From 555a3969512ceff24581b660c71a97fcf9a35597 Mon Sep 17 00:00:00 2001
From: komuw
Date: Mon, 16 Sep 2024 13:59:36 +0300
Subject: [PATCH] g
---
 cry/enc.go | 5 +++--
 cry/hash.go | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/cry/enc.go b/cry/enc.go
index d1698746..4d163baa 100644
--- a/cry/enc.go
+++ b/cry/enc.go
@@ -110,7 +110,8 @@ func (e Enc) Encrypt(plainTextMsg string) (encryptedMsg []byte) {
 )
 // Encrypt the message and append the ciphertext to the nonce.
- encrypted := e.aead.Seal(nonce, nonce, msgToEncrypt, nil)
+ // version as additionalData ensures that encryption/decryption will fail if using different versions of `ong/cry`
+ encrypted := e.aead.Seal(nonce, nonce, msgToEncrypt, []byte{version})
 // Append the salt & nonce to encrypted msg.
 // |salt|nonce|encryptedMsg|
@@ -151,7 +152,7 @@ func (e Enc) Decrypt(encryptedMsg []byte) (decryptedMsg []byte, err error) {
 }
 // Decrypt the message and check it wasn't tampered with.
- return aead.Open(nil, nonce, ciphertext, nil)
+ return aead.Open(nil, nonce, ciphertext, []byte{version})
 }
 // EncryptEncode is like [Enc.Encrypt] except that it returns a string that is encoded using [base64.RawURLEncoding]
diff --git a/cry/hash.go b/cry/hash.go
index 5b4a899d..2985799b 100644
--- a/cry/hash.go
+++ b/cry/hash.go
@@ -15,7 +15,7 @@ import (
 // (a) https://github.com/elithrar/simple-scrypt whose license(MIT) can be found here: https://github.com/elithrar/simple-scrypt/blob/v1.3.0/LICENSE
 const (
- // this should be increased every time the parameters passed to [argon2.IDKey] are changed.
+ // this should be incremented every time the parameters passed to [argon2.IDKey] are changed.
 version = 2
 separator = "$"
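Review bot: Binding `[]byte{version}` as additional data in `Seal` changes which ciphertexts are valid, yet `version` stays at 2 in the `cry/hash.go` hunk, so messages sealed with `nil` before this commit will no longer open under the same version number; the `Open` call in the Decrypt hunk carries the matching change. The hash.go comment ties `version` to the [argon2.IDKey] parameters, so a later hashing-parameter bump would presumably invalidate every stored ciphertext too, assuming both files share the one package-level constant. If that coupling is intended, increment `version` in this change and state the consequence next to the call: `// NB: changing version makes all previously encrypted messages undecryptable.` Encrypt's body starts and ends outside the hunk.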
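Review bot: A version mismatch in `aead.Open` comes back as the same authentication failure as a tampered message, and the `|salt|nonce|encryptedMsg|` layout shown in the Encrypt hunk records no version, so a caller cannot tell stale data from modified data. Document this on Decrypt, for example `// Decrypt also fails for messages encrypted by a different version of ong/cry.`. The diffstat lists no test file; a case that seals with one additional-data value and opens with another would pin the new behaviour. The start of Decrypt is outside the hunk.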
@@ -40,7 +40,7 @@ func Hash(password string) string {
 // Add version, salt to the derived key.
 // The salt and the derived key are hex encoded.
 // NB: We could include the other params(_time, memory, threads) in this serialization.
- // But we don't for simplicity & also because those params are hardcoded for each cry version.
+ // But we don't for simplicity & also because those params are hardcoded for each `ong/cry` version.
 return fmt.Sprintf(
 `%d%s%x%s%x`,
 version,