golang
diff --git a/‎acme/http.go
+20-1 b/‎acme/http.go
+20-1
diff --git a/‎acme/version_go112.go
-27 b/‎acme/version_go112.go
-27
diff --git a/‎bcrypt/bcrypt.go
+1-1 b/‎bcrypt/bcrypt.go
+1-1
diff --git a/‎blake2s/blake2s.go
+9-1 b/‎blake2s/blake2s.go
+9-1
diff --git a/‎blake2s/register.go
-21 b/‎blake2s/register.go
-21
diff --git a/‎blowfish/cipher.go
+1-1 b/‎blowfish/cipher.go
+1-1
diff --git a/‎bn256/bn256.go
+1-1 b/‎bn256/bn256.go
+1-1
diff --git a/‎cast5/cast5.go
+1-1 b/‎cast5/cast5.go
+1-1
diff --git a/‎chacha20poly1305/chacha20poly1305.go
+1-1 b/‎chacha20poly1305/chacha20poly1305.go
+1-1
diff --git a/‎cryptobyte/asn1/asn1.go
+1-1 b/‎cryptobyte/asn1/asn1.go
+1-1
diff --git a/‎cryptobyte/string.go
+1-1 b/‎cryptobyte/string.go
+1-1
diff --git a/‎curve25519/curve25519.go
+35-4 b/‎curve25519/curve25519.go
+35-4
diff --git a/‎curve25519/curve25519_compat.go
-105 b/‎curve25519/curve25519_compat.go
-105
diff --git a/‎curve25519/curve25519_go120.go
-46 b/‎curve25519/curve25519_go120.go
-46
@@ -15,6 +15,7 @@ import (
 	"io"
 	"math/big"
 	"net/http"
+	"runtime/debug"
 	"strconv"
 	"strings"
 	"time"
@@ -271,9 +272,27 @@ func (c *Client) httpClient() *http.Client {
 }
 
 // packageVersion is the version of the module that contains this package, for
-// sending as part of the User-Agent header. It's set in version_go112.go.
+// sending as part of the User-Agent header.
 var packageVersion string
 
+func init() {
+	// Set packageVersion if the binary was built in modules mode and x/crypto
+	// was not replaced with a different module.
+	info, ok := debug.ReadBuildInfo()
+	if !ok {
+		return
+	}
+	for _, m := range info.Deps {
+		if m.Path != "golang.org/x/crypto" {
+			continue
+		}
+		if m.Replace == nil {
+			packageVersion = m.Version
+		}
+		break
+	}
+}
+
 // userAgent returns the User-Agent header value. It includes the package name,
 // the module version (if available), and the c.UserAgent value (if set).
 func (c *Client) userAgent() string {
 
@@ -4,7 +4,7 @@
 
 // Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing
 // algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf
-package bcrypt // import "golang.org/x/crypto/bcrypt"
+package bcrypt
 
 // The code is a port of Provos and Mazières's C implementation.
 import (
 
@@ -16,9 +16,10 @@
 //
 // BLAKE2X is a construction to compute hash values larger than 32 bytes. It
 // can produce hash values between 0 and 65535 bytes.
-package blake2s // import "golang.org/x/crypto/blake2s"
+package blake2s
 
 import (
+	"crypto"
 	"encoding/binary"
 	"errors"
 	"hash"
@@ -55,6 +56,13 @@ func Sum256(data []byte) [Size]byte {
 // and BinaryUnmarshaler for state (de)serialization as documented by hash.Hash.
 func New256(key []byte) (hash.Hash, error) { return newDigest(Size, key) }
 
+func init() {
+	crypto.RegisterHash(crypto.BLAKE2s_256, func() hash.Hash {
+		h, _ := New256(nil)
+		return h
+	})
+}
+
 // New128 returns a new hash.Hash computing the BLAKE2s-128 checksum given a
 // non-empty key. Note that a 128-bit digest is too small to be secure as a
 // cryptographic hash and should only be used as a MAC, thus the key argument
 
@@ -11,7 +11,7 @@
 // Deprecated: any new system should use AES (from crypto/aes, if necessary in
 // an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from
 // golang.org/x/crypto/chacha20poly1305).
-package blowfish // import "golang.org/x/crypto/blowfish"
+package blowfish
 
 // The code is a port of Bruce Schneier's C implementation.
 // See https://www.schneier.com/blowfish.html.
 
@@ -23,7 +23,7 @@
 // elliptic curve. This package is frozen, and not implemented in constant time.
 // There is a more complete implementation at github.com/cloudflare/bn256, but
 // note that it suffers from the same security issues of the underlying curve.
-package bn256 // import "golang.org/x/crypto/bn256"
+package bn256
 
 import (
 	"crypto/rand"
 
@@ -11,7 +11,7 @@
 // Deprecated: any new system should use AES (from crypto/aes, if necessary in
 // an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from
 // golang.org/x/crypto/chacha20poly1305).
-package cast5 // import "golang.org/x/crypto/cast5"
+package cast5
 
 import (
 	"errors"
 
@@ -5,7 +5,7 @@
 // Package chacha20poly1305 implements the ChaCha20-Poly1305 AEAD and its
 // extended nonce variant XChaCha20-Poly1305, as specified in RFC 8439 and
 // draft-irtf-cfrg-xchacha-01.
-package chacha20poly1305 // import "golang.org/x/crypto/chacha20poly1305"
+package chacha20poly1305
 
 import (
 	"crypto/cipher"
 
@@ -4,7 +4,7 @@
 
 // Package asn1 contains supporting types for parsing and building ASN.1
 // messages with the cryptobyte package.
-package asn1 // import "golang.org/x/crypto/cryptobyte/asn1"
+package asn1
 
 // Tag represents an ASN.1 identifier octet, consisting of a tag number
 // (indicating a type) and class (such as context-specific or constructed).
 
@@ -15,7 +15,7 @@
 //
 // See the documentation and examples for the Builder and String types to get
 // started.
-package cryptobyte // import "golang.org/x/crypto/cryptobyte"
+package cryptobyte
 
 // String represents a string of bytes. It provides methods for parsing
 // fixed-length and length-prefixed values from it.
 
@@ -6,17 +6,25 @@
 // performs scalar multiplication on the elliptic curve known as Curve25519.
 // See RFC 7748.
 //
-// Starting in Go 1.20, this package is a wrapper for the X25519 implementation
+// This package is a wrapper for the X25519 implementation
 // in the crypto/ecdh package.
-package curve25519 // import "golang.org/x/crypto/curve25519"
+package curve25519
+
+import "crypto/ecdh"
 
 // ScalarMult sets dst to the product scalar * point.
 //
 // Deprecated: when provided a low-order point, ScalarMult will set dst to all
 // zeroes, irrespective of the scalar. Instead, use the X25519 function, which
 // will return an error.
 func ScalarMult(dst, scalar, point *[32]byte) {
-	scalarMult(dst, scalar, point)
+	if _, err := x25519(dst, scalar[:], point[:]); err != nil {
+		// The only error condition for x25519 when the inputs are 32 bytes long
+		// is if the output would have been the all-zero value.
+		for i := range dst {
+			dst[i] = 0
+		}
+	}
 }
 
 // ScalarBaseMult sets dst to the product scalar * base where base is the
@@ -25,7 +33,12 @@ func ScalarMult(dst, scalar, point *[32]byte) {
 // It is recommended to use the X25519 function with Basepoint instead, as
 // copying into fixed size arrays can lead to unexpected bugs.
 func ScalarBaseMult(dst, scalar *[32]byte) {
-	scalarBaseMult(dst, scalar)
+	curve := ecdh.X25519()
+	priv, err := curve.NewPrivateKey(scalar[:])
+	if err != nil {
+		panic("curve25519: internal error: scalarBaseMult was not 32 bytes")
+	}
+	copy(dst[:], priv.PublicKey().Bytes())
 }
 
 const (
@@ -57,3 +70,21 @@ func X25519(scalar, point []byte) ([]byte, error) {
 	var dst [32]byte
 	return x25519(&dst, scalar, point)
 }
+
+func x25519(dst *[32]byte, scalar, point []byte) ([]byte, error) {
+	curve := ecdh.X25519()
+	pub, err := curve.NewPublicKey(point)
+	if err != nil {
+		return nil, err
+	}
+	priv, err := curve.NewPrivateKey(scalar)
+	if err != nil {
+		return nil, err
+	}
+	out, err := priv.ECDH(pub)
+	if err != nil {
+		return nil, err
+	}
+	copy(dst[:], out)
+	return dst[:], nil
+}