THE NEXT FUTURE becomes THE REALITY NOW

Thank @yuhan6665 for testing

transport/internet/reality/config.go

@@ -0,0 +1,45 @@
+package reality
+
+import (
+	"time"
+
+	"github.com/xtls/reality"
+	"github.com/xtls/xray-core/transport/internet"
+)
+
+func (c *Config) GetREALITYConfig() *reality.Config {
+	config := &reality.Config{
+		Show: c.Show,
+		Type: c.Type,
+		Dest: c.Dest,
+		Xver: byte(c.Xver),
+
+		PrivateKey:   c.PrivateKey,
+		MinClientVer: c.MinClientVer,
+		MaxClientVer: c.MaxClientVer,
+		MaxTimeDiff:  time.Duration(c.MaxTimeDiff) * time.Millisecond,
+
+		NextProtos:             nil, // should be nil
+		SessionTicketsDisabled: true,
+	}
+	config.ServerNames = make(map[string]bool)
+	for _, serverName := range c.ServerNames {
+		config.ServerNames[serverName] = true
+	}
+	config.ShortIds = make(map[[8]byte]bool)
+	for _, shortId := range c.ShortIds {
+		config.ShortIds[*(*[8]byte)(shortId)] = true
+	}
+	return config
+}
+
+func ConfigFromStreamSettings(settings *internet.MemoryStreamConfig) *Config {
+	if settings == nil {
+		return nil
+	}
+	config, ok := settings.SecuritySettings.(*Config)
+	if !ok {
+		return nil
+	}
+	return config
+}

transport/internet/reality/config.pb.go

@@ -0,0 +1,300 @@
+// Code generated by protoc-gen-go. DO NOT EDIT.
+// versions:
+// 	protoc-gen-go v1.28.1
+// 	protoc        v3.21.12
+// source: transport/internet/reality/config.proto
+
+package reality
+
+import (
+	protoreflect "google.golang.org/protobuf/reflect/protoreflect"
+	protoimpl "google.golang.org/protobuf/runtime/protoimpl"
+	reflect "reflect"
+	sync "sync"
+)
+
+const (
+	// Verify that this generated code is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion)
+	// Verify that runtime/protoimpl is sufficiently up-to-date.
+	_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
+)
+
+type Config struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	Show         bool     `protobuf:"varint,1,opt,name=show,proto3" json:"show,omitempty"`
+	Dest         string   `protobuf:"bytes,2,opt,name=dest,proto3" json:"dest,omitempty"`
+	Type         string   `protobuf:"bytes,3,opt,name=type,proto3" json:"type,omitempty"`
+	Xver         uint64   `protobuf:"varint,4,opt,name=xver,proto3" json:"xver,omitempty"`
+	ServerNames  []string `protobuf:"bytes,5,rep,name=server_names,json=serverNames,proto3" json:"server_names,omitempty"`
+	PrivateKey   []byte   `protobuf:"bytes,6,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
+	MinClientVer []byte   `protobuf:"bytes,7,opt,name=min_client_ver,json=minClientVer,proto3" json:"min_client_ver,omitempty"`
+	MaxClientVer []byte   `protobuf:"bytes,8,opt,name=max_client_ver,json=maxClientVer,proto3" json:"max_client_ver,omitempty"`
+	MaxTimeDiff  uint64   `protobuf:"varint,9,opt,name=max_time_diff,json=maxTimeDiff,proto3" json:"max_time_diff,omitempty"`
+	ShortIds     [][]byte `protobuf:"bytes,10,rep,name=short_ids,json=shortIds,proto3" json:"short_ids,omitempty"`
+	Fingerprint  string   `protobuf:"bytes,21,opt,name=Fingerprint,proto3" json:"Fingerprint,omitempty"`
+	ServerName   string   `protobuf:"bytes,22,opt,name=server_name,json=serverName,proto3" json:"server_name,omitempty"`
+	PublicKey    []byte   `protobuf:"bytes,23,opt,name=public_key,json=publicKey,proto3" json:"public_key,omitempty"`
+	ShortId      []byte   `protobuf:"bytes,24,opt,name=short_id,json=shortId,proto3" json:"short_id,omitempty"`
+	SpiderX      string   `protobuf:"bytes,25,opt,name=spider_x,json=spiderX,proto3" json:"spider_x,omitempty"`
+	SpiderY      []int64  `protobuf:"varint,26,rep,packed,name=spider_y,json=spiderY,proto3" json:"spider_y,omitempty"`
+}
+
+func (x *Config) Reset() {
+	*x = Config{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_transport_internet_reality_config_proto_msgTypes[0]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *Config) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*Config) ProtoMessage() {}
+
+func (x *Config) ProtoReflect() protoreflect.Message {
+	mi := &file_transport_internet_reality_config_proto_msgTypes[0]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use Config.ProtoReflect.Descriptor instead.
+func (*Config) Descriptor() ([]byte, []int) {
+	return file_transport_internet_reality_config_proto_rawDescGZIP(), []int{0}
+}
+
+func (x *Config) GetShow() bool {
+	if x != nil {
+		return x.Show
+	}
+	return false
+}
+
+func (x *Config) GetDest() string {
+	if x != nil {
+		return x.Dest
+	}
+	return ""
+}
+
+func (x *Config) GetType() string {
+	if x != nil {
+		return x.Type
+	}
+	return ""
+}
+
+func (x *Config) GetXver() uint64 {
+	if x != nil {
+		return x.Xver
+	}
+	return 0
+}
+
+func (x *Config) GetServerNames() []string {
+	if x != nil {
+		return x.ServerNames
+	}
+	return nil
+}
+
+func (x *Config) GetPrivateKey() []byte {
+	if x != nil {
+		return x.PrivateKey
+	}
+	return nil
+}
+
+func (x *Config) GetMinClientVer() []byte {
+	if x != nil {
+		return x.MinClientVer
+	}
+	return nil
+}
+
+func (x *Config) GetMaxClientVer() []byte {
+	if x != nil {
+		return x.MaxClientVer
+	}
+	return nil
+}
+
+func (x *Config) GetMaxTimeDiff() uint64 {
+	if x != nil {
+		return x.MaxTimeDiff
+	}
+	return 0
+}
+
+func (x *Config) GetShortIds() [][]byte {
+	if x != nil {
+		return x.ShortIds
+	}
+	return nil
+}
+
+func (x *Config) GetFingerprint() string {
+	if x != nil {
+		return x.Fingerprint
+	}
+	return ""
+}
+
+func (x *Config) GetServerName() string {
+	if x != nil {
+		return x.ServerName
+	}
+	return ""
+}
+
+func (x *Config) GetPublicKey() []byte {
+	if x != nil {
+		return x.PublicKey
+	}
+	return nil
+}
+
+func (x *Config) GetShortId() []byte {
+	if x != nil {
+		return x.ShortId
+	}
+	return nil
+}
+
+func (x *Config) GetSpiderX() string {
+	if x != nil {
+		return x.SpiderX
+	}
+	return ""
+}
+
+func (x *Config) GetSpiderY() []int64 {
+	if x != nil {
+		return x.SpiderY
+	}
+	return nil
+}
+
+var File_transport_internet_reality_config_proto protoreflect.FileDescriptor
+
+var file_transport_internet_reality_config_proto_rawDesc = []byte{
+	0x0a, 0x27, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65,
+	0x72, 0x6e, 0x65, 0x74, 0x2f, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x2f, 0x63, 0x6f, 0x6e,
+	0x66, 0x69, 0x67, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x1f, 0x78, 0x72, 0x61, 0x79, 0x2e,
+	0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e,
+	0x65, 0x74, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x22, 0xdc, 0x03, 0x0a, 0x06, 0x43,
+	0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x12, 0x0a, 0x04, 0x73, 0x68, 0x6f, 0x77, 0x18, 0x01, 0x20,
+	0x01, 0x28, 0x08, 0x52, 0x04, 0x73, 0x68, 0x6f, 0x77, 0x12, 0x12, 0x0a, 0x04, 0x64, 0x65, 0x73,
+	0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x64, 0x65, 0x73, 0x74, 0x12, 0x12, 0x0a,
+	0x04, 0x74, 0x79, 0x70, 0x65, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x74, 0x79, 0x70,
+	0x65, 0x12, 0x12, 0x0a, 0x04, 0x78, 0x76, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x04, 0x52,
+	0x04, 0x78, 0x76, 0x65, 0x72, 0x12, 0x21, 0x0a, 0x0c, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x5f,
+	0x6e, 0x61, 0x6d, 0x65, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x73, 0x65, 0x72,
+	0x76, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x70, 0x72, 0x69, 0x76,
+	0x61, 0x74, 0x65, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0a, 0x70,
+	0x72, 0x69, 0x76, 0x61, 0x74, 0x65, 0x4b, 0x65, 0x79, 0x12, 0x24, 0x0a, 0x0e, 0x6d, 0x69, 0x6e,
+	0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x76, 0x65, 0x72, 0x18, 0x07, 0x20, 0x01, 0x28,
+	0x0c, 0x52, 0x0c, 0x6d, 0x69, 0x6e, 0x43, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x56, 0x65, 0x72, 0x12,
+	0x24, 0x0a, 0x0e, 0x6d, 0x61, 0x78, 0x5f, 0x63, 0x6c, 0x69, 0x65, 0x6e, 0x74, 0x5f, 0x76, 0x65,
+	0x72, 0x18, 0x08, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x0c, 0x6d, 0x61, 0x78, 0x43, 0x6c, 0x69, 0x65,
+	0x6e, 0x74, 0x56, 0x65, 0x72, 0x12, 0x22, 0x0a, 0x0d, 0x6d, 0x61, 0x78, 0x5f, 0x74, 0x69, 0x6d,
+	0x65, 0x5f, 0x64, 0x69, 0x66, 0x66, 0x18, 0x09, 0x20, 0x01, 0x28, 0x04, 0x52, 0x0b, 0x6d, 0x61,
+	0x78, 0x54, 0x69, 0x6d, 0x65, 0x44, 0x69, 0x66, 0x66, 0x12, 0x1b, 0x0a, 0x09, 0x73, 0x68, 0x6f,
+	0x72, 0x74, 0x5f, 0x69, 0x64, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x0c, 0x52, 0x08, 0x73, 0x68,
+	0x6f, 0x72, 0x74, 0x49, 0x64, 0x73, 0x12, 0x20, 0x0a, 0x0b, 0x46, 0x69, 0x6e, 0x67, 0x65, 0x72,
+	0x70, 0x72, 0x69, 0x6e, 0x74, 0x18, 0x15, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0b, 0x46, 0x69, 0x6e,
+	0x67, 0x65, 0x72, 0x70, 0x72, 0x69, 0x6e, 0x74, 0x12, 0x1f, 0x0a, 0x0b, 0x73, 0x65, 0x72, 0x76,
+	0x65, 0x72, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x16, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0a, 0x73,
+	0x65, 0x72, 0x76, 0x65, 0x72, 0x4e, 0x61, 0x6d, 0x65, 0x12, 0x1d, 0x0a, 0x0a, 0x70, 0x75, 0x62,
+	0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x18, 0x17, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x09, 0x70,
+	0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x68, 0x6f, 0x72,
+	0x74, 0x5f, 0x69, 0x64, 0x18, 0x18, 0x20, 0x01, 0x28, 0x0c, 0x52, 0x07, 0x73, 0x68, 0x6f, 0x72,
+	0x74, 0x49, 0x64, 0x12, 0x19, 0x0a, 0x08, 0x73, 0x70, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x78, 0x18,
+	0x19, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x73, 0x70, 0x69, 0x64, 0x65, 0x72, 0x58, 0x12, 0x19,
+	0x0a, 0x08, 0x73, 0x70, 0x69, 0x64, 0x65, 0x72, 0x5f, 0x79, 0x18, 0x1a, 0x20, 0x03, 0x28, 0x03,
+	0x52, 0x07, 0x73, 0x70, 0x69, 0x64, 0x65, 0x72, 0x59, 0x42, 0x7f, 0x0a, 0x23, 0x63, 0x6f, 0x6d,
+	0x2e, 0x78, 0x72, 0x61, 0x79, 0x2e, 0x74, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e,
+	0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74, 0x2e, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79,
+	0x50, 0x01, 0x5a, 0x34, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x78,
+	0x74, 0x6c, 0x73, 0x2f, 0x78, 0x72, 0x61, 0x79, 0x2d, 0x63, 0x6f, 0x72, 0x65, 0x2f, 0x74, 0x72,
+	0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65, 0x74,
+	0x2f, 0x72, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0xaa, 0x02, 0x1f, 0x58, 0x72, 0x61, 0x79, 0x2e,
+	0x54, 0x72, 0x61, 0x6e, 0x73, 0x70, 0x6f, 0x72, 0x74, 0x2e, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e,
+	0x65, 0x74, 0x2e, 0x52, 0x65, 0x61, 0x6c, 0x69, 0x74, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74,
+	0x6f, 0x33,
+}
+
+var (
+	file_transport_internet_reality_config_proto_rawDescOnce sync.Once
+	file_transport_internet_reality_config_proto_rawDescData = file_transport_internet_reality_config_proto_rawDesc
+)
+
+func file_transport_internet_reality_config_proto_rawDescGZIP() []byte {
+	file_transport_internet_reality_config_proto_rawDescOnce.Do(func() {
+		file_transport_internet_reality_config_proto_rawDescData = protoimpl.X.CompressGZIP(file_transport_internet_reality_config_proto_rawDescData)
+	})
+	return file_transport_internet_reality_config_proto_rawDescData
+}
+
+var file_transport_internet_reality_config_proto_msgTypes = make([]protoimpl.MessageInfo, 1)
+var file_transport_internet_reality_config_proto_goTypes = []interface{}{
+	(*Config)(nil), // 0: xray.transport.internet.reality.Config
+}
+var file_transport_internet_reality_config_proto_depIdxs = []int32{
+	0, // [0:0] is the sub-list for method output_type
+	0, // [0:0] is the sub-list for method input_type
+	0, // [0:0] is the sub-list for extension type_name
+	0, // [0:0] is the sub-list for extension extendee
+	0, // [0:0] is the sub-list for field type_name
+}
+
+func init() { file_transport_internet_reality_config_proto_init() }
+func file_transport_internet_reality_config_proto_init() {
+	if File_transport_internet_reality_config_proto != nil {
+		return
+	}
+	if !protoimpl.UnsafeEnabled {
+		file_transport_internet_reality_config_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*Config); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+	}
+	type x struct{}
+	out := protoimpl.TypeBuilder{
+		File: protoimpl.DescBuilder{
+			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
+			RawDescriptor: file_transport_internet_reality_config_proto_rawDesc,
+			NumEnums:      0,
+			NumMessages:   1,
+			NumExtensions: 0,
+			NumServices:   0,
+		},
+		GoTypes:           file_transport_internet_reality_config_proto_goTypes,
+		DependencyIndexes: file_transport_internet_reality_config_proto_depIdxs,
+		MessageInfos:      file_transport_internet_reality_config_proto_msgTypes,
+	}.Build()
+	File_transport_internet_reality_config_proto = out.File
+	file_transport_internet_reality_config_proto_rawDesc = nil
+	file_transport_internet_reality_config_proto_goTypes = nil
+	file_transport_internet_reality_config_proto_depIdxs = nil
+}

transport/internet/reality/config.proto

@@ -0,0 +1,27 @@
+syntax = "proto3";
+
+package xray.transport.internet.reality;
+option csharp_namespace = "Xray.Transport.Internet.Reality";
+option go_package = "github.com/xtls/xray-core/transport/internet/reality";
+option java_package = "com.xray.transport.internet.reality";
+option java_multiple_files = true;
+
+message Config {
+  bool show = 1;
+  string dest = 2;
+  string type = 3;
+  uint64 xver = 4;
+  repeated string server_names = 5;
+  bytes private_key = 6;
+  bytes min_client_ver = 7;
+  bytes max_client_ver = 8;
+  uint64 max_time_diff = 9;
+  repeated bytes short_ids = 10;
+
+  string Fingerprint = 21;
+  string server_name = 22;
+  bytes public_key = 23;
+  bytes short_id = 24;
+  string spider_x = 25;
+  repeated int64 spider_y = 26;
+}

transport/internet/reality/errors.generated.go

@@ -0,0 +1,9 @@
+package reality
+
+import "github.com/xtls/xray-core/common/errors"
+
+type errPathObjHolder struct{}
+
+func newError(values ...interface{}) *errors.Error {
+	return errors.New(values...).WithPathObj(errPathObjHolder{})
+}

transport/internet/reality/reality.go

@@ -0,0 +1,269 @@
+package reality
+
+import (
+	"bytes"
+	"context"
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/ed25519"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/sha512"
+	gotls "crypto/tls"
+	"crypto/x509"
+	"encoding/binary"
+	"fmt"
+	"io"
+	"math/big"
+	"net/http"
+	"reflect"
+	"regexp"
+	"strings"
+	"sync"
+	"time"
+	"unsafe"
+
+	utls "github.com/refraction-networking/utls"
+	"github.com/xtls/reality"
+	"github.com/xtls/xray-core/common/errors"
+	"github.com/xtls/xray-core/common/net"
+	"github.com/xtls/xray-core/core"
+	"github.com/xtls/xray-core/transport/internet/tls"
+	"golang.org/x/crypto/hkdf"
+	"golang.org/x/net/http2"
+)
+
+//go:generate go run github.com/xtls/xray-core/common/errors/errorgen
+
+type Conn struct {
+	*reality.Conn
+}
+
+func (c *Conn) HandshakeAddress() net.Address {
+	if err := c.Handshake(); err != nil {
+		return nil
+	}
+	state := c.ConnectionState()
+	if state.ServerName == "" {
+		return nil
+	}
+	return net.ParseAddress(state.ServerName)
+}
+
+func Server(c net.Conn, config *reality.Config) (net.Conn, error) {
+	realityConn, err := reality.Server(c, config)
+	return &Conn{Conn: realityConn}, err
+}
+
+type UConn struct {
+	*utls.UConn
+	ServerName string
+	AuthKey    []byte
+	Verified   bool
+}
+
+func (c *UConn) HandshakeAddress() net.Address {
+	if err := c.Handshake(); err != nil {
+		return nil
+	}
+	state := c.ConnectionState()
+	if state.ServerName == "" {
+		return nil
+	}
+	return net.ParseAddress(state.ServerName)
+}
+
+func (c *UConn) VerifyPeerCertificate(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
+	p, _ := reflect.TypeOf(c.Conn).Elem().FieldByName("peerCertificates")
+	certs := *(*([]*x509.Certificate))(unsafe.Pointer(uintptr(unsafe.Pointer(c.Conn)) + p.Offset))
+	if pub, ok := certs[0].PublicKey.(ed25519.PublicKey); ok {
+		h := hmac.New(sha512.New, c.AuthKey)
+		h.Write(pub)
+		if bytes.Equal(h.Sum(nil), certs[0].Signature) {
+			c.Verified = true
+			return nil
+		}
+	}
+	opts := x509.VerifyOptions{
+		DNSName:       c.ServerName,
+		Intermediates: x509.NewCertPool(),
+	}
+	for _, cert := range certs[1:] {
+		opts.Intermediates.AddCert(cert)
+	}
+	if _, err := certs[0].Verify(opts); err != nil {
+		return err
+	}
+	return nil
+}
+
+func UClient(c net.Conn, config *Config, ctx context.Context, dest net.Destination) (net.Conn, error) {
+	localAddr := c.LocalAddr().String()
+	uConn := &UConn{}
+	utlsConfig := &utls.Config{
+		VerifyPeerCertificate:  uConn.VerifyPeerCertificate,
+		ServerName:             config.ServerName,
+		InsecureSkipVerify:     true,
+		SessionTicketsDisabled: true,
+	}
+	if utlsConfig.ServerName == "" && dest.Address.Family().IsDomain() {
+		utlsConfig.ServerName = dest.Address.Domain()
+	}
+	uConn.ServerName = utlsConfig.ServerName
+	fingerprint := tls.GetFingerprint(config.Fingerprint)
+	if fingerprint == nil {
+		return nil, newError("REALITY: failed to get fingerprint").AtError()
+	}
+	uConn.UConn = utls.UClient(c, utlsConfig, *fingerprint)
+	{
+		uConn.BuildHandshakeState()
+		hello := uConn.HandshakeState.Hello
+		hello.SessionId = make([]byte, 32)
+		copy(hello.Raw[39:], hello.SessionId) // the location of session ID
+		binary.BigEndian.PutUint64(hello.SessionId, uint64(time.Now().Unix()))
+		hello.SessionId[0] = core.Version_x
+		hello.SessionId[1] = core.Version_y
+		hello.SessionId[2] = core.Version_z
+		copy(hello.SessionId[8:], config.ShortId)
+		if config.Show {
+			fmt.Printf("REALITY localAddr: %v\thello.sessionId[:16]: %v\n", localAddr, hello.SessionId[:16])
+		}
+		uConn.AuthKey = uConn.HandshakeState.State13.EcdheParams.SharedKey(config.PublicKey)
+		if uConn.AuthKey == nil {
+			return nil, errors.New("REALITY: SharedKey == nil")
+		}
+		if _, err := hkdf.New(sha256.New, uConn.AuthKey, hello.Random[:20], []byte("REALITY")).Read(uConn.AuthKey); err != nil {
+			return nil, err
+		}
+		block, _ := aes.NewCipher(uConn.AuthKey)
+		aead, _ := cipher.NewGCM(block)
+		aead.Seal(hello.SessionId[:0], hello.Random[20:], hello.SessionId[:16], hello.Raw)
+		copy(hello.Raw[39:], hello.SessionId)
+		if config.Show {
+			fmt.Printf("REALITY localAddr: %v\thello.sessionId: %v\n", localAddr, hello.SessionId)
+			fmt.Printf("REALITY localAddr: %v\tuConn.AuthKey: %v\n", localAddr, uConn.AuthKey)
+		}
+	}
+	if err := uConn.Handshake(); err != nil {
+		return nil, err
+	}
+	if config.Show {
+		fmt.Printf("REALITY localAddr: %v\tuConn.Verified: %v\n", localAddr, uConn.Verified)
+	}
+	if !uConn.Verified {
+		go func() {
+			client := &http.Client{
+				Transport: &http2.Transport{
+					DialTLSContext: func(ctx context.Context, network, addr string, cfg *gotls.Config) (net.Conn, error) {
+						fmt.Printf("REALITY localAddr: %v\tDialTLSContext\n", localAddr)
+						return uConn, nil
+					},
+				},
+			}
+			prefix := []byte("https://" + uConn.ServerName)
+			maps.Lock()
+			if maps.maps == nil {
+				maps.maps = make(map[string]map[string]bool)
+			}
+			paths := maps.maps[uConn.ServerName]
+			if paths == nil {
+				paths = make(map[string]bool)
+				paths[config.SpiderX] = true
+				maps.maps[uConn.ServerName] = paths
+			}
+			firstURL := string(prefix) + getPathLocked(paths)
+			maps.Unlock()
+			get := func(first bool) {
+				var (
+					req  *http.Request
+					resp *http.Response
+					err  error
+					body []byte
+				)
+				if first {
+					req, _ = http.NewRequest("GET", firstURL, nil)
+				} else {
+					maps.Lock()
+					req, _ = http.NewRequest("GET", string(prefix)+getPathLocked(paths), nil)
+					maps.Unlock()
+				}
+				req.Header.Set("User-Agent", fingerprint.Client) // TODO: User-Agent map
+				if first && config.Show {
+					fmt.Printf("REALITY localAddr: %v\treq.UserAgent(): %v\n", localAddr, req.UserAgent())
+				}
+				times := 1
+				if !first {
+					times = int(randBetween(config.SpiderY[4], config.SpiderY[5]))
+				}
+				for j := 0; j < times; j++ {
+					if !first && j == 0 {
+						req.Header.Set("Referer", firstURL)
+					}
+					req.AddCookie(&http.Cookie{Name: "padding", Value: strings.Repeat("0", int(randBetween(config.SpiderY[0], config.SpiderY[1])))})
+					if resp, err = client.Do(req); err != nil {
+						break
+					}
+					req.Header.Set("Referer", req.URL.String())
+					if body, err = io.ReadAll(resp.Body); err != nil {
+						break
+					}
+					maps.Lock()
+					for _, m := range href.FindAllSubmatch(body, -1) {
+						m[1] = bytes.TrimPrefix(m[1], prefix)
+						if !bytes.Contains(m[1], dot) {
+							paths[string(m[1])] = true
+						}
+					}
+					req.URL.Path = getPathLocked(paths)
+					if config.Show {
+						fmt.Printf("REALITY localAddr: %v\treq.Referer(): %v\n", localAddr, req.Referer())
+						fmt.Printf("REALITY localAddr: %v\tlen(body): %v\n", localAddr, len(body))
+						fmt.Printf("REALITY localAddr: %v\tlen(paths): %v\n", localAddr, len(paths))
+					}
+					maps.Unlock()
+					if !first {
+						time.Sleep(time.Duration(randBetween(config.SpiderY[6], config.SpiderY[7])) * time.Millisecond) // interval
+					}
+				}
+			}
+			get(true)
+			concurrency := int(randBetween(config.SpiderY[2], config.SpiderY[3]))
+			for i := 0; i < concurrency; i++ {
+				go get(false)
+			}
+			// Do not close the connection
+		}()
+		time.Sleep(time.Duration(randBetween(config.SpiderY[8], config.SpiderY[9])) * time.Millisecond) // return
+		return nil, errors.New("REALITY: processed invalid connection")
+	}
+	return uConn, nil
+}
+
+var href = regexp.MustCompile(`href="([/h].*?)"`)
+var dot = []byte(".")
+
+var maps struct {
+	sync.Mutex
+	maps map[string]map[string]bool
+}
+
+func getPathLocked(paths map[string]bool) string {
+	stopAt := int(randBetween(0, int64(len(paths)-1)))
+	i := 0
+	for s := range paths {
+		if i == stopAt {
+			return s
+		}
+		i++
+	}
+	return "/"
+}
+
+func randBetween(left int64, right int64) int64 {
+	if left == right {
+		return left
+	}
+	bigInt, _ := rand.Int(rand.Reader, big.NewInt(right-left))
+	return left + bigInt.Int64()
+}