From 4c6fd94d97159f5a3e740ba6dd2d9b65e3ed320c Mon Sep 17 00:00:00 2001
From: RPRX <63339210+RPRX@users.noreply.github.com>
Date: Mon, 1 Sep 2025 14:07:23 +0000
Subject: [PATCH] VLESS Encryption: Server checks one specific zero-bit in the peer-sent X25519 public key in relays

https://github.com/XTLS/Xray-core/pull/5067#issuecomment-3240198336
---
 proxy/vless/encryption/server.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/proxy/vless/encryption/server.go b/proxy/vless/encryption/server.go
index 89161da2..48924a7e 100644
--- a/proxy/vless/encryption/server.go
+++ b/proxy/vless/encryption/server.go
@@ -124,13 +124,16 @@ func (i *ServerInstance) Handshake(conn net.Conn, fallback *[]byte) (*CommonConn
 index = 1088
 }
 if i.XorMode > 0 {
- NewCTR(i.NfsPKeysBytes[j], iv).XORKeyStream(relays, relays[:index]) // we don't use buggy elligator, because we have PSK :)
+ NewCTR(i.NfsPKeysBytes[j], iv).XORKeyStream(relays, relays[:index]) // we don't use buggy elligator2, because we have PSK :)
 }
 if k, ok := k.(*ecdh.PrivateKey); ok {
 publicKey, err := ecdh.X25519().NewPublicKey(relays[:index])
 if err != nil {
 return nil, err
 }
+ if publicKey.Bytes()[31] > 127 { // we just don't want the observer can change even one bit without breaking the connection, though it has nothing to do with security
+ return nil, errors.New("the highest bit of the last byte of the peer-sent X25519 public key must be 0")
+ }
 nfsKey, err = k.ECDH(publicKey)
 if err != nil {
 return nil, err
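Review bot: The comment on the added `if publicKey.Bytes()[31] > 127` check says it "has nothing to do with security", which undersells the check and could be read later as licence to remove it. X25519 as specified in RFC 7748 masks the most significant bit of the peer's u-coordinate, so without this check two 32-byte encodings that differ only in that bit would yield the same `nfsKey`, and a relay altered in transit would still complete the handshake. I would write the condition as a bit mask so it matches the error text, and state the reason in the comment: `if publicKey.Bytes()[31]&0x80 != 0 { // RFC 7748 ignores this bit during ECDH; reject it so the relay cannot be altered without the handshake failing`. Handshake continues outside the hunk, so it is worth confirming that its caller treats this new error return exactly like the other handshake failures, so that the rejection does not itself become a distinguishable response.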