From e01ba500f8e1aa424d59c5817a69930924083b2d Mon Sep 17 00:00:00 2001 From: Mrityunjay Raj Date: Mon, 11 May 2026 17:40:11 +0530 Subject: [PATCH 1/2] legacy: move legacy AES-CTR key classes into borg.legacy.crypto, refs #9556 --- src/borg/crypto/key.py | 48 ++++-------------------------- src/borg/legacy/crypto/__init__.py | 0 src/borg/legacy/crypto/key.py | 42 ++++++++++++++++++++++++++ 3 files changed, 47 insertions(+), 43 deletions(-) create mode 100644 src/borg/legacy/crypto/__init__.py create mode 100644 src/borg/legacy/crypto/key.py diff --git a/src/borg/crypto/key.py b/src/borg/crypto/key.py index 1b8e00044..30044bf92 100644 --- a/src/borg/crypto/key.py +++ b/src/borg/crypto/key.py @@ -29,7 +29,7 @@ from ..repoobj import RepoObj from .low_level import AES, bytes_to_int, num_cipher_blocks, hmac_sha256, blake2b_256 -from .low_level import AES256_CTR_HMAC_SHA256, AES256_CTR_BLAKE2b, AES256_OCB, CHACHA20_POLY1305 +from .low_level import AES256_OCB, CHACHA20_POLY1305 from . import low_level # workaround for lost passphrase or key in "authenticated" or "authenticated-blake2" mode 
@@ -729,40 +729,10 @@ class FlexiKey: raise TypeError("Unsupported borg key storage type") -class KeyfileKey(ID_HMAC_SHA_256, AESKeyBase, FlexiKey): - TYPES_ACCEPTABLE = {KeyType.KEYFILE, KeyType.REPO, KeyType.PASSPHRASE} - TYPE = KeyType.KEYFILE - NAME = "key file" - ARG_NAME = "keyfile" - STORAGE = KeyBlobStorage.KEYFILE - CIPHERSUITE = AES256_CTR_HMAC_SHA256 - - -class RepoKey(ID_HMAC_SHA_256, AESKeyBase, FlexiKey): - TYPES_ACCEPTABLE = {KeyType.KEYFILE, KeyType.REPO, KeyType.PASSPHRASE} - TYPE = KeyType.REPO - NAME = "repokey" - ARG_NAME = "repokey" - STORAGE = KeyBlobStorage.REPO - CIPHERSUITE = AES256_CTR_HMAC_SHA256 - - -class Blake2KeyfileKey(ID_BLAKE2b_256, AESKeyBase, FlexiKey): - TYPES_ACCEPTABLE = {KeyType.BLAKE2KEYFILE, KeyType.BLAKE2REPO} - TYPE = KeyType.BLAKE2KEYFILE - NAME = "key file BLAKE2b" - ARG_NAME = "keyfile-blake2" - STORAGE = KeyBlobStorage.KEYFILE - CIPHERSUITE = AES256_CTR_BLAKE2b - - -class Blake2RepoKey(ID_BLAKE2b_256, AESKeyBase, FlexiKey): - TYPES_ACCEPTABLE = {KeyType.BLAKE2KEYFILE, KeyType.BLAKE2REPO} - TYPE = KeyType.BLAKE2REPO - NAME = "repokey BLAKE2b" - ARG_NAME = "repokey-blake2" - STORAGE = KeyBlobStorage.REPO - CIPHERSUITE = AES256_CTR_BLAKE2b +# legacy imports placed after FlexiKey/AESKeyBase/KeyBase so those names are already +# in the partial module when legacy/crypto/key.py imports them back during circular load +from ..legacy.crypto.key import KeyfileKey, RepoKey, Blake2KeyfileKey, Blake2RepoKey # noqa: E402 +from ..legacy.crypto.key import LEGACY_KEY_TYPES # noqa: E402 class AuthenticatedKeyBase(AESKeyBase, FlexiKey): @@ -1002,14 +972,6 @@ class Blake2CHPORepoKey(ID_BLAKE2b_256, AEADKeyBase, FlexiKey): CIPHERSUITE = CHACHA20_POLY1305 -LEGACY_KEY_TYPES = ( - # legacy (AES-CTR based) crypto - KeyfileKey, - RepoKey, - Blake2KeyfileKey, - Blake2RepoKey, -) - AVAILABLE_KEY_TYPES = ( # these are available encryption modes for new repositories # not encrypted modes 
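Review bot: The two `from ..legacy.crypto.key import …` lines added after `FlexiKey` in the `-729,40 +729,10` hunk make `borg.crypto.key` and `borg.legacy.crypto.key` depend on load order, and the comment only covers the case where `borg.crypto.key` is imported first. If `borg.legacy.crypto.key` is imported first, this import runs while that module is still partially initialised and `KeyfileKey` is not yet defined, so it would presumably raise ImportError. I would state the constraint in the comment, e.g. `# NOTE: import borg.crypto.key first; importing borg.legacy.crypto.key directly hits the partially initialised module`, and add a test that imports the legacy module in a fresh interpreter. The comment also names `KeyBase`, which the legacy module does not import. The later hunk on this line, which removes `LEGACY_KEY_TYPES`, relies on the same re-export, so lookups through `borg.crypto.key.LEGACY_KEY_TYPES` depend on this import succeeding.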
diff --git a/src/borg/legacy/crypto/__init__.py b/src/borg/legacy/crypto/__init__.py new file mode 100644 index 000000000..e69de29bb diff --git a/src/borg/legacy/crypto/key.py b/src/borg/legacy/crypto/key.py new file mode 100644 index 000000000..b9fd954a8 --- /dev/null +++ b/src/borg/legacy/crypto/key.py @@ -0,0 +1,42 @@ +from ...constants import * # NOQA +from ...crypto.low_level import AES256_CTR_HMAC_SHA256, AES256_CTR_BLAKE2b +from ...crypto.key import ID_HMAC_SHA_256, ID_BLAKE2b_256, AESKeyBase, FlexiKey + + +class KeyfileKey(ID_HMAC_SHA_256, AESKeyBase, FlexiKey): + TYPES_ACCEPTABLE = {KeyType.KEYFILE, KeyType.REPO, KeyType.PASSPHRASE} + TYPE = KeyType.KEYFILE + NAME = "key file" + ARG_NAME = "keyfile" + STORAGE = KeyBlobStorage.KEYFILE + CIPHERSUITE = AES256_CTR_HMAC_SHA256 + + +class RepoKey(ID_HMAC_SHA_256, AESKeyBase, FlexiKey): + TYPES_ACCEPTABLE = {KeyType.KEYFILE, KeyType.REPO, KeyType.PASSPHRASE} + TYPE = KeyType.REPO + NAME = "repokey" + ARG_NAME = "repokey" + STORAGE = KeyBlobStorage.REPO + CIPHERSUITE = AES256_CTR_HMAC_SHA256 + + +class Blake2KeyfileKey(ID_BLAKE2b_256, AESKeyBase, FlexiKey): + TYPES_ACCEPTABLE = {KeyType.BLAKE2KEYFILE, KeyType.BLAKE2REPO} + TYPE = KeyType.BLAKE2KEYFILE + NAME = "key file BLAKE2b" + ARG_NAME = "keyfile-blake2" + STORAGE = KeyBlobStorage.KEYFILE + CIPHERSUITE = AES256_CTR_BLAKE2b + + +class Blake2RepoKey(ID_BLAKE2b_256, AESKeyBase, FlexiKey): + TYPES_ACCEPTABLE = {KeyType.BLAKE2KEYFILE, KeyType.BLAKE2REPO} + TYPE = KeyType.BLAKE2REPO + NAME = "repokey BLAKE2b" + ARG_NAME = "repokey-blake2" + STORAGE = KeyBlobStorage.REPO + CIPHERSUITE = AES256_CTR_BLAKE2b + + +LEGACY_KEY_TYPES = (KeyfileKey, RepoKey, Blake2KeyfileKey, Blake2RepoKey) From 0cf9322d78944f735cc7f65666543f076537bf6f Mon Sep 17 00:00:00 2001 
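Review bot: The new `src/borg/legacy/crypto/key.py` has no module docstring, and the `# legacy (AES-CTR based) crypto` comment that annotated `LEGACY_KEY_TYPES` in its old location was dropped in the move. A short docstring should say that these four classes bind the AES-CTR ciphersuites (`AES256_CTR_HMAC_SHA256`, `AES256_CTR_BLAKE2b`) and are collected in `LEGACY_KEY_TYPES` as legacy key types. `KeyType` and `KeyBlobStorage` reach this file only through `from ...constants import *  # NOQA`. Importing them by name, `from ...constants import KeyType, KeyBlobStorage`, would let readers and linters see where the constants that select key type and storage come from, assuming that module is where they are defined.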
From: Mrityunjay Raj Date: Mon, 11 May 2026 17:56:53 +0530 Subject: [PATCH 2/2] legacy: fix mypy false positives in key classes caused by circular import, refs #9556 --- src/borg/legacy/crypto/key.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/borg/legacy/crypto/key.py b/src/borg/legacy/crypto/key.py index b9fd954a8..4454015ee 100644 --- a/src/borg/legacy/crypto/key.py +++ b/src/borg/legacy/crypto/key.py @@ -3,7 +3,7 @@ from ...crypto.low_level import AES256_CTR_HMAC_SHA256, AES256_CTR_BLAKE2b from ...crypto.key import ID_HMAC_SHA_256, ID_BLAKE2b_256, AESKeyBase, FlexiKey -class KeyfileKey(ID_HMAC_SHA_256, AESKeyBase, FlexiKey): +class KeyfileKey(ID_HMAC_SHA_256, AESKeyBase, FlexiKey): # type: ignore[misc] TYPES_ACCEPTABLE = {KeyType.KEYFILE, KeyType.REPO, KeyType.PASSPHRASE} TYPE = KeyType.KEYFILE NAME = "key file" @@ -12,7 +12,7 @@ class KeyfileKey(ID_HMAC_SHA_256, AESKeyBase, FlexiKey): CIPHERSUITE = AES256_CTR_HMAC_SHA256 -class RepoKey(ID_HMAC_SHA_256, AESKeyBase, FlexiKey): +class RepoKey(ID_HMAC_SHA_256, AESKeyBase, FlexiKey): # type: ignore[misc] TYPES_ACCEPTABLE = {KeyType.KEYFILE, KeyType.REPO, KeyType.PASSPHRASE} TYPE = KeyType.REPO NAME = "repokey" @@ -21,7 +21,7 @@ class RepoKey(ID_HMAC_SHA_256, AESKeyBase, FlexiKey): CIPHERSUITE = AES256_CTR_HMAC_SHA256 -class Blake2KeyfileKey(ID_BLAKE2b_256, AESKeyBase, FlexiKey): +class Blake2KeyfileKey(ID_BLAKE2b_256, AESKeyBase, FlexiKey): # type: ignore[misc] TYPES_ACCEPTABLE = {KeyType.BLAKE2KEYFILE, KeyType.BLAKE2REPO} TYPE = KeyType.BLAKE2KEYFILE NAME = "key file BLAKE2b" @@ -30,7 +30,7 @@ class Blake2KeyfileKey(ID_BLAKE2b_256, AESKeyBase, FlexiKey): CIPHERSUITE = AES256_CTR_BLAKE2b -class Blake2RepoKey(ID_BLAKE2b_256, AESKeyBase, FlexiKey): +class Blake2RepoKey(ID_BLAKE2b_256, AESKeyBase, FlexiKey): # type: ignore[misc] TYPES_ACCEPTABLE = {KeyType.BLAKE2KEYFILE, KeyType.BLAKE2REPO} TYPE = KeyType.BLAKE2REPO NAME = "repokey BLAKE2b"
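Review bot: The `# type: ignore[misc]` added to the four class lines (`KeyfileKey`, `RepoKey`, `Blake2KeyfileKey`, `Blake2RepoKey`, one per hunk) silences every `misc` diagnostic on those definitions, not only the one attributed to the import cycle. Nothing on the line records which message is being suppressed, and since these classes select the ciphersuite and ID hash through their bases, a genuine base-class conflict would now go unreported too. I would record the reason next to each ignore, e.g. `# type: ignore[misc]  # bases unresolved by mypy due to crypto.key <-> legacy.crypto.key cycle`, and check that mypy's `warn_unused_ignores` is enabled so the ignores are flagged once the cycle is gone. The patch does not show the actual mypy message, so the wording of that comment should be taken from the real output.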