luci-app-snmpd: add strong SNMPv3 crypto options

[micpf]

Add SHA-256, SHA-384, SHA-512, SHA-224 authentication and AES-192,
AES-256 encryption options to the SNMPv3 user configuration.

net-snmp has supported these algorithms for a while, but the LuCI
dropdown only offered SHA(-1), MD5, AES(-128) and DES. Modern security
standards (e.g. EN 18031 CCK-1) require at least 112-bit security
strength, which rules out SHA-1 (80-bit) and DES (56-bit).

The default authentication type is changed from SHA to SHA-256.

The init script already passes auth_type and privacy_type directly to
net-snmp's createUser, so no backend changes are needed.

Tested with net-snmp 5.9.4 on OpenWrt 25.12 (aarch64).

[feckert]

@micpf Please make github action happy

[systemcrash]

ping @ckorber

[ckorber]

@micpf I will look into it. Please sign it with your credentials in the meantime as @feckert suggested. Although it is not mandatory by the workflow it is necessary according to the guideline.

[micpf]

Ok, now signed off with full name.

[ckorber]

Thank you.

@micpf I tested that on my machine:

snmpwalk -v3 -u Test -l authPriv -a SHA-256 -A testword -x AES-256 -X testword 192.168.161.10 
Result: correct snmpwalk

snmpwalk -v3 -u Test -l authPriv -a SHA-512 -A testword -x AES -X testword 192.168.161.10
Result: seems to work also.

But:
 snmpwalk -v3 -u Test -l authPriv -a SHA-512 -A testword -x AES-256 -X testword 192.168.161.10                                                                                          
snmpwalk: Unknown user name

luci-app-snmpd ➤ snmpwalk -v3 -u Test -l authPriv -a SHA -A testword -x AES-256 -X testword 192.168.161.10                                                                                              
snmpwalk: Unknown user name

But User Test is set:

agentaddress UDP:161,UDP6:161
master agentx
agentXSocket /var/run/agentx.sock
sysName <redacted>
sysDescr <redacted>

createUser Test SHA "testword" AES-256 "testword"
rouser Test priv

root@<redacted> ~ # uci show snmpd
snmpd.@agent[0]=agent
snmpd.@agent[0].agentaddress='UDP:161,UDP6:161'
snmpd.@agentx[0]=agentx
snmpd.@agentx[0].agentxsocket='/var/run/agentx.sock'
snmpd.@system[0]=system
snmpd.general=snmpd
snmpd.general.enabled='1'
snmpd.general.ip_protocol='ipv4/ipv6'
snmpd.general.snmp_port='161'
snmpd.general.snmp_version='v3'
snmpd.@v3[0]=v3
snmpd.@v3[0].username='Test'
snmpd.@v3[0].allow_write='0'
snmpd.@v3[0].auth_type='SHA'
snmpd.@v3[0].auth_pass='testword'
snmpd.@v3[0].privacy_type='AES-256'
snmpd.@v3[0].privacy_pass='testword'
snmpd.@v3[0].RestrictOID='no'

Seems that there are also changes necessary in net-snmp

[micpf]

Thanks for testing! I was able to reproduce and investigate the "Unknown user name" issue.

Root cause: stale persistent user data. net-snmp caches created users in /var/net-snmp/snmpd.conf. When you change a user's auth/privacy parameters, the old cached key material remains and the new createUser directive is silently skipped. The user then has mismatched keys and authentication fails.

Fix: Delete /var/net-snmp/snmpd.conf and restart snmpd whenever you change a user's crypto settings. On OpenWrt: rm -f /var/net-snmp/snmpd.conf && /etc/init.d/snmpd restart

Verified all combinations on OpenWrt 25.12 (net-snmp 5.9.4, aarch64):

Auth	Privacy	Result
SHA-256	AES-256	✅ works
SHA-512	AES-256	✅ works
SHA	AES-256	✅ works
SHA	AES	✅ works

Also verified that wrong passwords are properly rejected (no false positives).

net-snmp handles key extension internally for cases where the auth hash output is shorter than the privacy key requirement (e.g. SHA-1 with AES-256), using the Blumenthal key extension algorithm (RFC 3826 / draft-blumenthal-aes-usm-04).

[systemcrash]

Evidently a change in parameters requires a reinit. The way this (sort of) is handled in lldpd is to run an md5 or sha hash over the output config (existing vs new).

Without such a change the behaviour is just a 'bug'.

A fix seems like adding that rm to the init script (not this repo), and triggering a reinit upon config apply (some luci apps do this).

[micpf]

Agreed, the stale persistent user data is a real usability issue. However, the fix belongs in the net-snmp init script (packages repo), not in luci-app-snmpd — the init script should detect config changes and clear /var/net-snmp/snmpd.conf before recreating users.

I'd consider that a separate bug/PR against the net-snmp package. This PR only adds the missing algorithm options to the LuCI dropdown, which is correct regardless of the reinit issue.