From 45f3b96b6659fd34edcd55e31deae14663f56704 Mon Sep 17 00:00:00 2001
From: Yosuke Shimizu
Date: Tue, 16 Jun 2026 16:56:49 +0900
Subject: [PATCH] Update the skip guard for Mac environment
---
 apps/wolfsshd/test/test_configuration.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/apps/wolfsshd/test/test_configuration.c b/apps/wolfsshd/test/test_configuration.c
index cac8585c7..33aa6096a 100644
--- a/apps/wolfsshd/test/test_configuration.c
+++ b/apps/wolfsshd/test/test_configuration.c
@@ -630,8 +630,14 @@ static int test_CheckPasswordHashUnix(void)
 int rc;
 hash = crypt(correct, salt);
- if (hash == NULL || hash[0] == '*' || WSTRLEN(hash) == 0) {
- Log(" crypt() unavailable or refused salt, skipping.\n");
+ /* Skip if crypt() did not honor the $6$ SHA-512 request. macOS/Darwin and
+ * some BSD libc only implement legacy DES, which ignores the modular salt,
+ * truncates the password to 8 bytes, and returns a valid-looking 13-char
+ * hash that begins "$6l..." (no second '$'). A real $6$ hash begins with
+ * "$6$$", so the prefix check cleanly distinguishes them. */
+ if (hash == NULL || hash[0] == '*' || WSTRLEN(hash) == 0 ||
+ WSTRNCMP(hash, "$6$", 3) != 0) {
+ Log(" crypt() did not honor $6$ SHA-512, skipping.\n");
 return WS_SUCCESS;
 }
 if (WSTRLEN(hash) >= sizeof(stored)) {
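Review bot: The new comment says a real hash begins with `"$6$$"`, but the guard compares only the three-character prefix `"$6$"`. Because `salt` is defined outside this hunk, the four-character claim cannot be confirmed from here and only holds if the salt field is empty. I would reword the last comment sentence to match the check, e.g. `A real SHA-512 hash keeps the "$6$" prefix, so the prefix check distinguishes them.` The skip path still returns `WS_SUCCESS`, so on a libc without SHA-512 `crypt()` the password-hash check runs with no coverage and reports a pass. The `Log` line is the only trace of that, so the comment should say so, or the runner should count skips separately if it has a way to. The body of `test_CheckPasswordHashUnix` begins before and continues past this hunk.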