Fix the skip guard for Mac environment

[yosuke-wolfssl]

Fix test_CheckPasswordHashUnix false-fail on macOS/Darwin

Summary

test_CheckPasswordHashUnix in apps/wolfsshd/test/test_configuration.c
false-fails on macOS (and some BSDs) because the platform crypt(3) does not
implement the $6$ (SHA-512) modular-crypt format. This is a test-harness bug,
not a defect in CheckPasswordHashUnix() itself.

Root cause

The test builds a stored hash with a SHA-512 modular-crypt salt:

const char* salt = "$6$wolfsshtestsalt$";
hash = crypt(correct, salt);

macOS/Darwin libc crypt(3) only supports legacy DES. Given a $6$… salt it
silently falls back to DES, using just the first 2 characters as the salt and
truncating the password to 8 bytes. Both test passwords share their first
8 bytes (wolfssh-), so DES produces an identical hash for the "correct" and
"wrong" passwords. The negative path ("wrong password is rejected") then
genuinely matches, CheckPasswordHashUnix() correctly returns
WSSHD_AUTH_SUCCESS, and the test fails with ret=-1001 (binary exits 23).

The existing skip guard only caught the NULL / * / empty crypt-failure
conventions. The DES fallback returns a valid-looking 13-char hash, so the
guard never tripped and the test proceeded with degenerate coverage.

Fix

Tighten the skip guard to verify crypt() actually honored the $6$ request
before trusting the negative path. A real SHA-512 hash begins with $6$<salt>$;
the DES fallback begins $6l… (no second $), so a WSTRNCMP(hash, "$6$", 3)
prefix check cleanly distinguishes them.

hash = crypt(correct, salt);
if (hash == NULL || hash[0] == '*' || WSTRLEN(hash) == 0 ||
        WSTRNCMP(hash, "$6$", 3) != 0) {
    Log("    crypt() did not honor $6$ SHA-512, skipping.\n");
    return WS_SUCCESS;
}

On glibc-based Linux the $6$ hash is produced as expected and the test runs
normally; only platforms whose crypt(3) lacks $6$ support now skip instead
of false-failing.

Testing

• test_configuration full suite: PASS (exit 0) on macOS — the password
  hash case now logs crypt() did not honor $6$ SHA-512, skipping.

[Copilot]

Pull request overview

This PR fixes a macOS/Darwin-specific false failure in the wolfsshd test suite by tightening the skip guard in test_CheckPasswordHashUnix() so the test only runs when crypt(3) actually produces a $6$ (SHA-512 modular-crypt) hash rather than silently falling back to legacy DES.

Changes:

• Add a runtime guard that verifies crypt() honored the $6$ request by checking the returned hash prefix begins with "$6$".
• Improve the skip message and add an explanatory comment documenting the Darwin/BSD DES-fallback behavior and why it breaks the negative-path test.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[wolfSSL-Fenrir-bot]

Fenrir Automated Review — PR #1040

Scan targets checked: wolfssh-bugs, wolfssh-src

No new issues found in the changed files. ✅