// Code generated by cmd/cgo; DO NOT EDIT.

//line /builddir/build/BUILD/go-go-1.12.8-2-openssl-fips/src/crypto/internal/boring/aes.go:1:1
// Copyright 2017 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// +build linux
// +build !android
// +build !no_openssl
// +build !cmd_go_bootstrap
// +build !msan

package boring

// #include "goboringcrypto.h"
import _ "unsafe"
import (
	"crypto/cipher"
	"errors"
	"runtime"
	"strconv"
	"unsafe"
)

type aesKeySizeError int

func (k aesKeySizeError) Error() string {
	return "crypto/aes: invalid key size " + strconv.Itoa(int(k))
}

const aesBlockSize = 16

type aesCipher struct {
	key     []byte
	enc_ctx * /*line :33:11*/_Ctype_struct_evp_cipher_ctx_st /*line :33:27*/
	dec_ctx * /*line :34:11*/_Ctype_struct_evp_cipher_ctx_st /*line :34:27*/
	cipher  * /*line :35:11*/_Ctype_struct_evp_cipher_st /*line :35:23*/
}

type extraModes interface {
	// Copied out of crypto/aes/modes.go.
	NewCBCEncrypter(iv []byte) cipher.BlockMode
	NewCBCDecrypter(iv []byte) cipher.BlockMode
	NewCTR(iv []byte) cipher.Stream
	NewGCM(nonceSize, tagSize int) (cipher.AEAD, error)

	// Invented for BoringCrypto.
	NewGCMTLS() (cipher.AEAD, error)
}

var _ extraModes = (*aesCipher)(nil)

func NewAESCipher(key []byte) (cipher.Block, error) {
	c := &aesCipher{key: make([]byte, len(key))}
	copy(c.key, key)

	switch len(c.key) * 8 {
	case 128:
		c.cipher = ( /*line :57:14*/_Cfunc__goboringcrypto_EVP_aes_128_ecb /*line :57:46*/)()
	case 192:
		c.cipher = ( /*line :59:14*/_Cfunc__goboringcrypto_EVP_aes_192_ecb /*line :59:46*/)()
	case 256:
		c.cipher = ( /*line :61:14*/_Cfunc__goboringcrypto_EVP_aes_256_ecb /*line :61:46*/)()
	default:
		return nil, errors.New("crypto/cipher: Invalid key size")
	}

	runtime.SetFinalizer(c, (*aesCipher).finalize)

	return c, nil
}

func (c *aesCipher) finalize() {
	if c.enc_ctx != nil {
		func() { _cgo0 := /*line :73:41*/c.enc_ctx; _cgoCheckPointer(_cgo0); _Cfunc__goboringcrypto_EVP_CIPHER_CTX_free(_cgo0); }()
	}
	if c.dec_ctx != nil {
		func() { _cgo0 := /*line :76:41*/c.dec_ctx; _cgoCheckPointer(_cgo0); _Cfunc__goboringcrypto_EVP_CIPHER_CTX_free(_cgo0); }()
	}
}

func (c *aesCipher) BlockSize() int { return aesBlockSize }

func (c *aesCipher) Encrypt(dst, src []byte) {
	if inexactOverlap(dst, src) {
		panic("crypto/cipher: invalid buffer overlap")
	}
	if len(src) < aesBlockSize {
		panic("crypto/aes: input not full block")
	}
	if len(dst) < aesBlockSize {
		panic("crypto/aes: output not full block")
	}

	if c.enc_ctx == nil {
		c.enc_ctx = ( /*line :94:15*/_Cfunc__goboringcrypto_EVP_CIPHER_CTX_new /*line :94:50*/)()
		if c.enc_ctx == nil {
			panic("cipher: unable to create EVP cipher ctx")
		}

		k := (* /*line :99:10*/_Ctype_uchar /*line :99:17*/)(unsafe.Pointer(&c.key[0]))

		if  /*line :101:6*/_Ctype_int /*line :101:11*/(1) != func() _Ctype_int{ _cgo0 := /*line :101:54*/c.enc_ctx; _cgo1 := /*line :101:65*/c.cipher; var _cgo2 *_Ctype_struct_engine_st = /*line :101:75*/nil; var _cgo3 *_Ctype_uchar = /*line :101:80*/k; var _cgo4 *_Ctype_uchar = /*line :101:83*/nil; var _cgo5 _Ctype_int = /*line :101:88*/_Ciconst_GO_AES_ENCRYPT; _cgoCheckPointer(_cgo0); _cgoCheckPointer(_cgo1); return _Cfunc__goboringcrypto_EVP_CipherInit_ex(_cgo0, _cgo1, _cgo2, _cgo3, _cgo4, _cgo5); }() {
			panic("cipher: unable to initialize EVP cipher ctx")
		}
	}

	outlen :=  /*line :106:12*/_Ctype_int /*line :106:17*/(0)
	func() _Ctype_int{ _cgo0 := /*line :107:37*/c.enc_ctx; var _cgo1 *_Ctype_uchar = /*line :107:48*/(*_Ctype_uchar)(unsafe.Pointer(&dst[0])); var _cgo2 *_Ctype_int = /*line :107:85*/&outlen; var _cgo3 *_Ctype_uchar = /*line :107:94*/(*_Ctype_uchar)(unsafe.Pointer(&src[0])); var _cgo4 _Ctype_int = _Ctype_int(aesBlockSize); _cgoCheckPointer(_cgo0); return _Cfunc__goboringcrypto_EVP_CipherUpdate(_cgo0, _cgo1, _cgo2, _cgo3, _cgo4); }()
	runtime.KeepAlive(c)
}

func (c *aesCipher) Decrypt(dst, src []byte) {
	if inexactOverlap(dst, src) {
		panic("crypto/cipher: invalid buffer overlap")
	}
	if len(src) < aesBlockSize {
		panic("crypto/aes: input not full block")
	}
	if len(dst) < aesBlockSize {
		panic("crypto/aes: output not full block")
	}
	if c.dec_ctx == nil {
		c.dec_ctx = ( /*line :122:15*/_Cfunc__goboringcrypto_EVP_CIPHER_CTX_new /*line :122:50*/)()
		if c.dec_ctx == nil {
			panic("cipher: unable to create EVP cipher ctx")
		}

		k := (* /*line :127:10*/_Ctype_uchar /*line :127:17*/)(unsafe.Pointer(&c.key[0]))

		if  /*line :129:6*/_Ctype_int /*line :129:11*/(1) != func() _Ctype_int{ _cgo0 := /*line :129:54*/c.dec_ctx; _cgo1 := /*line :129:65*/c.cipher; var _cgo2 *_Ctype_struct_engine_st = /*line :129:75*/nil; var _cgo3 *_Ctype_uchar = /*line :129:80*/k; var _cgo4 *_Ctype_uchar = /*line :129:83*/nil; var _cgo5 _Ctype_int = /*line :129:88*/_Ciconst_GO_AES_DECRYPT; _cgoCheckPointer(_cgo0); _cgoCheckPointer(_cgo1); return _Cfunc__goboringcrypto_EVP_CipherInit_ex(_cgo0, _cgo1, _cgo2, _cgo3, _cgo4, _cgo5); }() {
			panic("cipher: unable to initialize EVP cipher ctx")
		}
	}

	outlen :=  /*line :134:12*/_Ctype_int /*line :134:17*/(0)
	func() _Ctype_int{ _cgo0 := /*line :135:37*/c.dec_ctx; var _cgo1 *_Ctype_uchar = /*line :135:48*/(*_Ctype_uchar)(unsafe.Pointer(&dst[0])); var _cgo2 *_Ctype_int = /*line :135:85*/&outlen; var _cgo3 *_Ctype_uchar = /*line :135:94*/(*_Ctype_uchar)(unsafe.Pointer(&src[0])); var _cgo4 _Ctype_int = _Ctype_int(aesBlockSize); _cgoCheckPointer(_cgo0); return _Cfunc__goboringcrypto_EVP_CipherUpdate(_cgo0, _cgo1, _cgo2, _cgo3, _cgo4); }()
	runtime.KeepAlive(c)
}

type aesCBC struct {
	key  []byte
	mode  /*line :141:7*/_Ctype_int /*line :141:12*/
	iv   [aesBlockSize]byte
	ctx  * /*line :143:8*/_Ctype_struct_evp_cipher_ctx_st /*line :143:24*/
}

func (x *aesCBC) BlockSize() int { return aesBlockSize }

func (x *aesCBC) CryptBlocks(dst, src []byte) {
	if inexactOverlap(dst, src) {
		panic("crypto/cipher: invalid buffer overlap")
	}
	if len(src)%aesBlockSize != 0 {
		panic("crypto/cipher: input not full blocks")
	}
	if len(dst) < len(src) {
		panic("crypto/cipher: output smaller than input")
	}
	if len(src) > 0 {
		outlen :=  /*line :159:13*/_Ctype_int /*line :159:18*/(0)
		if func() _Ctype_int{ _cgo0 := /*line :161:4*/x.ctx; var _cgo1 *_Ctype_struct_evp_cipher_st = /*line :162:4*/nil; var _cgo2 *_Ctype_struct_engine_st = /*line :162:9*/nil; var _cgo3 *_Ctype_uchar = /*line :162:14*/nil; var _cgo4 *_Ctype_uchar = /*line :163:4*/(*_Ctype_uchar)(unsafe.Pointer(&x.iv[0])); var _cgo5 _Ctype_int = /*line :164:4*/-1; _cgoCheckPointer(_cgo0); return _Cfunc__goboringcrypto_EVP_CipherInit_ex(_cgo0, _cgo1, _cgo2, _cgo3, _cgo4, _cgo5); }() != 1 {
			panic("crypto/cipher: CipherInit_ex failed")
		}
		runtime.KeepAlive(x)
		if func() _Ctype_int{ _cgo0 := /*line :169:4*/x.ctx; var _cgo1 *_Ctype_uchar = /*line :170:4*/base(dst); var _cgo2 *_Ctype_int = /*line :170:15*/&outlen; var _cgo3 *_Ctype_uchar = /*line :171:4*/base(src); var _cgo4 _Ctype_int = _Ctype_int(len(src)); _cgoCheckPointer(_cgo0); return _Cfunc__goboringcrypto_EVP_CipherUpdate(_cgo0, _cgo1, _cgo2, _cgo3, _cgo4); }() != 1 {
			panic("crypto/cipher: CipherUpdate failed")
		}
		runtime.KeepAlive(x)
	}
}

func (x *aesCBC) SetIV(iv []byte) {
	if len(iv) != aesBlockSize {
		panic("cipher: incorrect length IV")
	}
	copy(x.iv[:], iv)
}

func (c *aesCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode {
	x := &aesCBC{key: c.key, mode: ( /*line :187:33*/_Ciconst_GO_AES_ENCRYPT /*line :187:48*/)}
	copy(x.iv[:], iv)

	x.ctx = ( /*line :190:10*/_Cfunc__goboringcrypto_EVP_CIPHER_CTX_new /*line :190:45*/)()
	if x.ctx == nil {
		panic("cipher: unable to create EVP cipher ctx")
	}

	k := (* /*line :195:9*/_Ctype_uchar /*line :195:16*/)(unsafe.Pointer(&x.key[0]))
	vec := (* /*line :196:11*/_Ctype_uchar /*line :196:18*/)(unsafe.Pointer(&x.iv[0]))

	var cipher * /*line :198:14*/_Ctype_struct_evp_cipher_st /*line :198:26*/
	switch len(c.key) * 8 {
	case 128:
		cipher = ( /*line :201:12*/_Cfunc__goboringcrypto_EVP_aes_128_cbc /*line :201:44*/)()
	case 192:
		cipher = ( /*line :203:12*/_Cfunc__goboringcrypto_EVP_aes_192_cbc /*line :203:44*/)()
	case 256:
		cipher = ( /*line :205:12*/_Cfunc__goboringcrypto_EVP_aes_256_cbc /*line :205:44*/)()
	default:
		panic("crypto/boring: unsupported key length")
	}
	if  /*line :209:5*/_Ctype_int /*line :209:10*/(1) != func() _Ctype_int{ _cgo0 := /*line :209:53*/x.ctx; _cgo1 := /*line :209:60*/cipher; var _cgo2 *_Ctype_struct_engine_st = /*line :209:68*/nil; var _cgo3 *_Ctype_uchar = /*line :209:73*/k; var _cgo4 *_Ctype_uchar = /*line :209:76*/vec; var _cgo5 _Ctype_int = /*line :209:81*/x.mode; _cgoCheckPointer(_cgo0); _cgoCheckPointer(_cgo1); return _Cfunc__goboringcrypto_EVP_CipherInit_ex(_cgo0, _cgo1, _cgo2, _cgo3, _cgo4, _cgo5); }() {
		panic("cipher: unable to initialize EVP cipher ctx")
	}

	runtime.SetFinalizer(x, (*aesCBC).finalize)

	return x
}

func (c *aesCBC) finalize() {
	func() { _cgo0 := /*line :219:40*/c.ctx; _cgoCheckPointer(_cgo0); _Cfunc__goboringcrypto_EVP_CIPHER_CTX_free(_cgo0); }()
}

func (c *aesCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode {
	x := &aesCBC{key: c.key, mode: ( /*line :223:33*/_Ciconst_GO_AES_DECRYPT /*line :223:48*/)}
	copy(x.iv[:], iv)

	x.ctx = ( /*line :226:10*/_Cfunc__goboringcrypto_EVP_CIPHER_CTX_new /*line :226:45*/)()
	if x.ctx == nil {
		panic("cipher: unable to create EVP cipher ctx")
	}

	k := (* /*line :231:9*/_Ctype_uchar /*line :231:16*/)(unsafe.Pointer(&x.key[0]))
	vec := (* /*line :232:11*/_Ctype_uchar /*line :232:18*/)(unsafe.Pointer(&x.iv[0]))

	var cipher * /*line :234:14*/_Ctype_struct_evp_cipher_st /*line :234:26*/
	switch len(c.key) * 8 {
	case 128:
		cipher = ( /*line :237:12*/_Cfunc__goboringcrypto_EVP_aes_128_cbc /*line :237:44*/)()
	case 192:
		cipher = ( /*line :239:12*/_Cfunc__goboringcrypto_EVP_aes_192_cbc /*line :239:44*/)()
	case 256:
		cipher = ( /*line :241:12*/_Cfunc__goboringcrypto_EVP_aes_256_cbc /*line :241:44*/)()
	}
	if  /*line :243:5*/_Ctype_int /*line :243:10*/(1) != func() _Ctype_int{ _cgo0 := /*line :243:53*/x.ctx; _cgo1 := /*line :243:60*/cipher; var _cgo2 *_Ctype_struct_engine_st = /*line :243:68*/nil; var _cgo3 *_Ctype_uchar = /*line :243:73*/k; var _cgo4 *_Ctype_uchar = /*line :243:76*/vec; var _cgo5 _Ctype_int = /*line :243:81*/x.mode; _cgoCheckPointer(_cgo0); _cgoCheckPointer(_cgo1); return _Cfunc__goboringcrypto_EVP_CipherInit_ex(_cgo0, _cgo1, _cgo2, _cgo3, _cgo4, _cgo5); }() {
		panic("cipher: unable to initialize EVP cipher ctx")
	}

	runtime.SetFinalizer(x, (*aesCBC).finalize)
	return x
}

type aesCTR struct {
	key        []byte
	iv         [aesBlockSize]byte
	ctx        * /*line :254:14*/_Ctype_struct_evp_cipher_ctx_st /*line :254:30*/
	num         /*line :255:13*/_Ctype_uint /*line :255:19*/
	ecount_buf [16] /*line :256:17*/_Ctype_uint8_t /*line :256:26*/
}

func (x *aesCTR) XORKeyStream(dst, src []byte) {
	if inexactOverlap(dst, src) {
		panic("crypto/cipher: invalid buffer overlap")
	}
	if len(dst) < len(src) {
		panic("crypto/cipher: output smaller than input")
	}
	if len(src) == 0 {
		return
	}
	func() { _cgo0 := /*line :270:3*/x.ctx; var _cgo1 *_Ctype_uint8_t = /*line :271:3*/(*_Ctype_uint8_t)(unsafe.Pointer(&src[0])); var _cgo2 *_Ctype_uint8_t = /*line :272:3*/(*_Ctype_uint8_t)(unsafe.Pointer(&dst[0])); var _cgo3 _Ctype_size_t = _Ctype_size_t(len(src)); _cgoCheckPointer(_cgo0); _Cfunc__goboringcrypto_EVP_AES_ctr128_enc(_cgo0, _cgo1, _cgo2, _cgo3); }()
	runtime.KeepAlive(x)
}

func (c *aesCipher) NewCTR(iv []byte) cipher.Stream {
	x := &aesCTR{key: c.key}
	copy(x.iv[:], iv)

	x.ctx = ( /*line :281:10*/_Cfunc__goboringcrypto_EVP_CIPHER_CTX_new /*line :281:45*/)()
	if x.ctx == nil {
		panic("cipher: unable to create EVP cipher ctx")
	}

	k := (* /*line :286:9*/_Ctype_uchar /*line :286:16*/)(unsafe.Pointer(&x.key[0]))
	vec := (* /*line :287:11*/_Ctype_uchar /*line :287:18*/)(unsafe.Pointer(&x.iv[0]))

	switch len(c.key) * 8 {
	case 128:
		if  /*line :291:6*/_Ctype_int /*line :291:11*/(1) != func() _Ctype_int{ _cgo0 := /*line :291:55*/x.ctx; _cgo1 := _Cfunc__goboringcrypto_EVP_aes_128_ctr(); var _cgo2 *_Ctype_struct_engine_st = /*line :291:99*/nil; var _cgo3 *_Ctype_uchar = /*line :291:104*/k; var _cgo4 *_Ctype_uchar = /*line :291:107*/vec; _cgoCheckPointer(_cgo0); _cgoCheckPointer(_cgo1); return _Cfunc__goboringcrypto_EVP_EncryptInit_ex(_cgo0, _cgo1, _cgo2, _cgo3, _cgo4); }() {
			panic("cipher: unable to initialize EVP cipher ctx")
		}
	case 192:
		if  /*line :295:6*/_Ctype_int /*line :295:11*/(1) != func() _Ctype_int{ _cgo0 := /*line :295:55*/x.ctx; _cgo1 := _Cfunc__goboringcrypto_EVP_aes_192_ctr(); var _cgo2 *_Ctype_struct_engine_st = /*line :295:99*/nil; var _cgo3 *_Ctype_uchar = /*line :295:104*/k; var _cgo4 *_Ctype_uchar = /*line :295:107*/vec; _cgoCheckPointer(_cgo0); _cgoCheckPointer(_cgo1); return _Cfunc__goboringcrypto_EVP_EncryptInit_ex(_cgo0, _cgo1, _cgo2, _cgo3, _cgo4); }() {
			panic("cipher: unable to initialize EVP cipher ctx")
		}
	case 256:
		if  /*line :299:6*/_Ctype_int /*line :299:11*/(1) != func() _Ctype_int{ _cgo0 := /*line :299:55*/x.ctx; _cgo1 := _Cfunc__goboringcrypto_EVP_aes_256_ctr(); var _cgo2 *_Ctype_struct_engine_st = /*line :299:99*/nil; var _cgo3 *_Ctype_uchar = /*line :299:104*/k; var _cgo4 *_Ctype_uchar = /*line :299:107*/vec; _cgoCheckPointer(_cgo0); _cgoCheckPointer(_cgo1); return _Cfunc__goboringcrypto_EVP_EncryptInit_ex(_cgo0, _cgo1, _cgo2, _cgo3, _cgo4); }() {
			panic("cipher: unable to initialize EVP cipher ctx")
		}
	}

	runtime.SetFinalizer(x, (*aesCTR).finalize)

	return x
}

func (c *aesCTR) finalize() {
	func() { _cgo0 := /*line :310:40*/c.ctx; _cgoCheckPointer(_cgo0); _Cfunc__goboringcrypto_EVP_CIPHER_CTX_free(_cgo0); }()
}

type aesGCM struct {
	key []byte
	tls bool
}

const (
	gcmBlockSize         = 16
	gcmTagSize           = 16
	gcmStandardNonceSize = 12
)

type aesNonceSizeError int

func (n aesNonceSizeError) Error() string {
	return "crypto/aes: invalid GCM nonce size " + strconv.Itoa(int(n))
}

type noGCM struct {
	cipher.Block
}

func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
	if nonceSize != gcmStandardNonceSize {
		return nil, errors.New("crypto/aes: GCM nonce size can't be non-standard")
	}
	if tagSize != gcmTagSize {
		return nil, errors.New("crypto/aes: GCM tag size can't be non-standard")
	}
	return c.newGCM(false)
}

func (c *aesCipher) NewGCMTLS() (cipher.AEAD, error) {
	return c.newGCM(true)
}

func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) {
	keyLen := len(c.key) * 8

	if keyLen != 128 && keyLen != 256 {
		// Return error for GCM with non-standard key size.
		return nil, fail("GCM invoked with non-standard key size")
	}

	g := &aesGCM{key: c.key, tls: tls}
	if g.NonceSize() != gcmStandardNonceSize {
		panic("boringcrypto: internal confusion about nonce size")
	}
	if g.Overhead() != gcmTagSize {
		panic("boringcrypto: internal confusion about tag size")
	}

	return g, nil
}

func (g *aesGCM) NonceSize() int {
	return gcmStandardNonceSize
}

func (g *aesGCM) Overhead() int {
	return gcmTagSize
}

// base returns the address of the underlying array in b,
// being careful not to panic when b has zero length.
func base(b []byte) * /*line :377:22*/_Ctype_uint8_t /*line :377:31*/ {
	if len(b) == 0 {
		return nil
	}
	return (* /*line :381:11*/_Ctype_uint8_t /*line :381:20*/)(unsafe.Pointer(&b[0]))
}

func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
	if len(nonce) != gcmStandardNonceSize {
		panic("cipher: incorrect nonce length given to GCM")
	}
	if uint64(len(plaintext)) > ((1<<32)-2)*aesBlockSize || len(plaintext)+gcmTagSize < len(plaintext) {
		panic("cipher: message too large for GCM")
	}
	if len(dst)+len(plaintext)+gcmTagSize < len(dst) {
		panic("cipher: message too large for buffer")
	}

	// Make room in dst to append plaintext+overhead.
	n := len(dst)
	for cap(dst) < n+len(plaintext)+gcmTagSize {
		dst = append(dst[:cap(dst)], 0)
	}
	dst = dst[:n+len(plaintext)+gcmTagSize]

	// Check delayed until now to make sure len(dst) is accurate.
	if inexactOverlap(dst[n:], plaintext) {
		panic("cipher: invalid buffer overlap")
	}

	var ciphertextLen  /*line :407:20*/_Ctype_size_t /*line :407:28*/

	if ok := ( /*line :409:11*/_Cfunc__goboringcrypto_EVP_CIPHER_CTX_seal /*line :409:47*/)(
		(* /*line :410:5*/_Ctype_uint8_t /*line :410:14*/)(unsafe.Pointer(&dst[n])),
		base(nonce), base(additionalData),  /*line :411:38*/_Ctype_size_t /*line :411:46*/(len(additionalData)),
		base(plaintext),  /*line :412:20*/_Ctype_size_t /*line :412:28*/(len(plaintext)), &ciphertextLen,
		base(g.key),  /*line :413:16*/_Ctype_int /*line :413:21*/(len(g.key)*8)); ok != 1 {
		panic("boringcrypto: EVP_CIPHER_CTX_seal fail")
	}
	runtime.KeepAlive(g)

	if ciphertextLen !=  /*line :418:22*/_Ctype_size_t /*line :418:30*/(len(plaintext)+gcmTagSize) {
		panic("boringcrypto: [seal] internal confusion about GCM tag size")
	}
	return dst[:n+int(ciphertextLen)]
}

var errOpen = errors.New("cipher: message authentication failed")

func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	if len(nonce) != gcmStandardNonceSize {
		panic("cipher: incorrect nonce length given to GCM")
	}
	if len(ciphertext) < gcmTagSize {
		return nil, errOpen
	}
	if uint64(len(ciphertext)) > ((1<<32)-2)*aesBlockSize+gcmTagSize {
		return nil, errOpen
	}

	// Make room in dst to append ciphertext without tag.
	n := len(dst)
	for cap(dst) < n+len(ciphertext)-gcmTagSize {
		dst = append(dst[:cap(dst)], 0)
	}
	dst = dst[:n+len(ciphertext)-gcmTagSize]

	// Check delayed until now to make sure len(dst) is accurate.
	if inexactOverlap(dst[n:], ciphertext) {
		panic("cipher: invalid buffer overlap")
	}

	tag := ciphertext[len(ciphertext)-gcmTagSize:]

	var outLen  /*line :451:13*/_Ctype_size_t /*line :451:21*/

	ok := ( /*line :453:8*/_Cfunc__goboringcrypto_EVP_CIPHER_CTX_open /*line :453:44*/)(
		base(ciphertext),  /*line :454:21*/_Ctype_int /*line :454:26*/(len(ciphertext)-gcmTagSize),
		base(additionalData),  /*line :455:25*/_Ctype_int /*line :455:30*/(len(additionalData)),
		base(tag), base(g.key),  /*line :456:27*/_Ctype_int /*line :456:32*/(len(g.key)*8),
		base(nonce),  /*line :457:16*/_Ctype_int /*line :457:21*/(len(nonce)),
		base(dst[n:]), &outLen)
	runtime.KeepAlive(g)
	if ok == 0 {
		// Zero output buffer on error.
		for i := range dst {
			dst[i] = 0
		}
		return nil, errOpen
	}
	if outLen !=  /*line :467:15*/_Ctype_size_t /*line :467:23*/(len(ciphertext)-gcmTagSize) {
		panic("boringcrypto: [open] internal confusion about GCM tag size")
	}
	return dst[:n+int(outLen)], nil
}

func anyOverlap(x, y []byte) bool {
	return len(x) > 0 && len(y) > 0 &&
		uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) &&
		uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1]))
}

func inexactOverlap(x, y []byte) bool {
	if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
		return false
	}
	return anyOverlap(x, y)
}
