Avoid LTO + FORTIFY_SOURCE=3 issue

When compiled with LTO and FORTIFY_SOURCE=3 enabled together,
tpm2_makecredential outputs corrupted data which cannot be used with
tpm2_activatecredential.

This can be avoided by disabling compiler optimization for part of the
code using pragma.

This patch was obtained upstream from:
https://github.com/tpm2-software/tpm2-tools/pull/3219

This fixes the upstream issue:
https://github.com/tpm2-software/tpm2-tools/issues/3210

Resolves: rhbz#2171376

Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>

tpm2-tools-fix-fortify.patch

@@ -0,0 +1,57 @@
+From 43b24bb6d1bbc65e80bd1de1d679922ba70ce5c0 Mon Sep 17 00:00:00 2001
+From: Juergen Repp <juergen_repp@web.de>
+Date: Mon, 6 Mar 2023 12:16:05 +0100
+Subject: [PATCH] kdfa.c Fix problem with FORTIFY_SOURCE on Fedora
+
+The original kdfa implementation did produce an error caused by the flags
+-flto -_FORTIFY_SOURCE=2 on Fedora rawhide.
+This error can be avoided by switching off the optimization with pragma.
+Fixes: #3210.
+
+Signed-off-by: Juergen Repp <juergen_repp@web.de>
+---
+ lib/tpm2_kdfa.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/lib/tpm2_kdfa.c b/lib/tpm2_kdfa.c
+index 5eb8d558c..9db0467e4 100644
+--- a/lib/tpm2_kdfa.c
++++ b/lib/tpm2_kdfa.c
+@@ -1,7 +1,6 @@
+ /* SPDX-License-Identifier: BSD-3-Clause */
+ 
+ #include <string.h>
+-
+ #include <openssl/evp.h>
+ #if OPENSSL_VERSION_NUMBER < 0x30000000L
+ #include <openssl/hmac.h>
+@@ -13,6 +12,15 @@
+ #include "tpm2_kdfa.h"
+ #include "tpm2_openssl.h"
+ 
++/*
++ * Disable optimazation because of an error in FORTIFY_SOURCE
++ */
++ 
++#ifdef _FORTIFY_SOURCE
++#pragma GCC push_options
++#pragma GCC optimize ("O0")
++#endif
++
+ TSS2_RC tpm2_kdfa(TPMI_ALG_HASH hash_alg, TPM2B *key, char *label,
+         TPM2B *context_u, TPM2B *context_v, UINT16 bits,
+         TPM2B_MAX_BUFFER *result_key) {
+@@ -139,3 +147,13 @@ TSS2_RC tpm2_kdfa(TPMI_ALG_HASH hash_alg, TPM2B *key, char *label,
+ 
+     return rval;
+ }
++#ifdef _FORTIFY_SOURCE
++
++#endif
++
++#ifdef _FORTIFY_SOURCE
++#pragma GCC pop_options
++#endif
++
++
++

tpm2-tools.spec

@@ -2,13 +2,18 @@
 
 Name:    tpm2-tools
 Version: 5.5
-Release: 2%{?candidate:.%{candidate}}%{?dist}
+Release: 3%{?candidate:.%{candidate}}%{?dist}
 Summary: A bunch of TPM testing toolS build upon tpm2-tss
 
 License: BSD
 URL:     https://github.com/tpm2-software/tpm2-tools
 Source0: https://github.com/tpm2-software/tpm2-tools/releases/download/%{version}%{?candidate:-%{candidate}}/%{name}-%{version}%{?candidate:-%{candidate}}.tar.gz
 
+# Disable optimization to avoid LTO + FORTIFY_SOURCE=3 issue:
+# https://bugzilla.redhat.com/show_bug.cgi?id=2171376
+# https://github.com/tpm2-software/tpm2-tools/issues/3210
+Patch0: tpm2-tools-fix-fortify.patch
+
 BuildRequires: make
 BuildRequires: gcc-c++
 BuildRequires: libtool
@@ -55,6 +60,10 @@ tpm2-tools is a batch of tools for tpm2.0. It is based on tpm2-tss.
 %{_mandir}/man1/tss2_*.1.gz
 
 %changelog
+* Mon Apr 17 2023 Anderson Toshiyuki Sasaki <ansasaki@redhat.com> - 5.5-3
+- Disable compiler optimization to fix LTO + FORTIFY_SOURCE=3 issue
+  Resolves rhbz#2171376
+
 * Tue Feb 21 2023 Yaakov Selkowitz <yselkowi@redhat.com> - 5.5-2
 - Disable manpage regeneration in RHEL/ELN builds