search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge remote-tracking branch 'origin/master'
[unleashed/lotheac.git] / usr / src / uts / common / rpc / sec / svcauthdes.c
blob563067bb04e56d60cf5228667055ccbf5befba74
1 /*
2 * CDDL HEADER START
3 *
4 * The contents of this file are subject to the terms of the
5 * Common Development and Distribution License (the "License").
6 * You may not use this file except in compliance with the License.
7 *
8 * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
9 * or http://www.opensolaris.org/os/licensing.
10 * See the License for the specific language governing permissions
11 * and limitations under the License.
12 *
13 * When distributing Covered Code, include this CDDL HEADER in each
14 * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
15 * If applicable, add the following below this CDDL HEADER, with the
16 * fields enclosed by brackets "[]" replaced with your own identifying
17 * information: Portions Copyright [yyyy] [name of copyright owner]
18 *
19 * CDDL HEADER END
20 */
21 /*
22 * Copyright 2017 Joyent Inc
23 * Copyright 2009 Sun Microsystems, Inc. All rights reserved.
24 * Use is subject to license terms.
25 */
26
27 /* Copyright (c) 1983, 1984, 1985, 1986, 1987, 1988, 1989 AT&T */
28 /* All Rights Reserved */
29
30 /*
31 * Portions of this source code were derived from Berkeley 4.3 BSD
32 * under license from the Regents of the University of California.
33 */
34
35 /*
36 * svcauth_des.c, server-side des authentication
37 *
38 * We insure for the service the following:
39 * (1) The timestamp microseconds do not exceed 1 million.
40 * (2) The timestamp plus the window is less than the current time.
41 * (3) The timestamp is not less than the one previously
42 * seen in the current session.
43 *
44 * It is up to the server to determine if the window size is
45 * too small.
46 */
47
48 #include <sys/types.h>
49 #include <sys/time.h>
50 #include <sys/systm.h>
51 #include <sys/param.h>
52 #include <sys/stream.h>
53 #include <sys/stropts.h>
54 #include <sys/strsubr.h>
55 #include <sys/tiuser.h>
56 #include <sys/tihdr.h>
57 #include <sys/t_kuser.h>
58 #include <sys/t_lock.h>
59 #include <sys/debug.h>
60 #include <sys/kmem.h>
61 #include <sys/time.h>
62 #include <sys/cmn_err.h>
63 #include <sys/debug.h>
64
65 #include <rpc/types.h>
66 #include <rpc/xdr.h>
67 #include <rpc/auth.h>
68 #include <rpc/auth_des.h>
69 #include <rpc/rpc_msg.h>
70 #include <rpc/svc.h>
71 #include <rpc/svc_auth.h>
72 #include <rpc/clnt.h>
73 #include <rpc/des_crypt.h>
74
75 #define USEC_PER_SEC 1000000
76 #define BEFORE(t1, t2) timercmp(t1, t2, < /* COMMENT HERE TO DEFEAT CSTYLE */)
77
78 /*
79 * Cache of conversation keys and some other useful items.
80 * The hash table size is controled via authdes_cachesz variable.
81 * The authdes_cachesz has to be the power of 2.
82 */
83 #define AUTHDES_CACHE_TABLE_SZ 1024
84 static int authdes_cachesz = AUTHDES_CACHE_TABLE_SZ;
85 #define HASH(key) ((key) & (authdes_cachesz - 1))
86
87 /* low water mark for the number of cache entries */
88 static int low_cache_entries = 128;
89
90 struct authdes_cache_entry {
91 uint32_t nickname; /* nick name id */
92 uint32_t window; /* credential lifetime window */
93 des_block key; /* conversation key */
94 time_t ref_time; /* time referenced previously */
95 char *rname; /* client's name */
96 caddr_t localcred; /* generic local credential */
97 struct authdes_cache_entry *prev, *next; /* hash table linked list */
98 struct authdes_cache_entry *lru_prev, *lru_next; /* LRU linked list */
99 kmutex_t lock; /* cache entry lock */
100 };
101 static struct authdes_cache_entry **authdes_cache; /* [authdes_cachesz] */
102 static struct authdes_cache_entry *lru_first = NULL;
103 static struct authdes_cache_entry *lru_last = NULL;
104 static kmutex_t authdes_lock; /* cache table lock */
105
106 static struct kmem_cache *authdes_cache_handle;
107 static uint32_t Nickname = 0;
108
109 static struct authdes_cache_entry *authdes_cache_new(char *,
110 des_block *, uint32_t);
111 static struct authdes_cache_entry *authdes_cache_get(uint32_t);
112 static void authdes_cache_reclaim(void *);
113 static void sweep_cache();
114
115 /*
116 * After 12 hours, check and delete cache entries that have been
117 * idled for more than 10 hours.
118 */
119 static time_t authdes_sweep_interval = 12*60*60;
120 static time_t authdes_cache_time = 10*60*60;
121 static time_t authdes_last_swept = 0;
122
123 /*
124 * cache statistics
125 */
126 static int authdes_ncache = 0; /* number of current cached entries */
127 static int authdes_ncachehits = 0; /* #times cache hit */
128 static int authdes_ncachemisses = 0; /* #times cache missed */
129
130 #define NOT_DEAD(ptr) ASSERT((((intptr_t)(ptr)) != 0xdeadbeef))
131 #define IS_ALIGNED(ptr) ASSERT((((intptr_t)(ptr)) & 3) == 0)
132
133 /*
134 * Service side authenticator for AUTH_DES
135 */
136 enum auth_stat
137 _svcauth_des(struct svc_req *rqst, struct rpc_msg *msg)
138 {
139 int32_t *ixdr;
140 des_block cryptbuf[2];
141 struct authdes_cred *cred;
142 struct authdes_verf verf;
143 int status;
144 des_block *sessionkey;
145 des_block ivec;
146 uint32_t window, winverf, namelen;
147 bool_t nick;
148 struct timeval timestamp, current_time;
149 struct authdes_cache_entry *nick_entry;
150 struct area {
151 struct authdes_cred area_cred;
152 char area_netname[MAXNETNAMELEN+1];
153 } *area;
154 timestruc_t now;
155
156 mutex_enter(&authdes_lock);
157 if (authdes_cache == NULL) {
158 authdes_cache = kmem_zalloc(
159 sizeof (struct authdes_cache_entry *) * authdes_cachesz,
160 KM_SLEEP);
161 }
162 mutex_exit(&authdes_lock);
163
164 CTASSERT(sizeof (struct area) <= RQCRED_SIZE);
165 /* LINTED pointer alignment */
166 area = (struct area *)rqst->rq_clntcred;
167 cred = (struct authdes_cred *)&area->area_cred;
168
169 /*
170 * Get the credential
171 */
172 /* LINTED pointer alignment */
173 ixdr = (int32_t *)msg->rm_call.cb_cred.oa_base;
174 cred->adc_namekind = IXDR_GET_ENUM(ixdr, enum authdes_namekind);
175 switch (cred->adc_namekind) {
176 case ADN_FULLNAME:
177 namelen = IXDR_GET_U_INT32(ixdr);
178 if (namelen > MAXNETNAMELEN)
179 return (AUTH_BADCRED);
180 cred->adc_fullname.name = area->area_netname;
181 bcopy(ixdr, cred->adc_fullname.name, namelen);
182 cred->adc_fullname.name[namelen] = 0;
183 ixdr += (RNDUP(namelen) / BYTES_PER_XDR_UNIT);
184 cred->adc_fullname.key.key.high = (uint32_t)*ixdr++;
185 cred->adc_fullname.key.key.low = (uint32_t)*ixdr++;
186 cred->adc_fullname.window = (uint32_t)*ixdr++;
187 nick = FALSE;
188 break;
189 case ADN_NICKNAME:
190 cred->adc_nickname = (uint32_t)*ixdr++;
191 nick = TRUE;
192 break;
193 default:
194 return (AUTH_BADCRED);
195 }
196
197 /*
198 * Get the verifier
199 */
200 /* LINTED pointer alignment */
201 ixdr = (int32_t *)msg->rm_call.cb_verf.oa_base;
202 verf.adv_xtimestamp.key.high = (uint32_t)*ixdr++;
203 verf.adv_xtimestamp.key.low = (uint32_t)*ixdr++;
204 verf.adv_int_u = (uint32_t)*ixdr++;
205
206
207 /*
208 * Get the conversation key
209 */
210 if (!nick) { /* ADN_FULLNAME */
211 sessionkey = &cred->adc_fullname.key;
212 if (key_decryptsession(cred->adc_fullname.name, sessionkey) !=
213 RPC_SUCCESS) {
214 return (AUTH_BADCRED); /* key not found */
215 }
216 } else { /* ADN_NICKNAME */
217 mutex_enter(&authdes_lock);
218 if (!(nick_entry = authdes_cache_get(cred->adc_nickname))) {
219 RPCLOG(1, "_svcauth_des: nickname %d not in the cache\n",
220 cred->adc_nickname);
221 mutex_exit(&authdes_lock);
222 return (AUTH_BADCRED); /* need refresh */
223 }
224 sessionkey = &nick_entry->key;
225 mutex_enter(&nick_entry->lock);
226 mutex_exit(&authdes_lock);
227 }
228
229 /*
230 * Decrypt the timestamp
231 */
232 cryptbuf[0] = verf.adv_xtimestamp;
233 if (!nick) { /* ADN_FULLNAME */
234 cryptbuf[1].key.high = cred->adc_fullname.window;
235 cryptbuf[1].key.low = verf.adv_winverf;
236 ivec.key.high = ivec.key.low = 0;
237 status = cbc_crypt((char *)sessionkey, (char *)cryptbuf,
238 2 * sizeof (des_block), DES_DECRYPT, (char *)&ivec);
239 } else { /* ADN_NICKNAME */
240 status = ecb_crypt((char *)sessionkey, (char *)cryptbuf,
241 sizeof (des_block), DES_DECRYPT);
242 }
243 if (DES_FAILED(status)) {
244 RPCLOG0(1, "_svcauth_des: decryption failure\n");
245 if (nick) {
246 mutex_exit(&nick_entry->lock);
247 }
248 return (AUTH_FAILED); /* system error */
249 }
250
251 /*
252 * XDR the decrypted timestamp
253 */
254 ixdr = (int32_t *)cryptbuf;
255 timestamp.tv_sec = IXDR_GET_INT32(ixdr);
256 timestamp.tv_usec = IXDR_GET_INT32(ixdr);
257
258 /*
259 * Check for valid credentials and verifiers.
260 * They could be invalid because the key was flushed
261 * out of the cache, and so a new session should begin.
262 * Be sure and send AUTH_REJECTED{CRED, VERF} if this is the case.
263 */
264 if (!nick) { /* ADN_FULLNAME */
265 window = IXDR_GET_U_INT32(ixdr);
266 winverf = IXDR_GET_U_INT32(ixdr);
267 if (winverf != window - 1) {
268 RPCLOG(1, "_svcauth_des: window verifier mismatch %d\n",
269 winverf);
270 return (AUTH_BADCRED); /* garbled credential */
271 }
272 } else { /* ADN_NICKNAME */
273 window = nick_entry->window;
274 }
275
276 if (timestamp.tv_usec >= USEC_PER_SEC) {
277 RPCLOG(1, "_svcauth_des: invalid usecs %ld\n",
278 timestamp.tv_usec);
279 /* cached out (bad key), or garbled verifier */
280 if (nick) {
281 mutex_exit(&nick_entry->lock);
282 }
283 return (nick ? AUTH_REJECTEDVERF : AUTH_BADVERF);
284 }
285
286 gethrestime(&now);
287 current_time.tv_sec = now.tv_sec;
288 current_time.tv_usec = now.tv_nsec / 1000;
289
290 current_time.tv_sec -= window; /* allow for expiration */
291 if (!BEFORE(&current_time, &timestamp)) {
292 RPCLOG0(1, "_svcauth_des: timestamp expired\n");
293 /* replay, or garbled credential */
294 if (nick) {
295 mutex_exit(&nick_entry->lock);
296 }
297 return (nick ? AUTH_REJECTEDVERF : AUTH_BADCRED);
298 }
299
300 /*
301 * xdr the timestamp before encrypting
302 */
303 ixdr = (int32_t *)cryptbuf;
304 IXDR_PUT_INT32(ixdr, timestamp.tv_sec - 1);
305 IXDR_PUT_INT32(ixdr, timestamp.tv_usec);
306
307 /*
308 * encrypt the timestamp
309 */
310 status = ecb_crypt((char *)sessionkey, (char *)cryptbuf,
311 sizeof (des_block), DES_ENCRYPT);
312 if (DES_FAILED(status)) {
313 RPCLOG0(1, "_svcauth_des: encryption failure\n");
314 if (nick) {
315 mutex_exit(&nick_entry->lock);
316 }
317 return (AUTH_FAILED); /* system error */
318 }
319 verf.adv_xtimestamp = cryptbuf[0];
320
321 /*
322 * If a ADN_FULLNAME, create a new nickname cache entry.
323 */
324 if (!nick) {
325 mutex_enter(&authdes_lock);
326 if (!(nick_entry = authdes_cache_new(cred->adc_fullname.name,
327 sessionkey, window))) {
328 RPCLOG0(1, "_svcauth_des: can not create new cache entry\n");
329 mutex_exit(&authdes_lock);
330 return (AUTH_FAILED);
331 }
332 mutex_enter(&nick_entry->lock);
333 mutex_exit(&authdes_lock);
334 }
335 verf.adv_nickname = nick_entry->nickname;
336
337 /*
338 * Serialize the reply verifier, and update rqst
339 */
340 /* LINTED pointer alignment */
341 ixdr = (int32_t *)msg->rm_call.cb_verf.oa_base;
342 *ixdr++ = (int32_t)verf.adv_xtimestamp.key.high;
343 *ixdr++ = (int32_t)verf.adv_xtimestamp.key.low;
344 *ixdr++ = (int32_t)verf.adv_int_u;
345
346 rqst->rq_xprt->xp_verf.oa_flavor = AUTH_DES;
347 rqst->rq_xprt->xp_verf.oa_base = msg->rm_call.cb_verf.oa_base;
348 rqst->rq_xprt->xp_verf.oa_length =
349 (uint_t)((char *)ixdr - msg->rm_call.cb_verf.oa_base);
350 if (rqst->rq_xprt->xp_verf.oa_length > MAX_AUTH_BYTES) {
351 RPCLOG0(1, "_svcauth_des: invalid oa length\n");
352 mutex_exit(&nick_entry->lock);
353 return (AUTH_BADVERF);
354 }
355
356 /*
357 * We succeeded and finish cooking the credential.
358 * nicknames are cooked into fullnames
359 */
360 if (!nick) {
361 cred->adc_nickname = nick_entry->nickname;
362 cred->adc_fullname.window = window;
363 } else { /* ADN_NICKNAME */
364 cred->adc_namekind = ADN_FULLNAME;
365 cred->adc_fullname.name = nick_entry->rname;
366 cred->adc_fullname.key = nick_entry->key;
367 cred->adc_fullname.window = nick_entry->window;
368 }
369 mutex_exit(&nick_entry->lock);
370
371 /*
372 * For every authdes_sweep_interval, delete cache entries that have been
373 * idled for authdes_cache_time.
374 */
375 mutex_enter(&authdes_lock);
376 if ((gethrestime_sec() - authdes_last_swept) > authdes_sweep_interval)
377 sweep_cache();
378
379 mutex_exit(&authdes_lock);
380
381 return (AUTH_OK); /* we made it! */
382 }
383
384 /*
385 * Initialization upon loading the rpcsec module.
386 */
387 void
388 svcauthdes_init(void)
389 {
390 mutex_init(&authdes_lock, NULL, MUTEX_DEFAULT, NULL);
391 /*
392 * Allocate des cache handle
393 */
394 authdes_cache_handle = kmem_cache_create("authdes_cache_handle",
395 sizeof (struct authdes_cache_entry), 0, NULL, NULL,
396 authdes_cache_reclaim, NULL, NULL, 0);
397 }
398
399 /*
400 * Final actions upon exiting the rpcsec module.
401 */
402 void
403 svcauthdes_fini(void)
404 {
405 mutex_destroy(&authdes_lock);
406 kmem_cache_destroy(authdes_cache_handle);
407 }
408
409 /*
410 * Local credential handling stuff.
411 * NOTE: bsd unix dependent.
412 * Other operating systems should put something else here.
413 */
414
415 struct bsdcred {
416 uid_t uid; /* cached uid */
417 gid_t gid; /* cached gid */
418 short valid; /* valid creds */
419 short grouplen; /* length of cached groups */
420 gid_t groups[1]; /* cached groups - allocate ngroups_max */
421 };
422
423 /*
424 * Map a des credential into a unix cred.
425 * We cache the credential here so the application does
426 * not have to make an rpc call every time to interpret
427 * the credential.
428 */
429 int
430 kauthdes_getucred(const struct authdes_cred *adc, cred_t *cr)
431 {
432 uid_t i_uid;
433 gid_t i_gid;
434 int i_grouplen;
435 struct bsdcred *cred;
436 struct authdes_cache_entry *nickentry;
437
438 mutex_enter(&authdes_lock);
439 if (!(nickentry = authdes_cache_get(adc->adc_nickname))) {
440 RPCLOG0(1, "authdes_getucred: invalid nickname\n");
441 mutex_exit(&authdes_lock);
442 return (0);
443 }
444
445 mutex_enter(&nickentry->lock);
446 mutex_exit(&authdes_lock);
447 /* LINTED pointer alignment */
448 cred = (struct bsdcred *)nickentry->localcred;
449 if (!cred->valid) {
450 /*
451 * not in cache: lookup
452 */
453 if (netname2user(adc->adc_fullname.name, &i_uid, &i_gid,
454 &i_grouplen, &cred->groups[0]) != RPC_SUCCESS) {
455 /*
456 * Probably a host principal, since at this
457 * point we have valid keys. Note that later
458 * if the principal is not in the root list
459 * for NFS, we will be mapped to that exported
460 * file system's anonymous user, typically
461 * NOBODY. keyserv KEY_GETCRED will fail for a
462 * root-netnames so we assume root here.
463 * Currently NFS is the only caller of this
464 * routine. If other RPC services call this
465 * routine, it is up to that service to
466 * differentiate between local and remote
467 * roots.
468 */
469 i_uid = 0;
470 i_gid = 0;
471 i_grouplen = 0;
472 }
473 RPCLOG0(2, "authdes_getucred: missed ucred cache\n");
474 cred->uid = i_uid;
475 cred->gid = i_gid;
476 cred->grouplen = (short)i_grouplen;
477 cred->valid = 1;
478 }
479
480 /*
481 * cached credentials
482 */
483 if (crsetugid(cr, cred->uid, cred->gid) != 0 ||
484 crsetgroups(cr, cred->grouplen, &cred->groups[0]) != 0) {
485 mutex_exit(&nickentry->lock);
486 return (0);
487 }
488 mutex_exit(&nickentry->lock);
489 return (1);
490 }
491
492 /*
493 * Create a new cache_entry and put it in authdes_cache table.
494 * Caller should have already locked the authdes_cache table.
495 */
496 struct authdes_cache_entry *
497 authdes_cache_new(char *fullname, des_block *sessionkey, uint32_t window) {
498
499 struct authdes_cache_entry *new, *head;
500 struct bsdcred *ucred;
501 int index;
502
503 if (!(new = kmem_cache_alloc(authdes_cache_handle, KM_SLEEP))) {
504 return (NULL);
505 }
506
507 if (!(new->rname = kmem_alloc(strlen(fullname) + 1, KM_NOSLEEP))) {
508 kmem_cache_free(authdes_cache_handle, new);
509 return (NULL);
510 }
511
512 if (!(ucred = kmem_alloc(sizeof (struct bsdcred) +
513 (ngroups_max - 1) * sizeof (gid_t), KM_NOSLEEP))) {
514 kmem_free(new->rname, strlen(fullname) + 1);
515 kmem_cache_free(authdes_cache_handle, new);
516 return (NULL);
517 }
518
519 (void) strcpy(new->rname, fullname);
520 ucred->valid = 0;
521 new->localcred = (caddr_t)ucred;
522 new->key = *sessionkey;
523 new->window = window;
524 new->ref_time = gethrestime_sec();
525 new->nickname = Nickname++;
526 mutex_init(&new->lock, NULL, MUTEX_DEFAULT, NULL);
527
528 /* put new into the hash table */
529 index = HASH(new->nickname);
530 head = authdes_cache[index];
531 if ((new->next = head) != NULL) {
532 head->prev = new;
533 }
534 authdes_cache[index] = new;
535 new->prev = NULL;
536
537 /* update the LRU list */
538 new->lru_prev = NULL;
539 if ((new->lru_next = lru_first) != NULL) {
540 lru_first->lru_prev = new;
541 } else {
542 lru_last = new;
543 }
544 lru_first = new;
545
546 authdes_ncache++;
547 return (new);
548 }
549
550 /*
551 * Get an existing cache entry from authdes_cache table.
552 * The caller should have locked the authdes_cache table.
553 */
554 struct authdes_cache_entry *
555 authdes_cache_get(uint32_t nickname) {
556
557 struct authdes_cache_entry *cur = NULL;
558 int index = HASH(nickname);
559
560 ASSERT(MUTEX_HELD(&authdes_lock));
561 for (cur = authdes_cache[index]; cur; cur = cur->next) {
562 if ((cur->nickname == nickname)) {
563 /* find it, update the LRU list */
564 if (cur != lru_first) {
565 cur->lru_prev->lru_next = cur->lru_next;
566 if (cur->lru_next != NULL) {
567 cur->lru_next->lru_prev = cur->lru_prev;
568 } else {
569 lru_last = cur->lru_prev;
570 }
571 cur->lru_prev = NULL;
572 cur->lru_next = lru_first;
573 lru_first->lru_prev = cur;
574 lru_first = cur;
575 }
576
577 cur->ref_time = gethrestime_sec();
578 authdes_ncachehits++;
579 return (cur);
580 }
581 }
582
583 authdes_ncachemisses++;
584 return (NULL);
585 }
586
587 /*
588 * authdes_cache_reclaim() is called by the kernel memory allocator
589 * when memory is low. This routine will reclaim 25% of the least recent
590 * used cache entries above the low water mark (low_cache_entries).
591 * If the cache entries have already hit the low water mark, it will
592 * return 1 cache entry.
593 */
594 /*ARGSUSED*/
595 void
596 authdes_cache_reclaim(void *pdata) {
597 struct authdes_cache_entry *p;
598 int n, i;
599
600 mutex_enter(&authdes_lock);
601 n = authdes_ncache - low_cache_entries;
602 n = n > 0 ? n/4 : 1;
603
604 for (i = 0; i < n; i++) {
605 if ((p = lru_last) == lru_first)
606 break;
607
608 /* Update the hash linked list */
609 if (p->prev == NULL) {
610 authdes_cache[HASH(p->nickname)] = p->next;
611 } else {
612 p->prev->next = p->next;
613 }
614 if (p->next != NULL) {
615 p->next->prev = p->prev;
616 }
617
618 /* update the LRU linked list */
619 p->lru_prev->lru_next = NULL;
620 lru_last = p->lru_prev;
621
622 kmem_free(p->rname, strlen(p->rname) + 1);
623 kmem_free(p->localcred, sizeof (struct bsdcred) +
624 (ngroups_max - 1) * sizeof (gid_t));
625 mutex_destroy(&p->lock);
626 kmem_cache_free(authdes_cache_handle, p);
627
628 authdes_ncache--;
629 }
630 mutex_exit(&authdes_lock);
631 RPCLOG(4, "_svcauth_des: %d cache entries reclaimed...\n",
632 authdes_ncache);
633 }
634
635 /*
636 * Walk through the LRU doubly-linked list and delete the cache
637 * entries that have not been used for more than authdes_cache_time.
638 *
639 * Caller should have locked the cache table.
640 */
641 void
642 sweep_cache() {
643 struct authdes_cache_entry *p;
644
645 ASSERT(MUTEX_HELD(&authdes_lock));
646 while ((p = lru_last) != lru_first) {
647 IS_ALIGNED(p);
648 NOT_DEAD(p);
649
650 /*
651 * If the last LRU entry idled less than authdes_cache_time,
652 * we are done with the sweeping.
653 */
654 if (p->ref_time + authdes_cache_time > gethrestime_sec())
655 break;
656
657 /* update the hash linked list */
658 if (p->prev == NULL) {
659 authdes_cache[HASH(p->nickname)] = p->next;
660 } else {
661 p->prev->next = p->next;
662 }
663 if (p->next != NULL) {
664 p->next->prev = p->prev;
665 }
666
667 /* update the LRU linked list */
668 p->lru_prev->lru_next = NULL;
669 lru_last = p->lru_prev;
670
671 kmem_free(p->rname, strlen(p->rname) + 1);
672 kmem_free(p->localcred, sizeof (struct bsdcred) +
673 (ngroups_max - 1) * sizeof (gid_t));
674 mutex_destroy(&p->lock);
675 kmem_cache_free(authdes_cache_handle, p);
676
677 authdes_ncache--;
678 }
679
680 authdes_last_swept = gethrestime_sec();
681 RPCLOG(4, "_svcauth_des: sweeping cache...#caches left = %d\n",
682 authdes_ncache);
683 }