diff --git a/src/crypto/internal/boring/aes.go b/src/crypto/internal/boring/aes.go
index d18ed5cdc5c259..cc2f5131a7a05d 100644
--- a/src/crypto/internal/boring/aes.go
+++ b/src/crypto/internal/boring/aes.go
@@ -323,10 +323,11 @@ func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
 
 	// Make room in dst to append plaintext+overhead.
 	n := len(dst)
-	for cap(dst) < n+len(plaintext)+gcmTagSize {
-		dst = append(dst[:cap(dst)], 0)
+	if total := n+len(plaintext)+gcmTagSize; cap(dst) >= total {
+		dst = dst[:total]
+	} else {
+		dst = append(dst, make([]byte, len(plaintext)+gcmTagSize)...)
 	}
-	dst = dst[:n+len(plaintext)+gcmTagSize]
 
 	// Check delayed until now to make sure len(dst) is accurate.
 	if inexactOverlap(dst[n:], plaintext) {
@@ -362,10 +363,11 @@ func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, er
 
 	// Make room in dst to append ciphertext without tag.
 	n := len(dst)
-	for cap(dst) < n+len(ciphertext)-gcmTagSize {
-		dst = append(dst[:cap(dst)], 0)
+	if total := n+len(ciphertext)-gcmTagSize; cap(dst) >= total {
+		dst = dst[:total]
+	} else {
+		dst = append(dst, make([]byte, len(ciphertext)-gcmTagSize)...)
 	}
-	dst = dst[:n+len(ciphertext)-gcmTagSize]
 
 	// Check delayed until now to make sure len(dst) is accurate.
 	if inexactOverlap(dst[n:], ciphertext) {