurpose>
</refnamediv>

<refsynopsisdiv>
<cmdsynopsis>
<command>setkey</command>
<arg choice="opt"><option>-dv</option></arg>
<arg choice="req"><option/-c/</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>setkey</command>
<arg choice="opt"><option>-dv</option></arg>
<arg choice="req"><option/-f/</arg>
<arg choice="req"><replaceable/filename/</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>setkey</command>
<arg choice="opt"><option>-adPlv</option></arg>
<arg choice="req"><option/-D/</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>setkey</command>
<arg choice="opt"><option>-dPv</option></arg>
<arg choice="req"><option/-F/</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>setkey</command>
<arg choice="opt"><option>-h</option></arg>
<arg choice="req"><option/-x/</arg>
</cmdsynopsis>
</refsynopsisdiv>

<refsect1><title>DESCRIPTION</title>
<para>
<command/setkey/ adds, updates, dumps, or flushes
Security Association Database (SAD) entries
as well as Security Policy Database (SPD) entries in the kernel.
</para>

<para>
<command/setkey/ takes a series of operations from the standard input
(if invoked with <option/-c/) or the file named <replaceable/filename/
(if invoked with <option/-f/ <replaceable/filename/).
</para>

<para>
<variablelist>
 <varlistentry>
  <term><option/-D/</term>
  <listitem><para>
Dump the SAD entries. If used with <option/-P/, the SPD entries are dumped.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term><option/-F/</term>
  <listitem><para>
Flush the SAD entries. If used with <option/-P/, the SPD entries are flushed.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term><option/-a/</term>
  <listitem><para>
<command/setkey/ usually does not display dead SAD entries with
<option/-D/. With <option/-a/, the dead SAD entries are displayed
as well. A dead SAD entry is one that has expired but remains
because it is referenced by SPD entries.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term><option/-d/</term>
  <listitem><para>
Print debugging messages for the command parser, without talking
to the kernel. It is not usually used.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term><option/-x/</term>
  <listitem><para>
Loop forever and dump all the messages transmitted to the
<constant/PF_KEY/ socket. <option/-xx/ makes each timestamp unformatted.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term><option/-h/</term>
  <listitem><para>
Add a hexadecimal dump in <option/-x/ mode.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term><option/-l/</term>
  <listitem><para>
Loop forever with short output on <option/-D/.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term><option/-v/</term>
  <listitem><para>
Be verbose. The program will dump messages exchanged on the
<constant/PF_KEY/ socket, including messages sent from other processes
to the kernel.
  </para></listitem>
 </varlistentry>
</variablelist>
</para>

<para>
Operations have the following grammar. Note that lines starting with
hashmarks ('#') are treated as comment lines.
</para>

<para>
<variablelist>
 <varlistentry>
  <term>
   <option/add/
   <replaceable/src/
   <replaceable/dst/
   <replaceable/protocol/
   <replaceable/spi/
   <replaceable/extensions/
   <replaceable/algorithm.../
   ;
  </term>
  <listitem><para>
Add an SAD entry.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <option/get/
   <replaceable/src/
   <replaceable/dst/
   <replaceable/protocol/
   <replaceable/spi/
   ;
  </term>
  <listitem><para>
Show an SAD entry.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <option/delete/
   <replaceable/src/
   <replaceable/dst/
   <replaceable/protocol/
   <replaceable/spi/
   ;
  </term>
  <listitem><para>
Remove an SAD entry.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <option/deleteall/
   <replaceable/src/
   <replaceable/dst/
   <replaceable/protocol/
   ;
  </term>
  <listitem><para>
Remove all SAD entries that match the specification.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <option/flush/
   <replaceable/protocol/
   ;
  </term>
  <listitem><para>
Clear all SAD entries matched by the options.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <option/dump/
   <replaceable/protocol/
   ;
  </term>
  <listitem><para>
Dump all SAD entries matched by the options.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <option/spdadd/
   <replaceable/src_range/
   <replaceable/dst_range/
   <replaceable/upperspec/
   <replaceable/policy/
   ;
  </term>
  <listitem><para>
Add an SPD entry.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <option/spddelete/
   <replaceable/src_range/
   <replaceable/dst_range/
   <replaceable/upperspec/
   <option/-P/ <replaceable/direction/
   ;
  </term>
  <listitem><para>
Delete an SPD entry.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <option/spdflush/
   ;
  </term>
  <listitem><para>
Clear all SPD entries.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <option/spddump/
   ;
  </term>
  <listitem><para>
Dump all SPD entries.
  </para></listitem>
 </varlistentry>
</variablelist>
</para>

<para>
Meta-arguments are as follows:
</para>

<para>
<variablelist>
 <varlistentry>
  <term>
   <replaceable/src/,
   <replaceable/dst/
  </term>
  <listitem><para>
The source/destination of the secure communication is specified as an
IPv4/v6 address. <command/setkey/ does not perform hostname-to-address
resolution for the arguments <replaceable/src/ and <replaceable/dst/.
They must be in numeric form.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <replaceable/protocol/
  </term>
  <listitem><para>
<replaceable/protocol/ is one of the following:
  <variablelist>
   <varlistentry>
    <term><constant/esp/</term>
    <listitem><para>
ESP based on rfc2405
    </para></listitem>
   </varlistentry>
   <varlistentry>
    <term><constant/ah/</term>
    <listitem><para>
AH based on rfc2402
    </para></listitem>
   </varlistentry>
<![IGNORE[
   <varlistentry>
    <term><constant/ipcomp/</term>
    <listitem><para>
IPCOMP
    </para></listitem>
   </varlistentry>
   <varlistentry>
    <term><constant/esp-old/</term>
    <listitem><para>
ESP based on rfc1827
    </para></listitem>
   </varlistentry>
   <varlistentry>
    <term><constant/ah-old/</term>
    <listitem><para>
ESP based on rfc1826
    </para></listitem>
   </varlistentry>
]]>
  </variablelist>
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <replaceable/spi/
  </term>
  <listitem><para>
Security Parameter Index (SPI) for the SAD and the SPD.
It must be a decimal number or a hexadecimal number
(with a <literal/0x/ prefix).
You cannot use the set of SPI values in the range 0 through 255.
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <replaceable/extensions/
  </term>
  <listitem><para>
takes some of the following:
  <variablelist>
   <varlistentry>
    <term><option/-m/ <replaceable/mode/</term>
    <listitem><para>
Specify a security protocol mode for use. <replaceable/mode/
is one of the following: <option/transport/ or <option/tunnel/.
The default value is <option/transport/.
    </para><para>
NOTE: this differs from KAME. Our implementation does not allow
a single SA to be used for both transport and tunnel mode via the IPsec
interface. Tunneled frames can still be encapsulated in a transport
mode SA, provided you use tunnel devices and apply transport mode
IPsec to the IPIP protocol.
    </para></listitem>
   </varlistentry>
   <varlistentry>
    <term><option/-r/ <replaceable/size/</term>
    <listitem><para>
Specify the window size in bytes for replay prevention.
<replaceable/size/ must be a decimal number in the range 0 ... 32.
If <replaceable/size/ is zero, the replay check doesn't take place.
If <replaceable/size/ is not specified, the replay window is 32 for
AH and authenticated ESP, and disabled for unauthenticated ESP.
    </para><para>
NOTE: this differs from KAME. The default value must above all be reasonable.
    </para></listitem>
   </varlistentry>
<![IGNORE[
   <varlistentry>
    <term><option/-u/ <replaceable/id/</term>
    <listitem><para>
Specify the identifier of the policy entry in SPD.
See <replaceable/policy/.
    </para></listitem>
   </varlistentry>
   <varlistentry>
    <term><option/-f/ <replaceable/pad_option/</term>
    <listitem><para>
defines the content of the ESP padding.
.Ar pad_option
is one of following:
.Bl -tag -width random-pad -compact
.It Li zero-pad
All of the padding are zero.
.It Li random-pad
A series of randomized values are set.
.It Li seq-pad
A series of sequential increasing numbers started from 1 are set.
    </para></listitem>
   </varlistentry>
   <varlistentry>
    <term><option/-f/ <option/nocyclic-seq/</term>
    <listitem><para>
Don't allow cyclic sequence number.
    </para></listitem>
   </varlistentry>
]]>
   <varlistentry>
    <term><option/-lh/ <replaceable/time/,
     <option/-ls/ <replaceable/time/
    </term>
    <listitem><para>
Specify hard/soft life time duration of the SA.
    </para></listitem>
   </varlistentry>
  </variablelist>
  </para></listitem>
 </varlistentry>
 <varlistentry>
  <term>
   <replaceable/algorithm/
  </term>
  <listitem><para>
  <variablelist>
   <varlistentry>
    <term>
     <option/-E/ <replaceable/ealgo/ <replaceable/key/
    </term>
    <listitem><para>
Specify an encryption algorithm.
    </para></listitem>
   </varlistentry>
   <varlistentry>
    <term>
     <option/-A/ <replaceable/aalgo/ <replaceable/key/
    </term>
    <listitem><para>
Specify an authentication algorithm.
If <option/-A/ is used with <replaceable/protocol/ <literal/esp/,
it will be treated as ESP payload authentication algorithm.
    </para></listitem>
   </varlistentry>

<![IGNORE[
   <varlistentry>
    <term>
     <option/-C/ <replaceable/calgo/ <option/-R/
    </term>
    <listitem><para>
Specify compression algorithm.
If
<option/-R/
is not specified with
.Li ipcomp
line, the kernel will use well-known IPComp CPI
(compression parameter index)
on IPComp CPI field on packets, and
.Ar spi
field will be ignored.
.Ar spi
field is only for kernel internal use in this case.
.\"Therefore, compression protocol number will appear on IPComp CPI field.
If
<option/-R/
is used,
the value on
.Ar spi
field will appear on IPComp CPI field on outgoing packets.
.Ar spi
field needs to be smaller than
.Li 0x10000
in this case.
    </para></listitem>
   </varlistentry>
]]>

  </variablelist>

<replaceable/protocol/ <literal/esp/ accepts <option/-E/ and <option/-A/.
<![IGNORE[
<replaceable/protocol/ <literal/esp-old/ accepts <option/-E/ only.
]]>
<replaceable/protocol/ <literal/ah/
<![IGNORE[
<literal/ah-old/
]]>
accepts <option/-A/ only.
<![IGNORE[
<replaceable/protocol/ <literal/ipcomp/ accepts <option/-C/ only.
]]>
</para>

<para>
<replaceable/key/ must be a double-quoted character string or a series
of hexadecimal digits.
</para>

<para>
Possible values for
<replaceable/ealgo/ and <replaceable/aalgo/
<![IGNORE[
<replaceable/calgo/
]]>
are specified in a separate section.
  </para></listitem>
 </varlistentry>

 <varlistentry>
  <term>
   <replaceable/src_range/, <replaceable/dst_range/
  </term>
  <listitem><para>
These are selections of the secure communication, specified as an
IPv4/v6 address or an IPv4/v6 address range, optionally accompanied by a
TCP/UDP port specification. This takes the following form:
  <itemizedlist>
   <listitem><para><replaceable>
    address
   </replaceable></para></listitem>
   <listitem><para><replaceable>
    address/prefixlen
   </replaceable></para></listitem>
   <listitem><para><replaceable>
    address[port]
   </replaceable></para></listitem>
   <listitem><para><replaceable>
    address/prefixlen[port]
   </replaceable></para></listitem>
  </itemizedlist>
</para>
<para>
<replaceable/prefixlen/ and <replaceable/port/ must be decimal numbers.
The square brackets around <replaceable/port/ are really necessary.
They are not manpage metacharacters.
<command/setkey/ does not perform hostname-to-address resolution for the
arguments <replaceable/src/ and <replaceable/dst/. They must be in numeric form.

  </para></listitem>
 </varlistentry>

 <varlistentry>
  <term>
   <replaceable/upperspec/
  </term>
  <listitem><para>
Upper-layer protocol to be used. You can use one of the words in
<literal>/etc/protocols</literal> as <replaceable/upperspec/.
Alternatively, <literal/icmp6/, <literal/ip4/, or <literal/any/
can be specified. <literal/any/ stands for any protocol.
You can also use the protocol number.
</para>
<para>
NOTE: <literal/upperspec/ is not advised for the forwarding case
at this moment, as it requires extra reassembly at the forwarding node
(not implemented at this moment). There are many protocols in
<literal>/etc/protocols</literal>, but protocols other than TCP, UDP and
ICMP may not be suitable for use with IPsec. Use them with
care.
  </para></listitem>
 </varlistentry>

 <varlistentry>
  <term>
   <replaceable/policy/
  </term>
  <listitem><para>
<replaceable/policy/ is one of the following:
  <itemizedlist>
   <listitem><para>
<option/-P/ <replaceable/direction/ <literal/discard/
   </para></listitem>
   <listitem><para>
<option/-P/ <replaceable/direction/ <literal/none/
   </para></listitem>
   <listitem><para>
<option/-P/ <replaceable/direction/ <literal/ipsec/
 <replaceable>protocol/mode/src-dst/level</replaceable>
   </para></listitem>
  </itemizedlist>
</para><para>
You must specify the direction of the policy as <replaceable/direction/.
One of <literal/out/, <literal/in/ or <literal/fwd/
is used.
</para><para>
<literal/discard/ means the packet matching indexes will be discarded.
<literal/none/ means that no IPsec operation will take place on the packet.
<literal/ipsec/ means that an IPsec operation will take place on the packet.
Either <literal/ah/ or <literal/esp/
<![IGNORE[ or <literal/ipcomp/ ]]>
is to be set as <replaceable/protocol/.
</para><para>
<replaceable/mode/ is either <literal/transport/ or <literal/tunnel/.
If <replaceable/mode/ is <literal/tunnel/, you must specify the end-point
addresses of the SA as <replaceable/src/ and <replaceable/dst/
with <literal/-/ between these addresses, which is used to specify
the SA to use. If <replaceable/mode/ is <literal/transport/, both
<replaceable/src/ and <replaceable/dst/ can be omitted.
</para><para>
<replaceable/level/ is to be one of the following:
<![IGNORE[
<literal/default/, <literal/use/, <literal/require/ or <literal/unique/.
]]>
<literal/use/ or <literal/require/.
At every level, if the SA is not available the kernel will request
an SA from the key exchange daemon.
<![IGNORE[
<literal/default/ means the kernel consults to the system wide default
against protocol you specified, e.g.\&
.Li esp_trans_deflev
sysctl variable, when the kernel processes the packet.
]]>
<literal/use/ means that the kernel uses an SA if it's available,
otherwise the kernel keeps normal operation.
<literal/require/ means an SA is required whenever the kernel sends
a packet matched with the policy.
<![IGNORE[
.Li unique
is the same to require.
In addition, it allows the policy to bind with the unique out-bound SA.
If you use the SA by manual keying,
you can put the decimal number as the policy identifier after
.Li unique
separated by colon
.Sq \:
like the following;
.Li unique:number .
.Li number
must be between 1 and 32767.
It corresponds to
.Ar extensions Fl u .
.Pp
]]>
Note that
<literal/discard/ and <literal/none/ are not in the syntax described in
ipsec_set_policy(3). There are small differences in the syntax.
See ipsec_set_policy(3) for details.
  </para></listitem>
 </varlistentry>
</variablelist>
</para>
</refsect1>

<refsect1><title>ALGORITHMS</title>

<para>
The following list shows the supported algorithms.
<replaceable/protocol/ and <replaceable/algorithm/
are almost orthogonal. The following authentication
algorithms can be used as <replaceable/aalgo/
in <option/-A/ <replaceable/aalgo/ of the <replaceable/protocol/
parameter:
</para>

<informaltable frame="none">
<tgroup cols=3><tbody>
<row> <entry>algorithm</entry>
      <entry>keylen (bits)</entry>
      <entry>comment</entry>
</row>
<row> <entry>hmac-md5</entry>
      <entry>128</entry>
      <entry>ah: rfc2403</entry>
</row>
<row> <entry>hmac-sha1</entry>
      <entry>160</entry>
      <entry>ah: rfc2401</entry>
</row>
</tbody></tgroup>
</informaltable>

<![IGNORE[
algorithm       keylen (bits)   comment
hmac-md5        128             ah: rfc2403
                128             ah-old: rfc2085
hmac-sha1       160             ah: rfc2404
                160             ah-old: 128bit ICV (no document)
keyed-md5       128             ah: 96bit ICV (no document)
                128             ah-old: rfc1828
keyed-sha1      160             ah: 96bit ICV (no document)
                160             ah-old: 128bit ICV (no document)
null            0 to 2048       for debugging
hmac-sha2-256   256             ah: 96bit ICV (no document)
                256             ah-old: 128bit ICV (no document)
hmac-sha2-384   384             ah: 96bit ICV (no document)
                384             ah-old: 128bit ICV (no document)
hmac-sha2-512   512             ah: 96bit ICV (no document)
                512             ah-old: 128bit ICV (no document)
]]>

<para>
The following encryption algorithms can be used as
<replaceable/ealgo/ in <option/-E/ <replaceable/ealgo/ of the
<replaceable/protocol/ parameter:
</para>

<informaltable frame="none">
<tgroup cols=3><tbody>
<row> <entry>algorithm</entry>
      <entry>keylen (bits)</entry>
      <entry>comment</entry>
</row>
<row> <entry>des-cbc</entry>
      <entry>64</entry>
      <entry>esp: rfc2405</entry>
</row>
<row> <entry>3des-cbc</entry>
      <entry>192</entry>
      <entry>esp: rfc2451</entry>
</row>
</tbody></tgroup>
</informaltable>

<![IGNORE[
algorithm       keylen (bits)   comment
des-cbc         64              esp-old: rfc1829, esp: rfc2405
3des-cbc        192             rfc2451
simple          0 to 2048       rfc2410
blowfish-cbc    40 to 448       rfc2451
cast128-cbc     40 to 128       rfc2451
des-deriv       64              ipsec-ciph-des-derived-01 (expired)
3des-deriv      192             no document
rijndael-cbc    128/192/256     draft-ietf-ipsec-ciph-aes-cbc-00
]]>

<![IGNORE[
<para>
Followings are the list of compression algorithms that can be used as
<replaceable/calgo/ in <option/-C/ <replaceable/calgo/ of
<replaceable/protocol/ parameter:
</para>

algorithm       comment
deflate         rfc2394
lzs             rfc2395
]]>

</refsect1>

<refsect1><title>EXAMPLES</title>

<programlisting>
add 10.0.11.41 10.0.11.33 esp 123457
    -m tunnel -E des-cbc "ESP SA!!" ;

add 10.0.11.41 10.0.11.33 ah 123456
    -m transport -A hmac-sha1 "AH SA configuration!" ;

add 10.0.11.41 10.0.11.34 esp 0x10001
    -m tunnel
    -E des-cbc "ESP with"
    -A hmac-md5 "authentication!!" ;

get 10.0.11.41 10.0.11.33 ah 123456 ;

flush ;

dump esp ;

</programlisting>

<para>
Encapsulate output of telnetd in ESP tunnel encrypted with DES
and authenticated with MD5.
</para>

<programlisting>

spdadd 192.168.0.1/32[23] 192.168.0.2/32[any] any
    -P out ipsec esp/tunnel/10.0.11.41-10.0.11.34/require ;

</programlisting>

<para>
Or alternatively, encapsulate output of telnetd in ESP tunnel
encrypted with DES, but with stronger authentication of whole
encapsulated packet with MD5.
</para>

<programlisting>

spdadd 192.168.0.1/32[23] 192.168.0.2/32[any] any
    -P out ipsec
    esp/tunnel/10.0.11.41-10.0.11.33/require
    ah/transport//require ;

</programlisting>

</refsect1>

<refsect1><title>RETURN VALUES</title>

<para>
The command exits with 0 on success, and non-zero on errors.
</para>

</refsect1>

<refsect1><title>SEE ALSO</title>

<para>
ipsec_set_policy(3),
racoon(8),
sysctl(8)
</para>

</refsect1>

<refsect1><title>HISTORY</title>
<para>
The <command/setkey/ command first appeared in the WIDE Hydrangea IPv6 protocol
stack kit. The command was completely re-designed in June 1998.
</para>
<para>
This port to Linux was made in November 2002.
</para>

</refsect1>

</refentry>

<![IGNORE[
<refsect1><title>COPYING</title>
<para>
<literallayout>
 $KAME: setkey.8,v 1.49 2001/05/18 05:49:51 sakane Exp $
 $FreeBSD: src/usr.sbin/setkey/setkey.8,v 1.19 2001/08/10 13:45:35 ru Exp $

 Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions
 are met:
 1. Redistributions of source code must retain the above copyright
    notice, this list of conditions and the following disclaimer.
 2. Redistributions in binary form must reproduce the above copyright
    notice, this list of conditions and the following disclaimer in the
    documentation and/or other materials provided with the distribution.
 3. Neither the name of the project nor the names of its contributors
    may be used to endorse or promote products derived from this software
    without specific prior written permission.

 THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGE.
</literallayout>
</para>
</refsect1>
]]>
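
A lint pass over `add` operations that applies the rules this page states: numeric src and dst, SPI above 255, the algorithm options each protocol accepts, and the key lengths from the ALGORITHMS tables. This is an added example, not part of setkey or iputils; the names `lint`, `lint_add` and `key_bits`, the host name `gw.example`, and the acceptance of a `0x` prefix on hexadecimal keys are assumptions made here.

```python
import ipaddress
import re

# Key lengths in bits, copied from the ALGORITHMS tables on this page.
KEY_BITS = {"-E": {"des-cbc": 64, "3des-cbc": 192},
            "-A": {"hmac-md5": 128, "hmac-sha1": 160}}
ALLOWED = {"esp": {"-E", "-A"}, "ah": {"-A"}}  # options each protocol accepts

# Operations 1-3 are the page's own EXAMPLES; 4 and 5 are constructed.
SAMPLE = '''\
add 10.0.11.41 10.0.11.33 esp 123457 -m tunnel -E des-cbc "ESP SA!!" ;
add 10.0.11.41 10.0.11.33 ah 123456 -m transport -A hmac-sha1 "AH SA configuration!" ;
add 10.0.11.41 10.0.11.34 esp 0x10001 -m tunnel
    -E des-cbc "ESP with" -A hmac-md5 "authentication!!" ;
# constructed: host name, SPI below 256, short key; then -E given to ah
add gw.example 10.0.11.33 esp 200 -E 3des-cbc "too short" ;
add 10.0.11.41 10.0.11.33 ah 0x300 -E des-cbc 0123456789abcdef ;
'''


def key_bits(tok):
    """Bit length of a double-quoted or hexadecimal key, None if neither."""
    if tok.startswith('"'):
        return 8 * len(tok[1:-1].encode())
    digits = tok[2:] if tok[:2].lower() == "0x" else tok  # 0x prefix: assumed
    return 4 * len(digits) if re.fullmatch(r"[0-9a-fA-F]+", digits) else None


def lint_add(tok):
    """Findings for one tokenized operation; only `add` is checked."""
    if tok[:1] != ["add"]:
        return []
    if len(tok) < 5:
        return ["add: expected src dst protocol spi"]
    out, (src, dst, proto, spi) = [], tok[1:5]
    for name, addr in (("src", src), ("dst", dst)):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            out.append(f"{name} {addr} is not a numeric address")
    if proto not in ALLOWED:
        out.append(f"unknown protocol {proto}")
    if not re.fullmatch(r"0[xX][0-9a-fA-F]+|[0-9]+", spi):
        out.append(f"spi {spi} is not decimal or 0x-hexadecimal")
    elif int(spi, 16 if spi[:2].lower() == "0x" else 10) <= 255:
        out.append(f"spi {spi} is in the unusable range 0-255")
    it = iter(tok[5:])
    for opt in it:
        arg = next(it, "")  # every extension on the page takes one argument
        if opt not in KEY_BITS:
            continue  # -m, -r, -lh, -ls are not checked in this example
        key, want = next(it, ""), KEY_BITS[opt].get(arg)
        if proto in ALLOWED and opt not in ALLOWED[proto]:
            out.append(f"{proto} does not accept {opt}")
        if want is None:
            out.append(f"{opt}: {arg} is not in the algorithm table")
        elif key_bits(key) is None:
            out.append(f"{opt} {arg}: key is not a quoted string or hex digits")
        elif key_bits(key) != want:
            out.append(f"{opt} {arg}: key is {key_bits(key)} bits, table says {want}")
    return out


def lint(text):
    """Return (operation number, finding) pairs for a setkey script."""
    body = "\n".join(l for l in text.splitlines() if not l.startswith("#"))
    ops = re.findall(r'((?:"[^"]*"|[^;"])*);', body)
    return [(n, msg) for n, op in enumerate(ops, 1)
            for msg in lint_add(re.findall(r'"[^"]*"|[^\s"]+', op))]
```

`lint(SAMPLE)` returns no findings for the three operations taken from EXAMPLES, three for operation 4 and one for operation 5.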