diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
new file mode 100644
index 0000000..2aa7eca
--- /dev/null
+++ b/.github/workflows/linter.yml
@@ -0,0 +1,34 @@
+name: Linter
+
+on:
+  push:
+    branches:
+      - dev
+    paths:
+      - "**/*.go"
+      - ".github/workflows/linter.yml"
+  pull_request:
+    types: [ opened, synchronize, reopened ]
+    paths:
+      - "**/*.go"
+      - ".github/workflows/linter.yml"
+
+jobs:
+  lint:
+    if: github.repository == 'sagernet/sing'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Get latest go version
+        id: version
+        run: |
+          echo ::set-output name=go_version::$(curl -s https://raw.githubusercontent.com/actions/go-versions/main/versions-manifest.json | grep -oE '"version": "[0-9]{1}.[0-9]{1,}(.[0-9]{1,})?"' | head -1 | cut -d':' -f2 | sed 's/ //g; s/"//g')
+      - name: Setup Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: ${{ steps.version.outputs.go_version }}
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
+        with:
+          version: latest
\ No newline at end of file
diff --git a/.golangci.yml b/.golangci.yml
new file mode 100644
index 0000000..33f01ab
--- /dev/null
+++ b/.golangci.yml
@@ -0,0 +1,55 @@
+run:
+  timeout: 5m
+
+linters:
+  enable-all: true
+  disable:
+    - errcheck
+    - wrapcheck
+    - varnamelen
+    - stylecheck
+    - nonamedreturns
+    - nlreturn
+    - ireturn
+    - gomnd
+    - exhaustivestruct
+    - ifshort
+    - goerr113
+    - gochecknoglobals
+    - forcetypeassert
+    - exhaustruct
+    - exhaustive
+    - cyclop
+    - containedctx
+    - wsl
+    - nestif
+    - lll
+    - funlen
+    - goconst
+    - godot
+    - gocognit
+    - golint
+    - goimports
+    - nakedret
+
+linters-settings:
+  revive:
+    rules:
+      - name: var-naming
+        disabled: true
+  gocritic:
+    disabled-checks:
+      - ifElseChain
+  gosec:
+    excludes:
+      - G401 # use weak cipher
+      - G404 # use math/rand
+      - G501 # import md5
+      - G503 # import rc4
+      - G505 # import sha1
+  govet:
+    enable-all: true
+    disable:
+      - composites
+      - fieldalignment
+      - shadow
\ No newline at end of file
diff --git a/format.go b/format.go
index ccdf305..8f2a2e2 100644
--- a/format.go
+++ b/format.go
@@ -3,4 +3,5 @@ package shadowsocks
 //go:generate go install -v mvdan.cc/gofumpt@latest
 //go:generate go install -v github.com/daixiang0/gci@latest
 //go:generate gofumpt -l -w .
+//go:generate gofmt -s -w .
 //go:generate gci write .
diff --git a/go.mod b/go.mod
index adebd50..e143fbe 100644
--- a/go.mod
+++ b/go.mod
@@ -3,12 +3,12 @@ module github.com/sagernet/sing-shadowsocks
 go 1.18
 
 require (
-	github.com/sagernet/sing v0.0.0-20220627234642-a817f7084d9c
-	golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e
+	github.com/sagernet/sing v0.0.0-20220629043543-849d16c37bbb
+	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d
 	lukechampine.com/blake3 v1.1.7
 )
 
 require (
 	github.com/klauspost/cpuid/v2 v2.0.12 // indirect
-	golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c // indirect
+	golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b // indirect
 )
diff --git a/go.sum b/go.sum
index 2467070..df3577a 100644
--- a/go.sum
+++ b/go.sum
@@ -1,11 +1,11 @@
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.0.12 h1:p9dKCg8i4gmOxtv35DvrYoWqYzQrvEVdjQ762Y0OqZE=
 github.com/klauspost/cpuid/v2 v2.0.12/go.mod h1:g2LTdtYhdyuGPqyWyv7qRAmj1WBqxuObKfj5c0PQa7c=
-github.com/sagernet/sing v0.0.0-20220627234642-a817f7084d9c h1:98QC0wtaD648MFPw82KaT1O9LloQgR4ZyIDtNtsno8Y=
-github.com/sagernet/sing v0.0.0-20220627234642-a817f7084d9c/go.mod h1:I67R/q5f67xDExL2kL3RLIP7kGJBOPkYXkpRAykgC+E=
-golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e h1:T8NU3HyQ8ClP4SEE+KbFlg6n0NhuTsN4MyznaarGsZM=
-golang.org/x/crypto v0.0.0-20220525230936-793ad666bf5e/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c h1:aFV+BgZ4svzjfabn8ERpuB4JI4N6/rdy1iusx77G3oU=
-golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+github.com/sagernet/sing v0.0.0-20220629043543-849d16c37bbb h1:uWSKHyuyi8wIyVDzIvaOqck3yT0gIWonW8JQNRCg8Ok=
+github.com/sagernet/sing v0.0.0-20220629043543-849d16c37bbb/go.mod h1:lR0Mc9cBSAgFLGgXWtj5D1X191KeQ/S+LHOhRhuINBo=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d h1:sK3txAijHtOK88l68nt020reeT1ZdKLIYetKl95FzVY=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b h1:2n253B2r0pYSmEV+UNCQoPfU/FiaizQEK5Gu4Bq4JE8=
+golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 lukechampine.com/blake3 v1.1.7 h1:GgRMhmdsuK8+ii6UZFDL8Nb+VyMwadAgcJyfYHxG6n0=
 lukechampine.com/blake3 v1.1.7/go.mod h1:tkKEOtDkNtklkXtLNEOGNq5tcV90tJiA1vAA12R78LA=
diff --git a/shadowaead/service.go b/shadowaead/service.go
index becf2dc..9061513 100644
--- a/shadowaead/service.go
+++ b/shadowaead/service.go
@@ -97,6 +97,9 @@ func (s *Service) newConnection(ctx context.Context, conn net.Conn, metadata M.M
 	readCipher, err := s.constructor(key.Bytes())
 	key.Release()
 	common.KeepAlive(_key)
+	if err != nil {
+		return err
+	}
 	reader := NewReader(conn, readCipher, MaxPacketSize)
 
 	err = reader.ReadWithLengthChunk(header.From(s.keySaltLength))
@@ -264,6 +267,9 @@ func (w *serverPacketWriter) WritePacket(buffer *buf.Buffer, destination M.Socks
 	writeCipher, err := w.constructor(key.Bytes())
 	key.Release()
 	common.KeepAlive(_key)
+	if err != nil {
+		return err
+	}
 	writeCipher.Seal(buffer.From(w.keySaltLength)[:0], rw.ZeroBytes[:writeCipher.NonceSize()], buffer.From(w.keySaltLength), nil)
 	buffer.Extend(Overhead)
 	return w.source.WritePacket(buffer, M.SocksaddrFromNet(w.nat.LocalAddr()))
diff --git a/shadowaead_2022/encrypted_stream.go b/shadowaead_2022/encrypted_stream.go
index 59935ff..96dfafc 100644
--- a/shadowaead_2022/encrypted_stream.go
+++ b/shadowaead_2022/encrypted_stream.go
@@ -14,9 +14,7 @@ const (
 	recordTypeApplicationData = 23
 
 	tlsVersion10 = 0x0301
-	tlsVersion11 = 0x0302
 	tlsVersion12 = 0x0303
-	tlsVersion13 = 0x0304
 
 	tlsEncryptedLengthChunkLength = 5 + shadowaead.Overhead
 )
diff --git a/shadowaead_2022/protocol.go b/shadowaead_2022/protocol.go
index a4b68e9..09e0ad0 100644
--- a/shadowaead_2022/protocol.go
+++ b/shadowaead_2022/protocol.go
@@ -128,12 +128,18 @@ func New(method string, pskList [][]byte, options ...MethodOption) (shadowsocks.
 	switch method {
 	case "2022-blake3-aes-128-gcm", "2022-blake3-aes-256-gcm":
 		m.udpBlockEncryptCipher, err = aes.NewCipher(pskList[0])
+		if err != nil {
+			return nil, err
+		}
 		m.udpBlockDecryptCipher, err = aes.NewCipher(pskList[len(pskList)-1])
+		if err != nil {
+			return nil, err
+		}
 	case "2022-blake3-chacha20-poly1305":
 		m.udpCipher, err = chacha20poly1305.NewX(pskList[0])
-	}
-	if err != nil {
-		return nil, err
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	m.pskList = pskList
diff --git a/shadowaead_2022/relay.go b/shadowaead_2022/relay.go
index 2547eaf..e6f1482 100644
--- a/shadowaead_2022/relay.go
+++ b/shadowaead_2022/relay.go
@@ -228,10 +228,7 @@ func (s *RelayService[U]) newPacket(ctx context.Context, conn N.PacketConn, buff
 	metadata.Protocol = "shadowsocks-relay"
 	metadata.Destination = s.uDestination[user]
 	s.udpNat.NewContextPacket(ctx, sessionId, buffer, metadata, func(natConn N.PacketConn) (context.Context, N.PacketWriter) {
-		return &shadowsocks.UserContext[U]{
-			ctx,
-			user,
-		}, &udpnat.DirectBackWriter{Source: conn, Nat: natConn}
+		return &shadowsocks.UserContext[U]{ctx, user}, &udpnat.DirectBackWriter{Source: conn, Nat: natConn}
 	})
 	return nil
 }
diff --git a/shadowaead_2022/service_multi.go b/shadowaead_2022/service_multi.go
index d186ace..b966b78 100644
--- a/shadowaead_2022/service_multi.go
+++ b/shadowaead_2022/service_multi.go
@@ -371,10 +371,7 @@ process:
 
 	metadata.Destination = destination
 	s.udpNat.NewContextPacket(ctx, sessionId, buffer, metadata, func(natConn N.PacketConn) (context.Context, N.PacketWriter) {
-		return &shadowsocks.UserContext[U]{
-			ctx,
-			user,
-		}, &serverPacketWriter{s.Service, conn, natConn, session, s.uCipher[user]}
+		return &shadowsocks.UserContext[U]{ctx, user}, &serverPacketWriter{s.Service, conn, natConn, session, s.uCipher[user]}
 	})
 	return nil
 }
diff --git a/shadowaead_2022/service_multi_test.go b/shadowaead_2022/service_multi_test.go
index f3d011b..f50006a 100644
--- a/shadowaead_2022/service_multi_test.go
+++ b/shadowaead_2022/service_multi_test.go
@@ -15,6 +15,7 @@ import (
 )
 
 func TestMultiService(t *testing.T) {
+	t.Parallel()
 	method := "2022-blake3-aes-128-gcm"
 	var iPSK [16]byte
 	rand.Reader.Read(iPSK[:])
diff --git a/shadowaead_2022/service_test.go b/shadowaead_2022/service_test.go
index d58c90a..37b6fb4 100644
--- a/shadowaead_2022/service_test.go
+++ b/shadowaead_2022/service_test.go
@@ -14,6 +14,7 @@ import (
 )
 
 func TestService(t *testing.T) {
+	t.Parallel()
 	method := "2022-blake3-aes-128-gcm"
 	var psk [16]byte
 	rand.Reader.Read(psk[:])
diff --git a/shadowsocks.go b/shadowsocks.go
index 86c6766..cd6893e 100644
--- a/shadowsocks.go
+++ b/shadowsocks.go
@@ -80,7 +80,7 @@ func Key(password []byte, keySize int) []byte {
 	h := md5.New()
 	for len(b) < keySize {
 		h.Write(prev)
-		h.Write([]byte(password))
+		h.Write(password)
 		b = h.Sum(b)
 		prev = b[len(b)-h.Size():]
 		h.Reset()