chore: sync vless encryption code

transport/vless/encryption/doc.go

@@ -24,4 +24,5 @@
 // https://github.com/XTLS/Xray-core/commit/82ea7a3cc5ff23280b87e3052f0f83b04f0267fa
 // https://github.com/XTLS/Xray-core/commit/e8b02cd6649f14889841e8ab8ee6b2acca71dbe6
 // https://github.com/XTLS/Xray-core/commit/6768a22f676c9121cfc9dc4f51181a8a07837c8d
+// https://github.com/XTLS/Xray-core/commit/4c6fd94d97159f5a3e740ba6dd2d9b65e3ed320c
 package encryption

transport/vless/encryption/server.go

@@ -123,13 +123,16 @@ func (i *ServerInstance) Handshake(conn net.Conn, fallback *[]byte) (*CommonConn
 			index = 1088
 		}
 		if i.XorMode > 0 {
-			NewCTR(i.NfsPKeysBytes[j], iv).XORKeyStream(relays, relays[:index]) // we don't use buggy elligator, because we have PSK :)
+			NewCTR(i.NfsPKeysBytes[j], iv).XORKeyStream(relays, relays[:index]) // we don't use buggy elligator2, because we have PSK :)
 		}
 		if k, ok := k.(*ecdh.PrivateKey); ok {
 			publicKey, err := ecdh.X25519().NewPublicKey(relays[:index])
 			if err != nil {
 				return nil, err
 			}
+			if publicKey.Bytes()[31] > 127 { // we just don't want the observer can change even one bit without breaking the connection, though it has nothing to do with security
+				return nil, errors.New("the highest bit of the last byte of the peer-sent X25519 public key must be 0")
+			}
 			nfsKey, err = k.ECDH(publicKey)
 			if err != nil {
 				return nil, err