Migrate to PCRE2

.github/workflows/job-static-check.yml

@@ -41,7 +41,7 @@ jobs:
         sudo apt-get install -y dpkg-dev debhelper g++ libncurses5 pkg-config \
           build-essential libpam0g-dev fakeroot gcc make autoconf buildah \
           liblmdb-dev libacl1-dev libcurl4-openssl-dev libyaml-dev libxml2-dev \
-          libssl-dev libpcre3-dev
+          libssl-dev libpcre2-dev
 
     - name: Run Autogen
       run: NO_CONFIGURE=1 PROJECT=community ./buildscripts/build-scripts/autogen

.github/workflows/macos_unit_tests.yml

@@ -11,7 +11,7 @@ jobs:
       with:
         submodules: recursive
     - name: Install dependencies
-      run: brew install lmdb automake openssl pcre
+      run: brew install lmdb automake openssl pcre2
     - name: Run autotools / configure
       run: ./autogen.sh --enable-debug
     - name: Compile and link

CONTRIBUTING.md

@@ -294,7 +294,7 @@ Keep in mind that these are guidelines, there will always be some situations whe
   ```
   AM_CFLAGS = \
   <TAB>$(OPENSSL_CFLAGS) \
-  <TAB>$(PCRE_CFLAGS) \
+  <TAB>$(PCRE2_CFLAGS) \
   <TAB>$(ENTERPRISE_CFLAGS)
   ```
 * Inside an `if`, you cannot indent with tabs (lines will be silently skipped):

INSTALL

@@ -16,7 +16,7 @@ In order to build CFEngine you need the following tools and libraries installed:
 
 * PAM library
 * OpenSSL library
-* PCRE library
+* PCRE2 library
 * POSIX threads (pthreads) library, if not provided by the operating system
 * Latest available LMDB (Lightning Memory-mapped DataBase), Tokyo Cabinet or QDBM
 
@@ -119,33 +119,33 @@ $ sudo yum install epel-release && sudo yum update
 Or on RHEL, replacing the version number with yours:
 $ sudo subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms && sudo yum update
 
-$ sudo yum install -y gcc gdb make git libtool autoconf automake byacc flex openssl-devel pcre-devel lmdb-devel pam-devel flex-devel libyaml-devel fakeroot libxml2-devel
+$ sudo yum install -y gcc gdb make git libtool autoconf automake byacc flex openssl-devel pcre2-devel lmdb-devel pam-devel flex-devel libyaml-devel fakeroot libxml2-devel
 
 For SELinux support you will need selinux-policy-devel package and specify `--with-selinux-policy` to `autogen.sh` or `configure`
 
 * Debian (Debian 12 2023-10-09)
 
-$ sudo apt-get install -y build-essential git libtool autoconf automake bison flex libssl-dev libpcre3-dev libbison-dev libacl1 libacl1-dev lmdb-utils liblmdb-dev libpam0g-dev libtool libyaml-dev libxml2-dev
+$ sudo apt-get install -y build-essential git libtool autoconf automake bison flex libssl-dev libpcre2-dev libbison-dev libacl1 libacl1-dev lmdb-utils liblmdb-dev libpam0g-dev libtool libyaml-dev libxml2-dev
 
 * FreeBSD (12.1 2020-04-07)
 
 See docs/BSD.md
 
 * SUSE (Tumbleweed 2020-02-02)
 
-$ sudo zypper install gdb gcc make lmdb autoconf automake libtool git python3 pcre-devel libopenssl-devel pam-devel
+$ sudo zypper install gdb gcc make lmdb autoconf automake libtool git python3 pcre2-devel libopenssl-devel pam-devel
 
 * AlpineOS (3.11.3 x86_64 2020-04-13)
 
-$ sudo apk add alpine-sdk lmdb-dev openssl-dev bison flex-dev acl-dev pcre-dev autoconf automake libtool git python3 gdb
+$ sudo apk add alpine-sdk lmdb-dev openssl-dev bison flex-dev acl-dev pcre2-dev autoconf automake libtool git python3 gdb
 $ ./autogen.sh --without-pam
 
 * Termux (2020-04-24)
 
-$ pkg install build-essential git autoconf automake bison flex liblmdb openssl pcre libacl libyaml
+$ pkg install build-essential git autoconf automake bison flex liblmdb openssl pcre2 libacl libyaml
 $ ./autogen.sh --without-pam
 
 * OSX (2021-10-20)
 
-brew install openssl lmdb autoconf automake libtool bison flex pcre m4 gcc make
+brew install openssl lmdb autoconf automake libtool bison flex pcre2 m4 gcc make
 ./autogen.sh --enable-debug

LICENSE

@@ -7,7 +7,7 @@ This file contains a copy of:
 
 CFEngine is provided under the terms of the GNU General Public License version 3
 (below), with explicit permission to link with the OpenSSL library, BerkeleyDB
-library and and PCRE library.
+library and PCRE2 library.
 
 On some systems, code under the Frontier Artistic License
 (/libcompat/snprintf) might become compiled. This is compatible with the

cf-agent/Makefile.am

@@ -30,7 +30,7 @@ AM_CPPFLAGS = -I$(srcdir)/../libpromises -I$(srcdir)/../libntech/libutils \
 	@CPPFLAGS@ \
 	$(ENTERPRISE_CPPFLAGS) \
 	$(OPENSSL_CPPFLAGS) \
-	$(PCRE_CPPFLAGS) \
+	$(PCRE2_CPPFLAGS) \
 	$(LIBVIRT_CPPFLAGS) \
 	$(POSTGRESQL_CPPFLAGS) \
 	$(MYSQL_CPPFLAGS) \
@@ -41,7 +41,7 @@ AM_CFLAGS = \
 	@CFLAGS@ \
 	$(ENTERPRISE_CFLAGS) \
 	$(OPENSSL_CFLAGS) \
-	$(PCRE_CFLAGS) \
+	$(PCRE2_CFLAGS) \
 	$(LIBVIRT_CFLAGS) \
 	$(POSTGRESQL_CFLAGS) \
 	$(MYSQL_CFLAGS) \
@@ -51,7 +51,7 @@ AM_CFLAGS = \
 AM_LDFLAGS = \
 	@LDFLAGS@ \
 	$(OPENSSL_LDFLAGS) \
-	$(PCRE_LDFLAGS) \
+	$(PCRE2_LDFLAGS) \
 	$(LIBVIRT_LDFLAGS) \
 	$(POSTGRESQL_LDFLAGS) \
 	$(MYSQL_LDFLAGS) \
@@ -64,7 +64,7 @@ endif
 
 libcf_agent_la_LIBADD = ../libpromises/libpromises.la \
 	$(OPENSSL_LIBS) \
-	$(PCRE_LIBS) \
+	$(PCRE2_LIBS) \
 	$(LIBVIRT_LIBS) \
 	$(POSTGRESQL_LIBS) \
 	$(MYSQL_LIBS) \

cf-agent/files_editxml.c

@@ -24,7 +24,6 @@
 
 #include <cf3.defs.h>
 
-#include <pcre.h>
 #include <actuator.h>
 #include <eval_context.h>
 #include <promises.h>
@@ -42,6 +41,7 @@
 #include <policy.h>
 #include <ornaments.h>
 #include <verify_classes.h>
+#include <regex.h>              /* StringMatch() */
 
 enum editxmltypesequence
 {
@@ -2981,20 +2981,7 @@ xmlChar *CharToXmlChar(char c[CF_BUFSIZE])
 
 static bool ContainsRegex(const char* rawstring, const char* regex)
 {
-    int ovector[OVECCOUNT], rc;
-    const char *errorstr;
-    int erroffset;
-
-    pcre *rx = pcre_compile(regex, 0, &errorstr, &erroffset, NULL);
-
-    if ((rc = pcre_exec(rx, NULL, rawstring, strlen(rawstring), 0, 0, ovector, OVECCOUNT)) >= 0)
-    {
-        pcre_free(rx);
-        return true;
-    }
-
-    pcre_free(rx);
-    return false;
+    return StringMatch(regex, rawstring, NULL, NULL);
 }
 
 /*********************************************************************/

cf-agent/verify_users_pam.c

@@ -35,6 +35,7 @@
 #include <files_lib.h>
 #include <eval_context.h>
 #include <regex.h> // CompileRegex()
+#include <buffer.h> // BufferData()
 
 #include <cf3.defs.h>
 #include <verify_methods.h>
@@ -146,8 +147,8 @@ static bool GetAIXShadowHash(const char *puser, const char **result)
     size_t puser_len = strlen(puser);
     char name_regex_str[strlen(puser) + 3];
 
-    pcre *name_regex = CompileRegex("^(\\S+):");
-    pcre *hash_regex = CompileRegex("^\\s+password\\s*=\\s*(\\S+)");
+    Regex *name_regex = CompileRegex("^(\\S+):");
+    Regex *hash_regex = CompileRegex("^\\s+password\\s*=\\s*(\\S+)");
     bool in_user_section = false;
 
     while (true)
@@ -162,13 +163,13 @@ static bool GetAIXShadowHash(const char *puser, const char **result)
             goto end;
         }
 
-        int submatch_vec[6];
 
-        int pcre_result = pcre_exec(name_regex, NULL, buf, strlen(buf), 0, 0, submatch_vec, 6);
-        if (pcre_result >= 0)
+        size_t match_start;
+        size_t match_end;
+        if (StringMatchWithPrecompiledRegex(name_regex, buf, &match_start, &match_end))
         {
-            if (submatch_vec[3] - submatch_vec[2] == puser_len
-                && strncmp(buf + submatch_vec[2], puser, puser_len) == 0)
+            /* Compare the part without the ':' */
+            if (StringEqualN(buf, puser, match_end - match_start - 1))
             {
                 in_user_section = true;
             }
@@ -178,35 +179,27 @@ static bool GetAIXShadowHash(const char *puser, const char **result)
             }
             continue;
         }
-        else if (pcre_result != PCRE_ERROR_NOMATCH)
-        {
-            errno = EINVAL;
-            goto end;
-        }
-
         if (!in_user_section)
         {
             continue;
         }
 
-        pcre_result = pcre_exec(hash_regex, NULL, buf, strlen(buf), 0, 0, submatch_vec, 6);
-        if (pcre_result >= 0)
+        Seq *captures = StringMatchCapturesWithPrecompiledRegex(hash_regex, buf, false);
+        if (captures != NULL)
         {
-            memcpy(hash_buf, buf + submatch_vec[2], submatch_vec[3] - submatch_vec[2]);
+            /* captures are buffers, the first one being the full match, the
+             * second being the first capture group, etc. */
+            StringCopy(BufferData(SeqAt(captures, 1)), hash_buf, sizeof(hash_buf));
             *result = hash_buf;
             ret = true;
-            goto end;
-        }
-        else if (pcre_result != PCRE_ERROR_NOMATCH)
-        {
-            errno = EINVAL;
+            SeqDestroy(captures);
             goto end;
         }
     }
 
 end:
-    pcre_free(name_regex);
-    pcre_free(hash_regex);
+    RegexDestroy(name_regex);
+    RegexDestroy(hash_regex);
     free(buf);
     fclose(fptr);
     return ret;

cf-check/Makefile.am

@@ -27,28 +27,28 @@ AM_CPPFLAGS = -I$(srcdir)/../libntech/libutils \
 	-I$(srcdir)/../libntech/libcompat \
 	-I$(srcdir)/../libcfecompat \
 	@CPPFLAGS@ \
-	$(PCRE_CPPFLAGS) \
+	$(PCRE2_CPPFLAGS) \
 	$(LIBYAML_CPPFLAGS) \
 	$(LMDB_CPPFLAGS) \
 	$(OPENSSL_CPPFLAGS)
 
 AM_CFLAGS = \
 	@CFLAGS@ \
 	$(LMDB_CFLAGS) \
-	$(PCRE_CFLAGS) \
+	$(PCRE2_CFLAGS) \
 	$(LIBYAML_CFLAGS) \
 	$(PTHREAD_CFLAGS)
 
 AM_LDFLAGS = \
 	@LDFLAGS@ \
-	$(PCRE_LDFLAGS) \
+	$(PCRE2_LDFLAGS) \
 	$(LIBYAML_LDFLAGS) \
 	$(LMDB_LDFLAGS)
 
 libcf_check_la_LIBADD = ../libntech/libutils/libutils.la \
 	../libcfecompat/libcfecompat.la \
 	$(LMDB_LIBS) \
-	$(PCRE_LIBS) \
+	$(PCRE2_LIBS) \
 	$(LIBYAML_LIBS) \
 	$(PTHREAD_LIBS) \
 	$(OPENSSL_LIBS)

cf-execd/Makefile.am

@@ -30,12 +30,12 @@ AM_CPPFLAGS = \
 	-I$(srcdir)/../libcfnet \
 	-I$(srcdir)/../libenv \
 	-I$(srcdir)/../cf-check \
-	$(PCRE_CPPFLAGS) \
+	$(PCRE2_CPPFLAGS) \
 	$(OPENSSL_CPPFLAGS) \
 	$(ENTERPRISE_CPPFLAGS)
 
 AM_CFLAGS = \
-	$(PCRE_CFLAGS) \
+	$(PCRE2_CFLAGS) \
 	$(OPENSSL_CFLAGS) \
 	$(PTHREAD_CFLAGS) \
 	$(ENTERPRISE_CFLAGS)

cf-execd/cf-execd-runner.c

@@ -447,20 +447,13 @@ static bool CompareResultEqualOrFiltered(const ExecConfig *config,
     FILE *new_fp = safe_fopen(filename, "r");
     if (new_fp)
     {
-        const char *errptr;
-        int erroffset;
-        pcre_extra *regex_extra = NULL;
         // Match timestamps and remove them. Not Y21K safe! :-)
-        pcre *regex = pcre_compile(LOGGING_TIMESTAMP_REGEX, PCRE_MULTILINE, &errptr, &erroffset, NULL);
+        Regex *regex = CompileRegex(LOGGING_TIMESTAMP_REGEX);
         if (!regex)
         {
             UnexpectedError("Compiling regular expression failed");
             rtn = false;
         }
-        else
-        {
-            regex_extra = pcre_study(regex, 0, &errptr);
-        }
 
         size_t old_line_size = CF_BUFSIZE;
         char *old_line = xmalloc(old_line_size);
@@ -508,15 +501,15 @@ static bool CompareResultEqualOrFiltered(const ExecConfig *config,
 
             // Remove timestamps from lines before comparison.
             char *index;
-            if (pcre_exec(regex, regex_extra, old_msg, strlen(old_msg), 0, 0, NULL, 0) >= 0)
+            if (StringMatchWithPrecompiledRegex(regex, old_msg, NULL, NULL))
             {
                 index = strstr(old_msg, ": ");
                 if (index != NULL)
                 {
                     old_msg = index + 2;
                 }
             }
-            if (pcre_exec(regex, regex_extra, new_msg, strlen(new_msg), 0, 0, NULL, 0) >= 0)
+            if (StringMatchWithPrecompiledRegex(regex, new_msg, NULL, NULL))
             {
                 index = strstr(new_msg, ": ");
                 if (index != NULL)
@@ -535,11 +528,7 @@ static bool CompareResultEqualOrFiltered(const ExecConfig *config,
         free(old_line);
         free(new_line);
 
-        if (regex_extra)
-        {
-            free(regex_extra);
-        }
-        pcre_free(regex);
+        RegexDestroy(regex);
     }
     else
     {