From 4eacc008e33cf16c0616cf1b9b38c14fdfbd44fe Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Tue, 25 Jun 2013 09:26:52 -0400
Subject: [PATCH 1/3] Fix problem where dbworkersocket rename could indicate a missing path
---
 perl-xCAT/xCAT/Table.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/perl-xCAT/xCAT/Table.pm b/perl-xCAT/xCAT/Table.pm
index 704fa18bf..549f6d637 100644
--- a/perl-xCAT/xCAT/Table.pm
+++ b/perl-xCAT/xCAT/Table.pm
@@ -159,7 +159,7 @@ sub init_dbworker {
 #This process is the database worker, it's job is to manage database queries to reduce required handles and to permit cross-process caching
 $0 = "xcatd: DB Access";
 use File::Path;
- mkpath('/tmp/xcat/');
+ mkpath('/var/run/xcat/');
 use IO::Socket;
 $SIG{TERM} = $SIG{INT} = sub {
 $exitdbthread=1;
From 85237d5126df391d81b30917c3e4229c62472fcd Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Wed, 26 Jun 2013 10:32:07 -0400
Subject: [PATCH 2/3] Fix problem where rvitals could request the same sensor multiple times
---
 xCAT-server/lib/xcat/plugins/ipmi.pm | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/xCAT-server/lib/xcat/plugins/ipmi.pm b/xCAT-server/lib/xcat/plugins/ipmi.pm
index 2d8e03427..df56d80dd 100644
--- a/xCAT-server/lib/xcat/plugins/ipmi.pm
+++ b/xCAT-server/lib/xcat/plugins/ipmi.pm
@@ -4789,15 +4789,18 @@ sub vitals {
 }
 $sessdata->{sensorstoread} = [];
+ my %usedkeys;
 foreach(keys %sensor_filters) {
 my $filter = $_;
 if ($filter eq "energy" or $filter eq "leds") { next; }
 foreach $key (sort {$sdr_hash{$a}->id_string cmp $sdr_hash{$b}->id_string} keys %sdr_hash) {
+ if ($usedkeys{$key}) { next; } #avoid duplicate requests for sensor data
 my $sdr = $sdr_hash{$key};
 if(($doall and not $sdr->rec_type == 0x11 and not $sdr->sensor_type==0xed) or ($sdr->rec_type == 0x01 and $sdr->sensor_type == $filter)) {
 my $lformat = $format;
 push @{$sessdata->{sensorstoread}},$sdr;
+ $usedkeys{$key}=1;
 }
 }
 }
From 160343bdef87bc083ba1e01d88703a43f25de019 Mon Sep 17 00:00:00 2001
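Review bot: In the Table.pm hunk of patch 1/3, `mkpath('/var/run/xcat/')` is called without a mode, so the directory is created as 0777 masked by whatever umask the process has at that point. The commit subject suggests this directory holds the dbworker socket, so the mode is worth pinning explicitly, for example `mkpath('/var/run/xcat/', 0, 0700);`, or a wider mode if clients running as other users must reach the socket (not visible here). init_dbworker starts and ends outside the hunk, so where the socket itself is bound and what permissions it gets cannot be checked from these lines.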
From: Jarrod Johnson
Date: Thu, 11 Jul 2013 10:53:15 -0400
Subject: [PATCH 3/3] Change bmcsetup to disable cipher suites 0 and 1 in the face of peculiar cipher suite support or enumeration Also change to enable cipher suites 2 and 3 to facilitate sites without Rijndael
---
 xCAT-genesis-scripts/bin/bmcsetup | 40 ++++++++++++++++++-------------
 1 file changed, 24 insertions(+), 16 deletions(-)
diff --git a/xCAT-genesis-scripts/bin/bmcsetup b/xCAT-genesis-scripts/bin/bmcsetup
index 39ec56d03..2cca4e2e9 100755
--- a/xCAT-genesis-scripts/bin/bmcsetup
+++ b/xCAT-genesis-scripts/bin/bmcsetup
@@ -300,29 +300,37 @@ if [ $TRIES -gt $TIMEOUT ]; then echo "ERROR"; else echo "OK"; fi
 TRIES=0
 if [ ! "$IPMIVER" == "1.5" ]; then
 echo -n "Enabling IPMI v 2.0 LAN access: "
- #two goals here, make sure cipher suite 0 does not work as it is insecure
- #mae sure cipher suite 3 does work because we will use it
- #leave every thing else alone.
- ACCESS=`ipmitool raw 0xc 2 1 24 0 0 `
+ #the following goals:
+ #disable cipher suite 0 (if present, avoid password bypass)
+ #disable cipher suite 1 (if present, to avoid weaking Kg if used)
+ #enable cipher suite 2 (scenarios without perl Rijndael)
+ #enable cipher suite 3
+ #ignore the rest
+ ZEROIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '%0$'|sed -e 's/:.*//')
+ ONEIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '^1$'|sed -e 's/:.*//')
+ TWOIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '^2$'|sed -e 's/:.*//')
+ THREEIDX=$(ipmitool lan print $LANCHAN|grep ^RMCP+|cut -d: -f 2|sed -e 's/ //' -e 's/,/\n/g'|grep -n '^3$'|sed -e 's/:.*//')
+ ACCESS=$(ipmitool lan print $LANCHAN|grep 'Cipher Suite Priv Max'|cut -d: -f 2|sed -e 's/ //g' -e 's/\(.\)/\1\n/g'|grep -v '^$')
 NEWACCESS=""
- i=0
+ i=1
 for elem in $ACCESS; do
- if [ $i = 2 ]; then
- NEWACCESS=`printf "$NEWACCESS 0x%02x" $((0x$elem&0xf0))`
- elif [ $i = 3 ]; then
- NEWACCESS=`printf "$NEWACCESS 0x%02x" $((0x$elem|0x44))`
- elif [ $i != 0 ]; then
- NEWACCESS="$NEWACCESS 0x$elem"
- fi
- i=$((i+1))
+ if [ $i = "$ZEROIDX" -o $i = "$ONEIDX" ]; then
+ NEWACCESS="$NEWACCESS"X
+ elif [ $i = "$TWOIDX" -o $i = "$THREEIDX" ]; then
+ #do not *downgrade* from OEM priv
+ if [ "$elem" != "O" ]; then NEWACCESS="$NEWACCESS"a; else NEWACCESS="$NEWACCESS"$elem; fi
+ else
+ NEWACCESS="$NEWACCESS"$elem
+ fi
+ i=$((i+1))
 done
- if ipmitool raw 0xc 1 1 24 $NEWACCESS > /dev/null; then
+ if ipmitool lan set $LANCHAN cipher_privs $NEWACCESS > /dev/null; then
 echo OK
 else
 echo ERROR
 fi
-
-
+
+
 TRIES=0
 echo -n "Enabling SOL for channel $LANCHAN:"
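Review bot: The ZEROIDX pipeline ends in `grep -n '%0$'`, while the ONEIDX, TWOIDX and THREEIDX lines anchor with `^`. As shown it matches a literal `%0` at end of line, so ZEROIDX would come back empty and the loop would never write `X` for cipher suite 0, the suite the new comment says must be disabled to avoid password bypass. The pattern should presumably be `grep -n '^0$'`. Separately, OK is printed on the exit status of `ipmitool lan set $LANCHAN cipher_privs` alone; re-reading `Cipher Suite Priv Max` afterwards and checking that the suite 0 and 1 positions are `X` would catch a BMC that accepts the command without applying it. The enclosing `if [ ! "$IPMIVER" == "1.5" ]` block ends outside the hunk.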