VLESS Encryption: Server checks one specific zero-bit in the peer-sent X25519 public key in relays

https://github.com/XTLS/Xray-core/pull/5067#issuecomment-3240198336
pull/5080/head
RPRX 2025-09-01 14:07:23 +00:00
parent fd54b10d97
commit 4c6fd94d97
1 changed files with 4 additions and 1 deletions


@ -124,13 +124,16 @@ func (i *ServerInstance) Handshake(conn net.Conn, fallback *[]byte) (*CommonConn
index = 1088
}
if i.XorMode > 0 {
NewCTR(i.NfsPKeysBytes[j], iv).XORKeyStream(relays, relays[:index]) // we don't use buggy elligator, because we have PSK :)
NewCTR(i.NfsPKeysBytes[j], iv).XORKeyStream(relays, relays[:index]) // we don't use buggy elligator2, because we have PSK :)
}
if k, ok := k.(*ecdh.PrivateKey); ok {
publicKey, err := ecdh.X25519().NewPublicKey(relays[:index])
if err != nil {
return nil, err
}
if publicKey.Bytes()[31] > 127 { // we just don't want the observer can change even one bit without breaking the connection, though it has nothing to do with security
return nil, errors.New("the highest bit of the last byte of the peer-sent X25519 public key must be 0")
}
nfsKey, err = k.ECDH(publicKey)
if err != nil {
return nil, err
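Review bot: The new bit test is written as a magnitude comparison, `publicKey.Bytes()[31] > 127`, which hides that exactly one bit is being examined; `if publicKey.Bytes()[31]&0x80 != 0 {` states the intent directly and matches the wording of the error string. The reason the check is worth having is also underdocumented: X25519 itself masks the most significant bit of the final byte on input (RFC 7748), so a relay could flip that bit and the handshake would otherwise still complete unnoticed — the check turns any modification of the received key bytes into a hard failure, which is what the existing comment is trying to say. A clearer comment would be `// X25519 ignores this bit (RFC 7748 masks it), so reject it explicitly: a relay must not be able to alter any bit of the key without breaking the handshake.` Only the X25519 branch gets this tamper check; whether the other key length (index 1088) has an equivalent is not visible here. Handshake itself and the remainder of this branch's error handling lie outside the hunk.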