In your example, you are passing a dst slice that starts _after_ ad and nonce, so you are satisfying the API. I don't think the API is trying to require anything about an earlier portion of the backing array that is not pointed to by dst; the dst slice in your example does not include the ad or the nonce.
Does that help? On Thursday, October 16, 2025 at 7:19:31 PM UTC+1 Eric Grosse wrote: > I'm puzzled why crypto/cipher type AEAD has the comment > dst and additionalData may not overlap. > Just as it is idiomatic to provide a dst that already contains a nonce > prefix, > I find it useful to include an additionalData prefix. This seems to work > and does not trigger a warning even after the fixes from issue #21624. > For concreteness, consider > dst := make([]byte, 0, len(ad)+len(nonce)+len(plaintext)+aead.Overhead()) > dst = append(dst, ad) > dst = append(dst, nonce) > dst = aead.Seal(dst, nonce, plaintext, ad) > in preparation for writing dst to a network connection. > > In the language of crypto internal function sliceForAppend, I understand > that ad may not overlap tail, but why not allow it to be part of head? > Is there some subtle timing side-channel that I'm overlooking? > Is the comment just poorly worded and should be improved? > -- You received this message because you are subscribed to the Google Groups "golang-nuts" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/d/msgid/golang-nuts/a0dc539d-0fc4-44ec-b2d5-a39c5ca90debn%40googlegroups.com.
