wolfsshd: fix Match User/Group directive misparse

[yosuke-wolfssl]

Summary

Match User/Match Group directives in wolfsshd were misparsed, allowing an authentication-policy bypass.

AddRestrictedCase() located the User/Group keyword in a Match directive value with XSTRSTR — an unanchored substring search. When a user name contained the substring Group (e.g. GroupAdmin), the Group pass matched inside that token and extracted a spurious groupAppliesTo value (Admin). Symmetrically, a group name containing User (e.g. UserStaff) produced a ghost usrAppliesTo. wolfSSHD_GetUserConf() then exact-matched these ghost tokens at every authentication attempt, so any OS account whose name or primary group equaled a ghost token inherited the Match block's overrides (e.g. PasswordAuthentication yes overriding a global no) — bypassing the intended per-user policy. The reverse direction incorrectly denied access to unrelated users.

Fix

Replaced the per-keyword substring search with a positional token-pair parser (ParseMatchCriteria) that walks the value as whitespace-separated tokens:

• A User/Group keyword is matched as an exact whole token.
• The token immediately following a keyword is taken literally as the name and is never re-examined as a keyword — so a principal named like the opposite keyword (Match User Group, a user literally named Group) is handled by position, not by substring.
• A recognized keyword with no following name (e.g. a bare Match User) is now a configuration error (fail-closed), instead of being silently accepted as a dead node that quietly discarded the admin's subsequent settings.
• Unrecognized Match criteria are still ignored (kept lenient toward criteria wolfsshd does not yet support).

Also:

• Removing XSTRSTR eliminates an empty-keyword infinite-loop edge case.
• Fixed a pre-existing leak in HandleMatch: the per-match config node was allocated but neither linked nor freed when criteria parsing failed.

Tests

Added regression tests in apps/wolfsshd/test/test_configuration.c:

Test	Covers
test_GetUserConfMatchSubstring	user name containing Group → no ghost group token
test_GetUserConfMatchSubstringGroup	group name containing User → no ghost user token
test_GetUserConfMatchLiteralKeywordName	Match User Group → user named Group, group unset
test_GetUserConfMatchBareKeyword	bare Match User → fail-closed
test_GetUserConfMatchRepeatedKeyword	Match User a User b → free-then-replace path
test_GetUserConfMatchUserAndGroup	both criteria on one line → both names extracted

Verification

• Full test_configuration suite passes.
• Each new test was validated with a negative control — it fails against the unfixed/regressed code and passes with the fix.

[Copilot]

Pull request overview

This PR fixes a security-relevant misparse of Match User / Match Group directives in wolfsshd by replacing an unanchored substring search with a positional token-pair parser, preventing “ghost” user/group tokens from unintentionally inheriting Match-block authentication overrides.

Changes:

• Replaced the old Match criteria extraction logic with ParseMatchCriteria() that matches User/Group as whole tokens and consumes the following token as the literal principal name.
• Made bare recognized keywords (e.g., Match User) fail closed (configuration error) and fixed an error-path leak by freeing an unlinked Match config node on parse failure.
• Added regression tests covering substring/keyword-name edge cases, repeated keywords, bare keywords, and combined user+group criteria.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
apps/wolfsshd/configuration.c	Introduces positional parsing for Match criteria and fixes error-path memory handling.
apps/wolfsshd/test/test_configuration.c	Adds regression tests to prevent reintroduction of the Match User/Group misparse and related edge cases.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1039

Scan targets checked: wolfssh-bugs, wolfssh-src
Findings: 2
1 finding(s) posted as inline comments (see file-level comments below)

Low (1)

Stale leftover comment

Function: ParseMatchCriteria
Category: Code Quality

A stale leftover comment exists at line 874, not a security concern but indicates incomplete cleanup.

Recommendation: Remove the stale comment to maintain code cleanliness.

---

This review was generated automatically by Fenrir. Findings are non-blocking.