From 6e34c698edcba5d81a4db0b2af580f09d1a35977 Mon Sep 17 00:00:00 2001
From: Lukas Burkhalter <lukas.burkhalter@proton.ch>
Date: Thu, 14 Nov 2024 14:15:56 +0100
Subject: [PATCH] docs: Add comments when handling parsing errors

---
 openpgp/read.go    | 8 ++++++++
 openpgp/v2/read.go | 8 ++++++++
 2 files changed, 16 insertions(+)

diff --git a/openpgp/read.go b/openpgp/read.go
index 629a0b74..44710ffd 100644
--- a/openpgp/read.go
+++ b/openpgp/read.go
@@ -234,8 +234,12 @@ FindKey:
 	mdFinal, sensitiveParsingErr := readSignedMessage(packets, md, keyring, config)
 	if sensitiveParsingErr != nil {
 		if md.decrypted != nil {
+			// The data is read from a stream that decrypts using a session key;
+			// therefore, we need to handle parsing errors appropriately.
+			// It's essential to mitigate the risk of oracle attacks.
 			return nil, errors.HandleDecryptionSensitiveParsingError(sensitiveParsingErr)
 		}
+		// Data was not encrypted and is directly read in plaintext.
 		return nil, errors.StructuralError(errors.GenericParsingErrorMessage)
 	}
 	return mdFinal, nil
@@ -447,8 +451,12 @@ func (scr *signatureCheckReader) Read(buf []byte) (int, error) {
 
 	if sensitiveParsingError != nil {
 		if scr.md.decrypted != nil {
+			// The data is read from a stream that decrypts using a session key;
+			// therefore, we need to handle parsing errors appropriately.
+			// This is essential to mitigate the risk of oracle attacks.
 			return n, errors.HandleDecryptionSensitiveParsingError(sensitiveParsingError)
 		}
+		// Data was not encrypted and is directly read in plaintext.
 		return n, errors.StructuralError(errors.GenericParsingErrorMessage)
 	}
 
diff --git a/openpgp/v2/read.go b/openpgp/v2/read.go
index bfa049fe..03730fd7 100644
--- a/openpgp/v2/read.go
+++ b/openpgp/v2/read.go
@@ -269,8 +269,12 @@ FindKey:
 	mdFinal, sensitiveParsingErr := readSignedMessage(packets, md, keyring, config)
 	if sensitiveParsingErr != nil {
 		if md.decrypted != nil {
+			// The data is read from a stream that decrypts using a session key;
+			// therefore, we need to handle parsing errors appropriately.
+			// This is essential to mitigate the risk of oracle attacks.
 			return nil, errors.HandleDecryptionSensitiveParsingError(sensitiveParsingErr)
 		}
+		// Data was not encrypted and is directly read in plaintext.
 		return nil, errors.StructuralError(errors.GenericParsingErrorMessage)
 	}
 	return mdFinal, nil
@@ -654,8 +658,12 @@ func (scr *signatureCheckReader) Read(buf []byte) (int, error) {
 
 	if sensitiveParsingError != nil {
 		if scr.md.decrypted != nil {
+			// The data is read from a stream that decrypts using a session key;
+			// therefore, we need to handle parsing errors appropriately.
+			// This is essential to mitigate the risk of oracle attacks.
 			return n, errors.HandleDecryptionSensitiveParsingError(sensitiveParsingError)
 		}
+		// Data was not encrypted and is directly read in plaintext.
 		return n, errors.StructuralError(errors.GenericParsingErrorMessage)
 	}