CESNET · michalvasko · Jan 5, 2026 · Dec 13, 2025 · Jan 5, 2026
diff --git a/src/server_config.c b/src/server_config.c
@@ -123,7 +123,7 @@ nc_server_config_ssh_opts_free(struct nc_server_ssh_opts *opts)
     struct nc_hostkey *hostkey;
     struct nc_auth_client *auth_client;
     struct nc_public_key *pubkey;
-    LY_ARRAY_COUNT_TYPE i, j;
+    LY_ARRAY_COUNT_TYPE i = 0, j = 0;
 
     if (!opts) {
         return;
@@ -179,7 +179,7 @@ static void
 nc_server_config_tls_opts_free(struct nc_server_tls_opts *opts)
 {
     struct nc_ctn *ctn, *next;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
 
     if (!opts) {
         return;
@@ -243,7 +243,7 @@ static void
 nc_server_config_unix_opts_free(struct nc_server_unix_opts *opts)
 {
     struct nc_server_unix_user_mapping *mapping;
-    LY_ARRAY_COUNT_TYPE i, j;
+    LY_ARRAY_COUNT_TYPE i = 0, j = 0;
 
     if (!opts) {
         return;
@@ -275,7 +275,7 @@ static void
 nc_server_config_keystore_free(struct nc_keystore *ks)
 {
     struct nc_keystore_entry *entry;
-    LY_ARRAY_COUNT_TYPE i, j;
+    LY_ARRAY_COUNT_TYPE i = 0, j = 0;
 
     if (!ks) {
         return;
@@ -309,7 +309,7 @@ nc_server_config_truststore_free(struct nc_truststore *ts)
 {
     struct nc_certificate_bag *cbag;
     struct nc_public_key_bag *pkbag;
-    LY_ARRAY_COUNT_TYPE i, j;
+    LY_ARRAY_COUNT_TYPE i = 0, j = 0;
 
     if (!ts) {
         return;
@@ -359,7 +359,7 @@ nc_server_config_free(struct nc_server_config *config)
     struct nc_endpt *endpt;
     struct nc_ch_client *ch_client;
     struct nc_ch_endpt *ch_endpt;
-    LY_ARRAY_COUNT_TYPE i, j;
+    LY_ARRAY_COUNT_TYPE i = 0, j = 0;
     char *socket_path = NULL;
 
     if (!config) {
@@ -599,7 +599,7 @@ config_local_bind(const struct lyd_node *node, enum nc_operation parent_op, stru
     enum nc_operation op;
     struct nc_bind *bind = NULL;
     const char *local_addr;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
 
     NC_NODE_GET_OP(node, parent_op, &op);
 
@@ -963,7 +963,7 @@ config_ssh_hostkey(const struct lyd_node *node, enum nc_operation parent_op, str
     enum nc_operation op;
     struct nc_hostkey *hostkey = NULL;
     const char *name;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
 
     NC_NODE_GET_OP(node, parent_op, &op);
 
@@ -1104,7 +1104,7 @@ config_ssh_user_public_key(const struct lyd_node *node, enum nc_operation parent
     enum nc_operation op;
     struct lyd_node *n;
     struct nc_public_key *key = NULL;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     const char *name;
 
     NC_NODE_GET_OP(node, parent_op, &op);
@@ -2151,7 +2151,7 @@ config_tls_client_auth_ca_cert(const struct lyd_node *node,
     enum nc_operation op;
     struct lyd_node *n;
     const char *name;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     struct nc_certificate *cert = NULL;
 
     NC_NODE_GET_OP(node, parent_op, &op);
@@ -2274,7 +2274,7 @@ config_tls_client_auth_ee_cert(const struct lyd_node *node,
     enum nc_operation op;
     struct lyd_node *n;
     const char *name;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     struct nc_certificate *cert = NULL;
 
     NC_NODE_GET_OP(node, parent_op, &op);
@@ -3068,7 +3068,7 @@ static int
 config_unix_user_mapping_netconf_user(const struct lyd_node *node, enum nc_operation parent_op, struct nc_server_unix_user_mapping *mapping)
 {
     enum nc_operation op;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     const char *user;
     char **allowed_user;
 
@@ -3126,7 +3126,7 @@ config_unix_user_mapping(const struct lyd_node *node, enum nc_operation parent_o
     enum nc_operation op;
     struct nc_server_unix_user_mapping *mapping = NULL;
     const char *system_user;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     struct ly_set *set = NULL;
     uint32_t j;
 
@@ -3262,7 +3262,7 @@ config_endpoint(const struct lyd_node *node, enum nc_operation parent_op,
     enum nc_operation op;
     struct nc_endpt *endpt = NULL;
     const char *name;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     int r;
 
     NC_NODE_GET_OP(node, parent_op, &op);
@@ -3601,7 +3601,7 @@ config_ch_client_endpoint(const struct lyd_node *node, enum nc_operation parent_
     struct lyd_node *n;
     enum nc_operation op;
     const char *name;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     struct nc_ch_endpt *endpt = NULL;
 
     NC_NODE_GET_OP(node, parent_op, &op);
@@ -3855,7 +3855,7 @@ config_netconf_client(const struct lyd_node *node, enum nc_operation parent_op,
     struct lyd_node *n;
     enum nc_operation op;
     const char *name;
-    LY_ARRAY_COUNT_TYPE i, j;
+    LY_ARRAY_COUNT_TYPE i = 0, j = 0;
     struct nc_ch_client *ch_client = NULL;
 
     NC_NODE_GET_OP(node, parent_op, &op);
@@ -4097,7 +4097,7 @@ config_asymmetric_key_cert(const struct lyd_node *node, enum nc_operation parent
     enum nc_operation op;
     struct nc_certificate *cert = NULL;
     const char *name;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
 
     NC_NODE_GET_OP(node, parent_op, &op);
 
@@ -4167,7 +4167,7 @@ config_asymmetric_key(const struct lyd_node *node, enum nc_operation parent_op,
     enum nc_operation op;
     const char *name;
     struct nc_keystore_entry *entry = NULL;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
 
     NC_NODE_GET_OP(node, parent_op, &op);
 
@@ -4382,7 +4382,7 @@ config_certificate_bag_cert(const struct lyd_node *node, enum nc_operation paren
     enum nc_operation op;
     struct nc_certificate *cert = NULL;
     const char *name;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
 
     NC_NODE_GET_OP(node, parent_op, &op);
 
@@ -4436,7 +4436,7 @@ config_certificate_bag(const struct lyd_node *node, enum nc_operation parent_op,
     enum nc_operation op;
     const char *name;
     struct nc_certificate_bag *bag = NULL;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     uint32_t j;
     struct ly_set *set = NULL;
 
@@ -4569,7 +4569,7 @@ config_public_key_bag_pubkey(const struct lyd_node *node, enum nc_operation pare
     enum nc_operation op;
     const char *name;
     struct nc_public_key *pubkey = NULL;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
 
     NC_NODE_GET_OP(node, parent_op, &op);
 
@@ -4621,7 +4621,7 @@ config_public_key_bag(const struct lyd_node *node, enum nc_operation parent_op,
     enum nc_operation op;
     const char *name;
     struct nc_public_key_bag *bag = NULL;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     struct ly_set *set = NULL;
     uint32_t j;
 
@@ -4848,7 +4848,7 @@ config_cert_exp_notif_interval(const struct lyd_node *node, enum nc_operation pa
     struct lyd_node *anchor_node, *period_node;
     enum nc_operation op;
     const char *anchor_str, *period_str;
-    uint32_t i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     struct nc_cert_exp_time anchor = {0}, period = {0};
     struct nc_cert_exp_time_interval *interval = NULL;
 
@@ -5238,7 +5238,7 @@ nc_server_config_reconcile_chclients_dispatch(struct nc_server_config *old_cfg,
     struct nc_ch_client *old_ch_client, *new_ch_client;
     struct nc_server_ch_thread_arg **ch_thread_arg;
     int found;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     char **started_clients = NULL, **client_name = NULL;
 
     if (!server_opts.ch_dispatch_data.acquire_ctx_cb || !server_opts.ch_dispatch_data.release_ctx_cb ||
@@ -5752,7 +5752,7 @@ static int
 nc_server_config_truststore_dup(const struct nc_truststore *src, struct nc_truststore *dst)
 {
     int rc = 0;
-    LY_ARRAY_COUNT_TYPE i, j;
+    LY_ARRAY_COUNT_TYPE i = 0, j = 0;
     const struct nc_certificate_bag *src_cbag;
     struct nc_certificate_bag *dst_cbag;
     const struct nc_certificate *src_cert;
@@ -6492,7 +6492,7 @@ nc_server_config_oper_get_user_password_last_modified(const char *ch_client, con
         const char *username, time_t *last_modified)
 {
     int rc = 0;
-    LY_ARRAY_COUNT_TYPE i;
+    LY_ARRAY_COUNT_TYPE i = 0;
     struct nc_server_ssh_opts *ssh_opts = NULL;
     struct nc_endpt *endpt = NULL;
     struct nc_ch_client *client = NULL;

diff --git a/src/server_config_util_ssh.c b/src/server_config_util_ssh.c
@@ -495,15 +495,31 @@ _nc_server_config_add_ssh_user_password(const struct ly_ctx *ctx, const char *tr
         const char *password, struct lyd_node **config)
 {
     int ret = 0;
+    size_t i;
     char *hashed_pw = NULL;
-    const char *salt = "$6$idsizuippipk$";
+    char salt[3 /* "$6$" */ + 16 /* random chars */ + 1 /* trailing '$' */ + 1 /* NUL */];
     struct crypt_data *cdata = NULL;
-
-    NC_CHECK_ARG_RET(NULL, ctx, tree_path, password, config, 1);
+    unsigned char rnd[16];
+    static const char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 
     cdata = calloc(1, sizeof *cdata);
     NC_CHECK_ERRMEM_GOTO(!cdata, ret = 1, cleanup);
 
+    /* generate a random salt compatible with crypt SHA-512: "$6$<salt>$" */
+    if (nc_tls_generate_random_bytes_wrap(rnd, sizeof rnd)) {
+        ret = 1;
+        goto cleanup;
+    }
+
+    salt[0] = '$';
+    salt[1] = '6';
+    salt[2] = '$';
+    for (i = 0; i < sizeof rnd; ++i) {
+        salt[3 + i] = itoa64[rnd[i] % 64];
+    }
+    salt[3 + sizeof rnd] = '$';
+    salt[3 + sizeof rnd + 1] = '\0';
+
     hashed_pw = crypt_r(password, salt, cdata);
     if (!hashed_pw) {
         ERR(NULL, "Hashing password failed (%s).", strerror(errno));

diff --git a/src/session_mbedtls.c b/src/session_mbedtls.c
@@ -2478,3 +2478,26 @@ nc_tls_keylog_session_wrap(void *session)
 {
     mbedtls_ssl_set_export_keys_cb(session, nc_tls_keylog_write_line, NULL);
 }
+
+int
+nc_tls_generate_random_bytes_wrap(void *buf, size_t num)
+{
+    int rc = 0;
+    mbedtls_ctr_drbg_context *ctr_drbg = NULL;
+    mbedtls_entropy_context *entropy = NULL;
+
+    rc = nc_tls_rng_new(&ctr_drbg, &entropy);
+    if (rc) {
+        goto cleanup;
+    }
+
+    rc = mbedtls_ctr_drbg_random(ctr_drbg, buf, num);
+    if (rc) {
+        nc_mbedtls_strerr(NULL, rc, "Creating random bytes failed");
+        goto cleanup;
+    }
+
+cleanup:
+    nc_tls_rng_destroy(ctr_drbg, entropy);
+    return rc;
+}
diff --git a/src/session_openssl.c b/src/session_openssl.c
@@ -40,6 +40,7 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
+#include <openssl/rand.h>
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
@@ -1975,3 +1976,14 @@ nc_tls_keylog_session_wrap(void *session)
 
     SSL_CTX_set_keylog_callback(ctx, nc_tls_keylog_write_line);
 }
+
+int
+nc_tls_generate_random_bytes_wrap(void *buf, size_t num)
+{
+    if (RAND_bytes(buf, (int)num) != 1) {
+        ERR(NULL, "Generating random bytes failed (%s).", ERR_reason_error_string(ERR_get_error()));
+        return 1;
+    }
+
+    return 0;
+}
diff --git a/src/session_wrapper.h b/src/session_wrapper.h
@@ -757,4 +757,13 @@ time_t nc_tls_get_cert_exp_time_wrap(void *cert);
  */
 void nc_tls_keylog_session_wrap(void *session);
 
+/**
+ * @brief Generate random bytes.
+ *
+ * @param[in] buf Buffer to fill with random bytes.
+ * @param[in] num Number of random bytes to generate. Caller is responsible for ensuring the buffer is large enough.
+ * @return 0 on success, 1 on error.
+ */
+int nc_tls_generate_random_bytes_wrap(void *buf, size_t num);
+
 #endif