VLESS Encryption: Server checks one specific zero-bit in the peer-sent X25519 public key in relays

https://github.com/XTLS/Xray-core/pull/5067#issuecomment-3240198336
2025-09-01 14:07:23 +00:00 · 2025-09-01 14:07:23 +00:00 · 4c6fd94d97
parent fd54b10d97
commit 4c6fd94d97
1 changed files with 4 additions and 1 deletions
--- a/proxy/vless/encryption/server.go
+++ b/proxy/vless/encryption/server.go
@ -124,13 +124,16 @@ func (i *ServerInstance) Handshake(conn net.Conn, fallback *[]byte) (*CommonConn
 			index = 1088
 		}
 		if i.XorMode > 0 {
-			NewCTR(i.NfsPKeysBytes[j], iv).XORKeyStream(relays, relays[:index]) // we don't use buggy elligator, because we have PSK :)
+			NewCTR(i.NfsPKeysBytes[j], iv).XORKeyStream(relays, relays[:index]) // we don't use buggy elligator2, because we have PSK :)
 		}
 		if k, ok := k.(*ecdh.PrivateKey); ok {
 			publicKey, err := ecdh.X25519().NewPublicKey(relays[:index])
 			if err != nil {
 				return nil, err
 			}
+			if publicKey.Bytes()[31] > 127 { // we just don't want the observer can change even one bit without breaking the connection, though it has nothing to do with security
+				return nil, errors.New("the highest bit of the last byte of the peer-sent X25519 public key must be 0")
+			}
 			nfsKey, err = k.ECDH(publicKey)
 			if err != nil {
 				return nil, err