release 2.6.0

Adding exceptions on clients

.gitignore

@@ -230,3 +230,6 @@ pip-log.txt
 
 #Mr Developer
 .mr.developer.cfg
+
+# Sphinx
+docs/_build

.travis.yml

@@ -0,0 +1,37 @@
+language: cpp
+cache:
+  apt: true
+os:
+  - linux
+  - osx
+sudo: required
+dist: trusty
+addons:
+  apt:
+    packages:
+      - build-essential
+      - cmake
+      - g++
+      - clang
+      - libboost-chrono-dev
+      - libboost-date-time-dev
+      - libboost-filesystem-dev
+      - libboost-program-options-dev
+      - libboost-regex-dev
+      - libboost-system-dev
+      - libboost-thread-dev
+      - libminiupnpc-dev
+      - libssl-dev
+compiler:
+  - gcc
+  - clang
+before_install:
+  - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then brew update ; fi
+  - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then brew install openssl miniupnpc ; fi
+  - if [[ "$TRAVIS_OS_NAME" == "osx" ]]; then brew unlink boost openssl && brew link boost openssl -f ; fi
+env:
+  matrix:
+    - BUILD_TYPE=Release UPNP=ON
+    - BUILD_TYPE=Release UPNP=OFF
+script:
+  - cd build && cmake -DCMAKE_BUILD_TYPE=${BUILD_TYPE} -DWITH_UPNP=${UPNP} && make

AddressBook.cpp

@@ -5,12 +5,12 @@
 #include <fstream>
 #include <chrono>
 #include <condition_variable>
-#include <boost/filesystem.hpp>
 #include <boost/lexical_cast.hpp>
-#include <cryptopp/osrng.h>
-#include "base64.h"
+#include <openssl/rand.h>
+#include "Base.h"
 #include "util.h"
 #include "Identity.h"
+#include "FS.h"
 #include "Log.h"
 #include "NetDb.h"
 #include "ClientContext.h"
@@ -20,138 +20,191 @@ namespace i2p
 {
 namespace client
 {
-
+	// TODO: this is actually proxy class
 	class AddressBookFilesystemStorage: public AddressBookStorage
 	{
-		public:
+		private:
+			i2p::fs::HashedStorage storage;
+			std::string etagsPath, indexPath, localPath;
 
-			AddressBookFilesystemStorage ();
-			bool GetAddress (const i2p::data::IdentHash& ident, i2p::data::IdentityEx& address) const;
-			void AddAddress (const i2p::data::IdentityEx& address);
+		public:
+			AddressBookFilesystemStorage (): storage("addressbook", "b", "", "b32") {};
+			std::shared_ptr<const i2p::data::IdentityEx> GetAddress (const i2p::data::IdentHash& ident) const;
+			void AddAddress (std::shared_ptr<const i2p::data::IdentityEx> address);
 			void RemoveAddress (const i2p::data::IdentHash& ident);
 
+			bool Init ();
 			int Load (std::map<std::string, i2p::data::IdentHash>& addresses);
+			int LoadLocal (std::map<std::string, i2p::data::IdentHash>& addresses);
 			int Save (const std::map<std::string, i2p::data::IdentHash>& addresses);
 
-		private:	
-			
-			boost::filesystem::path GetPath () const { return i2p::util::filesystem::GetDefaultDataDir() / "addressbook"; };
+			void SaveEtag (const i2p::data::IdentHash& subsciption, const std::string& etag, const std::string& lastModified);
+			bool GetEtag (const i2p::data::IdentHash& subscription, std::string& etag, std::string& lastModified);
+
+		private:
+
+			int LoadFromFile (const std::string& filename, std::map<std::string, i2p::data::IdentHash>& addresses); // returns -1 if can't open file, otherwise number of records
 
 	};
 
-	AddressBookFilesystemStorage::AddressBookFilesystemStorage ()
-	{
-		auto path = GetPath ();
-		if (!boost::filesystem::exists (path))
-		{
-			// Create directory is necessary
-			if (!boost::filesystem::create_directory (path))
-				LogPrint (eLogError, "Failed to create addressbook directory");
-		}
-	}
-
-	bool AddressBookFilesystemStorage::GetAddress (const i2p::data::IdentHash& ident, i2p::data::IdentityEx& address) const
-	{
-		auto filename = GetPath () / (ident.ToBase32() + ".b32");
-		std::ifstream f(filename.c_str (), std::ifstream::binary);
-		if (f.is_open ())	
-		{
-			f.seekg (0,std::ios::end);
-			size_t len = f.tellg ();
-			if (len < i2p::data::DEFAULT_IDENTITY_SIZE)
-			{
-				LogPrint (eLogError, "File ", filename, " is too short. ", len);
-				return false;
-			}
-			f.seekg(0, std::ios::beg);
-			uint8_t * buf = new uint8_t[len];
-			f.read((char *)buf, len);
-			address.FromBuffer (buf, len);
-			delete[] buf;
+	bool AddressBookFilesystemStorage::Init()
+	{	
+		storage.SetPlace(i2p::fs::GetDataDir());
+		// init storage
+		if (storage.Init(i2p::data::GetBase32SubstitutionTable(), 32))
+		{	
+			// init ETags
+			etagsPath = i2p::fs::StorageRootPath (storage, "etags");
+			if (!i2p::fs::Exists (etagsPath))
+				i2p::fs::CreateDirectory (etagsPath);
+			// init address files
+			indexPath = i2p::fs::StorageRootPath (storage, "addresses.csv");
+			localPath = i2p::fs::StorageRootPath (storage, "local.csv");
 			return true;
-		}
-		else
-			return false;
+		}	
+		return false;
 	}
 
-	void AddressBookFilesystemStorage::AddAddress (const i2p::data::IdentityEx& address)
+	std::shared_ptr<const i2p::data::IdentityEx> AddressBookFilesystemStorage::GetAddress (const i2p::data::IdentHash& ident) const
 	{
-		auto filename = GetPath () / (address.GetIdentHash ().ToBase32() + ".b32");
-		std::ofstream f (filename.c_str (), std::ofstream::binary | std::ofstream::out);
-		if (f.is_open ())	
-		{
-			size_t len = address.GetFullLen ();
-			uint8_t * buf = new uint8_t[len];
-			address.ToBuffer (buf, len);
-			f.write ((char *)buf, len);
-			delete[] buf;
+		std::string filename = storage.Path(ident.ToBase32());
+		std::ifstream f(filename, std::ifstream::binary);
+		if (!f.is_open ()) {
+			LogPrint(eLogDebug, "Addressbook: Requested, but not found: ", filename);
+			return nullptr;
 		}
-		else
-			LogPrint (eLogError, "Can't open file ", filename);	
+
+		f.seekg (0,std::ios::end);
+		size_t len = f.tellg ();
+		if (len < i2p::data::DEFAULT_IDENTITY_SIZE) {
+			LogPrint (eLogError, "Addressbook: File ", filename, " is too short: ", len);
+			return nullptr;
+		}
+		f.seekg(0, std::ios::beg);
+		uint8_t * buf = new uint8_t[len];
+		f.read((char *)buf, len);
+		auto address = std::make_shared<i2p::data::IdentityEx>(buf, len);
+		delete[] buf;
+		return address;
+	}
+
+	void AddressBookFilesystemStorage::AddAddress (std::shared_ptr<const i2p::data::IdentityEx> address)
+	{
+		std::string path = storage.Path( address->GetIdentHash().ToBase32() );
+		std::ofstream f (path, std::ofstream::binary | std::ofstream::out);
+		if (!f.is_open ())	{
+			LogPrint (eLogError, "Addressbook: can't open file ", path);
+			return;
+		}
+		size_t len = address->GetFullLen ();
+		uint8_t * buf = new uint8_t[len];
+		address->ToBuffer (buf, len);
+		f.write ((char *)buf, len);
+		delete[] buf;
 	}	
 
 	void AddressBookFilesystemStorage::RemoveAddress (const i2p::data::IdentHash& ident)
 	{
-		auto filename = GetPath () / (ident.ToBase32() + ".b32");
-		if (boost::filesystem::exists (filename))  
-			boost::filesystem::remove (filename);
+		storage.Remove( ident.ToBase32() );
+	}
+
+	int AddressBookFilesystemStorage::LoadFromFile (const std::string& filename, std::map<std::string, i2p::data::IdentHash>& addresses)
+	{
+		int num = 0;	
+		std::ifstream f (filename, std::ifstream::in); // in text mode
+		if (!f) return -1;
+
+		addresses.clear ();
+		while (!f.eof ()) 
+		{
+			std::string s;
+			getline(f, s);
+			if (!s.length()) continue; // skip empty line
+
+			std::size_t pos = s.find(',');
+			if (pos != std::string::npos)
+			{
+				std::string name = s.substr(0, pos++);
+				std::string addr = s.substr(pos);
+
+				i2p::data::IdentHash ident;
+				ident.FromBase32 (addr);
+				addresses[name] = ident;
+				num++;
+			}		
+		}
+		return num;
 	}
 
 	int AddressBookFilesystemStorage::Load (std::map<std::string, i2p::data::IdentHash>& addresses)
 	{
-		int num = 0;	
-		auto filename = GetPath () / "addresses.csv";
-		std::ifstream f (filename.c_str (), std::ofstream::in); // in text mode
-		if (f.is_open ())	
+		int num = LoadFromFile (indexPath, addresses);	
+		if (num < 0)
 		{
-			addresses.clear ();
-			while (!f.eof ())
-			{
-				std::string s;
-				getline(f, s);
-				if (!s.length())
-					continue; // skip empty line
+			LogPrint(eLogWarning, "Addressbook: Can't open ", indexPath);
+			return 0;
+		}			
+		LogPrint(eLogInfo, "Addressbook: using index file ", indexPath);
+		LogPrint (eLogInfo, "Addressbook: ", num, " addresses loaded from storage");
 
-				size_t pos = s.find(',');
-				if (pos != std::string::npos)
-				{
-					std::string name = s.substr(0, pos++);
-					std::string addr = s.substr(pos);
+		return num;
+	}
 
-					i2p::data::IdentHash ident;
-					ident.FromBase32 (addr);
-					addresses[name] = ident;
-					num++;
-				}		
-			}
-			LogPrint (eLogInfo, num, " addresses loaded");
-		}
-		else
-			LogPrint (eLogWarning, filename, " not found");
+	int AddressBookFilesystemStorage::LoadLocal (std::map<std::string, i2p::data::IdentHash>& addresses)
+	{
+		int num = LoadFromFile (localPath, addresses);	
+		if (num < 0) return 0;
+		LogPrint (eLogInfo, "Addressbook: ", num, " local addresses loaded");	
 		return num;
 	}
 
 	int AddressBookFilesystemStorage::Save (const std::map<std::string, i2p::data::IdentHash>& addresses)
 	{
-		int num = 0;
-		auto filename = GetPath () / "addresses.csv";
-		std::ofstream f (filename.c_str (), std::ofstream::out); // in text mode
-		if (f.is_open ())	
-		{
-			for (auto it: addresses)
-			{
-				f << it.first << "," << it.second.ToBase32 () << std::endl;
-				num++;
-			}
-			LogPrint (eLogInfo, num, " addresses saved");
+		if (addresses.size() == 0) {
+			LogPrint(eLogWarning, "Addressbook: not saving empty addressbook");
+			return 0;
 		}
-		else	
-			LogPrint (eLogError, "Can't open file ", filename);	
+
+		int num = 0;
+		std::ofstream f (indexPath, std::ofstream::out); // in text mode
+
+		if (!f.is_open ()) {
+			LogPrint (eLogWarning, "Addressbook: Can't open ", indexPath);
+			return 0;
+		}
+
+		for (auto it: addresses) {
+			f << it.first << "," << it.second.ToBase32 () << std::endl;
+			num++;
+		}
+		LogPrint (eLogInfo, "Addressbook: ", num, " addresses saved");
 		return num;	
 	}	
 
+	void AddressBookFilesystemStorage::SaveEtag (const i2p::data::IdentHash& subscription, const std::string& etag, const std::string& lastModified)
+	{
+		std::string fname = etagsPath + i2p::fs::dirSep + subscription.ToBase32 () + ".txt";
+		std::ofstream f (fname, std::ofstream::out | std::ofstream::trunc);
+		if (f)
+		{	
+			f << etag << std::endl; 
+			f<< lastModified << std::endl;
+		}	
+	}
+
+	bool AddressBookFilesystemStorage::GetEtag (const i2p::data::IdentHash& subscription, std::string& etag, std::string& lastModified)
+	{
+		std::string fname = etagsPath + i2p::fs::dirSep + subscription.ToBase32 () + ".txt";
+		std::ifstream f (fname, std::ofstream::in);
+		if (!f || f.eof ()) return false;
+		std::getline (f, etag);
+		if (f.eof ()) return false; 
+		std::getline (f, lastModified);
+		return true;
+	}
+
 //---------------------------------------------------------------------
-	AddressBook::AddressBook (): m_Storage (nullptr), m_IsLoaded (false), m_IsDownloading (false), 
+	AddressBook::AddressBook (): m_Storage(new AddressBookFilesystemStorage), m_IsLoaded (false), m_IsDownloading (false), 
 		m_DefaultSubscription (nullptr), m_SubscriptionsUpdateTimer (nullptr)
 	{
 	}
@@ -163,11 +216,20 @@ namespace client
 
 	void AddressBook::Start ()
 	{
+		m_Storage->Init();
+		LoadHosts (); /* try storage, then hosts.txt, then download */
 		StartSubscriptions ();
+		StartLookups ();
 	}
+
+	void AddressBook::StartResolvers ()
+	{
+		LoadLocal ();
+	}	
 	
 	void AddressBook::Stop ()
 	{
+		StopLookups ();
 		StopSubscriptions ();
 		if (m_SubscriptionsUpdateTimer)
 		{	
@@ -176,17 +238,17 @@ namespace client
 		}	
 		if (m_IsDownloading)
 		{
-			LogPrint (eLogInfo, "Subscription is downloading. Waiting for temination...");
+			LogPrint (eLogInfo, "Addressbook: subscriptions is downloading, abort");
 			for (int i = 0; i < 30; i++)
 			{
 				if (!m_IsDownloading)
 				{
-					LogPrint (eLogInfo, "Subscription download complete");
+					LogPrint (eLogInfo, "Addressbook: subscriptions download complete");
 					break;
 				}	
 				std::this_thread::sleep_for (std::chrono::seconds (1)); // wait for 1 seconds
 			}	
-			LogPrint (eLogError, "Subscription download hangs");
+			LogPrint (eLogError, "Addressbook: subscription download timeout");
 			m_IsDownloading = false;
 		}	
 		if (m_Storage)
@@ -195,21 +257,12 @@ namespace client
 			delete m_Storage;
 			m_Storage = nullptr;
 		}
-		if (m_DefaultSubscription)
-		{	
-			delete m_DefaultSubscription;
-			m_DefaultSubscription = nullptr;
-		}	
+		m_DefaultSubscription = nullptr;	
 		for (auto it: m_Subscriptions)
 			delete it;
 		m_Subscriptions.clear ();	
 	}	
 	
-	AddressBookStorage * AddressBook::CreateStorage ()
-	{
-		return new AddressBookFilesystemStorage ();
-	}	
-
 	bool AddressBook::GetIdentHash (const std::string& address, i2p::data::IdentHash& ident)
 	{
 		auto pos = address.find(".b32.i2p");
@@ -230,7 +283,10 @@ namespace client
 					return true;
 				}
 				else
+				{	
+					LookupAddress (address); // TODO:
 					return false;
+				}	
 			}
 		}	
 		// if not .b32 we assume full base64 address
@@ -243,74 +299,48 @@ namespace client
 	
 	const i2p::data::IdentHash * AddressBook::FindAddress (const std::string& address)
 	{
-		if (!m_IsLoaded)
-			LoadHosts ();
-		if (m_IsLoaded)
-		{
-			auto it = m_Addresses.find (address);
-			if (it != m_Addresses.end ())
-				return &it->second;
-		}
+		auto it = m_Addresses.find (address);
+		if (it != m_Addresses.end ())
+			return &it->second;
 		return nullptr;	
 	}
 
 	void AddressBook::InsertAddress (const std::string& address, const std::string& base64)
 	{
-		i2p::data::IdentityEx ident;
-		ident.FromBase64 (base64);
-		if (!m_Storage)
-			 m_Storage = CreateStorage ();
+		auto ident = std::make_shared<i2p::data::IdentityEx>();
+		ident->FromBase64 (base64);
 		m_Storage->AddAddress (ident);
-		m_Addresses[address] = ident.GetIdentHash ();
-		LogPrint (address,"->", ToAddress(ident.GetIdentHash ()), " added");
+		m_Addresses[address] = ident->GetIdentHash ();
+		LogPrint (eLogInfo, "Addressbook: added ", address," -> ", ToAddress(ident->GetIdentHash ()));
 	}
 
-	void AddressBook::InsertAddress (const i2p::data::IdentityEx& address)
+	void AddressBook::InsertAddress (std::shared_ptr<const i2p::data::IdentityEx> address)
 	{
-		if (!m_Storage) 
-			m_Storage = CreateStorage ();
 		m_Storage->AddAddress (address);
 	}
 
-	bool AddressBook::GetAddress (const std::string& address, i2p::data::IdentityEx& identity)
+	std::shared_ptr<const i2p::data::IdentityEx> AddressBook::GetAddress (const std::string& address)
 	{
-		if (!m_Storage) 
-			m_Storage = CreateStorage ();
 		i2p::data::IdentHash ident;
-		if (!GetIdentHash (address, ident)) return false;
-		return m_Storage->GetAddress (ident, identity);
+		if (!GetIdentHash (address, ident)) return nullptr;
+		return m_Storage->GetAddress (ident);
 	}	
 
 	void AddressBook::LoadHosts ()
 	{
-		if (!m_Storage)
-			 m_Storage = CreateStorage ();
 		if (m_Storage->Load (m_Addresses) > 0)
 		{
 			m_IsLoaded = true;
 			return;
 		}
 	
-		// try hosts.txt first
-		std::ifstream f (i2p::util::filesystem::GetFullPath ("hosts.txt").c_str (), std::ofstream::in); // in text mode
+		// then try hosts.txt
+		std::ifstream f (i2p::fs::DataDirPath("hosts.txt"), std::ifstream::in); // in text mode
 		if (f.is_open ())	
 		{
 			LoadHostsFromStream (f);
 			m_IsLoaded = true;
 		}
-		else
-		{
-			// if not found download it from http://i2p-projekt.i2p/hosts.txt 
-			LogPrint (eLogInfo, "hosts.txt not found. Try to download it from default subscription...");
-			if (!m_IsDownloading)
-			{
-				m_IsDownloading = true;
-				if (!m_DefaultSubscription)
-					m_DefaultSubscription = new AddressBookSubscription (*this, DEFAULT_SUBSCRIPTION_ADDRESS);
-				m_DefaultSubscription->CheckSubscription ();
-			}
-		}	
-		
 	}
 
 	void AddressBook::LoadHostsFromStream (std::istream& f)
@@ -332,18 +362,18 @@ namespace client
 				std::string name = s.substr(0, pos++);
 				std::string addr = s.substr(pos);
 
-				i2p::data::IdentityEx ident;
-				if (ident.FromBase64(addr))
+				auto ident = std::make_shared<i2p::data::IdentityEx> ();
+				if (ident->FromBase64(addr))
 				{	
-					m_Addresses[name] = ident.GetIdentHash ();
+					m_Addresses[name] = ident->GetIdentHash ();
 					m_Storage->AddAddress (ident);
 					numAddresses++;
 				}	
 				else
-					LogPrint (eLogError, "Malformed address ", addr, " for ", name);
+					LogPrint (eLogError, "Addressbook: malformed address ", addr, " for ", name);
 			}		
 		}
-		LogPrint (eLogInfo, numAddresses, " addresses processed");
+		LogPrint (eLogInfo, "Addressbook: ", numAddresses, " addresses processed");
 		if (numAddresses > 0)
 		{	
 			m_IsLoaded = true;
@@ -355,7 +385,7 @@ namespace client
 	{
 		if (!m_Subscriptions.size ())
 		{
-			std::ifstream f (i2p::util::filesystem::GetFullPath ("subscriptions.txt").c_str (), std::ofstream::in); // in text mode
+			std::ifstream f (i2p::fs::DataDirPath ("subscriptions.txt"), std::ifstream::in); // in text mode
 			if (f.is_open ())
 			{
 				std::string s;
@@ -365,22 +395,73 @@ namespace client
 					if (!s.length()) continue; // skip empty line
 					m_Subscriptions.push_back (new AddressBookSubscription (*this, s));
 				}
-				LogPrint (eLogInfo, m_Subscriptions.size (), " subscriptions loaded");
+				LogPrint (eLogInfo, "Addressbook: ", m_Subscriptions.size (), " subscriptions urls loaded");
 			}
 			else
-				LogPrint (eLogWarning, "subscriptions.txt not found");
+				LogPrint (eLogWarning, "Addressbook: subscriptions.txt not found in datadir");
 		}
 		else
-			LogPrint (eLogError, "Subscriptions already loaded");
+			LogPrint (eLogError, "Addressbook: subscriptions already loaded");
 	}
 
-	void AddressBook::DownloadComplete (bool success)
+	void AddressBook::LoadLocal ()
+	{
+		std::map<std::string, i2p::data::IdentHash> localAddresses;
+		m_Storage->LoadLocal (localAddresses);
+		for (auto it: localAddresses)
+		{
+			auto dot = it.first.find ('.');
+			if (dot != std::string::npos)
+			{
+				auto domain = it.first.substr (dot + 1);
+				auto it1 = m_Addresses.find (domain);  // find domain in our addressbook
+				if (it1 != m_Addresses.end ())
+				{
+					auto dest = context.FindLocalDestination (it1->second);
+					if (dest) 
+					{
+						// address is ours
+						std::shared_ptr<AddressResolver> resolver;
+						auto it2 = m_Resolvers.find (it1->second); 
+						if (it2 != m_Resolvers.end ())
+							resolver = it2->second; // resolver exists
+						else
+						{
+							// create new resolver
+							resolver = std::make_shared<AddressResolver>(dest);
+							m_Resolvers.insert (std::make_pair(it1->second, resolver));
+						}
+						resolver->AddAddress (it.first, it.second);
+					}
+				}
+			}
+		}
+	}
+
+	bool AddressBook::GetEtag (const i2p::data::IdentHash& subscription, std::string& etag, std::string& lastModified)
+	{
+		if (m_Storage)
+			return m_Storage->GetEtag (subscription, etag, lastModified);	
+		else
+			return false;		
+	}
+
+	void AddressBook::DownloadComplete (bool success, const i2p::data::IdentHash& subscription, const std::string& etag, const std::string& lastModified)
 	{
 		m_IsDownloading = false;
+		int nextUpdateTimeout = CONTINIOUS_SUBSCRIPTION_RETRY_TIMEOUT;
+		if (success)
+		{	
+			if (m_DefaultSubscription) m_DefaultSubscription.reset (nullptr);
+			if (m_IsLoaded)
+				nextUpdateTimeout = CONTINIOUS_SUBSCRIPTION_UPDATE_TIMEOUT; 
+			else
+				m_IsLoaded = true;
+			if (m_Storage) m_Storage->SaveEtag (subscription, etag, lastModified);
+		}	
 		if (m_SubscriptionsUpdateTimer)
 		{
-			m_SubscriptionsUpdateTimer->expires_from_now (boost::posix_time::minutes(
-				success ? CONTINIOUS_SUBSCRIPTION_UPDATE_TIMEOUT : CONTINIOUS_SUBSCRIPTION_RETRY_TIMEOUT));
+			m_SubscriptionsUpdateTimer->expires_from_now (boost::posix_time::minutes(nextUpdateTimeout));
 			m_SubscriptionsUpdateTimer->async_wait (std::bind (&AddressBook::HandleSubscriptionsUpdateTimer,
 				this, std::placeholders::_1));
 		}
@@ -389,8 +470,8 @@ namespace client
 	void AddressBook::StartSubscriptions ()
 	{
 		LoadSubscriptions ();
-		if (!m_Subscriptions.size ()) return;	
-
+		if (m_IsLoaded && m_Subscriptions.empty ()) return;
+		
 		auto dest = i2p::client::context.GetSharedLocalDestination ();
 		if (dest)
 		{
@@ -400,7 +481,7 @@ namespace client
 				this, std::placeholders::_1));
 		}
 		else
-			LogPrint (eLogError, "Can't start subscriptions: missing shared local destination");
+			LogPrint (eLogError, "Addressbook: can't start subscriptions: missing shared local destination");
 	}
 
 	void AddressBook::StopSubscriptions ()
@@ -414,19 +495,31 @@ namespace client
 		if (ecode != boost::asio::error::operation_aborted)
 		{
 			auto dest = i2p::client::context.GetSharedLocalDestination ();
-			if (!dest) return;
-			if (m_IsLoaded && !m_IsDownloading && dest->IsReady ())
+			if (!dest) {
+				LogPrint(eLogWarning, "Addressbook: missing local destination, skip subscription update");
+				return;
+			}
+			if (!m_IsDownloading && dest->IsReady ())
 			{
-				// pick random subscription
-				CryptoPP::AutoSeededRandomPool rnd;
-				auto ind = rnd.GenerateWord32 (0, m_Subscriptions.size() - 1);	
-				m_IsDownloading = true;	
-				m_Subscriptions[ind]->CheckSubscription ();		
+				if (!m_IsLoaded)
+				{
+					// download it from http://i2p-projekt.i2p/hosts.txt 
+					LogPrint (eLogInfo, "Addressbook: trying to download it from default subscription.");
+					if (!m_DefaultSubscription)
+						m_DefaultSubscription.reset (new AddressBookSubscription (*this, DEFAULT_SUBSCRIPTION_ADDRESS));
+					m_IsDownloading = true;	
+					m_DefaultSubscription->CheckSubscription ();
+				}	
+				else if (!m_Subscriptions.empty ())
+				{	
+					// pick random subscription
+					auto ind = rand () % m_Subscriptions.size();	
+					m_IsDownloading = true;	
+					m_Subscriptions[ind]->CheckSubscription ();
+				}	
 			}
 			else
 			{
-				if (!m_IsLoaded)
-					LoadHosts ();
 				// try it again later
 				m_SubscriptionsUpdateTimer->expires_from_now (boost::posix_time::minutes(INITIAL_SUBSCRIPTION_RETRY_TIMEOUT));
 				m_SubscriptionsUpdateTimer->async_wait (std::bind (&AddressBook::HandleSubscriptionsUpdateTimer,
@@ -435,6 +528,94 @@ namespace client
 		}
 	}
 
+	void AddressBook::StartLookups ()
+	{
+		auto dest = i2p::client::context.GetSharedLocalDestination ();
+		if (dest)
+		{
+			auto datagram = dest->GetDatagramDestination ();
+			if (!datagram)
+				datagram = dest->CreateDatagramDestination ();
+			datagram->SetReceiver (std::bind (&AddressBook::HandleLookupResponse, this, 
+				std::placeholders::_1, std::placeholders::_2, std::placeholders::_3, std::placeholders::_4, std::placeholders::_5), 
+				ADDRESS_RESPONSE_DATAGRAM_PORT);
+		}	
+	}
+	
+	void AddressBook::StopLookups ()
+	{
+		auto dest = i2p::client::context.GetSharedLocalDestination ();
+		if (dest)
+		{
+			auto datagram = dest->GetDatagramDestination ();
+			if (datagram)
+			    datagram->ResetReceiver (ADDRESS_RESPONSE_DATAGRAM_PORT);
+		}	
+	}
+
+	void AddressBook::LookupAddress (const std::string& address)
+	{
+		const i2p::data::IdentHash * ident = nullptr;
+		auto dot = address.find ('.');
+		if (dot != std::string::npos)
+			ident = FindAddress (address.substr (dot + 1));
+		if (!ident)
+		{
+			LogPrint (eLogError, "AddressBook: Can't find domain for ", address);
+			return;
+		}	
+		
+		auto dest = i2p::client::context.GetSharedLocalDestination ();
+		if (dest)
+		{
+			auto datagram = dest->GetDatagramDestination ();
+			if (datagram)
+			{
+				uint32_t nonce;
+				RAND_bytes ((uint8_t *)&nonce, 4);
+				{
+					std::unique_lock<std::mutex> l(m_LookupsMutex);
+					m_Lookups[nonce] = address; 
+				}	
+				LogPrint (eLogDebug, "AddressBook: Lookup of ", address, " to ", ident->ToBase32 (), " nonce=", nonce);
+				size_t len = address.length () + 9;
+				uint8_t * buf = new uint8_t[len];
+				memset (buf, 0, 4);
+				htobe32buf (buf + 4, nonce);
+				buf[8] = address.length ();
+				memcpy (buf + 9, address.c_str (), address.length ());
+				datagram->SendDatagramTo (buf, len, *ident, ADDRESS_RESPONSE_DATAGRAM_PORT, ADDRESS_RESOLVER_DATAGRAM_PORT);
+				delete[] buf;
+			}	
+		}		
+	}	
+	
+	void AddressBook::HandleLookupResponse (const i2p::data::IdentityEx& from, uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len)
+	{
+		if (len < 44)
+		{
+			LogPrint (eLogError, "AddressBook: Lookup response is too short ", len);
+			return;
+		}
+		uint32_t nonce = bufbe32toh (buf + 4);
+		LogPrint (eLogDebug, "AddressBook: Lookup response received from ", from.GetIdentHash ().ToBase32 (), " nonce=", nonce);
+		std::string address;
+		{
+			std::unique_lock<std::mutex> l(m_LookupsMutex);
+			auto it = m_Lookups.find (nonce);
+			if (it != m_Lookups.end ())
+			{	
+				address = it->second;
+				m_Lookups.erase (it);
+			}	
+		}	
+		if (address.length () > 0)
+		{
+			// TODO: verify from
+			m_Addresses[address] = buf + 8;
+		}	
+	}
+	
 	AddressBookSubscription::AddressBookSubscription (AddressBook& book, const std::string& link):
 		m_Book (book), m_Link (link)
 	{
@@ -449,38 +630,49 @@ namespace client
 	void AddressBookSubscription::Request ()
 	{
 		// must be run in separate thread	
-		LogPrint (eLogInfo, "Downloading hosts from ", m_Link, " ETag: ", m_Etag, " Last-Modified: ", m_LastModified);
+		LogPrint (eLogInfo, "Addressbook: Downloading hosts database from ", m_Link, " ETag: ", m_Etag, " Last-Modified: ", m_LastModified);
 		bool success = false;	
 		i2p::util::http::url u (m_Link);
 		i2p::data::IdentHash ident;
 		if (m_Book.GetIdentHash (u.host_, ident))
 		{
+			if (!m_Etag.length ())
+			{ 
+				// load ETag
+				m_Book.GetEtag (ident, m_Etag, m_LastModified);
+				LogPrint (eLogInfo, "Addressbook: set ", m_Link, " ETag: ", m_Etag, " Last-Modified: ", m_LastModified);
+			}	
 			std::condition_variable newDataReceived;
 			std::mutex newDataReceivedMutex;
 			auto leaseSet = i2p::client::context.GetSharedLocalDestination ()->FindLeaseSet (ident);
 			if (!leaseSet)
 			{
-				bool found = false;
 				std::unique_lock<std::mutex> l(newDataReceivedMutex);
 				i2p::client::context.GetSharedLocalDestination ()->RequestDestination (ident,
-					[&newDataReceived, &found](bool success)
+					[&newDataReceived, &leaseSet](std::shared_ptr<i2p::data::LeaseSet> ls)
 				    {
-						found = success;
+						leaseSet = ls;
 						newDataReceived.notify_all ();
 					});
 				if (newDataReceived.wait_for (l, std::chrono::seconds (SUBSCRIPTION_REQUEST_TIMEOUT)) == std::cv_status::timeout)
-					LogPrint (eLogError, "Subscription LeseseSet request timeout expired");
-				if (found)
-					leaseSet = i2p::client::context.GetSharedLocalDestination ()->FindLeaseSet (ident);	
+				{	
+					LogPrint (eLogError, "Addressbook: Subscription LeaseSet request timeout expired");
+					i2p::client::context.GetSharedLocalDestination ()->CancelDestinationRequest (ident);
+				}	
 			}
 			if (leaseSet)
 			{
 				std::stringstream request, response;
 				// standard header
-				request << "GET " << u.path_ << " HTTP/1.1\r\nHost: " << u.host_
-				<< "\r\nAccept: */*\r\n" << "User-Agent: Wget/1.11.4\r\n" << "Connection: close\r\n";
+				request << "GET "   << u.path_ << " HTTP/1.1\r\n"
+				        << "Host: " << u.host_ << "\r\n"
+				        << "Accept: */*\r\n"
+				        << "User-Agent: Wget/1.11.4\r\n"
+						//<< "Accept-Encoding: gzip\r\n"
+						<< "X-Accept-Encoding: x-i2p-gzip;q=1.0, identity;q=0.5, deflate;q=0, gzip;q=0, *;q=0\r\n"
+				        << "Connection: close\r\n";
 				if (m_Etag.length () > 0) // etag
-					request << i2p::util::http::IF_NONE_MATCH << ": \"" << m_Etag << "\"\r\n";
+					request << i2p::util::http::IF_NONE_MATCH << ": " << m_Etag << "\r\n";
 				if (m_LastModified.length () > 0) // if-modfief-since
 					request << i2p::util::http::IF_MODIFIED_SINCE << ": " << m_LastModified << "\r\n";
 				request << "\r\n"; // end of header
@@ -503,7 +695,7 @@ namespace client
 						30); // wait for 30 seconds
 					std::unique_lock<std::mutex> l(newDataReceivedMutex);
 					if (newDataReceived.wait_for (l, std::chrono::seconds (SUBSCRIPTION_REQUEST_TIMEOUT)) == std::cv_status::timeout)
-						LogPrint (eLogError, "Subscription timeout expired");
+						LogPrint (eLogError, "Addressbook: subscriptions request timeout expired");
 				}
 				// process remaining buffer
 				while (size_t len = stream->ReadSome (buf, 4096))
@@ -516,7 +708,7 @@ namespace client
 				response >> status; // status
 				if (status == 200) // OK
 				{
-					bool isChunked = false;
+					bool isChunked = false, isGzip = false;
 					std::string header, statusMessage;
 					std::getline (response, statusMessage);
 					// read until new line meaning end of header
@@ -527,6 +719,8 @@ namespace client
 						if (colon != std::string::npos)
 						{
 							std::string field = header.substr (0, colon);
+							boost::to_lower (field); // field are not case-sensitive
+							colon++;
 							header.resize (header.length () - 1); // delete \r	
 							if (field == i2p::util::http::ETAG)
 								m_Etag = header.substr (colon + 1);
@@ -534,39 +728,118 @@ namespace client
 								m_LastModified = header.substr (colon + 1);
 							else if (field == i2p::util::http::TRANSFER_ENCODING)
 								isChunked = !header.compare (colon + 1, std::string::npos, "chunked");
+							else if (field == i2p::util::http::CONTENT_ENCODING)
+								isGzip = !header.compare (colon + 1, std::string::npos, "gzip") ||
+									!header.compare (colon + 1, std::string::npos, "x-i2p-gzip");
 						}	
 					}
-					LogPrint (eLogInfo, m_Link, " ETag: ", m_Etag, " Last-Modified: ", m_LastModified);
+					LogPrint (eLogInfo, "Addressbook: received ", m_Link, " ETag: ", m_Etag, " Last-Modified: ", m_LastModified);
 					if (!response.eof ())	
 					{
 						success = true;
 						if (!isChunked)
-							m_Book.LoadHostsFromStream (response);
+							success = ProcessResponse (response, isGzip);
 						else
 						{
 							// merge chunks
 							std::stringstream merged;
 							i2p::util::http::MergeChunkedResponse (response, merged);
-							m_Book.LoadHostsFromStream (merged);
+							success = ProcessResponse (merged, isGzip);
 						}	
 					}	
 				}
 				else if (status == 304)
 				{	
 					success = true;
-					LogPrint (eLogInfo, "No updates from ", m_Link);
+					LogPrint (eLogInfo, "Addressbook: no updates from ", m_Link);
 				}	
 				else
-					LogPrint (eLogWarning, "Adressbook HTTP response ", status);
+					LogPrint (eLogWarning, "Adressbook: HTTP response ", status);
 			}
 			else
-				LogPrint (eLogError, "Address ", u.host_, " not found");
+				LogPrint (eLogError, "Addressbook: address ", u.host_, " not found");
 		}
 		else
-			LogPrint (eLogError, "Can't resolve ", u.host_);
-		LogPrint (eLogInfo, "Download complete ", success ? "Success" : "Failed");
-		m_Book.DownloadComplete (success);
+			LogPrint (eLogError, "Addressbook: Can't resolve ", u.host_);
+
+		if (!success)
+			LogPrint (eLogError, "Addressbook: download hosts.txt from ", m_Link, " failed");
+
+		m_Book.DownloadComplete (success, ident, m_Etag, m_LastModified);
 	}
+
+	bool AddressBookSubscription::ProcessResponse (std::stringstream& s, bool isGzip)
+	{
+		if (isGzip)
+		{
+			std::stringstream uncompressed;
+			i2p::data::GzipInflator inflator;
+			inflator.Inflate (s, uncompressed);
+			if (!uncompressed.fail ())
+				m_Book.LoadHostsFromStream (uncompressed);
+			else
+				return false;
+		}	
+		else
+			m_Book.LoadHostsFromStream (s);
+		return true;	
+	}
+
+	AddressResolver::AddressResolver (std::shared_ptr<ClientDestination> destination):
+		m_LocalDestination (destination)
+	{
+		if (m_LocalDestination)
+		{
+			auto datagram = m_LocalDestination->GetDatagramDestination ();
+			if (!datagram)
+				datagram = m_LocalDestination->CreateDatagramDestination ();
+			datagram->SetReceiver (std::bind (&AddressResolver::HandleRequest, this, 
+				std::placeholders::_1, std::placeholders::_2, std::placeholders::_3, std::placeholders::_4, std::placeholders::_5), 
+				ADDRESS_RESOLVER_DATAGRAM_PORT);
+		}
+	}
+
+	AddressResolver::~AddressResolver ()
+	{
+		if (m_LocalDestination)
+		{
+			auto datagram = m_LocalDestination->GetDatagramDestination ();
+			if (datagram)
+			    datagram->ResetReceiver (ADDRESS_RESOLVER_DATAGRAM_PORT);
+		}	
+	}	
+		
+	void AddressResolver::HandleRequest (const i2p::data::IdentityEx& from, uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len)
+	{
+		if (len < 9 || len < buf[8] + 9U)
+		{
+			LogPrint (eLogError, "AddressBook: Address request is too short ", len);
+			return;
+		}
+		// read requested address
+		uint8_t l = buf[8];
+		char address[255];
+		memcpy (address, buf + 9, l);
+		address[l] = 0;		
+		LogPrint (eLogDebug, "AddressBook: Address request ", address);
+		// send response
+		uint8_t response[44];
+		memset (response, 0, 4); // reserved
+		memcpy (response + 4, buf + 4, 4); // nonce 	
+		auto it = m_LocalAddresses.find (address); // address lookup
+		if (it != m_LocalAddresses.end ())	
+			memcpy (response + 8, it->second, 32); // ident 
+		else
+			memset (response + 8, 0, 32); // not found 
+		memset (response + 40, 0, 4); // set expiration time to zero
+		m_LocalDestination->GetDatagramDestination ()->SendDatagramTo (response, 44, from.GetIdentHash (), toPort, fromPort);
+	}
+
+	void AddressResolver::AddAddress (const std::string& name, const i2p::data::IdentHash& ident)
+	{
+		m_LocalAddresses[name] = ident;		
+	}
+
 }
 }
 

AddressBook.h

@@ -7,22 +7,26 @@
 #include <vector>
 #include <iostream>
 #include <mutex>
+#include <memory>
 #include <boost/asio.hpp>
-#include "base64.h"
-#include "util.h"
+#include "Base.h"
 #include "Identity.h"
 #include "Log.h"
+#include "Destination.h"
 
 namespace i2p
 {
 namespace client
 {
-	const char DEFAULT_SUBSCRIPTION_ADDRESS[] = "http://udhdrtrcetjm5sxzskjyr5ztpeszydbh4dpl3pl4utgqqw2v4jna.b32.i2p/hosts.txt";
+	const char DEFAULT_SUBSCRIPTION_ADDRESS[] = "http://joajgazyztfssty4w2on5oaqksz6tqoxbduy553y34mf4byv6gpq.b32.i2p/export/alive-hosts.txt";
 	const int INITIAL_SUBSCRIPTION_UPDATE_TIMEOUT = 3; // in minutes	
 	const int INITIAL_SUBSCRIPTION_RETRY_TIMEOUT = 1; // in minutes			
 	const int CONTINIOUS_SUBSCRIPTION_UPDATE_TIMEOUT = 720; // in minutes (12 hours)			
 	const int CONTINIOUS_SUBSCRIPTION_RETRY_TIMEOUT = 5; // in minutes	
 	const int SUBSCRIPTION_REQUEST_TIMEOUT = 60; //in second
+
+	const uint16_t ADDRESS_RESOLVER_DATAGRAM_PORT = 53;	
+	const uint16_t ADDRESS_RESPONSE_DATAGRAM_PORT = 54;
 	
 	inline std::string GetB32Address(const i2p::data::IdentHash& ident) { return ident.ToBase32().append(".b32.i2p"); }
 
@@ -31,15 +35,21 @@ namespace client
 		public:
 
 			virtual ~AddressBookStorage () {};
-			virtual bool GetAddress (const i2p::data::IdentHash& ident, i2p::data::IdentityEx& address) const = 0;	
-			virtual void AddAddress (const i2p::data::IdentityEx& address) = 0;
+			virtual std::shared_ptr<const i2p::data::IdentityEx> GetAddress (const i2p::data::IdentHash& ident) const = 0;	
+			virtual void AddAddress (std::shared_ptr<const i2p::data::IdentityEx> address) = 0;
 			virtual void RemoveAddress (const i2p::data::IdentHash& ident) = 0;
 		
+			virtual bool Init () = 0;
 			virtual int Load (std::map<std::string, i2p::data::IdentHash>& addresses) = 0;
+			virtual int LoadLocal (std::map<std::string, i2p::data::IdentHash>& addresses) = 0;
 			virtual int Save (const std::map<std::string, i2p::data::IdentHash>& addresses) = 0;
+
+			virtual void SaveEtag (const i2p::data::IdentHash& subscription, const std::string& etag, const std::string& lastModified) = 0;
+			virtual bool GetEtag (const i2p::data::IdentHash& subscription, std::string& etag, std::string& lastModified) = 0;
 	};			
 
 	class AddressBookSubscription;
+	class AddressResolver;
 	class AddressBook
 	{
 		public:
@@ -47,37 +57,49 @@ namespace client
 			AddressBook ();
 			~AddressBook ();
 			void Start ();
+			void StartResolvers ();
 			void Stop ();
 			bool GetIdentHash (const std::string& address, i2p::data::IdentHash& ident);
-			bool GetAddress (const std::string& address, i2p::data::IdentityEx& identity);
+			std::shared_ptr<const i2p::data::IdentityEx> GetAddress (const std::string& address);
 			const i2p::data::IdentHash * FindAddress (const std::string& address);
+			void LookupAddress (const std::string& address);
 			void InsertAddress (const std::string& address, const std::string& base64); // for jump service
-			void InsertAddress (const i2p::data::IdentityEx& address);
+			void InsertAddress (std::shared_ptr<const i2p::data::IdentityEx> address);
 
 			void LoadHostsFromStream (std::istream& f);
-			void DownloadComplete (bool success);
+			void DownloadComplete (bool success, const i2p::data::IdentHash& subscription, const std::string& etag, const std::string& lastModified);
 			//This method returns the ".b32.i2p" address
 			std::string ToAddress(const i2p::data::IdentHash& ident) { return GetB32Address(ident); }
-			std::string ToAddress(const i2p::data::IdentityEx& ident) { return ToAddress(ident.GetIdentHash ()); }
+			std::string ToAddress(std::shared_ptr<const i2p::data::IdentityEx> ident) { return ToAddress(ident->GetIdentHash ()); }
+
+			bool GetEtag (const i2p::data::IdentHash& subscription, std::string& etag, std::string& lastModified);
+
 		private:
 
 			void StartSubscriptions ();
 			void StopSubscriptions ();
 			
-			AddressBookStorage * CreateStorage ();	
 			void LoadHosts ();
 			void LoadSubscriptions ();
+			void LoadLocal ();
 
 			void HandleSubscriptionsUpdateTimer (const boost::system::error_code& ecode);
 
+			void StartLookups ();
+			void StopLookups ();
+			void HandleLookupResponse (const i2p::data::IdentityEx& from, uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len);
+			
 		private:	
 
 			std::mutex m_AddressBookMutex;
 			std::map<std::string, i2p::data::IdentHash>  m_Addresses;
+			std::map<i2p::data::IdentHash, std::shared_ptr<AddressResolver> > m_Resolvers; // local destination->resolver
+			std::mutex m_LookupsMutex;
+			std::map<uint32_t, std::string> m_Lookups; // nonce -> address
 			AddressBookStorage * m_Storage;
 			volatile bool m_IsLoaded, m_IsDownloading;
 			std::vector<AddressBookSubscription *> m_Subscriptions;
-			AddressBookSubscription * m_DefaultSubscription; // in case if we don't know any addresses yet
+			std::unique_ptr<AddressBookSubscription> m_DefaultSubscription; // in case if we don't know any addresses yet
 			boost::asio::deadline_timer * m_SubscriptionsUpdateTimer;
 	};
 
@@ -91,11 +113,31 @@ namespace client
 		private:
 
 			void Request ();
+			bool ProcessResponse (std::stringstream& s, bool isGzip = false);
 		
 		private:
 
 			AddressBook& m_Book;
 			std::string m_Link, m_Etag, m_LastModified;
+			// m_Etag must be surrounded by ""
+	};
+
+	class AddressResolver
+	{
+		public:
+
+			AddressResolver (std::shared_ptr<ClientDestination> destination);
+			~AddressResolver ();
+			void AddAddress (const std::string& name, const i2p::data::IdentHash& ident);
+
+		private:
+
+			void HandleRequest (const i2p::data::IdentityEx& from, uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len);
+
+		private:
+
+			std::shared_ptr<ClientDestination> m_LocalDestination;
+			std::map<std::string, i2p::data::IdentHash>  m_LocalAddresses;
 	};
 }
 }

BOB.cpp

@@ -33,27 +33,22 @@ namespace client
 
 	void BOBI2PInboundTunnel::Accept ()
 	{
-		auto receiver = new AddressReceiver ();
-		receiver->socket = new boost::asio::ip::tcp::socket (GetService ());
+		auto receiver = std::make_shared<AddressReceiver> ();
+		receiver->socket = std::make_shared<boost::asio::ip::tcp::socket> (GetService ());
 		m_Acceptor.async_accept (*receiver->socket, std::bind (&BOBI2PInboundTunnel::HandleAccept, this,
 			std::placeholders::_1, receiver));
 	}	
 
-	void BOBI2PInboundTunnel::HandleAccept (const boost::system::error_code& ecode, AddressReceiver * receiver)
+	void BOBI2PInboundTunnel::HandleAccept (const boost::system::error_code& ecode, std::shared_ptr<AddressReceiver> receiver)
 	{
 		if (!ecode)
 		{
 			Accept ();	
 			ReceiveAddress (receiver);
 		}
-		else
-		{	
-			delete receiver->socket;
-			delete receiver;
-		}	
 	}
 
-	void BOBI2PInboundTunnel::ReceiveAddress (AddressReceiver * receiver)
+	void BOBI2PInboundTunnel::ReceiveAddress (std::shared_ptr<AddressReceiver> receiver)
 	{
 		receiver->socket->async_read_some (boost::asio::buffer(
 		        receiver->buffer + receiver->bufferOffset, 
@@ -63,14 +58,10 @@ namespace client
 	}
 	
 	void BOBI2PInboundTunnel::HandleReceivedAddress (const boost::system::error_code& ecode, std::size_t bytes_transferred,
-		AddressReceiver * receiver)
+		std::shared_ptr<AddressReceiver> receiver)
 	{
 		if (ecode)
-		{
-			LogPrint ("BOB inbound tunnel read error: ", ecode.message ());
-			delete receiver->socket;
-			delete receiver;
-		}	
+			LogPrint (eLogError, "BOB: inbound tunnel read error: ", ecode.message ());
 		else
 		{
 			receiver->bufferOffset += bytes_transferred;
@@ -85,9 +76,7 @@ namespace client
 				i2p::data::IdentHash ident;
 				if (!context.GetAddressBook ().GetIdentHash (receiver->buffer, ident)) 
 				{
-					LogPrint (eLogError, "BOB address ", receiver->buffer, " not found");
-					delete receiver->socket;
-					delete receiver;
+					LogPrint (eLogError, "BOB: address ", receiver->buffer, " not found");
 					return;
 				}
 				auto leaseSet = GetLocalDestination ()->FindLeaseSet (ident);
@@ -96,46 +85,32 @@ namespace client
 				else
 					GetLocalDestination ()->RequestDestination (ident, 
 						std::bind (&BOBI2PInboundTunnel::HandleDestinationRequestComplete,
-						this, std::placeholders::_1, receiver, ident));
+						this, std::placeholders::_1, receiver));
 			}
 			else
 			{
 				if (receiver->bufferOffset < BOB_COMMAND_BUFFER_SIZE)
 					ReceiveAddress (receiver);
 				else
-				{	
-					LogPrint ("BOB missing inbound address ");
-					delete receiver->socket;
-					delete receiver;
-				}	
+					LogPrint (eLogError, "BOB: missing inbound address");
 			}			
 		}
 	}
 
-	void BOBI2PInboundTunnel::HandleDestinationRequestComplete (bool success, AddressReceiver * receiver, i2p::data::IdentHash ident)
+	void BOBI2PInboundTunnel::HandleDestinationRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet, std::shared_ptr<AddressReceiver> receiver)
 	{
-		if (success)
-		{
-			auto leaseSet = GetLocalDestination ()->FindLeaseSet (ident);
-			if (leaseSet)
-			{
-				CreateConnection (receiver, leaseSet);
-				return;
-			}
-			else
-				LogPrint ("LeaseSet for BOB inbound destination not found");
-		}
-		delete receiver->socket;
-		delete receiver;
+		if (leaseSet)
+			CreateConnection (receiver, leaseSet);
+		else
+			LogPrint (eLogError, "BOB: LeaseSet for inbound destination not found");
 	}	
 
-	void BOBI2PInboundTunnel::CreateConnection (AddressReceiver * receiver, std::shared_ptr<const i2p::data::LeaseSet> leaseSet)
+	void BOBI2PInboundTunnel::CreateConnection (std::shared_ptr<AddressReceiver> receiver, std::shared_ptr<const i2p::data::LeaseSet> leaseSet)
 	{
-		LogPrint ("New BOB inbound connection");
+		LogPrint (eLogDebug, "BOB: New inbound connection");
 		auto connection = std::make_shared<I2PTunnelConnection>(this, receiver->socket, leaseSet);
 		AddHandler (connection);
 		connection->I2PConnect (receiver->data, receiver->dataLen);
-		delete receiver;
 	}
 
 	BOBI2POutboundTunnel::BOBI2POutboundTunnel (const std::string& address, int port, 
@@ -160,14 +135,14 @@ namespace client
 		if (localDestination)
 			localDestination->AcceptStreams (std::bind (&BOBI2POutboundTunnel::HandleAccept, this, std::placeholders::_1));
 		else
-			LogPrint ("Local destination not set for server tunnel");
+			LogPrint (eLogError, "BOB: Local destination not set for server tunnel");
 	}
 
 	void BOBI2POutboundTunnel::HandleAccept (std::shared_ptr<i2p::stream::Stream> stream)
 	{
 		if (stream)
 		{	
-			auto conn = std::make_shared<I2PTunnelConnection> (this, stream, new boost::asio::ip::tcp::socket (GetService ()), m_Endpoint, m_IsQuiet);
+			auto conn = std::make_shared<I2PTunnelConnection> (this, stream, std::make_shared<boost::asio::ip::tcp::socket> (GetService ()), m_Endpoint, m_IsQuiet);
 			AddHandler (conn);
 			conn->Connect ();
 		}	
@@ -254,7 +229,7 @@ namespace client
 	{
 		if (ecode)
 		{
-			LogPrint ("BOB command channel read error: ", ecode.message ());
+			LogPrint (eLogError, "BOB: command channel read error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}	
@@ -281,7 +256,7 @@ namespace client
 					(this->*(it->second))(operand, eol - operand);
 				else	
 				{
-					LogPrint (eLogError, "BOB unknown command ", m_ReceiveBuffer);
+					LogPrint (eLogError, "BOB: unknown command ", m_ReceiveBuffer);
 					SendReplyError ("unknown command");
 				}
 
@@ -294,7 +269,7 @@ namespace client
 					m_ReceiveBufferOffset = size;
 				else
 				{
-					LogPrint (eLogError, "Malformed input of the BOB command channel");
+					LogPrint (eLogError, "BOB: Malformed input of the command channel");
 					Terminate ();
 				}
 			}	
@@ -313,7 +288,7 @@ namespace client
 	{
 		if (ecode)
         {
-			LogPrint ("BOB command channel send error: ", ecode.message ());
+			LogPrint (eLogError, "BOB: command channel send error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
@@ -433,14 +408,14 @@ namespace client
 	{
 		LogPrint (eLogDebug, "BOB: newkeys");
 		m_Keys = i2p::data::PrivateKeys::CreateRandomKeys ();
-		SendReplyOK (m_Keys.GetPublic ().ToBase64 ().c_str ());
+		SendReplyOK (m_Keys.GetPublic ()->ToBase64 ().c_str ());
 	}	
 
 	void BOBCommandSession::SetkeysCommandHandler (const char * operand, size_t len)
 	{
 		LogPrint (eLogDebug, "BOB: setkeys ", operand);
 		m_Keys.FromBase64 (operand);
-		SendReplyOK (m_Keys.GetPublic ().ToBase64 ().c_str ());
+		SendReplyOK (m_Keys.GetPublic ()->ToBase64 ().c_str ());
 	}
 		
 	void BOBCommandSession::GetkeysCommandHandler (const char * operand, size_t len)
@@ -452,7 +427,7 @@ namespace client
 	void BOBCommandSession::GetdestCommandHandler (const char * operand, size_t len)
 	{
 		LogPrint (eLogDebug, "BOB: getdest");
-		SendReplyOK (m_Keys.GetPublic ().ToBase64 ().c_str ());
+		SendReplyOK (m_Keys.GetPublic ()->ToBase64 ().c_str ());
 	}	
 		
 	void BOBCommandSession::OuthostCommandHandler (const char * operand, size_t len)
@@ -493,13 +468,29 @@ namespace client
 	void BOBCommandSession::LookupCommandHandler (const char * operand, size_t len)
 	{
 		LogPrint (eLogDebug, "BOB: lookup ", operand);
-		i2p::data::IdentityEx addr;
-		if (!context.GetAddressBook ().GetAddress (operand, addr)) 
+		i2p::data::IdentHash ident;
+		if (!context.GetAddressBook ().GetIdentHash (operand, ident) || !m_CurrentDestination) 
 		{
 			SendReplyError ("Address Not found");
 			return;
-		}		
-		SendReplyOK (addr.ToBase64 ().c_str ());
+		}	
+		auto localDestination = m_CurrentDestination->GetLocalDestination ();
+		auto leaseSet = localDestination->FindLeaseSet (ident);
+		if (leaseSet)
+			SendReplyOK (leaseSet->GetIdentity ()->ToBase64 ().c_str ());
+		else
+		{
+			auto s = shared_from_this ();
+			localDestination->RequestDestination (ident, 
+				[s](std::shared_ptr<i2p::data::LeaseSet> ls)
+				{
+					if (ls)
+						s->SendReplyOK (ls->GetIdentity ()->ToBase64 ().c_str ());
+					else	
+						s->SendReplyError ("LeaseSet Not found");
+				}	
+			);
+		}
 	}
 
 	void BOBCommandSession::ClearCommandHandler (const char * operand, size_t len)
@@ -533,9 +524,9 @@ namespace client
 			SendReplyError ("malformed");
 	}	
 		
-	BOBCommandChannel::BOBCommandChannel (int port):
+	BOBCommandChannel::BOBCommandChannel (const std::string& address, int port):
 		m_IsRunning (false), m_Thread (nullptr),
-		m_Acceptor (m_Service, boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), port))
+		m_Acceptor (m_Service, boost::asio::ip::tcp::endpoint(boost::asio::ip::address::from_string(address), port))
 	{
 		// command -> handler
 		m_CommandHandlers[BOB_COMMAND_ZAP] = &BOBCommandSession::ZapCommandHandler; 
@@ -598,7 +589,7 @@ namespace client
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint (eLogError, "BOB: ", ex.what ());
+				LogPrint (eLogError, "BOB: runtime exception: ", ex.what ());
 			}	
 		}	
 	}
@@ -641,11 +632,11 @@ namespace client
 
 		if (!ecode)
 		{
-			LogPrint (eLogInfo, "New BOB command connection from ", session->GetSocket ().remote_endpoint ());
+			LogPrint (eLogInfo, "BOB: New command connection from ", session->GetSocket ().remote_endpoint ());
 			session->SendVersion ();	
 		}
 		else
-			LogPrint (eLogError, "BOB accept error: ",  ecode.message ());
+			LogPrint (eLogError, "BOB: accept error: ",  ecode.message ());
 	}
 }
 }

BOB.h

@@ -57,9 +57,9 @@ namespace client
 	{
 			struct AddressReceiver
 			{
-				boost::asio::ip::tcp::socket * socket;
+				std::shared_ptr<boost::asio::ip::tcp::socket> socket;
 				char buffer[BOB_COMMAND_BUFFER_SIZE + 1]; // for destination base64 address
-				uint8_t * data; 
+				uint8_t * data; // pointer to buffer
 				size_t dataLen, bufferOffset; 
 
 				AddressReceiver (): data (nullptr), dataLen (0), bufferOffset (0) {};
@@ -76,15 +76,15 @@ namespace client
 		private:
 
 			void Accept ();
-			void HandleAccept (const boost::system::error_code& ecode, AddressReceiver * receiver);
+			void HandleAccept (const boost::system::error_code& ecode, std::shared_ptr<AddressReceiver> receiver);
 
-			void ReceiveAddress (AddressReceiver * receiver);
+			void ReceiveAddress (std::shared_ptr<AddressReceiver> receiver);
 			void HandleReceivedAddress (const boost::system::error_code& ecode, std::size_t bytes_transferred,
-				AddressReceiver * receiver);
+				std::shared_ptr<AddressReceiver> receiver);
 
-			void HandleDestinationRequestComplete (bool success, AddressReceiver * receiver, i2p::data::IdentHash ident);
+			void HandleDestinationRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet, std::shared_ptr<AddressReceiver> receiver);
 
-			void CreateConnection (AddressReceiver * receiver, std::shared_ptr<const i2p::data::LeaseSet> leaseSet);
+			void CreateConnection (std::shared_ptr<AddressReceiver> receiver, std::shared_ptr<const i2p::data::LeaseSet> leaseSet);
 
 		private:
 
@@ -127,6 +127,7 @@ namespace client
 			void CreateInboundTunnel (int port);
 			void CreateOutboundTunnel (const std::string& address, int port, bool quiet);
 			const i2p::data::PrivateKeys& GetKeys () const { return m_LocalDestination->GetPrivateKeys (); };
+			std::shared_ptr<ClientDestination> GetLocalDestination () const { return m_LocalDestination; };
 			
 		private:	
 
@@ -198,7 +199,7 @@ namespace client
 	{
 		public:
 
-			BOBCommandChannel (int port);
+			BOBCommandChannel (const std::string& address, int port);
 			~BOBCommandChannel ();
 
 			void Start ();

Base.cpp

@@ -1,10 +1,22 @@
 #include <stdlib.h>
-#include "base64.h"
+#include "Log.h"
+#include "Base.h"
 
 namespace i2p
 {
 namespace data
 {
+	static const char T32[32] = {
+		'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h',
+		'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p',
+		'q', 'r', 's', 't', 'u', 'v', 'w', 'x',
+		'y', 'z', '2', '3', '4', '5', '6', '7',
+	};
+
+	const char * GetBase32SubstitutionTable ()
+	{
+		return T32;
+	}
 
 	static void iT64Build(void);
 
@@ -16,7 +28,7 @@ namespace data
 	* Direct Substitution Table
 	*/
 
-	static char T64[64] = { 
+	static const char T64[64] = {
 		       'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
 		       'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
 		       'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X',
@@ -154,7 +166,7 @@ namespace data
 		if (isFirstTime) iT64Build();
 		n = InCount/4;
 		m = InCount%4;
-		if (!m) 
+		if (InCount && !m) 
 		     outCount = 3*n;
 		else {
 		     outCount = 0;
@@ -190,6 +202,13 @@ namespace data
 		return outCount;
 	}
 
+	size_t Base64EncodingBufferSize (const size_t input_size) 
+	{
+		auto d = div (input_size, 3);
+		if (d.rem) d.quot++;
+		return 4*d.quot;
+	}
+	
 	/*
 	*
 	* iT64
@@ -265,5 +284,107 @@ namespace data
 		}
 		return ret;
 	}
+
+	GzipInflator::GzipInflator (): m_IsDirty (false)
+	{
+		memset (&m_Inflator, 0, sizeof (m_Inflator));
+		inflateInit2 (&m_Inflator, MAX_WBITS + 16); // gzip
+	}
+	
+	GzipInflator::~GzipInflator ()
+	{
+		inflateEnd (&m_Inflator);
+	}	
+
+	size_t GzipInflator::Inflate (const uint8_t * in, size_t inLen, uint8_t * out, size_t outLen)
+	{
+		if (m_IsDirty) inflateReset (&m_Inflator);
+		m_IsDirty = true;
+		m_Inflator.next_in = const_cast<uint8_t *>(in);
+		m_Inflator.avail_in = inLen;
+		m_Inflator.next_out = out;
+		m_Inflator.avail_out = outLen;
+		int err;
+		if ((err = inflate (&m_Inflator, Z_NO_FLUSH)) == Z_STREAM_END)
+			return outLen - m_Inflator.avail_out;	
+		else
+		{
+			LogPrint (eLogError, "Decompression error ", err);
+			return 0;
+		}	
+	}	
+
+	bool GzipInflator::Inflate (const uint8_t * in, size_t inLen, std::ostream& s)
+	{
+		m_IsDirty = true;
+		uint8_t * out = new uint8_t[GZIP_CHUNK_SIZE];
+		m_Inflator.next_in = const_cast<uint8_t *>(in);
+		m_Inflator.avail_in = inLen;	
+		int ret;
+		do
+		{
+			m_Inflator.next_out = out;
+			m_Inflator.avail_out = GZIP_CHUNK_SIZE;
+			ret = inflate (&m_Inflator, Z_NO_FLUSH);
+			if (ret < 0)
+			{
+				LogPrint (eLogError, "Decompression error ", ret);
+				inflateEnd (&m_Inflator);
+				s.setstate(std::ios_base::failbit);
+				break;
+			}	
+			else
+				s.write ((char *)out, GZIP_CHUNK_SIZE - m_Inflator.avail_out);
+		}
+		while (!m_Inflator.avail_out); // more data to read
+		delete[] out;
+		return ret == Z_STREAM_END || ret < 0;
+	}
+
+	void GzipInflator::Inflate (std::istream& in, std::ostream& out)
+	{
+		uint8_t * buf = new uint8_t[GZIP_CHUNK_SIZE];
+		while (!in.eof ())
+		{
+			in.read ((char *)buf, GZIP_CHUNK_SIZE);
+			Inflate (buf, in.gcount (), out); 
+		}	
+		delete[] buf;
+	}
+
+	GzipDeflator::GzipDeflator (): m_IsDirty (false)
+	{
+		memset (&m_Deflator, 0, sizeof (m_Deflator));
+		deflateInit2 (&m_Deflator, Z_DEFAULT_COMPRESSION, Z_DEFLATED, 15 + 16, 8, Z_DEFAULT_STRATEGY); // 15 + 16 sets gzip
+	}
+	
+	GzipDeflator::~GzipDeflator ()
+	{
+		deflateEnd (&m_Deflator);
+	}	
+
+	void GzipDeflator::SetCompressionLevel (int level)
+	{
+		deflateParams (&m_Deflator, level, Z_DEFAULT_STRATEGY);
+	}	
+	
+	size_t GzipDeflator::Deflate (const uint8_t * in, size_t inLen, uint8_t * out, size_t outLen)
+	{
+		if (m_IsDirty) deflateReset (&m_Deflator);
+		m_IsDirty = true;
+		m_Deflator.next_in = const_cast<uint8_t *>(in);
+		m_Deflator.avail_in = inLen;
+		m_Deflator.next_out = out;
+		m_Deflator.avail_out = outLen;
+		int err;
+		if ((err = deflate (&m_Deflator, Z_FINISH)) == Z_STREAM_END) 
+			return outLen - m_Deflator.avail_out;	
+		else
+		{
+			LogPrint (eLogError, "Compression error ", err);
+			return 0;
+		}	
+	}
 }
 }
+

Base.h

@@ -0,0 +1,134 @@
+#ifndef BASE_H__
+#define BASE_H__
+
+#include <inttypes.h>
+#include <string.h>
+#include <string>
+#include <zlib.h>
+#include <iostream>
+
+namespace i2p
+{
+namespace data
+{
+	size_t ByteStreamToBase64 (const uint8_t * InBuffer, size_t InCount, char * OutBuffer, size_t len);
+	size_t Base64ToByteStream (const char * InBuffer, size_t InCount, uint8_t * OutBuffer, size_t len );
+	const char * GetBase32SubstitutionTable ();
+	const char * GetBase64SubstitutionTable ();	
+	
+	size_t Base32ToByteStream (const char * inBuf, size_t len, uint8_t * outBuf, size_t outLen);
+	size_t ByteStreamToBase32 (const uint8_t * InBuf, size_t len, char * outBuf, size_t outLen);
+
+  /**
+     Compute the size for a buffer to contain encoded base64 given that the size of the input is input_size bytes
+   */
+  size_t Base64EncodingBufferSize(const size_t input_size);
+  
+	template<int sz>
+	class Tag
+	{
+		public:
+
+			Tag (const uint8_t * buf) { memcpy (m_Buf, buf, sz); };
+			Tag (const Tag<sz>& ) = default;
+#ifndef _WIN32 // FIXME!!! msvs 2013 can't compile it
+			Tag (Tag<sz>&& ) = default;
+#endif
+			Tag () = default;
+			
+			Tag<sz>& operator= (const Tag<sz>& ) = default;
+#ifndef _WIN32
+			Tag<sz>& operator= (Tag<sz>&& ) = default;
+#endif
+			
+			uint8_t * operator()() { return m_Buf; };
+			const uint8_t * operator()() const { return m_Buf; };
+
+			operator uint8_t * () { return m_Buf; };
+			operator const uint8_t * () const { return m_Buf; };
+			
+			const uint64_t * GetLL () const { return ll; };
+
+			bool operator== (const Tag<sz>& other) const { return !memcmp (m_Buf, other.m_Buf, sz); };
+			bool operator< (const Tag<sz>& other) const { return memcmp (m_Buf, other.m_Buf, sz) < 0; };
+
+			bool IsZero () const
+			{
+				for (int i = 0; i < sz/8; i++)
+					if (ll[i]) return false;
+				return true;
+			}
+			
+			std::string ToBase64 () const
+			{
+				char str[sz*2];
+				int l = i2p::data::ByteStreamToBase64 (m_Buf, sz, str, sz*2);
+				str[l] = 0;
+				return std::string (str);
+			}
+
+			std::string ToBase32 () const
+			{
+				char str[sz*2];
+				int l = i2p::data::ByteStreamToBase32 (m_Buf, sz, str, sz*2);
+				str[l] = 0;
+				return std::string (str);
+			}	
+
+			void FromBase32 (const std::string& s)
+			{
+				i2p::data::Base32ToByteStream (s.c_str (), s.length (), m_Buf, sz);
+			}
+
+			void FromBase64 (const std::string& s)
+			{
+				i2p::data::Base64ToByteStream (s.c_str (), s.length (), m_Buf, sz);
+			}
+
+		private:
+
+			union // 8 bytes alignment
+			{	
+				uint8_t m_Buf[sz];
+				uint64_t ll[sz/8];
+			};		
+	};
+
+	const size_t GZIP_CHUNK_SIZE = 16384;
+	class GzipInflator
+	{
+		public:
+
+			GzipInflator ();
+			~GzipInflator ();
+
+			size_t Inflate (const uint8_t * in, size_t inLen, uint8_t * out, size_t outLen);
+			bool Inflate (const uint8_t * in, size_t inLen, std::ostream& s); 
+			// return true when finshed or error, s failbit will be set in case of error
+			void Inflate (std::istream& in, std::ostream& out); 			
+
+		private:
+
+			z_stream m_Inflator;
+			bool m_IsDirty;
+	};
+
+	class GzipDeflator
+	{
+		public:
+
+			GzipDeflator ();
+			~GzipDeflator ();
+
+			void SetCompressionLevel (int level);
+			size_t Deflate (const uint8_t * in, size_t inLen, uint8_t * out, size_t outLen);
+			
+		private:
+
+			z_stream m_Deflator;
+			bool m_IsDirty;
+	};
+}
+}
+
+#endif

ClientContext.cpp

@@ -2,7 +2,8 @@
 #include <iostream>
 #include <boost/property_tree/ptree.hpp>
 #include <boost/property_tree/ini_parser.hpp>
-#include "util.h"
+#include "Config.h"
+#include "FS.h"
 #include "Log.h"
 #include "Identity.h"
 #include "ClientContext.h"
@@ -15,7 +16,7 @@ namespace client
 
 	ClientContext::ClientContext (): m_SharedLocalDestination (nullptr),
 		m_HttpProxy (nullptr), m_SocksProxy (nullptr), m_SamBridge (nullptr), 
-		m_BOBCommandChannel (nullptr), m_I2PControlService (nullptr)
+		m_BOBCommandChannel (nullptr)
 	{
 	}
 	
@@ -25,7 +26,6 @@ namespace client
 		delete m_SocksProxy;
 		delete m_SamBridge;
 		delete m_BOBCommandChannel;
-		delete m_I2PControlService;
 	}
 	
 	void ClientContext::Start ()
@@ -33,120 +33,138 @@ namespace client
 		if (!m_SharedLocalDestination)
 		{	
 			m_SharedLocalDestination = CreateNewLocalDestination (); // non-public, DSA
-			m_Destinations[m_SharedLocalDestination->GetIdentity ().GetIdentHash ()] = m_SharedLocalDestination;
+			m_Destinations[m_SharedLocalDestination->GetIdentity ()->GetIdentHash ()] = m_SharedLocalDestination;
 			m_SharedLocalDestination->Start ();
 		}
 
+		m_AddressBook.Start ();	
+		
 		std::shared_ptr<ClientDestination> localDestination;	
-		// proxies	
-		std::string proxyKeys = i2p::util::config::GetArg("-proxykeys", "");
-		if (proxyKeys.length () > 0)
-			localDestination = LoadLocalDestination (proxyKeys, false);
-		m_HttpProxy = new i2p::proxy::HTTPProxy(i2p::util::config::GetArg("-httpproxyport", 4446), localDestination);
-		m_HttpProxy->Start();
-		LogPrint("HTTP Proxy started");
-		m_SocksProxy = new i2p::proxy::SOCKSProxy(i2p::util::config::GetArg("-socksproxyport", 4447), localDestination);
-		m_SocksProxy->Start();
-		LogPrint("SOCKS Proxy Started");
+		bool httproxy; i2p::config::GetOption("httpproxy.enabled", httproxy);
+		if (httproxy) {
+			std::string httpProxyKeys; i2p::config::GetOption("httpproxy.keys",    httpProxyKeys);
+			std::string httpProxyAddr; i2p::config::GetOption("httpproxy.address", httpProxyAddr);
+			uint16_t    httpProxyPort; i2p::config::GetOption("httpproxy.port",    httpProxyPort);
+			LogPrint(eLogInfo, "Clients: starting HTTP Proxy at ", httpProxyAddr, ":", httpProxyPort);
+			if (httpProxyKeys.length () > 0)
+			{
+				i2p::data::PrivateKeys keys;
+				LoadPrivateKeys (keys, httpProxyKeys);
+				localDestination = CreateNewLocalDestination (keys, false);
+			}
+			try {
+			  m_HttpProxy = new i2p::proxy::HTTPProxy(httpProxyAddr, httpProxyPort, localDestination);
+			  m_HttpProxy->Start();
+			} catch (std::exception& e) {
+			  LogPrint(eLogError, "Clients: Exception in HTTP Proxy: ", e.what());
+			}
+		}
+
+		bool socksproxy; i2p::config::GetOption("socksproxy.enabled", socksproxy);
+		if (socksproxy) {
+			std::string socksProxyKeys; i2p::config::GetOption("socksproxy.keys",    socksProxyKeys);
+			std::string socksProxyAddr; i2p::config::GetOption("socksproxy.address", socksProxyAddr);
+			uint16_t    socksProxyPort; i2p::config::GetOption("socksproxy.port",    socksProxyPort);
+			std::string socksOutProxyAddr; i2p::config::GetOption("socksproxy.outproxy",     socksOutProxyAddr);
+			uint16_t    socksOutProxyPort; i2p::config::GetOption("socksproxy.outproxyport", socksOutProxyPort);
+			LogPrint(eLogInfo, "Clients: starting SOCKS Proxy at ", socksProxyAddr, ":", socksProxyPort);
+			if (socksProxyKeys.length () > 0)
+			{
+				i2p::data::PrivateKeys keys;
+				LoadPrivateKeys (keys, socksProxyKeys);
+				localDestination = CreateNewLocalDestination (keys, false);
+			}
+			try {
+			  m_SocksProxy = new i2p::proxy::SOCKSProxy(socksProxyAddr, socksProxyPort, socksOutProxyAddr, socksOutProxyPort, localDestination);
+			  m_SocksProxy->Start();
+			} catch (std::exception& e) {
+			  LogPrint(eLogError, "Clients: Exception in SOCKS Proxy: ", e.what());
+			}
+		}
 	
 		// I2P tunnels
-		std::string ircDestination = i2p::util::config::GetArg("-ircdest", "");
-		if (ircDestination.length () > 0) // ircdest is presented
-		{
-			localDestination = nullptr;
-			std::string ircKeys = i2p::util::config::GetArg("-irckeys", "");	
-			if (ircKeys.length () > 0)
-				localDestination = LoadLocalDestination (ircKeys, false);
-			auto ircPort = i2p::util::config::GetArg("-ircport", 6668);
-			auto ircTunnel = new I2PClientTunnel (ircDestination, ircPort, localDestination);
-			ircTunnel->Start ();
-			m_ClientTunnels.insert (std::make_pair(ircPort, std::unique_ptr<I2PClientTunnel>(ircTunnel)));
-			LogPrint("IRC tunnel started");
-		}	
-		std::string eepKeys = i2p::util::config::GetArg("-eepkeys", "");
-		if (eepKeys.length () > 0) // eepkeys file is presented
-		{
-			localDestination = LoadLocalDestination (eepKeys, true);
-			auto serverTunnel = new I2PServerTunnel (i2p::util::config::GetArg("-eephost", "127.0.0.1"),
- 				i2p::util::config::GetArg("-eepport", 80), localDestination);
-			serverTunnel->Start ();
-			m_ServerTunnels.insert (std::make_pair(localDestination->GetIdentHash (), std::unique_ptr<I2PServerTunnel>(serverTunnel)));
-			LogPrint("Server tunnel started");
-		}
 		ReadTunnels ();
 
 		// SAM
-		int samPort = i2p::util::config::GetArg("-samport", 0);
-		if (samPort)
-		{
-			m_SamBridge = new SAMBridge (samPort);
-			m_SamBridge->Start ();
-			LogPrint("SAM bridge started");
+		bool sam; i2p::config::GetOption("sam.enabled", sam);
+		if (sam) {
+			std::string samAddr; i2p::config::GetOption("sam.address", samAddr);
+			uint16_t    samPort; i2p::config::GetOption("sam.port",    samPort);
+			LogPrint(eLogInfo, "Clients: starting SAM bridge at ", samAddr, ":", samPort);
+			try {
+			  m_SamBridge = new SAMBridge (samAddr, samPort);
+			  m_SamBridge->Start ();
+			} catch (std::exception& e) {
+			  LogPrint(eLogError, "Clients: Exception in SAM bridge: ", e.what());
+			}
 		} 
 
 		// BOB
-		int bobPort = i2p::util::config::GetArg("-bobport", 0);
-		if (bobPort)
-		{
-			m_BOBCommandChannel = new BOBCommandChannel (bobPort);
-			m_BOBCommandChannel->Start ();
-			LogPrint("BOB command channel started");
+		bool bob; i2p::config::GetOption("bob.enabled", bob);
+		if (bob) {
+			std::string bobAddr; i2p::config::GetOption("bob.address", bobAddr);
+			uint16_t    bobPort; i2p::config::GetOption("bob.port",    bobPort);
+			LogPrint(eLogInfo, "Clients: starting BOB command channel at ", bobAddr, ":", bobPort);
+			try {
+			  m_BOBCommandChannel = new BOBCommandChannel (bobAddr, bobPort);
+			  m_BOBCommandChannel->Start ();
+			} catch (std::exception& e) {
+			  LogPrint(eLogError, "Clients: Exception in BOB bridge: ", e.what());
+			}
 		} 
 
-		// I2P Control
-		int i2pcontrolPort = i2p::util::config::GetArg("-i2pcontrolport", 0);
-		if (i2pcontrolPort)
-		{
-			m_I2PControlService = new I2PControlService (i2pcontrolPort);
-			m_I2PControlService->Start ();
-			LogPrint("I2PControl started");
-		}
-		m_AddressBook.Start ();
+		m_AddressBook.StartResolvers ();	
 	}
 		
 	void ClientContext::Stop ()
 	{
-		m_HttpProxy->Stop();
-		delete m_HttpProxy;
-		m_HttpProxy = nullptr;
-		LogPrint("HTTP Proxy stopped");
-		m_SocksProxy->Stop();
-		delete m_SocksProxy;
-		m_SocksProxy = nullptr;
-		LogPrint("SOCKS Proxy stopped");
+		if (m_HttpProxy)
+		{
+			LogPrint(eLogInfo, "Clients: stopping HTTP Proxy");
+			m_HttpProxy->Stop();
+			delete m_HttpProxy;
+			m_HttpProxy = nullptr;
+		}
+
+		if (m_SocksProxy)
+		{
+			LogPrint(eLogInfo, "Clients: stopping SOCKS Proxy");
+			m_SocksProxy->Stop();
+			delete m_SocksProxy;
+			m_SocksProxy = nullptr;
+		}
+
 		for (auto& it: m_ClientTunnels)
 		{
+			LogPrint(eLogInfo, "Clients: stopping I2P client tunnel on port ", it.first);
 			it.second->Stop ();
-			LogPrint("I2P client tunnel on port ", it.first, " stopped");	
 		}
 		m_ClientTunnels.clear ();	
+
 		for (auto& it: m_ServerTunnels)
 		{
+			LogPrint(eLogInfo, "Clients: stopping I2P server tunnel");
 			it.second->Stop ();
-			LogPrint("I2P server tunnel stopped");	
 		}
 		m_ServerTunnels.clear ();	
+
 		if (m_SamBridge)
 		{
+			LogPrint(eLogInfo, "Clients: stopping SAM bridge");
 			m_SamBridge->Stop ();
 			delete m_SamBridge; 
 			m_SamBridge = nullptr;
-			LogPrint("SAM brdige stopped");	
 		}		
+
 		if (m_BOBCommandChannel)
 		{
+			LogPrint(eLogInfo, "Clients: stopping BOB command channel");
 			m_BOBCommandChannel->Stop ();
 			delete m_BOBCommandChannel; 
 			m_BOBCommandChannel = nullptr;
-			LogPrint("BOB command channel stopped");	
-		}			
-		if (m_I2PControlService)
-		{
-			m_I2PControlService->Stop ();
-			delete m_I2PControlService; 
-			m_I2PControlService = nullptr;
-			LogPrint("I2PControl stopped");	
-		}	
+		}
+
+		LogPrint(eLogInfo, "Clients: stopping AddressBook");
 		m_AddressBook.Stop ();		
 		for (auto it: m_Destinations)
 			it.second->Stop ();
@@ -154,11 +172,10 @@ namespace client
 		m_SharedLocalDestination = nullptr; 
 	}	
 	
-	std::shared_ptr<ClientDestination> ClientContext::LoadLocalDestination (const std::string& filename, bool isPublic)
+	void ClientContext::LoadPrivateKeys (i2p::data::PrivateKeys& keys, const std::string& filename, i2p::data::SigningKeyType sigType)
 	{
-		i2p::data::PrivateKeys keys;
-		std::string fullPath = i2p::util::filesystem::GetFullPath (filename);
-		std::ifstream s(fullPath.c_str (), std::ifstream::binary);
+		std::string fullPath = i2p::fs::DataDirPath (filename);
+		std::ifstream s(fullPath, std::ifstream::binary);
 		if (s.is_open ())	
 		{	
 			s.seekg (0, std::ios::end);
@@ -168,12 +185,12 @@ namespace client
 			s.read ((char *)buf, len);
 			keys.FromBuffer (buf, len);
 			delete[] buf;
-			LogPrint ("Local address ", m_AddressBook.ToAddress(keys.GetPublic ().GetIdentHash ()), " loaded");
+			LogPrint (eLogInfo, "Clients: Local address ", m_AddressBook.ToAddress(keys.GetPublic ()->GetIdentHash ()), " loaded");
 		}	
 		else
 		{
-			LogPrint ("Can't open file ", fullPath, " Creating new one");
-			keys = i2p::data::PrivateKeys::CreateRandomKeys (i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA256_P256); 
+			LogPrint (eLogError, "Clients: can't open file ", fullPath, " Creating new one with signature type ", sigType);
+			keys = i2p::data::PrivateKeys::CreateRandomKeys (sigType); 
 			std::ofstream f (fullPath, std::ofstream::binary | std::ofstream::out);
 			size_t len = keys.GetFullLen ();
 			uint8_t * buf = new uint8_t[len];
@@ -181,24 +198,8 @@ namespace client
 			f.write ((char *)buf, len);
 			delete[] buf;
 			
-			LogPrint ("New private keys file ", fullPath, " for ", m_AddressBook.ToAddress(keys.GetPublic ().GetIdentHash ()), " created");
+			LogPrint (eLogInfo, "Clients: New private keys file ", fullPath, " for ", m_AddressBook.ToAddress(keys.GetPublic ()->GetIdentHash ()), " created");
 		}	
-
-		std::shared_ptr<ClientDestination> localDestination = nullptr;	
-		std::unique_lock<std::mutex> l(m_DestinationsMutex);	
-		auto it = m_Destinations.find (keys.GetPublic ().GetIdentHash ()); 
-		if (it != m_Destinations.end ())
-		{
-			LogPrint (eLogWarning, "Local destination ",  m_AddressBook.ToAddress(keys.GetPublic ().GetIdentHash ()), " alreday exists");
-			localDestination = it->second;
-		}
-		else
-		{
-			localDestination = std::make_shared<ClientDestination> (keys, isPublic);
-			m_Destinations[localDestination->GetIdentHash ()] = localDestination;
-			localDestination->Start ();
-		}
-		return localDestination;
 	}
 
 	std::shared_ptr<ClientDestination> ClientContext::CreateNewLocalDestination (bool isPublic, i2p::data::SigningKeyType sigType,
@@ -230,10 +231,10 @@ namespace client
 	std::shared_ptr<ClientDestination> ClientContext::CreateNewLocalDestination (const i2p::data::PrivateKeys& keys, bool isPublic,
 		const std::map<std::string, std::string> * params)
 	{
-		auto it = m_Destinations.find (keys.GetPublic ().GetIdentHash ());
+		auto it = m_Destinations.find (keys.GetPublic ()->GetIdentHash ());
 		if (it != m_Destinations.end ())
 		{
-			LogPrint ("Local destination ", m_AddressBook.ToAddress(keys.GetPublic ().GetIdentHash ()), " exists");
+			LogPrint (eLogWarning, "Clients: Local destination ", m_AddressBook.ToAddress(keys.GetPublic ()->GetIdentHash ()), " exists");
 			if (!it->second->IsRunning ())
 			{	
 				it->second->Start ();
@@ -243,7 +244,7 @@ namespace client
 		}	
 		auto localDestination = std::make_shared<ClientDestination> (keys, isPublic, params);
 		std::unique_lock<std::mutex> l(m_DestinationsMutex);
-		m_Destinations[keys.GetPublic ().GetIdentHash ()] = localDestination;
+		m_Destinations[keys.GetPublic ()->GetIdentHash ()] = localDestination;
 		localDestination->Start ();
 		return localDestination;
 	}
@@ -256,16 +257,43 @@ namespace client
 		return nullptr;
 	}	
 
+	template<typename Section, typename Type>
+	std::string ClientContext::GetI2CPOption (const Section& section, const std::string& name, const Type& value) const
+	{
+		return section.second.get (boost::property_tree::ptree::path_type (name, '/'), std::to_string (value));
+	}	
+
+	template<typename Section>
+	void ClientContext::ReadI2CPOptions (const Section& section, std::map<std::string, std::string>& options) const
+	{
+		options[I2CP_PARAM_INBOUND_TUNNEL_LENGTH] = GetI2CPOption (section, I2CP_PARAM_INBOUND_TUNNEL_LENGTH,  DEFAULT_INBOUND_TUNNEL_LENGTH);
+		options[I2CP_PARAM_OUTBOUND_TUNNEL_LENGTH] = GetI2CPOption (section, I2CP_PARAM_OUTBOUND_TUNNEL_LENGTH, DEFAULT_OUTBOUND_TUNNEL_LENGTH);
+		options[I2CP_PARAM_INBOUND_TUNNELS_QUANTITY] = GetI2CPOption (section, I2CP_PARAM_INBOUND_TUNNELS_QUANTITY, DEFAULT_INBOUND_TUNNELS_QUANTITY);
+		options[I2CP_PARAM_OUTBOUND_TUNNELS_QUANTITY] = GetI2CPOption (section, I2CP_PARAM_OUTBOUND_TUNNELS_QUANTITY, DEFAULT_OUTBOUND_TUNNELS_QUANTITY);
+		options[I2CP_PARAM_TAGS_TO_SEND] = GetI2CPOption (section, I2CP_PARAM_TAGS_TO_SEND, DEFAULT_TAGS_TO_SEND);
+	}	
+
 	void ClientContext::ReadTunnels ()
 	{
 		boost::property_tree::ptree pt;
-		try
-		{
-			boost::property_tree::read_ini (i2p::util::filesystem::GetFullPath (TUNNELS_CONFIG_FILENAME), pt);
+		std::string tunConf; i2p::config::GetOption("tunconf", tunConf);
+		if (tunConf == "") {
+			// TODO: cleanup this in 2.8.0
+			tunConf = i2p::fs::DataDirPath ("tunnels.cfg");
+			if (i2p::fs::Exists(tunConf)) {
+				LogPrint(eLogWarning, "FS: please rename tunnels.cfg -> tunnels.conf here: ", tunConf);
+			} else {
+				tunConf = i2p::fs::DataDirPath ("tunnels.conf");
+			}
 		}
-		catch (std::exception& ex)
+		LogPrint(eLogDebug, "FS: tunnels config file: ", tunConf);
+		try 
 		{
-			LogPrint (eLogWarning, "Can't read ", TUNNELS_CONFIG_FILENAME, ": ", ex.what ());
+			boost::property_tree::read_ini (tunConf, pt);
+		} 
+		catch (std::exception& ex) 
+		{
+			LogPrint (eLogWarning, "Clients: Can't read ", tunConf, ": ", ex.what ());
 			return;
 		}
 			
@@ -283,19 +311,30 @@ namespace client
 					int port = section.second.get<int> (I2P_CLIENT_TUNNEL_PORT);
 					// optional params
 					std::string keys = section.second.get (I2P_CLIENT_TUNNEL_KEYS, "");
+					std::string address = section.second.get (I2P_CLIENT_TUNNEL_ADDRESS, "127.0.0.1");
 					int destinationPort = section.second.get (I2P_CLIENT_TUNNEL_DESTINATION_PORT, 0);
+					i2p::data::SigningKeyType sigType = section.second.get (I2P_CLIENT_TUNNEL_SIGNATURE_TYPE, i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA256_P256);
+					// I2CP
+					std::map<std::string, std::string> options;			
+					ReadI2CPOptions (section, options);	
 
 					std::shared_ptr<ClientDestination> localDestination = nullptr;
 					if (keys.length () > 0)
-						localDestination = LoadLocalDestination (keys, false);
-					auto clientTunnel = new I2PClientTunnel (dest, port, localDestination, destinationPort);
+					{
+						i2p::data::PrivateKeys k;
+						LoadPrivateKeys (k, keys, sigType);
+						localDestination = FindLocalDestination (k.GetPublic ()->GetIdentHash ());
+						if (!localDestination)
+							localDestination = CreateNewLocalDestination (k, false, &options);
+					}
+					auto clientTunnel = new I2PClientTunnel (name, dest, address, port, localDestination, destinationPort);
 					if (m_ClientTunnels.insert (std::make_pair (port, std::unique_ptr<I2PClientTunnel>(clientTunnel))).second)
 						clientTunnel->Start ();
 					else
-						LogPrint (eLogError, "I2P client tunnel with port ", port, " already exists");
+						LogPrint (eLogError, "Clients: I2P client tunnel with port ", port, " already exists");
 					numClientTunnels++;
 				}
-				else if (type == I2P_TUNNELS_SECTION_TYPE_SERVER)
+				else if (type == I2P_TUNNELS_SECTION_TYPE_SERVER || type == I2P_TUNNELS_SECTION_TYPE_HTTP || type == I2P_TUNNELS_SECTION_TYPE_IRC)
 				{	
 					// mandatory params
 					std::string host = section.second.get<std::string> (I2P_SERVER_TUNNEL_HOST);
@@ -303,10 +342,30 @@ namespace client
 					std::string keys = section.second.get<std::string> (I2P_SERVER_TUNNEL_KEYS);
 					// optional params
 					int inPort = section.second.get (I2P_SERVER_TUNNEL_INPORT, 0);
-					std::string accessList = section.second.get (I2P_SERVER_TUNNEL_ACCESS_LIST, "");					
+					std::string accessList = section.second.get (I2P_SERVER_TUNNEL_ACCESS_LIST, "");
+					std::string hostOverride = section.second.get (I2P_SERVER_TUNNEL_HOST_OVERRIDE, "");
+					std::string webircpass = section.second.get<std::string> (I2P_SERVER_TUNNEL_WEBIRC_PASSWORD, "");
+					bool gzip = section.second.get (I2P_SERVER_TUNNEL_GZIP, true);
+					i2p::data::SigningKeyType sigType = section.second.get (I2P_SERVER_TUNNEL_SIGNATURE_TYPE, i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA256_P256);
+					// I2CP
+					std::map<std::string, std::string> options;							 
+					ReadI2CPOptions (section, options);				
+
+					std::shared_ptr<ClientDestination> localDestination = nullptr;
+					i2p::data::PrivateKeys k;
+					LoadPrivateKeys (k, keys, sigType);
+					localDestination = FindLocalDestination (k.GetPublic ()->GetIdentHash ());
+					if (!localDestination)		
+						localDestination = CreateNewLocalDestination (k, true, &options);
+
+					I2PServerTunnel * serverTunnel;
+					if (type == I2P_TUNNELS_SECTION_TYPE_HTTP)
+                    	serverTunnel = new I2PServerTunnelHTTP (name, host, port, localDestination, hostOverride, inPort, gzip);
+               		else if (type == I2P_TUNNELS_SECTION_TYPE_IRC)
+                    	serverTunnel = new I2PServerTunnelIRC (name, host, port, localDestination, webircpass, inPort, gzip);
+					else // regular server tunnel by default
+                   		serverTunnel = new I2PServerTunnel (name, host, port, localDestination, inPort, gzip);
 
-					auto localDestination = LoadLocalDestination (keys, true);
-					auto serverTunnel = new I2PServerTunnel (host, port, localDestination, inPort);
 					if (accessList.length () > 0)
 					{
 						std::set<i2p::data::IdentHash> idents;
@@ -322,23 +381,25 @@ namespace client
 						while (comma != std::string::npos);
 						serverTunnel->SetAccessList (idents);
 					}
-					if (m_ServerTunnels.insert (std::make_pair (localDestination->GetIdentHash (), std::unique_ptr<I2PServerTunnel>(serverTunnel))).second)
+					if (m_ServerTunnels.insert (std::make_pair (
+							std::make_tuple (localDestination->GetIdentHash (), inPort), 
+					        std::unique_ptr<I2PServerTunnel>(serverTunnel))).second)
 						serverTunnel->Start ();
 					else
-						LogPrint (eLogError, "I2P server tunnel for destination ",   m_AddressBook.ToAddress(localDestination->GetIdentHash ()), " already exists");	
+						LogPrint (eLogError, "Clients: I2P server tunnel for destination ",   m_AddressBook.ToAddress(localDestination->GetIdentHash ()), " already exists");
 					numServerTunnels++;
 				}
 				else
-					LogPrint (eLogWarning, "Unknown section type=", type, " of ", name, " in ", TUNNELS_CONFIG_FILENAME);
+					LogPrint (eLogWarning, "Clients: Unknown section type=", type, " of ", name, " in ", tunConf);
 				
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint (eLogError, "Can't read tunnel ", name, " params: ", ex.what ());
+				LogPrint (eLogError, "Clients: Can't read tunnel ", name, " params: ", ex.what ());
 			}
 		}	
-		LogPrint (eLogInfo, numClientTunnels, " I2P client tunnels created");
-		LogPrint (eLogInfo, numServerTunnels, " I2P server tunnels created");
+		LogPrint (eLogInfo, "Clients: ", numClientTunnels, " I2P client tunnels created");
+		LogPrint (eLogInfo, "Clients: ", numServerTunnels, " I2P server tunnels created");
 	}	
 }		
 }	

ClientContext.h

@@ -2,6 +2,7 @@
 #define CLIENT_CONTEXT_H__
 
 #include <map>
+#include <tuple>
 #include <mutex>
 #include <memory>
 #include "Destination.h"
@@ -11,7 +12,6 @@
 #include "SAM.h"
 #include "BOB.h"
 #include "AddressBook.h"
-#include "I2PControl.h"
 
 namespace i2p
 {
@@ -20,16 +20,23 @@ namespace client
 	const char I2P_TUNNELS_SECTION_TYPE[] = "type";
 	const char I2P_TUNNELS_SECTION_TYPE_CLIENT[] = "client";
 	const char I2P_TUNNELS_SECTION_TYPE_SERVER[] = "server";
+	const char I2P_TUNNELS_SECTION_TYPE_HTTP[] = "http";
+	const char I2P_TUNNELS_SECTION_TYPE_IRC[] = "irc";
 	const char I2P_CLIENT_TUNNEL_PORT[] = "port";
+	const char I2P_CLIENT_TUNNEL_ADDRESS[] = "address";
 	const char I2P_CLIENT_TUNNEL_DESTINATION[] = "destination";
 	const char I2P_CLIENT_TUNNEL_KEYS[] = "keys";
+	const char I2P_CLIENT_TUNNEL_SIGNATURE_TYPE[] = "signaturetype";
 	const char I2P_CLIENT_TUNNEL_DESTINATION_PORT[] = "destinationport";	
 	const char I2P_SERVER_TUNNEL_HOST[] = "host";	
+	const char I2P_SERVER_TUNNEL_HOST_OVERRIDE[] = "hostoverride";	
 	const char I2P_SERVER_TUNNEL_PORT[] = "port";
 	const char I2P_SERVER_TUNNEL_KEYS[] = "keys";
+	const char I2P_SERVER_TUNNEL_SIGNATURE_TYPE[] = "signaturetype";
 	const char I2P_SERVER_TUNNEL_INPORT[] = "inport";
 	const char I2P_SERVER_TUNNEL_ACCESS_LIST[] = "accesslist";		
-	const char TUNNELS_CONFIG_FILENAME[] = "tunnels.cfg";
+	const char I2P_SERVER_TUNNEL_GZIP[] = "gzip";
+	const char I2P_SERVER_TUNNEL_WEBIRC_PASSWORD[] = "webircpassword";
 
 	class ClientContext
 	{
@@ -48,7 +55,7 @@ namespace client
 				const std::map<std::string, std::string> * params = nullptr);
 			void DeleteLocalDestination (std::shared_ptr<ClientDestination> destination);
 			std::shared_ptr<ClientDestination> FindLocalDestination (const i2p::data::IdentHash& destination) const;		
-			std::shared_ptr<ClientDestination> LoadLocalDestination (const std::string& filename, bool isPublic);
+			void LoadPrivateKeys (i2p::data::PrivateKeys& keys, const std::string& filename, i2p::data::SigningKeyType sigType = i2p::data::SIGNING_KEY_TYPE_ECDSA_SHA256_P256);
 
 			AddressBook& GetAddressBook () { return m_AddressBook; };
 			const SAMBridge * GetSAMBridge () const { return m_SamBridge; };
@@ -56,7 +63,11 @@ namespace client
 		private:
 
 			void ReadTunnels ();
-	
+			template<typename Section, typename Type>
+			std::string GetI2CPOption (const Section& section, const std::string& name, const Type& value) const;
+			template<typename Section>
+			void ReadI2CPOptions (const Section& section, std::map<std::string, std::string>& options) const;	
+
 		private:
 
 			std::mutex m_DestinationsMutex;
@@ -68,14 +79,15 @@ namespace client
 			i2p::proxy::HTTPProxy * m_HttpProxy;
 			i2p::proxy::SOCKSProxy * m_SocksProxy;
 			std::map<int, std::unique_ptr<I2PClientTunnel> > m_ClientTunnels; // port->tunnel
-			std::map<i2p::data::IdentHash, std::unique_ptr<I2PServerTunnel> > m_ServerTunnels; // destination->tunnel
+			std::map<std::tuple<i2p::data::IdentHash, int>, std::unique_ptr<I2PServerTunnel> > m_ServerTunnels; // <destination,port>->tunnel
 			SAMBridge * m_SamBridge;
 			BOBCommandChannel * m_BOBCommandChannel;
-			I2PControlService * m_I2PControlService;
 
 		public:
 			// for HTTP
 			const decltype(m_Destinations)& GetDestinations () const { return m_Destinations; };
+			const decltype(m_ClientTunnels)& GetClientTunnels () const { return m_ClientTunnels; };
+			const decltype(m_ServerTunnels)& GetServerTunnels () const { return m_ServerTunnels; };
 	};
 	
 	extern ClientContext context;	

Config.cpp

@@ -0,0 +1,247 @@
+/*
+* Copyright (c) 2013-2016, The PurpleI2P Project
+*
+* This file is part of Purple i2pd project and licensed under BSD3
+*
+* See full license text in LICENSE file at top of project tree
+*/
+
+#include <cstdlib>
+#include <iostream>
+#include <fstream>
+#include <map>
+#include <string>
+#include <boost/program_options/cmdline.hpp>
+#include <boost/program_options/options_description.hpp>
+#include <boost/program_options/parsers.hpp>
+#include <boost/program_options/variables_map.hpp>
+
+#include "Config.h"
+#include "version.h"
+
+using namespace boost::program_options;
+
+namespace i2p {
+namespace config {
+  options_description m_OptionsDesc;
+  variables_map       m_Options;
+
+  /* list of renamed options */
+  std::map<std::string, std::string> remapped_options = {
+    { "tunnelscfg",          "tunconf" },
+    { "v6",                  "ipv6" },
+    { "httpaddress",         "http.address" },
+    { "httpport",            "http.port"    },
+    { "httpproxyaddress",    "httpproxy.address"  },
+    { "httpproxyport",       "httpproxy.port"     },
+    { "socksproxyaddress",   "socksproxy.address" },
+    { "socksproxyport",      "socksproxy.port"    },
+    { "samaddress",          "sam.address" },
+    { "samport",             "sam.port"    },
+    { "bobaddress",          "bob.address" },
+    { "bobport",             "bob.port"    },
+    { "i2pcontroladdress",   "i2pcontrol.address" },
+    { "i2pcontroladdress",   "i2pcontrol.port"    },
+    { "proxykeys",           "httpproxy.keys" },
+  };
+  /* list of options, that loose their argument and become simple switch */
+  std::set<std::string> boolean_options = {
+    "daemon", "floodfill", "notransit", "service", "ipv6"
+  };
+
+  /* this function is a solid piece of shit, remove it after 2.6.0 */
+  std::pair<std::string, std::string> old_syntax_parser(const std::string& s) {
+    std::string name  = "";
+    std::string value = "";
+    std::size_t pos = 0;
+    /* shortcuts -- -h */
+    if (s.length() == 2 && s.at(0) == '-' && s.at(1) != '-')
+      return make_pair(s.substr(1), "");
+    /* old-style -- -log, /log, etc */
+    if (s.at(0) == '/' || (s.at(0) == '-' && s.at(1) != '-')) {
+      if ((pos = s.find_first_of("= ")) != std::string::npos) {
+        name  = s.substr(1, pos - 1);
+        value = s.substr(pos + 1);
+      } else {
+        name  = s.substr(1, pos);
+        value = "";
+      }
+      if (boolean_options.count(name) > 0 && value != "")
+        std::cerr << "args: don't give an argument to switch option: " << s << std::endl;
+      if (m_OptionsDesc.find_nothrow(name, false)) {
+        std::cerr << "args: option " << s << " style is DEPRECATED, use --" << name << " instead" << std::endl;
+        return std::make_pair(name, value);
+      }
+      if (remapped_options.count(name) > 0) {
+        name = remapped_options[name];
+        std::cerr << "args: option " << s << " is DEPRECATED, use --" << name << " instead" << std::endl;
+        return std::make_pair(name, value);
+      } /* else */
+    }
+    /* long options -- --help */
+    if (s.substr(0, 2) == "--") {
+      if ((pos = s.find_first_of("= ")) != std::string::npos) {
+        name  = s.substr(2, pos - 2);
+        value = s.substr(pos + 1);
+      } else {
+        name  = s.substr(2, pos);
+        value = "";
+      }
+      if (boolean_options.count(name) > 0 && value != "") {
+        std::cerr << "args: don't give an argument to switch option: " << s << std::endl;
+        value = "";
+      }
+      if (m_OptionsDesc.find_nothrow(name, false))
+        return std::make_pair(name, value);
+      if (remapped_options.count(name) > 0) {
+        name = remapped_options[name];
+        std::cerr << "args: option " << s << " is DEPRECATED, use --" << name << " instead" << std::endl;
+        return std::make_pair(name, value);
+      } /* else */
+    }
+    std::cerr << "args: unknown option -- " << s << std::endl;
+    return std::make_pair("", "");
+  }
+
+  void Init() {
+    options_description general("General options");
+    general.add_options()
+      ("help",     "Show this message")
+      ("conf",      value<std::string>()->default_value(""),     "Path to main i2pd config file (default: try ~/.i2pd/i2pd.conf or /var/lib/i2pd/i2pd.conf)")
+      ("tunconf",   value<std::string>()->default_value(""),     "Path to config with tunnels list and options (default: try ~/.i2pd/tunnels.conf or /var/lib/i2pd/tunnels.conf)")
+      ("pidfile",   value<std::string>()->default_value(""),     "Path to pidfile (default: ~/i2pd/i2pd.pid or /var/lib/i2pd/i2pd.pid)")
+      ("log",       value<std::string>()->default_value(""),     "Logs destination: stdout, file, syslog (stdout if not set)")
+      ("logfile",   value<std::string>()->default_value(""),     "Path to logfile (stdout if not set, autodetect if daemon)")
+      ("loglevel",  value<std::string>()->default_value("info"), "Set the minimal level of log messages (debug, info, warn, error)")
+	  ("family",    value<std::string>()->default_value(""),     "Specify a family, router belongs to")
+	  ("datadir",   value<std::string>()->default_value(""),     "Path to storage of i2pd data (RI, keys, peer profiles, ...)")
+      ("host",      value<std::string>()->default_value("0.0.0.0"),     "External IP")
+      ("port",      value<uint16_t>()->default_value(0),                "Port to listen for incoming connections (default: auto)")
+      ("ipv4",      value<bool>()->zero_tokens()->default_value(true),  "Enable communication through ipv4")
+      ("ipv6",      value<bool>()->zero_tokens()->default_value(false), "Enable communication through ipv6")
+      ("daemon",    value<bool>()->zero_tokens()->default_value(false), "Router will go to background after start")
+      ("service",   value<bool>()->zero_tokens()->default_value(false), "Router will use system folders like '/var/lib/i2pd'")
+      ("notransit", value<bool>()->zero_tokens()->default_value(false), "Router will not accept transit tunnels at startup")
+      ("floodfill", value<bool>()->zero_tokens()->default_value(false), "Router will be floodfill")
+      ("bandwidth", value<std::string>()->default_value(""), "Bandwidth limit: integer in kbps or letters: L (32), O (256), P (2048), X (>9000)")
+#ifdef _WIN32
+      ("svcctl",    value<std::string>()->default_value(""),     "Windows service management ('install' or 'remove')")
+      ("insomnia", value<bool>()->zero_tokens()->default_value(false), "Prevent system from sleeping")
+      ("close", value<std::string>()->default_value("ask"), "Action on close: minimize, exit, ask") // TODO: add custom validator or something
+#endif
+      ;
+
+    options_description httpserver("HTTP Server options");
+    httpserver.add_options()
+      ("http.enabled",        value<bool>()->default_value(true),               "Enable or disable webconsole")
+      ("http.address",        value<std::string>()->default_value("127.0.0.1"), "Webconsole listen address")
+      ("http.port",           value<uint16_t>()->default_value(7070),           "Webconsole listen port")
+      ;
+
+    options_description httpproxy("HTTP Proxy options");
+    httpproxy.add_options()
+      ("httpproxy.enabled",   value<bool>()->default_value(true),                         "Enable or disable HTTP Proxy")
+      ("httpproxy.address",   value<std::string>()->default_value("127.0.0.1"),           "HTTP Proxy listen address")
+      ("httpproxy.port",      value<uint16_t>()->default_value(4444),                     "HTTP Proxy listen port")
+      ("httpproxy.keys",      value<std::string>()->default_value(""),  "File to persist HTTP Proxy keys")
+      ;
+
+    options_description socksproxy("SOCKS Proxy options");
+    socksproxy.add_options()
+      ("socksproxy.enabled",  value<bool>()->default_value(true),                         "Enable or disable SOCKS Proxy")
+      ("socksproxy.address",  value<std::string>()->default_value("127.0.0.1"),           "SOCKS Proxy listen address")
+      ("socksproxy.port",     value<uint16_t>()->default_value(4447),                     "SOCKS Proxy listen port")
+      ("socksproxy.keys",     value<std::string>()->default_value(""), "File to persist SOCKS Proxy keys")
+      ("socksproxy.outproxy", value<std::string>()->default_value("127.0.0.1"), "Upstream outproxy address for SOCKS Proxy")
+      ("socksproxy.outproxyport", value<uint16_t>()->default_value(9050), "Upstream outproxy port for SOCKS Proxy")
+      ;
+
+    options_description sam("SAM bridge options");
+    sam.add_options()
+      ("sam.enabled",         value<bool>()->default_value(false),                        "Enable or disable SAM Application bridge")
+      ("sam.address",         value<std::string>()->default_value("127.0.0.1"),           "SAM listen address")
+      ("sam.port",            value<uint16_t>()->default_value(7656),                     "SAM listen port")
+      ;
+
+    options_description bob("BOB options");
+    bob.add_options()
+      ("bob.enabled",         value<bool>()->default_value(false),                        "Enable or disable BOB command channel")
+      ("bob.address",         value<std::string>()->default_value("127.0.0.1"),           "BOB listen address")
+      ("bob.port",            value<uint16_t>()->default_value(2827),                     "BOB listen port")
+      ;
+
+    options_description i2pcontrol("I2PControl options");
+    i2pcontrol.add_options()
+      ("i2pcontrol.enabled",  value<bool>()->default_value(false),                        "Enable or disable I2P Control Protocol")
+      ("i2pcontrol.address",  value<std::string>()->default_value("127.0.0.1"),           "I2PCP listen address")
+      ("i2pcontrol.port",     value<uint16_t>()->default_value(7650),                     "I2PCP listen port")
+      ("i2pcontrol.password", value<std::string>()->default_value("itoopie"),             "I2PCP access password")
+      ("i2pcontrol.cert",     value<std::string>()->default_value("i2pcontrol.crt.pem"),  "I2PCP connection cerificate")
+      ("i2pcontrol.key",      value<std::string>()->default_value("i2pcontrol.key.pem"),  "I2PCP connection cerificate key")
+      ;
+
+    m_OptionsDesc
+      .add(general)
+      .add(httpserver)
+      .add(httpproxy)
+      .add(socksproxy)
+      .add(sam)
+      .add(bob)
+      .add(i2pcontrol)
+      ;
+  }
+
+  void ParseCmdline(int argc, char* argv[]) {
+    try {
+      auto style = boost::program_options::command_line_style::unix_style
+                 | boost::program_options::command_line_style::allow_long_disguise;
+      style &=   ~ boost::program_options::command_line_style::allow_guessing;
+      store(parse_command_line(argc, argv, m_OptionsDesc, style, old_syntax_parser), m_Options);
+    } catch (boost::program_options::error& e) {
+      std::cerr << "args: " << e.what() << std::endl;
+      exit(EXIT_FAILURE);
+    }
+
+    if (m_Options.count("help") || m_Options.count("h")) {
+      std::cout << "i2pd version " << I2PD_VERSION << " (" << I2P_VERSION << ")" << std::endl;
+      std::cout << m_OptionsDesc;
+      exit(EXIT_SUCCESS);
+    }
+  }
+
+  void ParseConfig(const std::string& path) {
+    if (path == "") return;
+
+    std::ifstream config(path, std::ios::in);
+
+    if (!config.is_open()) 
+	{
+      std::cerr << "missing/unreadable config file: " << path << std::endl;
+      exit(EXIT_FAILURE);
+    }
+
+    try 
+	{
+		store(boost::program_options::parse_config_file(config, m_OptionsDesc), m_Options);
+    } 
+	catch (boost::program_options::error& e) 
+	{
+      std::cerr << e.what() << std::endl;
+      exit(EXIT_FAILURE);
+    };
+  }
+
+  void Finalize() {
+    notify(m_Options);
+  }
+
+  bool IsDefault(const char *name) {
+    if (!m_Options.count(name))
+      throw "try to check non-existent option";
+
+    if (m_Options[name].defaulted())
+      return true;
+    return false;
+  }
+} // namespace config
+} // namespace i2p

Config.h

@@ -0,0 +1,107 @@
+#ifndef CONFIG_H
+#define CONFIG_H
+
+#include <string>
+#include <boost/program_options/options_description.hpp>
+#include <boost/program_options/variables_map.hpp>
+
+/**
+ * Functions to parse and store i2pd parameters
+ *
+ * General usage flow:
+ *   Init() -- early as possible
+ *   ParseCmdline() -- somewhere close to main()
+ *   ParseConfig()  -- after detecting path to config
+ *   Finalize()     -- right after all Parse*() functions called
+ *   GetOption()    -- may be called after Finalize()
+ */
+
+namespace i2p {
+namespace config {
+  extern boost::program_options::variables_map m_Options;
+
+  /**
+   * @brief  Initialize list of acceptable parameters
+   *
+   * Should be called before any Parse* functions.
+   */
+  void Init();
+
+  /**
+   * @brief  Parse cmdline parameters, and show help if requested
+   * @param  argc  Cmdline arguments count, should be passed from main().
+   * @param  argv  Cmdline parameters array, should be passed from main()
+   *
+   * If --help is given in parameters, shows it's list with description
+   * terminates the program with exitcode 0.
+   *
+   * In case of parameter misuse boost throws an exception.
+   * We internally handle type boost::program_options::unknown_option,
+   * and then terminate program with exitcode 1.
+   *
+   * Other exceptions will be passed to higher level.
+   */
+  void ParseCmdline(int argc, char* argv[]);
+
+  /**
+   * @brief  Load and parse given config file
+   * @param  path  Path to config file
+   *
+   * If error occured when opening file path is points to,
+   * we show the error message and terminate program.
+   *
+   * In case of parameter misuse boost throws an exception.
+   * We internally handle type boost::program_options::unknown_option,
+   * and then terminate program with exitcode 1.
+   *
+   * Other exceptions will be passed to higher level.
+   */
+  void ParseConfig(const std::string& path);
+
+  /**
+   * @brief  Used to combine options from cmdline, config and default values
+   */
+  void Finalize();
+
+  /* @brief  Accessor to parameters by name
+   * @param  name  Name of the requested parameter
+   * @param  value Variable where to store option
+   * @return this function returns false if parameter not found
+   *
+   * @example  uint16_t port; GetOption("sam.port", port);
+   */
+  template<typename T>
+  bool GetOption(const char *name, T& value) {
+    if (!m_Options.count(name))
+      return false;
+    value = m_Options[name].as<T>();
+    return true;
+  }
+
+  /**
+   * @brief  Set value of given parameter
+   * @param  name  Name of settable parameter
+   * @param  value New parameter value
+   * @return true if value set up successful, false otherwise
+   *
+   * @example uint16_t port = 2827; SetOption("bob.port", port);
+   */
+  template<typename T>
+  bool SetOption(const char *name, const T& value) {
+    if (!m_Options.count(name))
+      return false;
+    m_Options.at(name).value() = value;
+    notify(m_Options);
+    return true;
+  }
+
+  /**
+   * @brief  Check is value explicitly given or default
+   * @param  name  Name of checked parameter
+   * @return true if value set to default, false othervise
+   */
+  bool IsDefault(const char *name);
+}
+}
+
+#endif // CONFIG_H

Crypto.cpp

@@ -0,0 +1,714 @@
+#include <string.h>
+#include <string>
+#include <vector>
+#include <mutex>
+#include <memory>
+#include <openssl/sha.h>
+#include <openssl/dh.h>
+#include <openssl/md5.h>
+#include <openssl/rand.h>
+#include <openssl/crypto.h>
+#include "TunnelBase.h"
+#include <openssl/ssl.h>
+#include "Log.h"
+#include "Crypto.h"
+
+namespace i2p
+{
+namespace crypto
+{	
+	const uint8_t elgp_[256]=
+	{
+		0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, 
+		0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, 
+		0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD,
+		0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37,
+		0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6,
+ 		0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED,
+		0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6,
+		0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, 
+		0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F,
+		0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB,
+		0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, 
+		0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B,
+		0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F,
+		0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18,
+		0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10,
+		0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF
+	};
+
+	const int elgg_ = 2;
+	
+	const uint8_t dsap_[128]=
+	{
+		0x9c, 0x05, 0xb2, 0xaa, 0x96, 0x0d, 0x9b, 0x97, 0xb8, 0x93, 0x19, 0x63, 0xc9, 0xcc, 0x9e, 0x8c,
+		0x30, 0x26, 0xe9, 0xb8, 0xed, 0x92, 0xfa, 0xd0, 0xa6, 0x9c, 0xc8, 0x86, 0xd5, 0xbf, 0x80, 0x15,
+		0xfc, 0xad, 0xae, 0x31, 0xa0, 0xad, 0x18, 0xfa, 0xb3, 0xf0, 0x1b, 0x00, 0xa3, 0x58, 0xde, 0x23,
+		0x76, 0x55, 0xc4, 0x96, 0x4a, 0xfa, 0xa2, 0xb3, 0x37, 0xe9, 0x6a, 0xd3, 0x16, 0xb9, 0xfb, 0x1c,
+		0xc5, 0x64, 0xb5, 0xae, 0xc5, 0xb6, 0x9a, 0x9f, 0xf6, 0xc3, 0xe4, 0x54, 0x87, 0x07, 0xfe, 0xf8,
+		0x50, 0x3d, 0x91, 0xdd, 0x86, 0x02, 0xe8, 0x67, 0xe6, 0xd3, 0x5d, 0x22, 0x35, 0xc1, 0x86, 0x9c,
+		0xe2, 0x47, 0x9c, 0x3b, 0x9d, 0x54, 0x01, 0xde, 0x04, 0xe0, 0x72, 0x7f, 0xb3, 0x3d, 0x65, 0x11, 
+		0x28, 0x5d, 0x4c, 0xf2, 0x95, 0x38, 0xd9, 0xe3, 0xb6, 0x05, 0x1f, 0x5b, 0x22, 0xcc, 0x1c, 0x93
+	};
+
+	const uint8_t dsaq_[20]=
+	{
+		0xa5, 0xdf, 0xc2, 0x8f, 0xef, 0x4c, 0xa1, 0xe2, 0x86, 0x74, 0x4c, 0xd8, 0xee, 0xd9, 0xd2, 0x9d,
+		0x68, 0x40, 0x46, 0xb7
+	};
+
+	const uint8_t dsag_[128]=
+	{
+		0x0c, 0x1f, 0x4d, 0x27, 0xd4, 0x00, 0x93, 0xb4, 0x29, 0xe9, 0x62, 0xd7, 0x22, 0x38, 0x24, 0xe0,
+		0xbb, 0xc4, 0x7e, 0x7c, 0x83, 0x2a, 0x39, 0x23, 0x6f, 0xc6, 0x83, 0xaf, 0x84, 0x88, 0x95, 0x81,
+		0x07, 0x5f, 0xf9, 0x08, 0x2e, 0xd3, 0x23, 0x53, 0xd4, 0x37, 0x4d, 0x73, 0x01, 0xcd, 0xa1, 0xd2,
+		0x3c, 0x43, 0x1f, 0x46, 0x98, 0x59, 0x9d, 0xda, 0x02, 0x45, 0x18, 0x24, 0xff, 0x36, 0x97, 0x52,
+		0x59, 0x36, 0x47, 0xcc, 0x3d, 0xdc, 0x19, 0x7d, 0xe9, 0x85, 0xe4, 0x3d, 0x13, 0x6c, 0xdc, 0xfc,
+		0x6b, 0xd5, 0x40, 0x9c, 0xd2, 0xf4, 0x50, 0x82, 0x11, 0x42, 0xa5, 0xe6, 0xf8, 0xeb, 0x1c, 0x3a,
+		0xb5, 0xd0, 0x48, 0x4b, 0x81, 0x29, 0xfc, 0xf1, 0x7b, 0xce, 0x4f, 0x7f, 0x33, 0x32, 0x1c, 0x3c, 
+		0xb3, 0xdb, 0xb1, 0x4a, 0x90, 0x5e, 0x7b, 0x2b, 0x3e, 0x93, 0xbe, 0x47, 0x08, 0xcb, 0xcc, 0x82  
+	};
+
+	const int rsae_ = 65537;	
+	
+	struct CryptoConstants
+	{
+		// DH/ElGamal
+		BIGNUM * elgp;
+		BIGNUM * elgg; 
+
+		// DSA
+		BIGNUM * dsap;		
+		BIGNUM * dsaq;
+		BIGNUM * dsag;
+
+		// RSA
+		BIGNUM * rsae;
+		
+		CryptoConstants (const uint8_t * elgp_, int elgg_, const uint8_t * dsap_, 
+			const uint8_t * dsaq_, const uint8_t * dsag_, int rsae_)
+		{
+			elgp = BN_new ();
+			BN_bin2bn (elgp_, 256, elgp);
+			elgg = BN_new ();
+			BN_set_word (elgg, elgg_);
+			dsap = BN_new ();
+			BN_bin2bn (dsap_, 128, dsap);
+			dsaq = BN_new ();
+			BN_bin2bn (dsaq_, 20, dsaq);
+			dsag = BN_new ();
+			BN_bin2bn (dsag_, 128, dsag);
+			rsae = BN_new ();
+			BN_set_word (rsae, rsae_);
+		}
+		
+		~CryptoConstants ()
+		{
+			BN_free (elgp);  BN_free (elgg); BN_free (dsap); BN_free (dsaq); BN_free (dsag); BN_free (rsae);
+		}	
+	};	
+
+	static const CryptoConstants& GetCryptoConstants ()
+	{
+		static CryptoConstants cryptoConstants (elgp_, elgg_, dsap_, dsaq_, dsag_, rsae_);		                                        
+		return cryptoConstants;
+	}	
+
+	bool bn2buf (const BIGNUM * bn, uint8_t * buf, size_t len)
+	{
+		int offset = len - BN_num_bytes (bn);
+		if (offset < 0) return false;
+		BN_bn2bin (bn, buf + offset);
+		memset (buf, 0, offset);
+		return true;
+	}	
+
+// RSA
+	#define rsae GetCryptoConstants ().rsae		
+	const BIGNUM * GetRSAE ()
+	{
+		return rsae;
+	}	
+
+// DSA
+	#define dsap GetCryptoConstants ().dsap	
+	#define dsaq GetCryptoConstants ().dsaq
+	#define dsag GetCryptoConstants ().dsag	
+	DSA * CreateDSA ()
+	{
+		DSA * dsa = DSA_new ();
+		dsa->p = BN_dup (dsap);
+		dsa->q = BN_dup (dsaq);
+		dsa->g = BN_dup (dsag);
+		dsa->priv_key = NULL;
+		dsa->pub_key = NULL;
+		return dsa;
+	}
+
+// DH/ElGamal	
+	#define elgp GetCryptoConstants ().elgp
+	#define elgg GetCryptoConstants ().elgg
+
+// DH
+	
+	DHKeys::DHKeys (): m_IsUpdated (true)
+	{
+		m_DH = DH_new ();
+		m_DH->p = BN_dup (elgp);
+		m_DH->g = BN_dup (elgg);
+		m_DH->priv_key = NULL;
+		m_DH->pub_key = NULL;
+	}
+	
+	DHKeys::~DHKeys ()
+	{
+		DH_free (m_DH);
+	}	
+
+	void DHKeys::GenerateKeys (uint8_t * priv, uint8_t * pub)
+	{
+		if (m_DH->priv_key)  { BN_free (m_DH->priv_key); m_DH->priv_key = NULL; };
+		if (m_DH->pub_key)  { BN_free (m_DH->pub_key); m_DH->pub_key = NULL; };
+		DH_generate_key (m_DH);
+		if (priv) bn2buf (m_DH->priv_key, priv, 256);
+		if (pub) bn2buf (m_DH->pub_key, pub, 256);
+		m_IsUpdated = true;
+	}	
+
+	const uint8_t * DHKeys::GetPublicKey () 
+	{
+		if (m_IsUpdated)
+		{	
+			bn2buf (m_DH->pub_key, m_PublicKey, 256);
+			BN_free (m_DH->pub_key); m_DH->pub_key = NULL;
+			m_IsUpdated= false;
+		}	
+		return m_PublicKey;
+	}	
+	
+	void DHKeys::Agree (const uint8_t * pub, uint8_t * shared)
+	{
+		BIGNUM * pk = BN_bin2bn (pub, 256, NULL);
+		DH_compute_key (shared, pk, m_DH);
+		BN_free (pk);
+	}	
+	
+// ElGamal
+
+	ElGamalEncryption::ElGamalEncryption (const uint8_t * key)
+	{
+		ctx = BN_CTX_new ();
+		// select random k
+		BIGNUM * k = BN_new ();
+		BN_rand_range (k, elgp);
+		if (BN_is_zero (k)) BN_one (k);
+		// caulculate a
+		a = BN_new ();
+		BN_mod_exp (a, elgg, k, elgp, ctx);
+		BIGNUM * y = BN_new ();
+		BN_bin2bn (key, 256, y);
+		// calculate b1
+		b1 = BN_new ();
+		BN_mod_exp (b1, y, k, elgp, ctx);
+		BN_free (y);
+		BN_free (k);
+	}
+
+	ElGamalEncryption::~ElGamalEncryption ()
+	{
+		BN_CTX_free (ctx);
+		BN_free (a);
+		BN_free (b1);
+	}
+			
+	void ElGamalEncryption::Encrypt (const uint8_t * data, int len, uint8_t * encrypted, bool zeroPadding) const
+	{
+		// create m
+		uint8_t m[255];
+		m[0] = 0xFF;
+		memcpy (m+33, data, len);
+		SHA256 (m+33, 222, m+1);
+		// calculate b = b1*m mod p
+		BIGNUM * b = BN_new ();
+		BN_bin2bn (m, 255, b);
+		BN_mod_mul (b, b1, b, elgp, ctx);
+		// copy a and b
+		if (zeroPadding)
+		{
+			encrypted[0] = 0;
+			bn2buf (a, encrypted + 1, 256);
+			encrypted[257] = 0;
+			bn2buf (b, encrypted + 258, 256);
+		}	
+		else
+		{
+			bn2buf (a, encrypted, 256);
+			bn2buf (b, encrypted + 256, 256);
+		}		
+		BN_free (b);
+	}
+	
+	bool ElGamalDecrypt (const uint8_t * key, const uint8_t * encrypted, 
+		uint8_t * data, bool zeroPadding)
+	{
+		BN_CTX * ctx = BN_CTX_new ();
+		BIGNUM * x = BN_new (), * a = BN_new (), * b = BN_new ();
+		BN_bin2bn (key, 256, x);
+		BN_sub (x, elgp, x); BN_sub_word (x, 1); // x = elgp - x- 1
+		BN_bin2bn (zeroPadding ? encrypted + 1 : encrypted, 256, a);
+		BN_bin2bn (zeroPadding ? encrypted + 258 : encrypted + 256, 256, b);
+		// m = b*(a^x mod p) mod p		
+		BN_mod_exp (x, a, x, elgp, ctx);
+		BN_mod_mul (b, b, x, elgp, ctx);	
+		uint8_t m[255];
+		bn2buf (b, m, 255); 
+		BN_free (x); BN_free (a); BN_free (b); 
+		BN_CTX_free (ctx);
+		uint8_t hash[32];
+		SHA256 (m + 33, 222, hash);
+		if (memcmp (m + 1, hash, 32))
+		{
+			LogPrint (eLogError, "ElGamal decrypt hash doesn't match");
+			return false;
+		}	
+		memcpy (data, m + 33, 222);
+		return true;
+	}	
+
+	void GenerateElGamalKeyPair (uint8_t * priv, uint8_t * pub)
+	{
+#if defined(__x86_64__) || defined(__i386__) || defined(_MSC_VER)	
+		RAND_bytes (priv, 256);
+		BN_CTX * ctx = BN_CTX_new ();
+		BIGNUM * p = BN_new ();	
+		BN_bin2bn (priv, 256, p);
+		BN_mod_exp (p, elgg, p, elgp, ctx);
+		bn2buf (p, pub, 256); 
+		BN_free (p);
+		BN_CTX_free (ctx);
+#else
+		DHKeys dh;
+		dh.GenerateKeys (priv, pub);
+		
+#endif		
+	}
+
+// HMAC
+	const uint64_t IPAD = 0x3636363636363636;
+	const uint64_t OPAD = 0x5C5C5C5C5C5C5C5C; 			
+		
+	void HMACMD5Digest (uint8_t * msg, size_t len, const MACKey& key, uint8_t * digest)
+	// key is 32 bytes
+	// digest is 16 bytes
+	// block size is 64 bytes	
+	{
+		uint64_t buf[256];
+		// ikeypad
+		buf[0] = key.GetLL ()[0] ^ IPAD; 
+		buf[1] = key.GetLL ()[1] ^ IPAD; 
+		buf[2] = key.GetLL ()[2] ^ IPAD; 
+		buf[3] = key.GetLL ()[3] ^ IPAD; 
+		buf[4] = IPAD; 
+		buf[5] = IPAD; 
+		buf[6] = IPAD; 
+		buf[7] = IPAD; 		
+		// concatenate with msg
+		memcpy (buf + 8, msg, len);
+		// calculate first hash
+		uint8_t hash[16]; // MD5
+		MD5((uint8_t *)buf, len + 64, hash);
+		
+		// okeypad			
+		buf[0] = key.GetLL ()[0] ^ OPAD; 
+		buf[1] = key.GetLL ()[1] ^ OPAD; 
+		buf[2] = key.GetLL ()[2] ^ OPAD; 
+		buf[3] = key.GetLL ()[3] ^ OPAD; 
+		buf[4] = OPAD; 
+		buf[5] = OPAD; 
+		buf[6] = OPAD; 
+		buf[7] = OPAD; 
+		// copy first hash after okeypad		
+		memcpy (buf + 8, hash, 16);
+		// fill next 16 bytes with zeros (first hash size assumed 32 bytes in I2P)
+		memset (buf + 10, 0, 16);			
+		
+		// calculate digest
+		MD5((uint8_t *)buf, 96, digest);
+	}
+
+// AES
+	#ifdef AESNI
+	
+	#define KeyExpansion256(round0,round1) \
+		"pshufd	$0xff, %%xmm2, %%xmm2 \n" \
+		"movaps	%%xmm1, %%xmm4 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm1 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm1 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm1 \n" \
+		"pxor %%xmm2, %%xmm1 \n" \
+		"movaps	%%xmm1, "#round0"(%[sched]) \n" \
+		"aeskeygenassist $0, %%xmm1, %%xmm4 \n" \
+		"pshufd	$0xaa, %%xmm4, %%xmm2 \n" \
+		"movaps	%%xmm3, %%xmm4 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm3 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm3 \n" \
+		"pslldq	$4, %%xmm4 \n" \
+		"pxor %%xmm4, %%xmm3 \n" \
+		"pxor %%xmm2, %%xmm3 \n" \
+		"movaps	%%xmm3, "#round1"(%[sched]) \n" 
+
+	void ECBCryptoAESNI::ExpandKey (const AESKey& key)
+	{
+		__asm__
+		(
+			"movups (%[key]), %%xmm1 \n"
+			"movups 16(%[key]), %%xmm3 \n"
+			"movaps %%xmm1, (%[sched]) \n"
+			"movaps %%xmm3, 16(%[sched]) \n"
+			"aeskeygenassist $1, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(32,48)
+			"aeskeygenassist $2, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(64,80)
+			"aeskeygenassist $4, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(96,112)
+			"aeskeygenassist $8, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(128,144)
+			"aeskeygenassist $16, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(160,176)
+			"aeskeygenassist $32, %%xmm3, %%xmm2 \n"
+			KeyExpansion256(192,208)
+			"aeskeygenassist $64, %%xmm3, %%xmm2 \n"
+			// key expansion final
+			"pshufd	$0xff, %%xmm2, %%xmm2 \n"
+			"movaps	%%xmm1, %%xmm4 \n" 
+			"pslldq	$4, %%xmm4 \n"
+			"pxor %%xmm4, %%xmm1 \n"
+			"pslldq	$4, %%xmm4 \n"
+			"pxor %%xmm4, %%xmm1 \n"
+			"pslldq	$4, %%xmm4 \n"
+			"pxor %%xmm4, %%xmm1 \n"
+			"pxor %%xmm2, %%xmm1 \n"
+			"movups	%%xmm1, 224(%[sched]) \n"
+			: // output
+			: [key]"r"((const uint8_t *)key), [sched]"r"(GetKeySchedule ()) // input
+			: "%xmm1", "%xmm2", "%xmm3", "%xmm4", "memory" // clogged
+		);
+	}
+
+	#define EncryptAES256(sched) \
+		"pxor (%["#sched"]), %%xmm0 \n" \
+		"aesenc	16(%["#sched"]), %%xmm0 \n" \
+		"aesenc	32(%["#sched"]), %%xmm0 \n" \
+		"aesenc	48(%["#sched"]), %%xmm0 \n" \
+		"aesenc	64(%["#sched"]), %%xmm0 \n" \
+		"aesenc	80(%["#sched"]), %%xmm0 \n" \
+		"aesenc	96(%["#sched"]), %%xmm0 \n" \
+		"aesenc	112(%["#sched"]), %%xmm0 \n" \
+		"aesenc	128(%["#sched"]), %%xmm0 \n" \
+		"aesenc	144(%["#sched"]), %%xmm0 \n" \
+		"aesenc	160(%["#sched"]), %%xmm0 \n" \
+		"aesenc	176(%["#sched"]), %%xmm0 \n" \
+		"aesenc	192(%["#sched"]), %%xmm0 \n" \
+		"aesenc	208(%["#sched"]), %%xmm0 \n" \
+		"aesenclast	224(%["#sched"]), %%xmm0 \n"
+		
+	void ECBEncryptionAESNI::Encrypt (const ChipherBlock * in, ChipherBlock * out)
+	{
+		__asm__
+		(
+			"movups	(%[in]), %%xmm0 \n"
+			EncryptAES256(sched)
+			"movups	%%xmm0, (%[out]) \n"	
+			: : [sched]"r"(GetKeySchedule ()), [in]"r"(in), [out]"r"(out) : "%xmm0", "memory"
+		);
+	}		
+
+	#define DecryptAES256(sched) \
+		"pxor 224(%["#sched"]), %%xmm0 \n" \
+		"aesdec	208(%["#sched"]), %%xmm0 \n" \
+		"aesdec	192(%["#sched"]), %%xmm0 \n" \
+		"aesdec	176(%["#sched"]), %%xmm0 \n" \
+		"aesdec	160(%["#sched"]), %%xmm0 \n" \
+		"aesdec	144(%["#sched"]), %%xmm0 \n" \
+		"aesdec	128(%["#sched"]), %%xmm0 \n" \
+		"aesdec	112(%["#sched"]), %%xmm0 \n" \
+		"aesdec	96(%["#sched"]), %%xmm0 \n" \
+		"aesdec	80(%["#sched"]), %%xmm0 \n" \
+		"aesdec	64(%["#sched"]), %%xmm0 \n" \
+		"aesdec	48(%["#sched"]), %%xmm0 \n" \
+		"aesdec	32(%["#sched"]), %%xmm0 \n" \
+		"aesdec	16(%["#sched"]), %%xmm0 \n" \
+		"aesdeclast (%["#sched"]), %%xmm0 \n"
+	
+	void ECBDecryptionAESNI::Decrypt (const ChipherBlock * in, ChipherBlock * out)
+	{
+		__asm__
+		(
+			"movups	(%[in]), %%xmm0 \n"
+			DecryptAES256(sched)
+			"movups	%%xmm0, (%[out]) \n"	
+			: : [sched]"r"(GetKeySchedule ()), [in]"r"(in), [out]"r"(out) : "%xmm0", "memory"
+		);		
+	}
+
+	#define CallAESIMC(offset) \
+		"movaps "#offset"(%[shed]), %%xmm0 \n"	\
+		"aesimc %%xmm0, %%xmm0 \n" \
+		"movaps %%xmm0, "#offset"(%[shed]) \n" 
+
+	void ECBDecryptionAESNI::SetKey (const AESKey& key)
+	{
+		ExpandKey (key); // expand encryption key first
+		// then  invert it using aesimc
+		__asm__
+		(
+			CallAESIMC(16)
+			CallAESIMC(32)
+			CallAESIMC(48)
+			CallAESIMC(64)
+			CallAESIMC(80)
+			CallAESIMC(96)
+			CallAESIMC(112)
+			CallAESIMC(128)
+			CallAESIMC(144)
+			CallAESIMC(160)
+			CallAESIMC(176)
+			CallAESIMC(192)
+			CallAESIMC(208)
+			: : [shed]"r"(GetKeySchedule ()) : "%xmm0", "memory"
+		);
+	}
+
+#endif		
+
+
+	void CBCEncryption::Encrypt (int numBlocks, const ChipherBlock * in, ChipherBlock * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+		 	"movups	(%[iv]), %%xmm1 \n"
+		 	"1: \n"
+		 	"movups	(%[in]), %%xmm0 \n"
+		 	"pxor %%xmm1, %%xmm0 \n"
+		 	EncryptAES256(sched)
+		 	"movaps	%%xmm0, %%xmm1 \n"	
+		 	"movups	%%xmm0, (%[out]) \n"
+		 	"add $16, %[in] \n"
+		 	"add $16, %[out] \n"
+		 	"dec %[num] \n"
+		 	"jnz 1b \n"	 	
+		 	"movups	%%xmm1, (%[iv]) \n"
+			: 
+			: [iv]"r"(&m_LastBlock), [sched]"r"(m_ECBEncryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out), [num]"r"(numBlocks)
+			: "%xmm0", "%xmm1", "cc", "memory"
+		); 
+#else		
+		for (int i = 0; i < numBlocks; i++)
+		{
+			m_LastBlock ^= in[i];
+			m_ECBEncryption.Encrypt (&m_LastBlock, &m_LastBlock);
+			out[i] = m_LastBlock;
+		}
+#endif		
+	}
+
+	void CBCEncryption::Encrypt (const uint8_t * in, std::size_t len, uint8_t * out)
+	{
+		// len/16
+		int numBlocks = len >> 4;
+		if (numBlocks > 0)
+			Encrypt (numBlocks, (const ChipherBlock *)in, (ChipherBlock *)out); 
+	}
+
+	void CBCEncryption::Encrypt (const uint8_t * in, uint8_t * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+			"movups	(%[iv]), %%xmm1 \n"
+			"movups	(%[in]), %%xmm0 \n"
+		 	"pxor %%xmm1, %%xmm0 \n"
+		 	EncryptAES256(sched)
+			"movups	%%xmm0, (%[out]) \n"
+			"movups	%%xmm0, (%[iv]) \n"
+			: 
+			: [iv]"r"(&m_LastBlock), [sched]"r"(m_ECBEncryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out)
+			: "%xmm0", "%xmm1", "memory"
+		);		
+#else
+		Encrypt (1, (const ChipherBlock *)in, (ChipherBlock *)out); 
+#endif
+	}
+
+	void CBCDecryption::Decrypt (int numBlocks, const ChipherBlock * in, ChipherBlock * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+			"movups	(%[iv]), %%xmm1 \n"
+		 	"1: \n"
+		 	"movups	(%[in]), %%xmm0 \n"
+			"movaps %%xmm0, %%xmm2 \n"
+		 	DecryptAES256(sched)
+			"pxor %%xmm1, %%xmm0 \n"
+		 	"movups	%%xmm0, (%[out]) \n"
+			"movaps %%xmm2, %%xmm1 \n"
+		 	"add $16, %[in] \n"
+		 	"add $16, %[out] \n"
+		 	"dec %[num] \n"
+		 	"jnz 1b \n"	 	
+		 	"movups	%%xmm1, (%[iv]) \n"
+			: 
+			: [iv]"r"(&m_IV), [sched]"r"(m_ECBDecryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out), [num]"r"(numBlocks)
+			: "%xmm0", "%xmm1", "%xmm2", "cc", "memory"
+		); 
+#else
+		for (int i = 0; i < numBlocks; i++)
+		{
+			ChipherBlock tmp = in[i];
+			m_ECBDecryption.Decrypt (in + i, out + i);
+			out[i] ^= m_IV;
+			m_IV = tmp;
+		}
+#endif
+	}
+
+	void CBCDecryption::Decrypt (const uint8_t * in, std::size_t len, uint8_t * out)
+	{
+		int numBlocks = len >> 4;
+		if (numBlocks > 0)
+			Decrypt (numBlocks, (const ChipherBlock *)in, (ChipherBlock *)out); 
+	}
+
+	void CBCDecryption::Decrypt (const uint8_t * in, uint8_t * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+			"movups	(%[iv]), %%xmm1 \n"
+		 	"movups	(%[in]), %%xmm0 \n"
+			"movups	%%xmm0, (%[iv]) \n"
+		 	DecryptAES256(sched)
+			"pxor %%xmm1, %%xmm0 \n"
+		 	"movups	%%xmm0, (%[out]) \n"	
+			: 
+			: [iv]"r"(&m_IV), [sched]"r"(m_ECBDecryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out)
+			: "%xmm0", "%xmm1", "memory"
+		);
+#else
+		Decrypt (1, (const ChipherBlock *)in, (ChipherBlock *)out); 
+#endif
+	}
+
+	void TunnelEncryption::Encrypt (const uint8_t * in, uint8_t * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+            // encrypt IV 
+			"movups	(%[in]), %%xmm0 \n"
+			EncryptAES256(sched_iv)
+			"movaps %%xmm0, %%xmm1 \n"
+			// double IV encryption
+			EncryptAES256(sched_iv)
+			"movups %%xmm0, (%[out]) \n"
+			// encrypt data, IV is xmm1
+			"1: \n"
+			"add $16, %[in] \n"
+		    "add $16, %[out] \n"
+		 	"movups	(%[in]), %%xmm0 \n"
+		 	"pxor %%xmm1, %%xmm0 \n"
+		 	EncryptAES256(sched_l)
+		 	"movaps	%%xmm0, %%xmm1 \n"	
+		 	"movups	%%xmm0, (%[out]) \n"
+		 	"dec %[num] \n"
+		 	"jnz 1b \n"	 	
+			: 
+			: [sched_iv]"r"(m_IVEncryption.GetKeySchedule ()), [sched_l]"r"(m_LayerEncryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out), [num]"r"(63) // 63 blocks = 1008 bytes
+			: "%xmm0", "%xmm1", "cc", "memory"
+		);
+#else
+		m_IVEncryption.Encrypt ((const ChipherBlock *)in, (ChipherBlock *)out); // iv
+		m_LayerEncryption.SetIV (out);
+		m_LayerEncryption.Encrypt (in + 16, i2p::tunnel::TUNNEL_DATA_ENCRYPTED_SIZE, out + 16); // data
+		m_IVEncryption.Encrypt ((ChipherBlock *)out, (ChipherBlock *)out); // double iv
+#endif
+	}
+
+	void TunnelDecryption::Decrypt (const uint8_t * in, uint8_t * out)
+	{
+#ifdef AESNI
+		__asm__
+		(
+            // decrypt IV 
+			"movups	(%[in]), %%xmm0 \n"
+			DecryptAES256(sched_iv)
+			"movaps %%xmm0, %%xmm1 \n"
+			// double IV encryption
+			DecryptAES256(sched_iv)
+			"movups %%xmm0, (%[out]) \n"
+			// decrypt data, IV is xmm1
+			"1: \n"
+			"add $16, %[in] \n"
+		    "add $16, %[out] \n"
+			"movups	(%[in]), %%xmm0 \n"
+			"movaps %%xmm0, %%xmm2 \n"
+		 	DecryptAES256(sched_l)
+			"pxor %%xmm1, %%xmm0 \n"
+		 	"movups	%%xmm0, (%[out]) \n"
+			"movaps %%xmm2, %%xmm1 \n"
+		 	"dec %[num] \n"
+		 	"jnz 1b \n"	 	
+			: 
+			: [sched_iv]"r"(m_IVDecryption.GetKeySchedule ()), [sched_l]"r"(m_LayerDecryption.GetKeySchedule ()), 
+			  [in]"r"(in), [out]"r"(out), [num]"r"(63) // 63 blocks = 1008 bytes
+			: "%xmm0", "%xmm1", "%xmm2", "cc", "memory"
+		);
+#else
+		m_IVDecryption.Decrypt ((const ChipherBlock *)in, (ChipherBlock *)out); // iv
+		m_LayerDecryption.SetIV (out);	
+		m_LayerDecryption.Decrypt (in + 16, i2p::tunnel::TUNNEL_DATA_ENCRYPTED_SIZE, out + 16); // data
+		m_IVDecryption.Decrypt ((ChipherBlock *)out, (ChipherBlock *)out); // double iv
+#endif
+	}	
+
+/*	std::vector <std::unique_ptr<std::mutex> >  m_OpenSSLMutexes;
+	static void OpensslLockingCallback(int mode, int type, const char * file, int line)
+	{
+		if (type > 0 && (size_t)type < m_OpenSSLMutexes.size ())
+		{
+			if (mode & CRYPTO_LOCK)
+				m_OpenSSLMutexes[type]->lock ();
+			else
+				m_OpenSSLMutexes[type]->unlock ();
+		}	
+	}*/
+	
+	void InitCrypto ()
+	{
+		SSL_library_init ();
+/*		auto numLocks = CRYPTO_num_locks();
+		for (int i = 0; i < numLocks; i++)
+		     m_OpenSSLMutexes.emplace_back (new std::mutex);
+		CRYPTO_set_locking_callback (OpensslLockingCallback);*/
+	}
+	
+	void TerminateCrypto ()
+	{
+/*		CRYPTO_set_locking_callback (nullptr);
+		m_OpenSSLMutexes.clear ();*/
+	}	
+}
+}
+

Crypto.h

@@ -1,22 +1,76 @@
-#ifndef AES_H__
-#define AES_H__
+#ifndef CRYPTO_H__
+#define CRYPTO_H__
 
 #include <inttypes.h>
-#include <cryptopp/modes.h>
-#include <cryptopp/aes.h>
-#include "Identity.h"
+#include <string>
+#include <openssl/bn.h>
+#include <openssl/dh.h>
+#include <openssl/aes.h>
+#include <openssl/dsa.h>
+#include "Base.h"
 
 namespace i2p
 {
 namespace crypto
-{	
+{
+	bool bn2buf (const BIGNUM * bn, uint8_t * buf, size_t len);
+
+	// DSA
+	DSA * CreateDSA ();	
+
+	// RSA
+	const BIGNUM * GetRSAE ();
+
+	// DH
+	class DHKeys
+	{
+		public:
+			
+			DHKeys ();
+			~DHKeys ();
+
+			void GenerateKeys (uint8_t * priv = nullptr, uint8_t * pub = nullptr);
+			const uint8_t * GetPublicKey ();
+			void Agree (const uint8_t * pub, uint8_t * shared);
+			
+		private:
+
+			DH * m_DH;
+			uint8_t m_PublicKey[256];
+			bool m_IsUpdated;
+	};	
+	
+	// ElGamal
+	class ElGamalEncryption
+	{
+		public:
+
+			ElGamalEncryption (const uint8_t * key);
+			~ElGamalEncryption ();
+			
+			void Encrypt (const uint8_t * data, int len, uint8_t * encrypted, bool zeroPadding = false) const;
+
+		private:
+
+			BN_CTX * ctx;
+			BIGNUM * a, * b1;
+	};
+
+	bool ElGamalDecrypt (const uint8_t * key, const uint8_t * encrypted, uint8_t * data, bool zeroPadding = false);
+	void GenerateElGamalKeyPair (uint8_t * priv, uint8_t * pub);
+
+	// HMAC
+	typedef i2p::data::Tag<32> MACKey;		
+	void HMACMD5Digest (uint8_t * msg, size_t len, const MACKey& key, uint8_t * digest);
+
+	// AES
 	struct ChipherBlock	
 	{
 		uint8_t buf[16];
 
 		void operator^=(const ChipherBlock& other) // XOR
 		{
-#if defined(__x86_64__) // for Intel x64 
+#if defined(__x86_64__) || defined(__SSE__) // for Intel x84 or with SSE
 			__asm__
 			(
 				"movups	(%[buf]), %%xmm0 \n"	
@@ -95,7 +149,7 @@ namespace crypto
 	typedef ECBEncryptionAESNI ECBEncryption;
 	typedef ECBDecryptionAESNI ECBDecryption;
 
-#else // use crypto++
+#else // use openssl
 
 	class ECBEncryption
 	{
@@ -103,16 +157,16 @@ namespace crypto
 		
 			void SetKey (const AESKey& key) 
 			{ 
-				m_Encryption.SetKey (key, 32); 
+				AES_set_encrypt_key (key, 256, &m_Key);
 			}
 			void Encrypt (const ChipherBlock * in, ChipherBlock * out)
 			{
-				m_Encryption.ProcessData (out->buf, in->buf, 16);
+				AES_encrypt (in->buf, out->buf, &m_Key);
 			}	
 
 		private:
 
-			CryptoPP::ECB_Mode<CryptoPP::AES>::Encryption m_Encryption;
+			AES_KEY m_Key;
 	};	
 
 	class ECBDecryption
@@ -121,16 +175,16 @@ namespace crypto
 		
 			void SetKey (const AESKey& key) 
 			{ 
-				m_Decryption.SetKey (key, 32); 
+				AES_set_decrypt_key (key, 256, &m_Key); 
 			}
 			void Decrypt (const ChipherBlock * in, ChipherBlock * out)
 			{
-				m_Decryption.ProcessData (out->buf, in->buf, 16);
+				AES_decrypt (in->buf, out->buf, &m_Key);
 			}	
 
 		private:
 
-			CryptoPP::ECB_Mode<CryptoPP::AES>::Decryption m_Decryption;
+			AES_KEY m_Key;
 	};		
 
 
@@ -185,7 +239,7 @@ namespace crypto
 				m_IVEncryption.SetKey (ivKey);
 			}	
 
-			void Encrypt (uint8_t * payload); // 1024 bytes (16 IV + 1008 data)		
+			void Encrypt (const uint8_t * in, uint8_t * out); // 1024 bytes (16 IV + 1008 data)		
 
 		private:
 
@@ -207,7 +261,7 @@ namespace crypto
 				m_IVDecryption.SetKey (ivKey);
 			}			
 
-			void Decrypt (uint8_t * payload); // 1024 bytes (16 IV + 1008 data)	
+			void Decrypt (const uint8_t * in, uint8_t * out); // 1024 bytes (16 IV + 1008 data)	
 
 		private:
 
@@ -217,9 +271,11 @@ namespace crypto
 #else
 			CBCDecryption m_LayerDecryption;
 #endif
-	};
-}
-}
+	};	
+
+	void InitCrypto ();
+	void TerminateCrypto ();
+}		
+}	
 
 #endif
-

Daemon.cpp

@@ -1,9 +1,12 @@
 #include <thread>
+#include <memory>
 
 #include "Daemon.h"
 
+#include "Config.h"
 #include "Log.h"
-#include "base64.h"
+#include "FS.h"
+#include "Base.h"
 #include "version.h"
 #include "Transports.h"
 #include "NTCPSession.h"
@@ -12,17 +15,17 @@
 #include "Tunnel.h"
 #include "NetDb.h"
 #include "Garlic.h"
-#include "util.h"
 #include "Streaming.h"
 #include "Destination.h"
 #include "HTTPServer.h"
+#include "I2PControl.h"
 #include "ClientContext.h"
+#include "Crypto.h"
 
 #ifdef USE_UPNP
 #include "UPnP.h"
 #endif
 
-
 namespace i2p
 {
 	namespace util
@@ -30,14 +33,15 @@ namespace i2p
 		class Daemon_Singleton::Daemon_Singleton_Private
 		{
 		public:
-			Daemon_Singleton_Private() : httpServer(nullptr)
-			{};
-			~Daemon_Singleton_Private() 
-			{
-				delete httpServer;
-			};
+			Daemon_Singleton_Private() {};
+			~Daemon_Singleton_Private() {};
 
-			i2p::util::HTTPServer *httpServer;
+			std::unique_ptr<i2p::util::HTTPServer> httpServer;
+			std::unique_ptr<i2p::client::I2PControlService> m_I2PControlService;
+
+#ifdef USE_UPNP
+			i2p::transport::UPnP m_UPnP;
+#endif	
 		};
 
 		Daemon_Singleton::Daemon_Singleton() : running(1), d(*new Daemon_Singleton_Private()) {};
@@ -47,107 +51,213 @@ namespace i2p
 
 		bool Daemon_Singleton::IsService () const
 		{
+			bool service = false;
 #ifndef _WIN32
-			return i2p::util::config::GetArg("-service", 0);
-#else
-			return false;
+			i2p::config::GetOption("service", service);
 #endif
+			return service;
 		}
 
 		bool Daemon_Singleton::init(int argc, char* argv[])
 		{
-			i2p::util::config::OptionParser(argc, argv);
+			i2p::config::Init();
+			i2p::config::ParseCmdline(argc, argv);
+
+			std::string config;  i2p::config::GetOption("conf",    config);
+			std::string datadir; i2p::config::GetOption("datadir", datadir);
+			i2p::fs::DetectDataDir(datadir, IsService());
+			i2p::fs::Init();
+
+			datadir = i2p::fs::GetDataDir();
+			// TODO: drop old name detection in v2.8.0
+			if (config == "")
+			{
+				config = i2p::fs::DataDirPath("i2p.conf");
+				if (i2p::fs::Exists (config)) {
+					LogPrint(eLogWarning, "Daemon: please rename i2p.conf to i2pd.conf here: ", config);
+				} else {
+					config = i2p::fs::DataDirPath("i2pd.conf");
+					if (!i2p::fs::Exists (config)) {
+						// use i2pd.conf only if exists
+						config = ""; /* reset */
+					}
+				}
+			}
+
+			i2p::config::ParseConfig(config);
+			i2p::config::Finalize();
+
+			i2p::config::GetOption("daemon", isDaemon);
+
+			std::string logs     = ""; i2p::config::GetOption("log",      logs);
+			std::string logfile  = ""; i2p::config::GetOption("logfile",  logfile);
+			std::string loglevel = ""; i2p::config::GetOption("loglevel", loglevel);
+
+			/* setup logging */
+			if (isDaemon && (logs == "" || logs == "stdout"))
+				logs = "file";
+
+			i2p::log::Logger().SetLogLevel(loglevel);
+			if (logs == "file") {
+				if (logfile == "")
+					logfile = i2p::fs::DataDirPath("i2pd.log");
+				LogPrint(eLogInfo, "Log: will send messages to ", logfile);
+				i2p::log::Logger().SendTo (logfile);
+#ifndef _WIN32
+			} else if (logs == "syslog") {
+				LogPrint(eLogInfo, "Log: will send messages to syslog");
+				i2p::log::Logger().SendTo("i2pd", LOG_DAEMON);
+#endif
+			} else {
+				// use stdout -- default
+			}
+			i2p::log::Logger().Ready();
+
+			LogPrint(eLogInfo,  "i2pd v", VERSION, " starting");
+			LogPrint(eLogDebug, "FS: main config file: ", config);
+			LogPrint(eLogDebug, "FS: data directory: ", datadir);
+
+			i2p::crypto::InitCrypto ();
 			i2p::context.Init ();
 
-			LogPrint("\n\n\n\ni2pd starting\n");
-			LogPrint("Version ", VERSION);
-			LogPrint("data directory: ", i2p::util::filesystem::GetDataDir().string());
-			i2p::util::filesystem::ReadConfigFile(i2p::util::config::mapArgs, i2p::util::config::mapMultiArgs);
-
-			isDaemon = i2p::util::config::GetArg("-daemon", 0);
-			isLogging = i2p::util::config::GetArg("-log", 1);
-
-			int port = i2p::util::config::GetArg("-port", 0);
-			if (port)
-				i2p::context.UpdatePort (port);					
-			const char * host = i2p::util::config::GetCharArg("-host", "");
-			if (host && host[0])
-				i2p::context.UpdateAddress (boost::asio::ip::address::from_string (host));	
-
-			i2p::context.SetSupportsV6 (i2p::util::config::GetArg("-v6", 0));
-			i2p::context.SetFloodfill (i2p::util::config::GetArg("-floodfill", 0));
-			auto bandwidth = i2p::util::config::GetArg("-bandwidth", "");
-			if (bandwidth.length () > 0)
-			{
-				if (bandwidth[0] > 'L')
-					i2p::context.SetHighBandwidth ();
-				else
-					i2p::context.SetLowBandwidth ();
+			uint16_t port; i2p::config::GetOption("port", port);
+			if (!i2p::config::IsDefault("port"))
+			{	
+				LogPrint(eLogInfo, "Daemon: accepting incoming connections at port ", port);
+				i2p::context.UpdatePort (port);
 			}	
 
-			LogPrint("CMD parameters:");
-			for (int i = 0; i < argc; ++i)
-				LogPrint(i, "  ", argv[i]);
+			std::string host; i2p::config::GetOption("host", host);
+			if (!i2p::config::IsDefault("host"))
+			{
+				LogPrint(eLogInfo, "Daemon: setting address for incoming connections to ", host);
+				i2p::context.UpdateAddress (boost::asio::ip::address::from_string (host));	
+			}
 
+			bool ipv6;		i2p::config::GetOption("ipv6", ipv6);
+			bool ipv4;		i2p::config::GetOption("ipv4", ipv4);
+			bool transit; i2p::config::GetOption("notransit", transit);
+			i2p::context.SetSupportsV6		 (ipv6);
+			i2p::context.SetSupportsV4		 (ipv4);
+			i2p::context.SetAcceptsTunnels (!transit);
+
+			bool isFloodfill; i2p::config::GetOption("floodfill", isFloodfill);
+			if (isFloodfill) {
+				LogPrint(eLogInfo, "Daemon: router will be floodfill");
+				i2p::context.SetFloodfill (true);
+			}	else {
+				i2p::context.SetFloodfill (false);
+			}
+
+			/* this section also honors 'floodfill' flag, if set above */
+			std::string bandwidth; i2p::config::GetOption("bandwidth", bandwidth);
+			if (bandwidth.length () > 0)
+			{	
+				if (bandwidth[0] >= 'K' && bandwidth[0] <= 'X') 
+				{
+					i2p::context.SetBandwidth (bandwidth[0]);
+					LogPrint(eLogInfo, "Daemon: bandwidth set to ", i2p::context.GetBandwidthLimit (), "KBps");
+				} 
+				else 
+				{
+					auto value = std::atoi(bandwidth.c_str());
+					if (value > 0) 
+					{	
+						i2p::context.SetBandwidth (value);
+						LogPrint(eLogInfo, "Daemon: bandwidth set to ", i2p::context.GetBandwidthLimit (), " KBps");
+					}
+					else
+					{
+						LogPrint(eLogInfo, "Daemon: unexpected bandwidth ", bandwidth, ". Set to 'low'");
+						i2p::context.SetBandwidth (i2p::data::CAPS_FLAG_LOW_BANDWIDTH2);
+					}	
+				}	
+			}	
+			else if (isFloodfill) 
+			{
+				LogPrint(eLogInfo, "Daemon: floodfill bandwidth set to 'extra'");
+				i2p::context.SetBandwidth (i2p::data::CAPS_FLAG_EXTRA_BANDWIDTH1);
+			} 
+			else
+			{
+				LogPrint(eLogInfo, "Daemon: bandwidth set to 'low'");
+				i2p::context.SetBandwidth (i2p::data::CAPS_FLAG_LOW_BANDWIDTH2);
+			}	
+
+			std::string family; i2p::config::GetOption("family", family);
+			i2p::context.SetFamily (family);
+			if (family.length () > 0)
+				LogPrint(eLogInfo, "Daemon: family set to ", family);	
+			
 			return true;
 		}
 			
 		bool Daemon_Singleton::start()
 		{
-			// initialize log			
-			if (isLogging)
-			{
-				if (isDaemon)
-				{
-					std::string logfile_path = IsService () ? "/var/log" : i2p::util::filesystem::GetDataDir().string();
-#ifndef _WIN32
-					logfile_path.append("/i2pd.log");
-#else
-					logfile_path.append("\\i2pd.log");
-#endif
-					StartLog (logfile_path);
-				}
-				else
-					StartLog (""); // write to stdout
+			bool http; i2p::config::GetOption("http.enabled", http);
+			if (http) {
+				std::string httpAddr; i2p::config::GetOption("http.address", httpAddr);
+				uint16_t    httpPort; i2p::config::GetOption("http.port",    httpPort);
+				LogPrint(eLogInfo, "Daemon: starting HTTP Server at ", httpAddr, ":", httpPort);
+				d.httpServer = std::unique_ptr<i2p::util::HTTPServer>(new i2p::util::HTTPServer(httpAddr, httpPort));
+				d.httpServer->Start();
 			}
 
-			d.httpServer = new i2p::util::HTTPServer(i2p::util::config::GetArg("-httpport", 7070));
-			d.httpServer->Start();
-			LogPrint("HTTP Server started");
+			LogPrint(eLogInfo, "Daemon: starting NetDB");
 			i2p::data::netdb.Start();
-			LogPrint("NetDB started");
-			i2p::transport::transports.Start();
-			LogPrint("Transports started");
-			i2p::tunnel::tunnels.Start();
-			LogPrint("Tunnels started");
-			i2p::client::context.Start ();
-			LogPrint("Client started");
+
 #ifdef USE_UPNP
-            i2p::UPnP::upnpc.Start();
-            LogPrint("UPnP module loaded");
-#endif
+			LogPrint(eLogInfo, "Daemon: starting UPnP");
+			d.m_UPnP.Start ();
+#endif			
+			LogPrint(eLogInfo, "Daemon: starting Transports");
+			i2p::transport::transports.Start();
+
+			LogPrint(eLogInfo, "Daemon: starting Tunnels");
+			i2p::tunnel::tunnels.Start();
+
+			LogPrint(eLogInfo, "Daemon: starting Client");
+			i2p::client::context.Start ();
+
+			// I2P Control Protocol
+			bool i2pcontrol; i2p::config::GetOption("i2pcontrol.enabled", i2pcontrol);
+			if (i2pcontrol) {
+				std::string i2pcpAddr; i2p::config::GetOption("i2pcontrol.address", i2pcpAddr);
+				uint16_t    i2pcpPort; i2p::config::GetOption("i2pcontrol.port",    i2pcpPort);
+				LogPrint(eLogInfo, "Daemon: starting I2PControl at ", i2pcpAddr, ":", i2pcpPort);
+				d.m_I2PControlService = std::unique_ptr<i2p::client::I2PControlService>(new i2p::client::I2PControlService (i2pcpAddr, i2pcpPort));
+				d.m_I2PControlService->Start ();
+			}
 			return true;
 		}
 
 		bool Daemon_Singleton::stop()
 		{
-			LogPrint("Shutdown started.");
+			LogPrint(eLogInfo, "Daemon: shutting down");
+			LogPrint(eLogInfo, "Daemon: stopping Client");
 			i2p::client::context.Stop();
-			LogPrint("Client stopped");
+			LogPrint(eLogInfo, "Daemon: stopping Tunnels");
 			i2p::tunnel::tunnels.Stop();
-			LogPrint("Tunnels stopped");
-			i2p::transport::transports.Stop();
-			LogPrint("Transports stopped");
-			i2p::data::netdb.Stop();
-			LogPrint("NetDB stopped");
-			d.httpServer->Stop();
-			LogPrint("HTTP Server stopped");
 #ifdef USE_UPNP
-			i2p::UPnP::upnpc.Stop();
-#endif
-			StopLog ();
-
-			delete d.httpServer; d.httpServer = nullptr;
+			LogPrint(eLogInfo, "Daemon: stopping UPnP");
+			d.m_UPnP.Stop ();
+#endif			
+			LogPrint(eLogInfo, "Daemon: stopping Transports");
+			i2p::transport::transports.Stop();
+			LogPrint(eLogInfo, "Daemon: stopping NetDB");
+			i2p::data::netdb.Stop();
+			if (d.httpServer) {
+				LogPrint(eLogInfo, "Daemon: stopping HTTP Server");
+				d.httpServer->Stop();
+				d.httpServer = nullptr;
+			}
+			if (d.m_I2PControlService)
+			{
+				LogPrint(eLogInfo, "Daemon: stopping I2PControl");
+				d.m_I2PControlService->Stop ();
+				d.m_I2PControlService = nullptr;
+			}	
+			i2p::crypto::TerminateCrypto ();
 
 			return true;
 		}

Daemon.h

@@ -1,4 +1,6 @@
-#pragma once
+#ifndef DAEMON_H__
+#define DAEMON_H__
+
 #include <string>
 
 #ifdef _WIN32
@@ -18,17 +20,18 @@ namespace i2p
 			virtual bool init(int argc, char* argv[]);
 			virtual bool start();
 			virtual bool stop();
+			virtual void run () {};
 
-			int isLogging;
-			int isDaemon;
-			
-			int running;
+			bool isLogging;
+			bool isDaemon;
+
+			bool running;
 
 		protected:
 			Daemon_Singleton();
 			virtual ~Daemon_Singleton();
 
-			bool IsService () const;				
+			bool IsService () const;
 
 			// d-pointer for httpServer, httpProxy, etc.
 			class Daemon_Singleton_Private;
@@ -45,27 +48,37 @@ namespace i2p
 				return instance;
 			}
 
-			virtual bool init(int argc, char* argv[]);
-			virtual bool start();
-			virtual bool stop();
+			bool init(int argc, char* argv[]);
+			bool start();
+			bool stop();
+			void run ();
 		};
 #else
 		class DaemonLinux : public Daemon_Singleton
 		{
-		public:
-			static DaemonLinux& Instance()
-			{
-				static DaemonLinux instance;
-				return instance;
-			}
+			public:
+				static DaemonLinux& Instance()
+				{
+					static DaemonLinux instance;
+					return instance;
+				}
 
-			virtual bool start();
-			virtual bool stop();
-                private:
-                       std::string pidfile;
-                       int pidFilehandle;
+				bool start();
+				bool stop();
+				void run ();
+
+			private:
+
+				std::string pidfile;
+                int pidFH;
+
+			public:
+
+				int gracefullShutdownInterval; // in seconds
 
 		};
 #endif
 	}
 }
+
+#endif // DAEMON_H__

DaemonLinux.cpp

@@ -4,40 +4,41 @@
 
 #include <signal.h>
 #include <stdlib.h>
+#include <thread>
 #include <unistd.h>
 #include <fcntl.h>
 #include <sys/stat.h>
 
+#include "Config.h"
+#include "FS.h"
 #include "Log.h"
-#include "util.h"
-
+#include "RouterContext.h"
 
 void handle_signal(int sig)
 {
 	switch (sig)
 	{
-	case SIGHUP:
-		if (i2p::util::config::GetArg("daemon", 0) == 1)
-		{
-			static bool first=true;
-			if (first)
-			{
-				first=false;
-				return;
-			}
-		}
-		LogPrint("Reloading config.");
-		i2p::util::filesystem::ReadConfigFile(i2p::util::config::mapArgs, i2p::util::config::mapMultiArgs);
+		case SIGHUP:
+			LogPrint(eLogInfo, "Daemon: Got SIGHUP, reopening log...");
+			i2p::log::Logger().Reopen ();
 		break;
-	case SIGABRT:
-	case SIGTERM:
-	case SIGINT:
-		Daemon.running = 0; // Exit loop
+		case SIGINT:
+			if (i2p::context.AcceptsTunnels () && !Daemon.gracefullShutdownInterval)
+			{	
+				i2p::context.SetAcceptsTunnels (false);
+				Daemon.gracefullShutdownInterval = 10*60; // 10 minutes
+				LogPrint(eLogInfo, "Graceful shutdown after ", Daemon.gracefullShutdownInterval, " seconds");
+			}	
+			else
+				Daemon.running = 0; 
+		break;	
+		case SIGABRT:
+		case SIGTERM:
+			Daemon.running = 0; // Exit loop
 		break;
 	}
 }
 
-
 namespace i2p
 {
 	namespace util
@@ -52,44 +53,60 @@ namespace i2p
 					::exit (EXIT_SUCCESS);
 
 				if (pid < 0) // error
+				{
+					LogPrint(eLogError, "Daemon: could not fork: ", strerror(errno));
 					return false;
+				}
 
 				// child
-				umask(0);
+				umask(S_IWGRP | S_IRWXO); // 0027
 				int sid = setsid();
 				if (sid < 0)
 				{
-					LogPrint("Error, could not create process group.");
+					LogPrint(eLogError, "Daemon: could not create process group.");
+					return false;
+				}
+				std::string d = i2p::fs::GetDataDir();
+				if (chdir(d.c_str()) != 0)
+				{
+					LogPrint(eLogError, "Daemon: could not chdir: ", strerror(errno));
 					return false;
 				}
-				chdir(i2p::util::filesystem::GetDataDir().string().c_str());
 
 				// close stdin/stdout/stderr descriptors
-				::close (0);
-				::open ("/dev/null", O_RDWR);
-				::close (1);
-				::open ("/dev/null", O_RDWR);	
-				::close (2);
-				::open ("/dev/null", O_RDWR);
+				freopen("/dev/null", "r", stdin);
+				freopen("/dev/null", "w", stdout);
+				freopen("/dev/null", "w", stderr);
 			}
 
 			// Pidfile
-			pidfile = IsService () ? "/var/run" : i2p::util::filesystem::GetDataDir().string();
-			pidfile.append("/i2pd.pid");
-			pidFilehandle = open(pidfile.c_str(), O_RDWR | O_CREAT, 0600);
-			if (pidFilehandle == -1)
-			{
-				LogPrint("Error, could not create pid file (", pidfile, ")\nIs an instance already running?");
-				return false;
+			// this code is c-styled and a bit ugly, but we need fd for locking pidfile
+			std::string pidfile; i2p::config::GetOption("pidfile", pidfile);
+			if (pidfile == "") {
+				pidfile = i2p::fs::DataDirPath("i2pd.pid");
 			}
-			if (lockf(pidFilehandle, F_TLOCK, 0) == -1)
-			{
-				LogPrint("Error, could not lock pid file (", pidfile, ")\nIs an instance already running?");
-				return false;
+			if (pidfile != "") {
+				pidFH = open(pidfile.c_str(), O_RDWR | O_CREAT, 0600);
+				if (pidFH < 0)
+				{
+					LogPrint(eLogError, "Daemon: could not create pid file ", pidfile, ": ", strerror(errno));
+					return false;
+				}
+				if (lockf(pidFH, F_TLOCK, 0) != 0)
+				{
+					LogPrint(eLogError, "Daemon: could not lock pid file ", pidfile, ": ", strerror(errno));
+					return false;
+				}
+				char pid[10];
+				sprintf(pid, "%d\n", getpid());
+				ftruncate(pidFH, 0);
+				if (write(pidFH, pid, strlen(pid)) < 0)
+				{
+					LogPrint(eLogError, "Daemon: could not write pidfile: ", strerror(errno));
+					return false;
+				}
 			}
-			char pid[10];
-			sprintf(pid, "%d\n", getpid());
-			write(pidFilehandle, pid, strlen(pid));
+			gracefullShutdownInterval = 0; // not specified
 
 			// Signal handler
 			struct sigaction sa;
@@ -106,12 +123,27 @@ namespace i2p
 
 		bool DaemonLinux::stop()
 		{
-			close(pidFilehandle);
-			unlink(pidfile.c_str());
+			i2p::fs::Remove(pidfile);
 
 			return Daemon_Singleton::stop();			
 		}
 
+		void DaemonLinux::run ()
+		{
+			while (running)
+			{
+				std::this_thread::sleep_for (std::chrono::seconds(1));
+				if (gracefullShutdownInterval)
+				{
+					gracefullShutdownInterval--; // - 1 second
+					if (gracefullShutdownInterval <= 0) 
+					{	
+						LogPrint(eLogInfo, "Graceful shutdown");
+						return;
+					}
+				}	
+			}
+		}
 	}
 }
 

DaemonWin32.cpp

@@ -1,83 +1,113 @@
-#include "Daemon.h"
-#include "util.h"
-#include "Log.h"
-
-#ifdef _WIN32
-
-#include "./Win32/Win32Service.h"
-
-namespace i2p
-{
-	namespace util
-	{
-		bool DaemonWin32::init(int argc, char* argv[])
-		{
-			setlocale(LC_CTYPE, "");
-			SetConsoleCP(1251);
-			SetConsoleOutputCP(1251);
-			setlocale(LC_ALL, "Russian");
-
-			if (!Daemon_Singleton::init(argc, argv)) return false;
-			if (I2PService::isService())
-				isDaemon = 1;
-			else
-				isDaemon = 0;
-
-			std::string serviceControl = i2p::util::config::GetArg("-service", "none");
-			if (serviceControl == "install")
-			{
-				InstallService(
-					SERVICE_NAME,               // Name of service
-					SERVICE_DISPLAY_NAME,       // Name to display
-					SERVICE_START_TYPE,         // Service start type
-					SERVICE_DEPENDENCIES,       // Dependencies
-					SERVICE_ACCOUNT,            // Service running account
-					SERVICE_PASSWORD            // Password of the account
-					);
-				exit(0);
-			}
-			else if (serviceControl == "remove")
-			{
-				UninstallService(SERVICE_NAME);
-				exit(0);
-			}
-			else if (serviceControl != "none")
-			{
-				printf(" --service=install  to install the service.\n");
-				printf(" --service=remove   to remove the service.\n");
-			}
-			
-			if (isDaemon == 1)
-			{
-				LogPrint("Service session");
-				I2PService service(SERVICE_NAME);
-				if (!I2PService::Run(service))
-				{
-					LogPrint("Service failed to run w/err 0x%08lx\n", GetLastError());
-					exit(EXIT_FAILURE);
-				}
-				exit(EXIT_SUCCESS);
-			}
-			else
-				LogPrint("User session");
-
-			return true;
-		}
-		bool DaemonWin32::start()
-		{
-			setlocale(LC_CTYPE, "");
-			SetConsoleCP(1251);
-			SetConsoleOutputCP(1251);
-			setlocale(LC_ALL, "Russian");
-
-			return Daemon_Singleton::start();
-		}
-
-		bool DaemonWin32::stop()
-		{
-			return Daemon_Singleton::stop();
-		}
-	}
-}
-
-#endif
+#include <thread>
+#include "Config.h"
+#include "Daemon.h"
+#include "util.h"
+#include "Log.h"
+
+#ifdef _WIN32
+
+#include "Win32/Win32Service.h"
+#ifdef WIN32_APP
+#include "Win32/Win32App.h"
+#endif
+
+namespace i2p
+{
+	namespace util
+	{
+		bool DaemonWin32::init(int argc, char* argv[])
+		{
+			setlocale(LC_CTYPE, "");
+			SetConsoleCP(1251);
+			SetConsoleOutputCP(1251);
+
+			if (!Daemon_Singleton::init(argc, argv))
+				return false;
+
+			std::string serviceControl; i2p::config::GetOption("svcctl", serviceControl);
+			if (serviceControl == "install")
+			{
+				LogPrint(eLogInfo, "WinSVC: installing ", SERVICE_NAME, " as service");
+				InstallService(
+					SERVICE_NAME,               // Name of service
+					SERVICE_DISPLAY_NAME,       // Name to display
+					SERVICE_START_TYPE,         // Service start type
+					SERVICE_DEPENDENCIES,       // Dependencies
+					SERVICE_ACCOUNT,            // Service running account
+					SERVICE_PASSWORD            // Password of the account
+					);
+				return false;
+			}
+			else if (serviceControl == "remove")
+			{
+				LogPrint(eLogInfo, "WinSVC: uninstalling ", SERVICE_NAME, " service");
+				UninstallService(SERVICE_NAME);
+				return false;
+			}
+
+			if (isDaemon == 1)
+			{
+				LogPrint(eLogDebug, "Daemon: running as service");
+				I2PService service(SERVICE_NAME);
+				if (!I2PService::Run(service))
+				{
+					LogPrint(eLogError, "Daemon: Service failed to run w/err 0x%08lx\n", GetLastError());
+					return false;
+				}
+				return false;
+			}
+			else
+				LogPrint(eLogDebug, "Daemon: running as user");
+
+			return true;
+		}
+
+		bool DaemonWin32::start()
+		{
+			setlocale(LC_CTYPE, "");
+			SetConsoleCP(1251);
+			SetConsoleOutputCP(1251);
+			setlocale(LC_ALL, "Russian");
+#ifdef WIN32_APP
+            if (!i2p::win32::StartWin32App ()) return false;
+
+            // override log
+            i2p::config::SetOption("log", std::string ("file"));
+#endif
+			bool ret = Daemon_Singleton::start();
+			if (ret && i2p::log::Logger().GetLogType() == eLogFile)
+			{
+				// TODO: find out where this garbage to console comes from
+				SetStdHandle(STD_OUTPUT_HANDLE, INVALID_HANDLE_VALUE);
+				SetStdHandle(STD_ERROR_HANDLE, INVALID_HANDLE_VALUE);
+			}
+			bool insomnia; i2p::config::GetOption("insomnia", insomnia);
+			if (insomnia)
+				SetThreadExecutionState(ES_CONTINUOUS | ES_SYSTEM_REQUIRED);
+			return ret;
+		}
+
+		bool DaemonWin32::stop()
+		{
+#ifdef WIN32_APP
+		    i2p::win32::StopWin32App ();
+#endif
+			return Daemon_Singleton::stop();
+		}
+
+		void DaemonWin32::run ()
+        {
+#ifdef WIN32_APP
+            i2p::win32::RunWin32App ();
+#else
+		 while (running)
+		{
+			std::this_thread::sleep_for (std::chrono::seconds(1));
+		}
+ 	
+#endif
+        }
+	}
+}
+
+#endif

Datagram.cpp

@@ -1,7 +1,7 @@
 #include <string.h>
 #include <vector>
-#include <cryptopp/sha.h>
-#include <cryptopp/gzip.h>
+#include <openssl/sha.h>
+#include <openssl/rand.h>
 #include "Log.h"
 #include "TunnelBase.h"
 #include "RouterContext.h"
@@ -12,66 +12,61 @@ namespace i2p
 {
 namespace datagram
 {
-	DatagramDestination::DatagramDestination (i2p::client::ClientDestination& owner): 
+	DatagramDestination::DatagramDestination (std::shared_ptr<i2p::client::ClientDestination> owner): 
 		m_Owner (owner), m_Receiver (nullptr)
 	{
 	}
-
+	
+	DatagramDestination::~DatagramDestination ()
+	{
+	}
+	
 	void DatagramDestination::SendDatagramTo (const uint8_t * payload, size_t len, const i2p::data::IdentHash& ident, uint16_t fromPort, uint16_t toPort)
 	{
 		uint8_t buf[MAX_DATAGRAM_SIZE];
-		auto identityLen = m_Owner.GetIdentity ().ToBuffer (buf, MAX_DATAGRAM_SIZE);
+		auto identityLen = m_Owner->GetIdentity ()->ToBuffer (buf, MAX_DATAGRAM_SIZE);
 		uint8_t * signature = buf + identityLen;
-		auto signatureLen = m_Owner.GetIdentity ().GetSignatureLen ();
+		auto signatureLen = m_Owner->GetIdentity ()->GetSignatureLen ();
 		uint8_t * buf1 = signature + signatureLen;
 		size_t headerLen = identityLen + signatureLen;
 		
 		memcpy (buf1, payload, len);	
-		if (m_Owner.GetIdentity ().GetSigningKeyType () == i2p::data::SIGNING_KEY_TYPE_DSA_SHA1)
+		if (m_Owner->GetIdentity ()->GetSigningKeyType () == i2p::data::SIGNING_KEY_TYPE_DSA_SHA1)
 		{
 			uint8_t hash[32];	
-			CryptoPP::SHA256().CalculateDigest (hash, buf1, len);
-			m_Owner.Sign (hash, 32, signature);
+			SHA256(buf1, len, hash);
+			m_Owner->Sign (hash, 32, signature);
 		}
 		else
-			m_Owner.Sign (buf1, len, signature);
+			m_Owner->Sign (buf1, len, signature);
 
 		auto msg = CreateDataMessage (buf, len + headerLen, fromPort, toPort); 
-		auto remote = m_Owner.FindLeaseSet (ident);
+		auto remote = m_Owner->FindLeaseSet (ident);
 		if (remote)
-			m_Owner.GetService ().post (std::bind (&DatagramDestination::SendMsg, this, msg, remote));
+			m_Owner->GetService ().post (std::bind (&DatagramDestination::SendMsg, this, msg, remote));
 		else
-			m_Owner.RequestDestination (ident, std::bind (&DatagramDestination::HandleLeaseSetRequestComplete, 
-				this, std::placeholders::_1, msg, ident));
+			m_Owner->RequestDestination (ident, std::bind (&DatagramDestination::HandleLeaseSetRequestComplete, this, std::placeholders::_1, msg));
 	}
 
-	void DatagramDestination::HandleLeaseSetRequestComplete (bool success, I2NPMessage * msg, i2p::data::IdentHash ident)
+	void DatagramDestination::HandleLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> remote, std::shared_ptr<I2NPMessage> msg)
 	{
-		if (success)
-		{
-			auto remote = m_Owner.FindLeaseSet (ident);
-			if (remote)
-			{
-				SendMsg (msg, remote);
-				return;
-			}	
-		}
-		DeleteI2NPMessage (msg);
+		if (remote)
+			SendMsg (msg, remote);
 	}	
 		
-	void DatagramDestination::SendMsg (I2NPMessage * msg, std::shared_ptr<const i2p::data::LeaseSet> remote)
+	void DatagramDestination::SendMsg (std::shared_ptr<I2NPMessage> msg, std::shared_ptr<const i2p::data::LeaseSet> remote)
 	{
-		auto outboundTunnel = m_Owner.GetTunnelPool ()->GetNextOutboundTunnel ();
+		auto outboundTunnel = m_Owner->GetTunnelPool ()->GetNextOutboundTunnel ();
 		auto leases = remote->GetNonExpiredLeases ();
 		if (!leases.empty () && outboundTunnel)
 		{
 			std::vector<i2p::tunnel::TunnelMessageBlock> msgs;			
-			uint32_t i = i2p::context.GetRandomNumberGenerator ().GenerateWord32 (0, leases.size () - 1);
-			auto garlic = m_Owner.WrapMessage (remote, msg, true);
+			uint32_t i = rand () % leases.size ();
+			auto garlic = m_Owner->WrapMessage (remote, msg, true);
 			msgs.push_back (i2p::tunnel::TunnelMessageBlock 
 				{ 
 					i2p::tunnel::eDeliveryTypeTunnel,
-					leases[i].tunnelGateway, leases[i].tunnelID,
+					leases[i]->tunnelGateway, leases[i]->tunnelID,
 					garlic
 				});
 			outboundTunnel->SendTunnelDataMsg (msgs);
@@ -82,7 +77,6 @@ namespace datagram
 				LogPrint (eLogWarning, "Failed to send datagram. All leases expired");
 			else
 				LogPrint (eLogWarning, "Failed to send datagram. No outbound tunnels");
-			DeleteI2NPMessage (msg);	
 		}	
 	}
 
@@ -97,7 +91,7 @@ namespace datagram
 		if (identity.GetSigningKeyType () == i2p::data::SIGNING_KEY_TYPE_DSA_SHA1)
 		{
 			uint8_t hash[32];
-			CryptoPP::SHA256().CalculateDigest (hash, buf + headerLen, len - headerLen);
+			SHA256(buf + headerLen, len - headerLen, hash);
 			verified = identity.Verify (hash, 32, signature);
 		}	
 		else	
@@ -105,7 +99,10 @@ namespace datagram
 				
 		if (verified)
 		{
-			if (m_Receiver != nullptr)
+			auto it = m_ReceiversByPorts.find (toPort);
+			if (it != m_ReceiversByPorts.end ())
+				it->second (identity, fromPort, toPort, buf + headerLen, len -headerLen);
+			else if (m_Receiver != nullptr)
 				m_Receiver (identity, fromPort, toPort, buf + headerLen, len -headerLen);
 			else
 				LogPrint (eLogWarning, "Receiver for datagram is not set");	
@@ -117,37 +114,29 @@ namespace datagram
 	void DatagramDestination::HandleDataMessagePayload (uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len)
 	{
 		// unzip it
-		CryptoPP::Gunzip decompressor;
-		decompressor.Put (buf, len);
-		decompressor.MessageEnd();
 		uint8_t uncompressed[MAX_DATAGRAM_SIZE];
-		auto uncompressedLen = decompressor.MaxRetrievable ();
-		if (uncompressedLen <= MAX_DATAGRAM_SIZE)
-		{
-			decompressor.Get (uncompressed, uncompressedLen);
+		size_t uncompressedLen = m_Inflator.Inflate (buf, len, uncompressed, MAX_DATAGRAM_SIZE);
+		if (uncompressedLen)
 			HandleDatagram (fromPort, toPort, uncompressed, uncompressedLen); 
-		}
-		else
-			LogPrint ("Received datagram size ", uncompressedLen,  " exceeds max size");
-
 	}
 
-	I2NPMessage * DatagramDestination::CreateDataMessage (const uint8_t * payload, size_t len, uint16_t fromPort, uint16_t toPort)
+	std::shared_ptr<I2NPMessage> DatagramDestination::CreateDataMessage (const uint8_t * payload, size_t len, uint16_t fromPort, uint16_t toPort)
 	{
-		I2NPMessage * msg = NewI2NPMessage ();
-		CryptoPP::Gzip compressor; // default level
-		compressor.Put (payload, len);
-		compressor.MessageEnd();
-		int size = compressor.MaxRetrievable ();
+		auto msg = NewI2NPMessage ();
 		uint8_t * buf = msg->GetPayload ();
-		htobe32buf (buf, size); // length
-		buf += 4;
-		compressor.Get (buf, size);
-		htobe16buf (buf + 4, fromPort); // source port
-		htobe16buf (buf + 6, toPort); // destination port 
-		buf[9] = i2p::client::PROTOCOL_TYPE_DATAGRAM; // datagram protocol
-		msg->len += size + 4; 
-		FillI2NPMessageHeader (msg, eI2NPData);
+		buf += 4; // reserve for length
+		size_t size = m_Deflator.Deflate (payload, len, buf, msg->maxLen - msg->len);
+		if (size)
+		{
+			htobe32buf (msg->GetPayload (), size); // length
+			htobe16buf (buf + 4, fromPort); // source port
+			htobe16buf (buf + 6, toPort); // destination port 
+			buf[9] = i2p::client::PROTOCOL_TYPE_DATAGRAM; // datagram protocol
+			msg->len += size + 4; 
+			msg->FillI2NPMessageHeader (eI2NPData);
+		}	
+		else
+			msg = nullptr;
 		return msg;
 	}	
 }

Datagram.h

@@ -4,6 +4,8 @@
 #include <inttypes.h>
 #include <memory>
 #include <functional>
+#include <map>
+#include "Base.h"
 #include "Identity.h"
 #include "LeaseSet.h"
 #include "I2NPProtocol.h"
@@ -23,8 +25,8 @@ namespace datagram
 
 		public:
 
-			DatagramDestination (i2p::client::ClientDestination& owner);
-			~DatagramDestination () {};				
+			DatagramDestination (std::shared_ptr<i2p::client::ClientDestination> owner);
+			~DatagramDestination ();				
 
 			void SendDatagramTo (const uint8_t * payload, size_t len, const i2p::data::IdentHash& ident, uint16_t fromPort = 0, uint16_t toPort = 0);
 			void HandleDataMessagePayload (uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len);
@@ -32,18 +34,25 @@ namespace datagram
 			void SetReceiver (const Receiver& receiver) { m_Receiver = receiver; };
 			void ResetReceiver () { m_Receiver = nullptr; };
 
+			void SetReceiver (const Receiver& receiver, uint16_t port) { m_ReceiversByPorts[port] = receiver; };
+			void ResetReceiver (uint16_t port) { m_ReceiversByPorts.erase (port); };
+
 		private:
 
-			void HandleLeaseSetRequestComplete (bool success, I2NPMessage * msg, i2p::data::IdentHash ident);
+			void HandleLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet, std::shared_ptr<I2NPMessage> msg);
 			
-			I2NPMessage * CreateDataMessage (const uint8_t * payload, size_t len, uint16_t fromPort, uint16_t toPort);
-			void SendMsg (I2NPMessage * msg, std::shared_ptr<const i2p::data::LeaseSet> remote);
+			std::shared_ptr<I2NPMessage> CreateDataMessage (const uint8_t * payload, size_t len, uint16_t fromPort, uint16_t toPort);
+			void SendMsg (std::shared_ptr<I2NPMessage> msg, std::shared_ptr<const i2p::data::LeaseSet> remote);
 			void HandleDatagram (uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len);
 
 		private:
 
-			i2p::client::ClientDestination& m_Owner;
-			Receiver m_Receiver;
+			std::shared_ptr<i2p::client::ClientDestination> m_Owner;
+			Receiver m_Receiver; // default
+			std::map<uint16_t, Receiver> m_ReceiversByPorts;
+
+			i2p::data::GzipInflator m_Inflator;
+			i2p::data::GzipDeflator m_Deflator;
 	};		
 }
 }

Destination.cpp

@@ -1,12 +1,13 @@
 #include <algorithm>
 #include <cassert>
 #include <boost/lexical_cast.hpp>
+#include <openssl/rand.h>
+
 #include "Log.h"
-#include "util.h"
-#include "ElGamal.h"
+#include "FS.h"
+#include "Crypto.h"
 #include "Timestamp.h"
 #include "NetDb.h"
-#include "AddressBook.h"
 #include "Destination.h"
 
 namespace i2p
@@ -16,12 +17,20 @@ namespace client
 	ClientDestination::ClientDestination (const i2p::data::PrivateKeys& keys, bool isPublic, 
 			const std::map<std::string, std::string> * params):
 		m_IsRunning (false), m_Thread (nullptr), m_Work (m_Service),	
-		m_Keys (keys), m_LeaseSet (nullptr), m_IsPublic (isPublic), m_PublishReplyToken (0),
-		m_DatagramDestination (nullptr), m_PublishConfirmationTimer (m_Service), m_CleanupTimer (m_Service)
+		m_Keys (keys), m_IsPublic (isPublic), m_PublishReplyToken (0),
+		m_DatagramDestination (nullptr), m_PublishConfirmationTimer (m_Service), 
+		m_PublishVerificationTimer (m_Service), m_CleanupTimer (m_Service)
 	{
-		i2p::crypto::GenerateElGamalKeyPair(i2p::context.GetRandomNumberGenerator (), m_EncryptionPrivateKey, m_EncryptionPublicKey);
+		if (m_IsPublic)	
+			PersistTemporaryKeys ();
+		else
+			i2p::crypto::GenerateElGamalKeyPair(m_EncryptionPrivateKey, m_EncryptionPublicKey);
 		int inboundTunnelLen = DEFAULT_INBOUND_TUNNEL_LENGTH;
 		int outboundTunnelLen = DEFAULT_OUTBOUND_TUNNEL_LENGTH;
+		int inboundTunnelsQuantity = DEFAULT_INBOUND_TUNNELS_QUANTITY;
+		int outboundTunnelsQuantity = DEFAULT_OUTBOUND_TUNNELS_QUANTITY;
+		int numTags = DEFAULT_TAGS_TO_SEND;
+		std::shared_ptr<std::vector<i2p::data::IdentHash> > explicitPeers;
 		if (params)
 		{
 			auto it = params->find (I2CP_PARAM_INBOUND_TUNNEL_LENGTH);
@@ -31,7 +40,7 @@ namespace client
 				if (len > 0)
 				{
 					inboundTunnelLen = len;
-					LogPrint (eLogInfo, "Inbound tunnel length set to ", len);
+					LogPrint (eLogInfo, "Destination: Inbound tunnel length set to ", len);
 				}
 			}	
 			it = params->find (I2CP_PARAM_OUTBOUND_TUNNEL_LENGTH);
@@ -41,14 +50,60 @@ namespace client
 				if (len > 0)
 				{
 					outboundTunnelLen = len;
-					LogPrint (eLogInfo, "Outbound tunnel length set to ", len);
+					LogPrint (eLogInfo, "Destination: Outbound tunnel length set to ", len);
 				}
 			}	
+			it = params->find (I2CP_PARAM_INBOUND_TUNNELS_QUANTITY);
+			if (it != params->end ())
+			{
+				int quantity = boost::lexical_cast<int>(it->second);
+				if (quantity > 0)
+				{
+					inboundTunnelsQuantity = quantity;
+					LogPrint (eLogInfo, "Destination: Inbound tunnels quantity set to ", quantity);
+				}	
+			}
+			it = params->find (I2CP_PARAM_OUTBOUND_TUNNELS_QUANTITY);
+			if (it != params->end ())
+			{
+				int quantity = boost::lexical_cast<int>(it->second);
+				if (quantity > 0)
+				{
+					outboundTunnelsQuantity = quantity;
+					LogPrint (eLogInfo, "Destination: Outbound tunnels quantity set to ", quantity);
+				}	
+			}
+			it = params->find (I2CP_PARAM_TAGS_TO_SEND);
+			if (it != params->end ())
+			{
+				int tagsToSend = boost::lexical_cast<int>(it->second);
+				if (tagsToSend > 0)
+				{
+					numTags = tagsToSend;
+					LogPrint (eLogInfo, "Destination: Tags to send set to  ", tagsToSend);
+				}	
+			}	
+			it = params->find (I2CP_PARAM_EXPLICIT_PEERS);
+			if (it != params->end ())
+			{
+				explicitPeers = std::make_shared<std::vector<i2p::data::IdentHash> >();
+				std::stringstream ss(it->second);
+				std::string b64;
+				while (std::getline (ss, b64, ','))
+				{
+					i2p::data::IdentHash ident;
+					ident.FromBase64 (b64);
+					explicitPeers->push_back (ident);
+				}
+				LogPrint (eLogInfo, "Destination: Explicit peers set to ", it->second);
+			}
 		}	
-		m_Pool = i2p::tunnel::tunnels.CreateTunnelPool (this, inboundTunnelLen, outboundTunnelLen);  
+		SetNumTags (numTags);
+		m_Pool = i2p::tunnel::tunnels.CreateTunnelPool (inboundTunnelLen, outboundTunnelLen, inboundTunnelsQuantity, outboundTunnelsQuantity);  
+		if (explicitPeers)
+			m_Pool->SetExplicitPeers (explicitPeers);
 		if (m_IsPublic)
-			LogPrint (eLogInfo, "Local address ", i2p::client::GetB32Address(GetIdentHash()), " created");
-		m_StreamingDestination = std::make_shared<i2p::stream::StreamingDestination> (*this); // TODO:
+			LogPrint (eLogInfo, "Destination: Local address ", GetIdentHash().ToBase32 (), " created");
 	}
 
 	ClientDestination::~ClientDestination ()
@@ -56,7 +111,8 @@ namespace client
 		if (m_IsRunning)	
 			Stop ();
 		for (auto it: m_LeaseSetRequests)
-			delete it.second;
+			if (it.second->requestComplete) it.second->requestComplete (nullptr);
+		m_LeaseSetRequests.clear ();
 		if (m_Pool)
 			i2p::tunnel::tunnels.DeleteTunnelPool (m_Pool);		
 		if (m_DatagramDestination)
@@ -73,7 +129,7 @@ namespace client
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint ("Destination: ", ex.what ());
+				LogPrint (eLogError, "Destination: runtime exception: ", ex.what ());
 			}	
 		}	
 	}	
@@ -83,16 +139,17 @@ namespace client
 		if (!m_IsRunning)
 		{	
 			m_IsRunning = true;
-			m_Pool->SetLocalDestination (this);
-			m_Pool->SetActive (true);
-			m_Thread = new std::thread (std::bind (&ClientDestination::Run, this));
+			m_Pool->SetLocalDestination (shared_from_this ());
+			m_Pool->SetActive (true);			
+			m_Thread = new std::thread (std::bind (&ClientDestination::Run, shared_from_this ()));
+			m_StreamingDestination = std::make_shared<i2p::stream::StreamingDestination> (shared_from_this ()); // TODO:
 			m_StreamingDestination->Start ();	
 			for (auto it: m_StreamingDestinationsByPorts)
 				it.second->Start ();
 			
 			m_CleanupTimer.expires_from_now (boost::posix_time::minutes (DESTINATION_CLEANUP_TIMEOUT));
 			m_CleanupTimer.async_wait (std::bind (&ClientDestination::HandleCleanupTimer,
-				this, std::placeholders::_1));
+				shared_from_this (), std::placeholders::_1));
 		}	
 	}
 		
@@ -101,8 +158,11 @@ namespace client
 		if (m_IsRunning)
 		{	
 			m_CleanupTimer.cancel ();
+			m_PublishConfirmationTimer.cancel ();
+			m_PublishVerificationTimer.cancel ();
 			m_IsRunning = false;
-			m_StreamingDestination->Stop ();	
+			m_StreamingDestination->Stop ();
+			m_StreamingDestination = nullptr;
 			for (auto it: m_StreamingDestinationsByPorts)
 				it.second->Stop ();
 			if (m_DatagramDestination)
@@ -131,16 +191,17 @@ namespace client
 		auto it = m_RemoteLeaseSets.find (ident);
 		if (it != m_RemoteLeaseSets.end ())
 		{	
-			if (it->second->HasNonExpiredLeases ())
+			if (!it->second->IsExpired ())
 				return it->second;
 			else
-				LogPrint ("All leases of remote LeaseSet expired");
+				LogPrint (eLogWarning, "Destination: remote LeaseSet expired");
 		}	
 		else
 		{	
 			auto ls = i2p::data::netdb.FindLeaseSet (ident);
-			if (ls)
+			if (ls && !ls->IsExpired ())
 			{
+				ls->PopulateLeases (); // since we don't store them in netdb
 				m_RemoteLeaseSets[ident] = ls;			
 				return ls;
 			}	
@@ -148,7 +209,7 @@ namespace client
 		return nullptr;
 	}	
 
-	const i2p::data::LeaseSet * ClientDestination::GetLeaseSet ()
+	std::shared_ptr<const i2p::data::LeaseSet> ClientDestination::GetLeaseSet ()
 	{
 		if (!m_Pool) return nullptr;
 		if (!m_LeaseSet)
@@ -158,15 +219,7 @@ namespace client
 
 	void ClientDestination::UpdateLeaseSet ()
 	{
-		auto newLeaseSet = new i2p::data::LeaseSet (*m_Pool);
-		if (!m_LeaseSet)
-			m_LeaseSet = newLeaseSet;
-		else
-		{	
-			// TODO: implement it better
-			*m_LeaseSet = *newLeaseSet;
-			delete newLeaseSet;
-		}	
+		m_LeaseSet.reset (new i2p::data::LeaseSet (m_Pool));
 	}	
 
 	bool ClientDestination::SubmitSessionKey (const uint8_t * key, const uint8_t * tag)
@@ -177,21 +230,22 @@ namespace client
 		} data;	
 		memcpy (data.k, key, 32);
 		memcpy (data.t, tag, 32);
-		m_Service.post ([this,data](void)
+		auto s = shared_from_this ();
+		m_Service.post ([s,data](void)
 			{
-				this->AddSessionKey (data.k, data.t);
+				s->AddSessionKey (data.k, data.t);
 			});
 		return true;
 	}
 
-	void ClientDestination::ProcessGarlicMessage (I2NPMessage * msg)
+	void ClientDestination::ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg)
 	{
-		m_Service.post (std::bind (&ClientDestination::HandleGarlicMessage, this, msg)); 
+		m_Service.post (std::bind (&ClientDestination::HandleGarlicMessage, shared_from_this (), msg)); 
 	}
 
-	void ClientDestination::ProcessDeliveryStatusMessage (I2NPMessage * msg)
+	void ClientDestination::ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg)
 	{
-		m_Service.post (std::bind (&ClientDestination::HandleDeliveryStatusMessage, this, msg)); 
+		m_Service.post (std::bind (&ClientDestination::HandleDeliveryStatusMessage, shared_from_this (), msg)); 
 	}
 
 	void ClientDestination::HandleI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from)
@@ -202,6 +256,10 @@ namespace client
 			case eI2NPData:
 				HandleDataMessage (buf + I2NP_HEADER_SIZE, bufbe16toh (buf + I2NP_HEADER_SIZE_OFFSET));
 			break;
+			case eI2NPDeliveryStatus:
+				// we assume tunnel tests non-encrypted
+				HandleDeliveryStatusMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf), from));
+			break;	
 			case eI2NPDatabaseStore:
 				HandleDatabaseStoreMessage (buf + I2NP_HEADER_SIZE, bufbe16toh (buf + I2NP_HEADER_SIZE_OFFSET));
 			break;
@@ -219,33 +277,60 @@ namespace client
 		size_t offset = DATABASE_STORE_HEADER_SIZE;
 		if (replyToken) 
 		{
-			LogPrint (eLogInfo, "Reply token is ignored for DatabaseStore");
+			LogPrint (eLogInfo, "Destination: Reply token is ignored for DatabaseStore");
 			offset += 36;
 		}
+		std::shared_ptr<i2p::data::LeaseSet> leaseSet;
 		if (buf[DATABASE_STORE_TYPE_OFFSET] == 1) // LeaseSet
 		{
 			LogPrint (eLogDebug, "Remote LeaseSet");
 			auto it = m_RemoteLeaseSets.find (buf + DATABASE_STORE_KEY_OFFSET);
 			if (it != m_RemoteLeaseSets.end ())
 			{
-				it->second->Update (buf + offset, len - offset); 
-				LogPrint (eLogDebug, "Remote LeaseSet updated");
+				leaseSet = it->second;
+				if (leaseSet->IsNewer (buf + offset, len - offset))
+				{	
+					leaseSet->Update (buf + offset, len - offset); 
+					if (leaseSet->IsValid ())
+						LogPrint (eLogDebug, "Remote LeaseSet updated");
+					else
+					{
+						LogPrint (eLogDebug, "Remote LeaseSet update failed");
+						m_RemoteLeaseSets.erase (it);
+						leaseSet = nullptr;
+					}
+				}
+				else
+					LogPrint (eLogDebug, "Remote LeaseSet is older. Not updated");
 			}
 			else
 			{	
-				LogPrint (eLogDebug, "New remote LeaseSet added");
-				m_RemoteLeaseSets[buf + DATABASE_STORE_KEY_OFFSET] = std::make_shared<i2p::data::LeaseSet> (buf + offset, len - offset);
+				leaseSet = std::make_shared<i2p::data::LeaseSet> (buf + offset, len - offset);
+				if (leaseSet->IsValid ())
+				{
+					if (leaseSet->GetIdentHash () != GetIdentHash ())
+					{
+						LogPrint (eLogDebug, "New remote LeaseSet added");
+						m_RemoteLeaseSets[buf + DATABASE_STORE_KEY_OFFSET] = leaseSet;
+					}
+					else
+						LogPrint (eLogDebug, "Own remote LeaseSet dropped");
+				}
+				else
+				{
+					LogPrint (eLogError, "New remote LeaseSet failed");
+					leaseSet = nullptr;
+				}
 			}	
 		}	
 		else
-			LogPrint (eLogError, "Unexpected client's DatabaseStore type ", buf[DATABASE_STORE_TYPE_OFFSET], ". Dropped");
+			LogPrint (eLogError, "Destination: Unexpected client's DatabaseStore type ", buf[DATABASE_STORE_TYPE_OFFSET], ", dropped");
 		
 		auto it1 = m_LeaseSetRequests.find (buf + DATABASE_STORE_KEY_OFFSET);
 		if (it1 != m_LeaseSetRequests.end ())
 		{
 			it1->second->requestTimeoutTimer.cancel ();
-			if (it1->second->requestComplete) it1->second->requestComplete (true);
-			delete it1->second;
+			if (it1->second->requestComplete) it1->second->requestComplete (leaseSet);
 			m_LeaseSetRequests.erase (it1);
 		}	
 	}
@@ -254,11 +339,11 @@ namespace client
 	{
 		i2p::data::IdentHash key (buf);
 		int num = buf[32]; // num
-		LogPrint ("DatabaseSearchReply for ", key.ToBase64 (), " num=", num);
+		LogPrint (eLogDebug, "Destination: DatabaseSearchReply for ", key.ToBase64 (), " num=", num);
 		auto it = m_LeaseSetRequests.find (key);
 		if (it != m_LeaseSetRequests.end ())
 		{
-			LeaseSetRequest * request = it->second;
+			auto request = it->second;
 			bool found = false;
 			if (request->excluded.size () < MAX_NUM_FLOODFILLS_PER_REQUEST)
 			{	
@@ -268,41 +353,43 @@ namespace client
 					auto floodfill = i2p::data::netdb.FindRouter (peerHash);
 					if (floodfill)
 					{
-						LogPrint (eLogInfo, "Requesting ", key.ToBase64 (), " at ", peerHash.ToBase64 ());
+						LogPrint (eLogInfo, "Destination: Requesting ", key.ToBase64 (), " at ", peerHash.ToBase64 ());
 						if (SendLeaseSetRequest (key, floodfill, request))
 							found = true;
 					}	
 					else
 					{	
-						LogPrint (eLogInfo, "Found new floodfill. Request it");
+						LogPrint (eLogInfo, "Destination: Found new floodfill, request it"); // TODO: recheck this message
 						i2p::data::netdb.RequestDestination (peerHash);
 					}	
 				}
 				if (!found)
-					LogPrint (eLogError, "Suggested floodfills are not presented in netDb"); 
+					LogPrint (eLogError, "Destination: Suggested floodfills are not presented in netDb");
 			}	
 			else
-				LogPrint (eLogInfo, key.ToBase64 (), " was not found on ",  MAX_NUM_FLOODFILLS_PER_REQUEST," floodfills");
+				LogPrint (eLogInfo, "Destination: ", key.ToBase64 (), " was not found on ", MAX_NUM_FLOODFILLS_PER_REQUEST, " floodfills");
 			if (!found)
 			{
-				if (request->requestComplete) request->requestComplete (false);
-				delete request;
+				if (request->requestComplete) request->requestComplete (nullptr);
 				m_LeaseSetRequests.erase (key);
 			}	
 		}	
 		else	
-			LogPrint ("Request for ", key.ToBase64 (), " not found");
+			LogPrint (eLogWarning, "Destination: Request for ", key.ToBase64 (), " not found");
 	}	
 		
-	void ClientDestination::HandleDeliveryStatusMessage (I2NPMessage * msg)
+	void ClientDestination::HandleDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		uint32_t msgID = bufbe32toh (msg->GetPayload () + DELIVERY_STATUS_MSGID_OFFSET);
 		if (msgID == m_PublishReplyToken)
 		{
-			LogPrint (eLogDebug, "Publishing confirmed");
+			LogPrint (eLogDebug, "Destination: Publishing LeaseSet confirmed");
 			m_ExcludedFloodfills.clear ();
 			m_PublishReplyToken = 0;
-			i2p::DeleteI2NPMessage (msg);
+			// schedule verification
+			m_PublishVerificationTimer.expires_from_now (boost::posix_time::seconds(PUBLISH_VERIFICATION_TIMEOUT));
+			m_PublishVerificationTimer.async_wait (std::bind (&ClientDestination::HandlePublishVerificationTimer,
+			shared_from_this (), std::placeholders::_1));	
 		}
 		else
 			i2p::garlic::GarlicDestination::HandleDeliveryStatusMessage (msg);
@@ -313,42 +400,44 @@ namespace client
 		i2p::garlic::GarlicDestination::SetLeaseSetUpdated ();	
 		UpdateLeaseSet ();
 		if (m_IsPublic)
+		{
+			m_PublishVerificationTimer.cancel ();
 			Publish ();
+		}
 	}
 		
 	void ClientDestination::Publish ()
 	{	
 		if (!m_LeaseSet || !m_Pool) 
 		{
-			LogPrint (eLogError, "Can't publish non-existing LeaseSet");
+			LogPrint (eLogError, "Destination: Can't publish non-existing LeaseSet");
 			return;
 		}
 		if (m_PublishReplyToken)
 		{
-			LogPrint (eLogInfo, "Publishing is pending");
+			LogPrint (eLogDebug, "Destination: Publishing LeaseSet is pending");
 			return;
 		}
 		auto outbound = m_Pool->GetNextOutboundTunnel ();
 		if (!outbound)
 		{
-			LogPrint ("Can't publish LeaseSet. No outbound tunnels");
+			LogPrint (eLogError, "Destination: Can't publish LeaseSet. No outbound tunnels");
 			return;
 		}
-		std::set<i2p::data::IdentHash> excluded; 
 		auto floodfill = i2p::data::netdb.GetClosestFloodfill (m_LeaseSet->GetIdentHash (), m_ExcludedFloodfills);	
 		if (!floodfill)
 		{
-			LogPrint ("Can't publish LeaseSet. No more floodfills found");
+			LogPrint (eLogError, "Destination: Can't publish LeaseSet, no more floodfills found");
 			m_ExcludedFloodfills.clear ();
 			return;
 		}	
 		m_ExcludedFloodfills.insert (floodfill->GetIdentHash ());
-		LogPrint (eLogDebug, "Publish LeaseSet of ", GetIdentHash ().ToBase32 ());
-		m_PublishReplyToken = i2p::context.GetRandomNumberGenerator ().GenerateWord32 ();
+		LogPrint (eLogDebug, "Destination: Publish LeaseSet of ", GetIdentHash ().ToBase32 ());
+		RAND_bytes ((uint8_t *)&m_PublishReplyToken, 4);
 		auto msg = WrapMessage (floodfill, i2p::CreateDatabaseStoreMsg (m_LeaseSet, m_PublishReplyToken));			
 		m_PublishConfirmationTimer.expires_from_now (boost::posix_time::seconds(PUBLISH_CONFIRMATION_TIMEOUT));
 		m_PublishConfirmationTimer.async_wait (std::bind (&ClientDestination::HandlePublishConfirmationTimer,
-			this, std::placeholders::_1));	
+			shared_from_this (), std::placeholders::_1));	
 		outbound->SendTunnelDataMsg (floodfill->GetIdentHash (), 0, msg);	
 	}
 
@@ -358,13 +447,41 @@ namespace client
 		{	
 			if (m_PublishReplyToken)
 			{
-				LogPrint (eLogWarning, "Publish confirmation was not received in ", PUBLISH_CONFIRMATION_TIMEOUT,  "seconds. Try again");
+				LogPrint (eLogWarning, "Destination: Publish confirmation was not received in ", PUBLISH_CONFIRMATION_TIMEOUT,  " seconds, will try again");
 				m_PublishReplyToken = 0;
 				Publish ();
 			}
 		}
 	}
 
+	void ClientDestination::HandlePublishVerificationTimer (const boost::system::error_code& ecode)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+		{	
+			auto s = shared_from_this ();
+			RequestLeaseSet (GetIdentHash (), 
+				// "this" added due to bug in gcc 4.7-4.8
+				[s,this](std::shared_ptr<i2p::data::LeaseSet> leaseSet)
+				{
+					if (leaseSet)
+					{
+						if (s->m_LeaseSet && *s->m_LeaseSet == *leaseSet)
+						{
+							// we got latest LeasetSet
+							LogPrint (eLogDebug, "Destination: published LeaseSet verified");
+							s->m_PublishVerificationTimer.expires_from_now (boost::posix_time::seconds(PUBLISH_REGULAR_VERIFICATION_INTERNAL));
+							s->m_PublishVerificationTimer.async_wait (std::bind (&ClientDestination::HandlePublishVerificationTimer, s, std::placeholders::_1));	
+							return;
+						}		
+					}	
+					else
+						LogPrint (eLogWarning, "Destination: couldn't find published LeaseSet");
+					// we have to publish again
+					s->Publish ();	
+				});
+		}
+	}
+
 	void ClientDestination::HandleDataMessage (const uint8_t * buf, size_t len)
 	{
 		uint32_t length = bufbe32toh (buf);
@@ -381,7 +498,7 @@ namespace client
 				if (dest)
 					dest->HandleDataMessagePayload (buf, length);
 				else
-					LogPrint ("Missing streaming destination");
+					LogPrint (eLogError, "Destination: Missing streaming destination");
 			}
 			break;
 			case PROTOCOL_TYPE_DATAGRAM:
@@ -389,33 +506,33 @@ namespace client
 				if (m_DatagramDestination)
 					m_DatagramDestination->HandleDataMessagePayload (fromPort, toPort, buf, length);
 				else
-					LogPrint ("Missing streaming destination");
+					LogPrint (eLogError, "Destination: Missing datagram destination");
 			break;
 			default:
-				LogPrint ("Data: unexpected protocol ", buf[9]);
+				LogPrint (eLogError, "Destination: Data: unexpected protocol ", buf[9]);
 		}
 	}	
 
-	void ClientDestination::CreateStream (StreamRequestComplete streamRequestComplete, const i2p::data::IdentHash& dest, int port) {
-		assert(streamRequestComplete);
+	void ClientDestination::CreateStream (StreamRequestComplete streamRequestComplete, const i2p::data::IdentHash& dest, int port) 
+	{
+		if (!streamRequestComplete) 
+		{
+			LogPrint (eLogError, "Destination: request callback is not specified in CreateStream");
+			return;
+		}	
 		auto leaseSet = FindLeaseSet (dest);
 		if (leaseSet)
 			streamRequestComplete(CreateStream (leaseSet, port));
 		else
 		{
+			auto s = shared_from_this ();
 			RequestDestination (dest,
-				[this, streamRequestComplete, dest, port](bool success)
+				[s, streamRequestComplete, port](std::shared_ptr<i2p::data::LeaseSet> ls)
 				{
-					if (!success)
-						streamRequestComplete (nullptr);
+					if (ls)
+						streamRequestComplete(s->CreateStream (ls, port));
 					else
-					{
-						auto leaseSet = FindLeaseSet (dest);
-						if (leaseSet)
-							streamRequestComplete(CreateStream (leaseSet, port));
-						else
-							streamRequestComplete (nullptr);
-					}
+						streamRequestComplete (nullptr);
 				});
 		}
 	}
@@ -459,9 +576,9 @@ namespace client
 		return false;
 	}	
 
-	std::shared_ptr<i2p::stream::StreamingDestination> ClientDestination::CreateStreamingDestination (int port)
+	std::shared_ptr<i2p::stream::StreamingDestination> ClientDestination::CreateStreamingDestination (int port, bool gzip)
 	{
-		auto dest = std::make_shared<i2p::stream::StreamingDestination> (*this, port); 
+		auto dest = std::make_shared<i2p::stream::StreamingDestination> (shared_from_this (), port, gzip); 
 		if (port)
 			m_StreamingDestinationsByPorts[port] = dest;
 		else // update default 
@@ -472,7 +589,7 @@ namespace client
 	i2p::datagram::DatagramDestination * ClientDestination::CreateDatagramDestination ()
 	{
 		if (!m_DatagramDestination)
-			m_DatagramDestination = new i2p::datagram::DatagramDestination (*this);
+			m_DatagramDestination = new i2p::datagram::DatagramDestination (shared_from_this ());
 		return m_DatagramDestination;	
 	}
 
@@ -480,69 +597,85 @@ namespace client
 	{
 		if (!m_Pool || !IsReady ()) 
 		{	
-			if (requestComplete) requestComplete (false);
+			if (requestComplete) requestComplete (nullptr);
 			return false;
 		}	
-		m_Service.post (std::bind (&ClientDestination::RequestLeaseSet, this, dest, requestComplete));
+		m_Service.post (std::bind (&ClientDestination::RequestLeaseSet, shared_from_this (), dest, requestComplete));
 		return true;
 	}
 
+	void ClientDestination::CancelDestinationRequest (const i2p::data::IdentHash& dest)
+	{
+		auto s = shared_from_this ();
+		m_Service.post ([dest, s](void)
+			{
+				auto it = s->m_LeaseSetRequests.find (dest);
+				if (it != s->m_LeaseSetRequests.end ())
+				{	
+					auto requestComplete = it->second->requestComplete; 
+					s->m_LeaseSetRequests.erase (it);
+					if (requestComplete) requestComplete (nullptr);
+				}	
+			});				
+	}
+		
 	void ClientDestination::RequestLeaseSet (const i2p::data::IdentHash& dest, RequestComplete requestComplete)
 	{
 		std::set<i2p::data::IdentHash> excluded;
 		auto floodfill = i2p::data::netdb.GetClosestFloodfill (dest, excluded);
 		if (floodfill)
 		{
-			LeaseSetRequest * request = new LeaseSetRequest (m_Service);
+			auto request = std::make_shared<LeaseSetRequest> (m_Service);
 			request->requestComplete = requestComplete;
-			auto ret = m_LeaseSetRequests.insert (std::pair<i2p::data::IdentHash, LeaseSetRequest *>(dest,request));
+			auto ret = m_LeaseSetRequests.insert (std::pair<i2p::data::IdentHash, std::shared_ptr<LeaseSetRequest> >(dest,request));
 			if (ret.second) // inserted
 			{
 				if (!SendLeaseSetRequest (dest, floodfill, request))
 				{
 					// request failed
-					if (request->requestComplete) request->requestComplete (false);
-					delete request;
 					m_LeaseSetRequests.erase (dest);
+					if (request->requestComplete) request->requestComplete (nullptr);
 				}
 			}	
 			else // duplicate
 			{
-				LogPrint (eLogError, "Request of ", dest.ToBase64 (), " is pending already");
+				LogPrint (eLogWarning, "Destination: Request of LeaseSet ", dest.ToBase64 (), " is pending already");
 				// TODO: queue up requests
-				if (request->requestComplete) request->requestComplete (false);
-				delete request;
+				if (request->requestComplete) request->requestComplete (nullptr);
 			}	
 		}	
 		else
-			LogPrint (eLogError, "No floodfills found");	
+		{	
+			LogPrint (eLogError, "Destination: Can't request LeaseSet, no floodfills found");
+			if (requestComplete) requestComplete (nullptr);
+		}	
 	}	
 		
 	bool ClientDestination::SendLeaseSetRequest (const i2p::data::IdentHash& dest, 
-		std::shared_ptr<const i2p::data::RouterInfo>  nextFloodfill, LeaseSetRequest * request)
+		std::shared_ptr<const i2p::data::RouterInfo>  nextFloodfill, std::shared_ptr<LeaseSetRequest> request)
 	{
-		auto replyTunnel = m_Pool->GetNextInboundTunnel ();
-		if (!replyTunnel) LogPrint (eLogError, "No inbound tunnels found");	
-		
-		auto outboundTunnel = m_Pool->GetNextOutboundTunnel ();
-		if (!outboundTunnel) LogPrint (eLogError, "No outbound tunnels found");		
+		if (!request->replyTunnel || !request->replyTunnel->IsEstablished ())
+			request->replyTunnel = m_Pool->GetNextInboundTunnel ();
+		if (!request->replyTunnel) LogPrint (eLogError, "Destination: Can't send LeaseSet request, no inbound tunnels found");
+		if (!request->outboundTunnel || !request->outboundTunnel->IsEstablished ())
+			request->outboundTunnel = m_Pool->GetNextOutboundTunnel ();
+		if (!request->outboundTunnel) LogPrint (eLogError, "Destination: Can't send LeaseSet request, no outbound tunnels found");
 			
-		if (replyTunnel && outboundTunnel)
+		if (request->replyTunnel && request->outboundTunnel)
 		{	
 			request->excluded.insert (nextFloodfill->GetIdentHash ());
 			request->requestTime = i2p::util::GetSecondsSinceEpoch ();
 			request->requestTimeoutTimer.cancel ();
 
-			CryptoPP::AutoSeededRandomPool rnd;
 			uint8_t replyKey[32], replyTag[32];
-			rnd.GenerateBlock (replyKey, 32); // random session key 
-			rnd.GenerateBlock (replyTag, 32); // random session tag
+			RAND_bytes (replyKey, 32); // random session key 
+			RAND_bytes (replyTag, 32); // random session tag
 			AddSessionKey (replyKey, replyTag);
 
-			I2NPMessage * msg = WrapMessage (nextFloodfill,
+			auto msg = WrapMessage (nextFloodfill,
 				CreateLeaseSetDatabaseLookupMsg (dest, request->excluded, 
-					replyTunnel.get (), replyKey, replyTag));
-			outboundTunnel->SendTunnelDataMsg (
+					request->replyTunnel, replyKey, replyTag));
+			request->outboundTunnel->SendTunnelDataMsg (
 				{
 					i2p::tunnel::TunnelMessageBlock 
 					{ 
@@ -552,7 +685,7 @@ namespace client
 				});	
 			request->requestTimeoutTimer.expires_from_now (boost::posix_time::seconds(LEASESET_REQUEST_TIMEOUT));
 			request->requestTimeoutTimer.async_wait (std::bind (&ClientDestination::HandleRequestTimoutTimer,
-				this, std::placeholders::_1, dest));
+				shared_from_this (), std::placeholders::_1, dest));
 		}	
 		else
 			return false;
@@ -572,21 +705,26 @@ namespace client
 				{
 					auto floodfill = i2p::data::netdb.GetClosestFloodfill (dest, it->second->excluded);
 					if (floodfill)
-						 done = !SendLeaseSetRequest (dest, floodfill, it->second);
+					{
+						// reset tunnels, because one them might fail
+						it->second->outboundTunnel = nullptr;
+						it->second->replyTunnel = nullptr;		
+						done = !SendLeaseSetRequest (dest, floodfill, it->second);
+					}
 					else
 						done = true;
 				}
 				else
 				{	
-					LogPrint (eLogInfo, dest.ToBase64 (), " was not found within ",  MAX_LEASESET_REQUEST_TIMEOUT, " seconds");
+					LogPrint (eLogWarning, "Destination: ", dest.ToBase64 (), " was not found within ",  MAX_LEASESET_REQUEST_TIMEOUT, " seconds");
 					done = true;
 				}
 				
 				if (done)
 				{
-					if (it->second->requestComplete) it->second->requestComplete (false);
-					delete it->second;
+					auto requestComplete = it->second->requestComplete; 
 					m_LeaseSetRequests.erase (it);
+					if (requestComplete) requestComplete (nullptr);
 				}	
 			}	
 		}	
@@ -596,26 +734,51 @@ namespace client
 	{
 		if (ecode != boost::asio::error::operation_aborted)
 		{
-			CleanupRoutingSessions ();
+			CleanupExpiredTags ();
 			CleanupRemoteLeaseSets ();
 			m_CleanupTimer.expires_from_now (boost::posix_time::minutes (DESTINATION_CLEANUP_TIMEOUT));
 			m_CleanupTimer.async_wait (std::bind (&ClientDestination::HandleCleanupTimer,
-				this, std::placeholders::_1));
+				shared_from_this (), std::placeholders::_1));
 		}
 	}	
 
 	void ClientDestination::CleanupRemoteLeaseSets ()
 	{
+		auto ts = i2p::util::GetMillisecondsSinceEpoch ();
 		for (auto it = m_RemoteLeaseSets.begin (); it != m_RemoteLeaseSets.end ();)
 		{
-			if (!it->second->HasNonExpiredLeases ()) // all leases expired
+			if (it->second->IsEmpty () || ts > it->second->GetExpirationTime ()) // leaseset expired
 			{
-				LogPrint ("Remote LeaseSet ", it->second->GetIdentHash ().ToBase64 (), " expired");
+				LogPrint (eLogWarning, "Destination: Remote LeaseSet ", it->second->GetIdentHash ().ToBase64 (), " expired");
 				it = m_RemoteLeaseSets.erase (it);
 			}	
 			else 
 				it++;
 		}
 	}
+
+	void ClientDestination::PersistTemporaryKeys ()
+	{
+		std::string ident = GetIdentHash().ToBase32();
+		std::string path  = i2p::fs::DataDirPath("destinations", (ident + ".dat"));
+		std::ifstream f(path, std::ifstream::binary);
+
+		if (f) {
+			f.read ((char *)m_EncryptionPublicKey,  256);
+			f.read ((char *)m_EncryptionPrivateKey, 256);
+			return;
+		}
+
+		LogPrint (eLogInfo, "Destination: Creating new temporary keys for address ", ident, ".b32.i2p");
+		i2p::crypto::GenerateElGamalKeyPair(m_EncryptionPrivateKey, m_EncryptionPublicKey);
+
+		std::ofstream f1 (path, std::ofstream::binary | std::ofstream::out);
+		if (f1) {
+			f1.write ((char *)m_EncryptionPublicKey,  256);
+			f1.write ((char *)m_EncryptionPrivateKey, 256);
+			return;
+		}
+		LogPrint(eLogError, "Destinations: Can't save keys to ", path);
+	}
 }
 }

Destination.h

@@ -11,7 +11,7 @@
 #include <boost/asio.hpp>
 #include "Identity.h"
 #include "TunnelPool.h"
-#include "CryptoConst.h"
+#include "Crypto.h"
 #include "LeaseSet.h"
 #include "Garlic.h"
 #include "NetDb.h"
@@ -26,23 +26,34 @@ namespace client
 	const uint8_t PROTOCOL_TYPE_DATAGRAM = 17;
 	const uint8_t PROTOCOL_TYPE_RAW = 18;	
 	const int PUBLISH_CONFIRMATION_TIMEOUT = 5; // in seconds
+	const int PUBLISH_VERIFICATION_TIMEOUT = 10; // in seconds after successfull publish
+	const int PUBLISH_REGULAR_VERIFICATION_INTERNAL = 100; // in seconds periodically	
 	const int LEASESET_REQUEST_TIMEOUT = 5; // in seconds
 	const int MAX_LEASESET_REQUEST_TIMEOUT = 40; // in seconds
-	const int MAX_NUM_FLOODFILLS_PER_REQUEST = 7;
-	const int DESTINATION_CLEANUP_TIMEOUT = 20; // in minutes 
+	const int DESTINATION_CLEANUP_TIMEOUT = 3; // in minutes 
+	const unsigned int MAX_NUM_FLOODFILLS_PER_REQUEST = 7;
 	
 	// I2CP
 	const char I2CP_PARAM_INBOUND_TUNNEL_LENGTH[] = "inbound.length";
 	const int DEFAULT_INBOUND_TUNNEL_LENGTH = 3;
 	const char I2CP_PARAM_OUTBOUND_TUNNEL_LENGTH[] = "outbound.length";
 	const int DEFAULT_OUTBOUND_TUNNEL_LENGTH = 3;
+	const char I2CP_PARAM_INBOUND_TUNNELS_QUANTITY[] = "inbound.quantity";
+	const int DEFAULT_INBOUND_TUNNELS_QUANTITY = 5;
+	const char I2CP_PARAM_OUTBOUND_TUNNELS_QUANTITY[] = "outbound.quantity";
+	const int DEFAULT_OUTBOUND_TUNNELS_QUANTITY = 5;
+	const char I2CP_PARAM_EXPLICIT_PEERS[] = "explicitPeers";
 	const int STREAM_REQUEST_TIMEOUT = 60; //in seconds
+	const char I2CP_PARAM_TAGS_TO_SEND[] = "crypto.tagsToSend";
+	const int DEFAULT_TAGS_TO_SEND = 40;
 
 	typedef std::function<void (std::shared_ptr<i2p::stream::Stream> stream)> StreamRequestComplete;
 
-	class ClientDestination: public i2p::garlic::GarlicDestination
+	class ClientDestination: public i2p::garlic::GarlicDestination,
+		public std::enable_shared_from_this<ClientDestination>
 	{
-		typedef std::function<void (bool success)> RequestComplete;
+		typedef std::function<void (std::shared_ptr<i2p::data::LeaseSet> leaseSet)> RequestComplete;
+		// leaseSet = nullptr means not found
 		struct LeaseSetRequest
 		{
 			LeaseSetRequest (boost::asio::io_service& service): requestTime (0), requestTimeoutTimer (service) {};
@@ -50,6 +61,8 @@ namespace client
 			uint64_t requestTime;
 			boost::asio::deadline_timer requestTimeoutTimer;
 			RequestComplete requestComplete;
+			std::shared_ptr<i2p::tunnel::OutboundTunnel> outboundTunnel;
+			std::shared_ptr<i2p::tunnel::InboundTunnel> replyTunnel;
 		};	
 		
 		
@@ -63,12 +76,13 @@ namespace client
 			bool IsRunning () const { return m_IsRunning; };
 			boost::asio::io_service& GetService () { return m_Service; };
 			std::shared_ptr<i2p::tunnel::TunnelPool> GetTunnelPool () { return m_Pool; }; 
-			bool IsReady () const { return m_LeaseSet && m_LeaseSet->HasNonExpiredLeases (); };
+			bool IsReady () const { return m_LeaseSet && !m_LeaseSet->IsExpired () && m_Pool->GetOutboundTunnels ().size () > 0; };
 			std::shared_ptr<const i2p::data::LeaseSet> FindLeaseSet (const i2p::data::IdentHash& ident);
 			bool RequestDestination (const i2p::data::IdentHash& dest, RequestComplete requestComplete = nullptr);
+			void CancelDestinationRequest (const i2p::data::IdentHash& dest);	
 			
 			// streaming
-			std::shared_ptr<i2p::stream::StreamingDestination> CreateStreamingDestination (int port); // additional
+			std::shared_ptr<i2p::stream::StreamingDestination> CreateStreamingDestination (int port, bool gzip = true); // additional
 			std::shared_ptr<i2p::stream::StreamingDestination> GetStreamingDestination (int port = 0) const;
 			// following methods operate with default streaming destination
 			void CreateStream (StreamRequestComplete streamRequestComplete, const i2p::data::IdentHash& dest, int port = 0);
@@ -87,13 +101,14 @@ namespace client
 			const uint8_t * GetEncryptionPublicKey () const { return m_EncryptionPublicKey; };
 			
 			// implements GarlicDestination
-			const i2p::data::LeaseSet * GetLeaseSet ();
+			std::shared_ptr<const i2p::data::LeaseSet> GetLeaseSet ();
+			std::shared_ptr<i2p::tunnel::TunnelPool> GetTunnelPool () const { return m_Pool; }
 			void HandleI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from);
 
 			// override GarlicDestination
 			bool SubmitSessionKey (const uint8_t * key, const uint8_t * tag);
-			void ProcessGarlicMessage (I2NPMessage * msg);
-			void ProcessDeliveryStatusMessage (I2NPMessage * msg);	
+			void ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg);
+			void ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg);	
 			void SetLeaseSetUpdated ();
 
 			// I2CP
@@ -105,16 +120,18 @@ namespace client
 			void UpdateLeaseSet ();
 			void Publish ();
 			void HandlePublishConfirmationTimer (const boost::system::error_code& ecode);
+			void HandlePublishVerificationTimer (const boost::system::error_code& ecode);
 			void HandleDatabaseStoreMessage (const uint8_t * buf, size_t len);
 			void HandleDatabaseSearchReplyMessage (const uint8_t * buf, size_t len);
-			void HandleDeliveryStatusMessage (I2NPMessage * msg);		
+			void HandleDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg);		
 
 			void RequestLeaseSet (const i2p::data::IdentHash& dest, RequestComplete requestComplete);
-			bool SendLeaseSetRequest (const i2p::data::IdentHash& dest, std::shared_ptr<const i2p::data::RouterInfo>  nextFloodfill, LeaseSetRequest * request);	
+			bool SendLeaseSetRequest (const i2p::data::IdentHash& dest, std::shared_ptr<const i2p::data::RouterInfo>  nextFloodfill, std::shared_ptr<LeaseSetRequest> request);	
 			void HandleRequestTimoutTimer (const boost::system::error_code& ecode, const i2p::data::IdentHash& dest);
 			void HandleCleanupTimer (const boost::system::error_code& ecode);
 			void CleanupRemoteLeaseSets ();
-			
+			void PersistTemporaryKeys ();			
+
 		private:
 
 			volatile bool m_IsRunning;
@@ -124,10 +141,10 @@ namespace client
 			i2p::data::PrivateKeys m_Keys;
 			uint8_t m_EncryptionPublicKey[256], m_EncryptionPrivateKey[256];
 			std::map<i2p::data::IdentHash, std::shared_ptr<i2p::data::LeaseSet> > m_RemoteLeaseSets;
-			std::map<i2p::data::IdentHash, LeaseSetRequest *> m_LeaseSetRequests;
+			std::map<i2p::data::IdentHash, std::shared_ptr<LeaseSetRequest> > m_LeaseSetRequests;
 
 			std::shared_ptr<i2p::tunnel::TunnelPool> m_Pool;
-			i2p::data::LeaseSet * m_LeaseSet;
+			std::shared_ptr<i2p::data::LeaseSet> m_LeaseSet;
 			bool m_IsPublic;
 			uint32_t m_PublishReplyToken;
 			std::set<i2p::data::IdentHash> m_ExcludedFloodfills; // for publishing
@@ -136,7 +153,7 @@ namespace client
 			std::map<uint16_t, std::shared_ptr<i2p::stream::StreamingDestination> > m_StreamingDestinationsByPorts;
 			i2p::datagram::DatagramDestination * m_DatagramDestination;
 	
-			boost::asio::deadline_timer m_PublishConfirmationTimer, m_CleanupTimer;
+			boost::asio::deadline_timer m_PublishConfirmationTimer, m_PublishVerificationTimer, m_CleanupTimer;
 
 		public:
 			

ElGamal.h

@@ -1,89 +0,0 @@
-#ifndef EL_GAMAL_H__
-#define EL_GAMAL_H__
-
-#include <inttypes.h>
-#include <cryptopp/integer.h>
-#include <cryptopp/osrng.h>
-#include <cryptopp/dh.h>
-#include <cryptopp/sha.h>
-#include "CryptoConst.h"
-#include "Log.h"
-
-namespace i2p
-{
-namespace crypto
-{
-
-	class ElGamalEncryption
-	{
-		public:
-
-			ElGamalEncryption (const uint8_t * key)
-			{
-				CryptoPP::AutoSeededRandomPool rnd;	
-				CryptoPP::Integer y (key, 256), k (rnd, CryptoPP::Integer::One(), elgp-1);
-				a = a_exp_b_mod_c (elgg, k, elgp);
-				b1 = a_exp_b_mod_c (y, k, elgp);
-			}
-
-			void Encrypt (const uint8_t * data, int len, uint8_t * encrypted, bool zeroPadding = false)
-			{
-				// calculate b = b1*m mod p
-				uint8_t m[255];
-				m[0] = 0xFF;
-				memcpy (m+33, data, len);
-				CryptoPP::SHA256().CalculateDigest(m+1, m+33, 222);
-				CryptoPP::Integer b (a_times_b_mod_c (b1, CryptoPP::Integer (m, 255), elgp));
-
-				// copy a and b
-				if (zeroPadding)
-				{
-					encrypted[0] = 0;
-					a.Encode (encrypted + 1, 256);
-					encrypted[257] = 0;
-					b.Encode (encrypted + 258, 256);
-				}	
-				else
-				{
-					a.Encode (encrypted, 256);	
-					b.Encode (encrypted + 256, 256);
-				}	
-			}
-
-		private:
-
-			CryptoPP::Integer a, b1;	
-	};
-
-	inline bool ElGamalDecrypt (const uint8_t * key, const uint8_t * encrypted, 
-		uint8_t * data, bool zeroPadding = false)
-	{
-		CryptoPP::Integer x(key, 256), a(zeroPadding? encrypted +1 : encrypted, 256), 
-			b(zeroPadding? encrypted + 258 :encrypted + 256, 256);
-		uint8_t m[255], hash[32];
-		a_times_b_mod_c (b, a_exp_b_mod_c (a, elgp - x - 1, elgp), elgp).Encode (m, 255);
-		CryptoPP::SHA256().CalculateDigest(hash, m+33, 222);
-		for (int i = 0; i < 32; i++)
-			if (hash[i] != m[i+1])
-			{
-				LogPrint ("ElGamal decrypt hash doesn't match");
-				return false;
-			}
-		memcpy (data, m + 33, 222);
-		return true;
-	}	
-
-	inline void GenerateElGamalKeyPair (CryptoPP::RandomNumberGenerator& rnd, uint8_t * priv, uint8_t * pub)
-	{
-#if defined(__x86_64__) || defined(__i386__) || defined(_MSC_VER)	
-		rnd.GenerateBlock (priv, 256);
-		a_exp_b_mod_c (elgg, CryptoPP::Integer (priv, 256), elgp).Encode (pub, 256);
-#else
-		CryptoPP::DH dh (elgp, elgg);
-		dh.GenerateKeyPair(rnd, priv, pub);	
-#endif		
-	}	
-}
-}	
-
-#endif

FS.cpp

@@ -0,0 +1,165 @@
+/*
+* Copyright (c) 2013-2016, The PurpleI2P Project
+*
+* This file is part of Purple i2pd project and licensed under BSD3
+*
+* See full license text in LICENSE file at top of project tree
+*/
+
+#include <algorithm>
+#include <boost/filesystem.hpp>
+
+#ifdef _WIN32
+#include <shlobj.h>
+#endif
+
+#include "Base.h"
+#include "FS.h"
+#include "Log.h"
+
+namespace i2p {
+namespace fs {
+  std::string appName = "i2pd";
+  std::string dataDir = "";
+#ifdef _WIN32
+  std::string dirSep = "\\";
+#else
+  std::string dirSep = "/";
+#endif
+
+  const std::string & GetAppName () {
+    return appName;
+  }
+
+  void SetAppName (const std::string& name) {
+    appName = name;
+  }
+
+  const std::string & GetDataDir () {
+    return dataDir;
+  }
+
+  void DetectDataDir(const std::string & cmdline_param, bool isService) {
+    if (cmdline_param != "") {
+      dataDir = cmdline_param;
+      return;
+    }
+#if defined(WIN32) || defined(_WIN32)
+    char localAppData[MAX_PATH];
+    SHGetFolderPath(NULL, CSIDL_APPDATA, 0, NULL, localAppData);
+    dataDir = std::string(localAppData) + "\\" + appName;
+    return;
+#elif defined(MAC_OSX)
+    char *home = getenv("HOME");
+    dataDir = (home != NULL && strlen(home) > 0) ? home : "";
+    dataDir += "/Library/Application Support/" + appName;
+    return;
+#else /* other unix */
+    char *home = getenv("HOME");
+    if (isService) {
+      dataDir = "/var/lib/" + appName;
+    } else if (home != NULL && strlen(home) > 0) {
+      dataDir = std::string(home) + "/." + appName;
+    } else {
+      dataDir = "/tmp/" + appName;
+    }
+    return;
+#endif
+  }
+
+  bool Init() {
+    if (!boost::filesystem::exists(dataDir))
+      boost::filesystem::create_directory(dataDir);
+    std::string destinations = DataDirPath("destinations");
+    if (!boost::filesystem::exists(destinations))
+      boost::filesystem::create_directory(destinations);
+
+    return true;
+  }
+
+  bool ReadDir(const std::string & path, std::vector<std::string> & files) {
+    if (!boost::filesystem::exists(path))
+      return false;
+    boost::filesystem::directory_iterator it(path);
+    boost::filesystem::directory_iterator end;
+
+    for ( ; it != end; it++) {
+      if (!boost::filesystem::is_regular_file(it->status()))
+        continue;
+      files.push_back(it->path().string());
+    }
+
+    return true;
+  }
+
+  bool Exists(const std::string & path) {
+    return boost::filesystem::exists(path);
+  }
+
+  bool Remove(const std::string & path) {
+    if (!boost::filesystem::exists(path))
+      return false;
+    return boost::filesystem::remove(path);
+  }
+
+  	bool CreateDirectory (const std::string& path)
+	{
+		if (boost::filesystem::exists(path) && 
+			boost::filesystem::is_directory (boost::filesystem::status (path))) return true;
+		return boost::filesystem::create_directory(path);
+	}			
+
+  void HashedStorage::SetPlace(const std::string &path) {
+    root = path + i2p::fs::dirSep + name;
+  }
+
+  bool HashedStorage::Init(const char * chars, size_t count) {
+    if (!boost::filesystem::exists(root)) {
+      boost::filesystem::create_directories(root);
+    }
+    
+    for (size_t i = 0; i < count; i++) {
+      auto p = root + i2p::fs::dirSep + prefix1 + chars[i];
+      if (boost::filesystem::exists(p))
+        continue;
+      if (boost::filesystem::create_directory(p))
+        continue; /* ^ throws exception on failure */
+      return false;
+    }
+    return true;
+  }
+
+  std::string HashedStorage::Path(const std::string & ident) const {
+    std::string safe_ident = ident;
+    std::replace(safe_ident.begin(), safe_ident.end(), '/',  '-');
+    std::replace(safe_ident.begin(), safe_ident.end(), '\\', '-');
+
+    std::stringstream t("");
+    t << this->root << i2p::fs::dirSep;
+    t << prefix1 << safe_ident[0] << i2p::fs::dirSep;
+    t << prefix2 << safe_ident    << "." << suffix;
+
+    return t.str();
+  }
+
+  void HashedStorage::Remove(const std::string & ident) {
+    std::string path = Path(ident);
+    if (!boost::filesystem::exists(path))
+      return;
+    boost::filesystem::remove(path);
+  }
+
+  void HashedStorage::Traverse(std::vector<std::string> & files) {
+    boost::filesystem::path p(root);
+    boost::filesystem::recursive_directory_iterator it(p);
+    boost::filesystem::recursive_directory_iterator end;
+
+    for ( ; it != end; it++) {
+      if (!boost::filesystem::is_regular_file( it->status() ))
+        continue;
+      const std::string & t = it->path().string();
+      files.push_back(t);
+    }
+  }
+} // fs
+} // i2p

FS.h

@@ -0,0 +1,155 @@
+/*
+* Copyright (c) 2013-2016, The PurpleI2P Project
+*
+* This file is part of Purple i2pd project and licensed under BSD3
+*
+* See full license text in LICENSE file at top of project tree
+*/
+
+#ifndef FS_H__
+#define FS_H__
+
+#include <vector>
+#include <string>
+#include <iostream>
+#include <sstream>
+
+namespace i2p {
+namespace fs {
+  extern std::string dirSep;
+
+  /**
+   * @brief Class to work with NetDb & Router profiles
+   *
+   * Usage:
+   *
+   * const char alphabet[8] = {'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h'};
+   * auto h = HashedStorage("name", "y", "z-", ".txt");
+   * h.SetPlace("/tmp/hs-test");
+   * h.GetName()          -> gives "name"
+   * h.GetRoot()          -> gives "/tmp/hs-test/name"
+   * h.Init(alphabet, 8); <- creates needed dirs, 8 is size of alphabet
+   * h.Path("abcd");      <- returns /tmp/hs-test/name/ya/z-abcd.txt
+   * h.Remove("abcd");    <- removes /tmp/hs-test/name/ya/z-abcd.txt, if it exists
+   * std::vector<std::string> files;
+   * h.Traverse(files);   <- finds all files in storage and saves in given vector
+   */
+  class HashedStorage {
+    protected:
+      std::string root;    /**< path to storage with it's name included */
+      std::string name;    /**< name of the storage */
+      std::string prefix1; /**< hashed directory prefix */
+      std::string prefix2; /**< prefix of file in storage */
+      std::string suffix;  /**< suffix of file in storage (extension) */
+
+    public:
+      HashedStorage(const char *n, const char *p1, const char *p2, const char *s):
+        name(n), prefix1(p1), prefix2(p2), suffix(s) {};
+
+      /** create subdirs in storage */
+      bool Init(const char* chars, size_t cnt);
+      const std::string & GetRoot() const { return root; }
+      const std::string & GetName() const { return name; }
+      /** set directory where to place storage directory */
+      void SetPlace(const std::string & path);
+      /** path to file with given ident */
+      std::string Path(const std::string & ident) const;
+      /** remove file by ident */
+      void Remove(const std::string & ident);
+      /** find all files in storage and store list in provided vector */
+      void Traverse(std::vector<std::string> & files);
+  };
+
+  /** @brief Returns current application name, default 'i2pd' */
+	const std::string & GetAppName ();
+  /** @brief Set applicaton name, affects autodetection of datadir */
+	void SetAppName (const std::string& name);
+
+  /** @brief Returns datadir path */
+  const std::string & GetDataDir();
+
+  /**
+   * @brief Set datadir either from cmdline option or using autodetection
+   * @param cmdline_param  Value of cmdline parameter --datadir=<something>
+   * @param isService      Value of cmdline parameter --service
+   *
+   * Examples of autodetected paths:
+   *
+   *   Windows < Vista: C:\Documents and Settings\Username\Application Data\i2pd\
+   *   Windows >= Vista: C:\Users\Username\AppData\Roaming\i2pd\
+   *   Mac: /Library/Application Support/i2pd/ or ~/Library/Application Support/i2pd/
+   *   Unix: /var/lib/i2pd/ (system=1) >> ~/.i2pd/ or /tmp/i2pd/
+   */
+  void DetectDataDir(const std::string & cmdline_datadir, bool isService = false);
+
+  /**
+   * @brief Create subdirectories inside datadir
+   */
+  bool Init();
+
+  /**
+   * @brief Get list of files in directory
+   * @param path  Path to directory
+   * @param files Vector to store found files
+   * @return true on success and false if directory not exists
+   */
+  bool ReadDir(const std::string & path, std::vector<std::string> & files);
+
+  /**
+   * @brief Remove file with given path
+   * @param path Absolute path to file
+   * @return true on success, false if file not exists, throws exception on error
+   */
+  bool Remove(const std::string & path);
+
+  /**
+   * @brief Check existence of file
+   * @param path Absolute path to file
+   * @return true if file exists, false otherwise
+   */
+  bool Exists(const std::string & path);
+ 
+  bool CreateDirectory (const std::string& path);	
+
+  template<typename T>
+  void _ExpandPath(std::stringstream & path, T c) {
+    path << i2p::fs::dirSep << c;
+  }
+
+  template<typename T, typename ... Other>
+  void _ExpandPath(std::stringstream & path, T c, Other ... other) {
+    _ExpandPath(path, c);
+    _ExpandPath(path, other ...);
+  }
+
+  /**
+   * @brief Get path relative to datadir
+   *
+   * Examples (with datadir = "/tmp/i2pd"):
+   *
+   * i2p::fs::Path("test")             -> '/tmp/i2pd/test'
+   * i2p::fs::Path("test", "file.txt") -> '/tmp/i2pd/test/file.txt'
+   */
+  template<typename ... Other>
+  std::string DataDirPath(Other ... components) {
+    std::stringstream s("");
+    s << i2p::fs::GetDataDir();
+    _ExpandPath(s, components ...);
+
+    return s.str();
+  }
+
+	template<typename Storage, typename... Filename>
+	std::string StorageRootPath (const Storage& storage, Filename... filenames)
+	{
+		std::stringstream s("");
+		s << storage.GetRoot ();
+		_ExpandPath(s, filenames...);
+
+		return s.str();
+	}	
+
+} // fs
+} // i2p
+
+#endif // /* FS_H__ */

Family.cpp

@@ -0,0 +1,175 @@
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/ssl.h>
+#include "FS.h"
+#include "Log.h"
+#include "Crypto.h"
+#include "Family.h"
+
+namespace i2p
+{
+namespace data
+{
+	Families::Families ()
+	{
+	}
+
+	Families::~Families ()
+	{
+	}
+
+	void Families::LoadCertificate (const std::string& filename)
+	{
+		SSL_CTX * ctx = SSL_CTX_new (TLSv1_method ());
+		int ret = SSL_CTX_use_certificate_file (ctx, filename.c_str (), SSL_FILETYPE_PEM); 
+		if (ret)
+		{	
+			SSL * ssl = SSL_new (ctx);
+			X509 * cert = SSL_get_certificate (ssl);
+			if (cert)
+			{	
+				std::shared_ptr<i2p::crypto::Verifier> verifier;
+				// extract issuer name
+				char name[100];
+				X509_NAME_oneline (X509_get_issuer_name(cert), name, 100);
+				char * cn = strstr (name, "CN=");
+				if (cn)
+				{	
+					cn += 3;
+					char * family = strstr (cn, ".family");
+					if (family) family[0] = 0;
+				}	
+				auto pkey = X509_get_pubkey (cert);
+				int keyType = EVP_PKEY_type(pkey->type);
+				switch (keyType)
+				{
+					case EVP_PKEY_DSA:
+						// TODO:
+					break;
+					case EVP_PKEY_EC:
+					{
+						EC_KEY * ecKey = EVP_PKEY_get1_EC_KEY (pkey);
+						if (ecKey)
+						{
+							auto group = EC_KEY_get0_group (ecKey);
+							if (group)
+							{
+								int curve = EC_GROUP_get_curve_name (group);
+								if (curve == NID_X9_62_prime256v1)
+								{
+									uint8_t signingKey[64];
+									BIGNUM * x = BN_new(), * y = BN_new();
+									EC_POINT_get_affine_coordinates_GFp (group,
+										EC_KEY_get0_public_key (ecKey), x, y, NULL);
+									i2p::crypto::bn2buf (x, signingKey, 32);
+									i2p::crypto::bn2buf (y, signingKey + 32, 32);
+									BN_free (x); BN_free (y);
+									verifier = std::make_shared<i2p::crypto::ECDSAP256Verifier>(signingKey);
+								}	
+								else
+									LogPrint (eLogWarning, "Family: elliptic curve ", curve, " is not supported");
+							}
+							EC_KEY_free (ecKey);
+						}
+						break;
+					}
+					default:
+						LogPrint (eLogWarning, "Family: Certificate key type ", keyType, " is not supported");
+				}
+				EVP_PKEY_free (pkey);
+				if (verifier && cn)
+					m_SigningKeys[cn] = verifier;
+			}	
+			SSL_free (ssl);			
+		}	
+		else
+			LogPrint (eLogError, "Family: Can't open certificate file ", filename);
+		SSL_CTX_free (ctx);		
+	}
+
+	void Families::LoadCertificates ()
+	{
+		std::string certDir = i2p::fs::DataDirPath("certificates", "family");
+		std::vector<std::string> files;
+		int numCertificates = 0;
+
+		if (!i2p::fs::ReadDir(certDir, files)) {
+			LogPrint(eLogWarning, "Reseed: Can't load reseed certificates from ", certDir);
+			return;
+		}
+
+		for (const std::string & file : files) {
+			if (file.compare(file.size() - 4, 4, ".crt") != 0) {
+				LogPrint(eLogWarning, "Family: ignoring file ", file);
+				continue;
+			}
+			LoadCertificate (file);
+			numCertificates++;
+		}	
+		LogPrint (eLogInfo, "Family: ", numCertificates, " certificates loaded");
+	}
+
+	bool Families::VerifyFamily (const std::string& family, const IdentHash& ident, 
+		const char * signature, const char * key)
+	{
+		uint8_t buf[50], signatureBuf[64];
+		size_t len = family.length (), signatureLen = strlen (signature);
+		memcpy (buf, family.c_str (), len);
+		memcpy (buf + len, (const uint8_t *)ident, 32);
+		len += 32;	
+		Base64ToByteStream (signature, signatureLen, signatureBuf, 64);	
+		auto it = m_SigningKeys.find (family);
+		if (it != m_SigningKeys.end ())
+			return it->second->Verify (buf, len, signatureBuf);
+		// TODO: process key
+		return true;
+	}
+
+	std::string CreateFamilySignature (const std::string& family, const IdentHash& ident)
+	{
+		auto filename = i2p::fs::DataDirPath("family", (family + ".key"));
+		std::string sig;
+		SSL_CTX * ctx = SSL_CTX_new (TLSv1_method ());
+		int ret = SSL_CTX_use_PrivateKey_file (ctx, filename.c_str (), SSL_FILETYPE_PEM); 
+		if (ret)
+		{
+			SSL * ssl = SSL_new (ctx);
+			EVP_PKEY * pkey = SSL_get_privatekey (ssl);
+			EC_KEY * ecKey = EVP_PKEY_get1_EC_KEY (pkey);
+			if (ecKey)
+			{
+				auto group = EC_KEY_get0_group (ecKey);
+				if (group)
+				{
+					int curve = EC_GROUP_get_curve_name (group);
+					if (curve == NID_X9_62_prime256v1)
+					{
+						uint8_t signingPrivateKey[32], buf[50], signature[64];
+						i2p::crypto::bn2buf (EC_KEY_get0_private_key (ecKey), signingPrivateKey, 32);
+						i2p::crypto::ECDSAP256Signer signer (signingPrivateKey);
+						size_t len = family.length ();
+						memcpy (buf, family.c_str (), len);
+						memcpy (buf + len, (const uint8_t *)ident, 32);
+						len += 32;
+						signer.Sign (buf, len, signature);
+						len = Base64EncodingBufferSize (64);
+						char * b64 = new char[len+1];
+						len = ByteStreamToBase64 (signature, 64, b64, len);
+						b64[len] = 0;
+						sig = b64;
+						delete[] b64;
+					}
+					else
+						LogPrint (eLogWarning, "Family: elliptic curve ", curve, " is not supported");
+				}	
+			}	
+			SSL_free (ssl);		
+		}	
+		else
+			LogPrint (eLogError, "Family: Can't open keys file: ", filename);
+		SSL_CTX_free (ctx);	
+		return sig;
+	}	
+}
+}
+

Family.h

@@ -0,0 +1,38 @@
+#ifndef FAMILY_H__
+#define FAMILY_H__
+
+#include <map>
+#include <string>
+#include <memory>
+#include "Signature.h"
+#include "Identity.h"
+
+namespace i2p
+{
+namespace data
+{
+	class Families
+	{
+		public:
+
+			Families ();
+			~Families ();
+			void LoadCertificates ();
+			bool VerifyFamily (const std::string& family, const IdentHash& ident, 
+				const char * signature, const char * key = nullptr);
+
+		private:
+
+			void LoadCertificate (const std::string& filename);
+
+		private:
+
+			std::map<std::string, std::shared_ptr<i2p::crypto::Verifier> > m_SigningKeys;
+	};		
+
+	std::string CreateFamilySignature (const std::string& family, const IdentHash& ident);
+	// return base64 signature of empty string in case of failure
+}
+}
+
+#endif

Garlic.cpp

@@ -2,12 +2,14 @@
 #include "I2PEndian.h"
 #include <map>
 #include <string>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
 #include "RouterContext.h"
 #include "I2NPProtocol.h"
 #include "Tunnel.h"
 #include "TunnelPool.h"
 #include "Timestamp.h"
-#include "Destination.h"
+#include "Log.h"
 #include "Garlic.h"
 
 namespace i2p
@@ -15,17 +17,18 @@ namespace i2p
 namespace garlic
 {
 	GarlicRoutingSession::GarlicRoutingSession (GarlicDestination * owner, 
-	    std::shared_ptr<const i2p::data::RoutingDestination> destination, int numTags):
+	    std::shared_ptr<const i2p::data::RoutingDestination> destination, int numTags, bool attachLeaseSet):
 		m_Owner (owner), m_Destination (destination), m_NumTags (numTags), 
-		m_LeaseSetUpdateStatus (numTags > 0 ? eLeaseSetUpdated : eLeaseSetUpToDate)
+		m_LeaseSetUpdateStatus (attachLeaseSet ? eLeaseSetUpdated : eLeaseSetDoNotSend),
+		m_ElGamalEncryption (new i2p::crypto::ElGamalEncryption (destination->GetEncryptionPublicKey ()))
 	{
 		// create new session tags and session key
-		m_Rnd.GenerateBlock (m_SessionKey, 32);
+		RAND_bytes (m_SessionKey, 32);
 		m_Encryption.SetKey (m_SessionKey);
 	}	
 
 	GarlicRoutingSession::GarlicRoutingSession (const uint8_t * sessionKey, const SessionTag& sessionTag):
-		m_Owner (nullptr), m_Destination (nullptr), m_NumTags (1), m_LeaseSetUpdateStatus (eLeaseSetUpToDate)
+		m_Owner (nullptr), m_Destination (nullptr), m_NumTags (1), m_LeaseSetUpdateStatus (eLeaseSetDoNotSend)
 	{
 		memcpy (m_SessionKey, sessionKey, 32);
 		m_Encryption.SetKey (m_SessionKey);
@@ -39,14 +42,39 @@ namespace garlic
 			delete it.second;
 		m_UnconfirmedTagsMsgs.clear ();
 	}
-	
+
+	std::shared_ptr<GarlicRoutingPath> GarlicRoutingSession::GetSharedRoutingPath ()
+	{
+		if (!m_SharedRoutingPath) return nullptr;
+		uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
+		if (m_SharedRoutingPath->numTimesUsed >= ROUTING_PATH_MAX_NUM_TIMES_USED ||
+		    !m_SharedRoutingPath->outboundTunnel->IsEstablished () ||
+			ts*1000LL > m_SharedRoutingPath->remoteLease->endDate ||
+		    ts > m_SharedRoutingPath->updateTime + ROUTING_PATH_EXPIRATION_TIMEOUT)
+				m_SharedRoutingPath = nullptr;
+		if (m_SharedRoutingPath) m_SharedRoutingPath->numTimesUsed++;
+		return m_SharedRoutingPath;
+	}
+		
+	void GarlicRoutingSession::SetSharedRoutingPath (std::shared_ptr<GarlicRoutingPath> path)
+	{	
+		if (path && path->outboundTunnel && path->remoteLease) 
+		{	
+			path->updateTime = i2p::util::GetSecondsSinceEpoch ();
+			path->numTimesUsed = 0;
+		}	
+		else
+			path = nullptr;
+		m_SharedRoutingPath = path;
+	}
+		
 	GarlicRoutingSession::UnconfirmedTags * GarlicRoutingSession::GenerateSessionTags ()
 	{
 		auto tags = new UnconfirmedTags (m_NumTags);
 		tags->tagsCreationTime = i2p::util::GetSecondsSinceEpoch ();		
 		for (int i = 0; i < m_NumTags; i++)
 		{
-			m_Rnd.GenerateBlock (tags->sessionTags[i], 32);
+			RAND_bytes (tags->sessionTags[i], 32);
 			tags->sessionTags[i].creationTime = tags->tagsCreationTime;
 		}			
 		return tags;	
@@ -58,7 +86,7 @@ namespace garlic
 		if (msgID == m_LeaseSetUpdateMsgID)
 		{	
 			m_LeaseSetUpdateStatus = eLeaseSetUpToDate;
-			LogPrint (eLogInfo, "LeaseSet update confirmed");
+			LogPrint (eLogInfo, "Garlic: LeaseSet update confirmed");
 		}	
 		else
 			CleanupExpiredTags ();
@@ -94,22 +122,22 @@ namespace garlic
 		// delete expired unconfirmed tags
 		for (auto it = m_UnconfirmedTagsMsgs.begin (); it != m_UnconfirmedTagsMsgs.end ();)
 		{
-			if (ts >= it->second->tagsCreationTime + OUTGOING_TAGS_EXPIRATION_TIMEOUT)
+			if (ts >= it->second->tagsCreationTime + OUTGOING_TAGS_CONFIRMATION_TIMEOUT)
 			{
 				if (m_Owner)
-					m_Owner->RemoveCreatedSession (it->first);
+					m_Owner->RemoveDeliveryStatusSession (it->first);
 				delete it->second;
 				it = m_UnconfirmedTagsMsgs.erase (it);
 			}	
 			else
 				it++;
 		}	
-		return !m_SessionTags.empty () || m_UnconfirmedTagsMsgs.empty ();
+		return !m_SessionTags.empty () || !m_UnconfirmedTagsMsgs.empty ();
  	}
 
-	I2NPMessage * GarlicRoutingSession::WrapSingleMessage (I2NPMessage * msg)
+	std::shared_ptr<I2NPMessage> GarlicRoutingSession::WrapSingleMessage (std::shared_ptr<const I2NPMessage> msg)
 	{
-		I2NPMessage * m = NewI2NPMessage ();
+		auto m = NewI2NPMessage ();
 		m->Align (12); // in order to get buf aligned to 16 (12 + 4)
 		size_t len = 0;
 		uint8_t * buf = m->GetPayload () + 4; // 4 bytes for length
@@ -136,19 +164,19 @@ namespace garlic
 		// create message
 		if (!tagFound) // new session
 		{
-			LogPrint ("No garlic tags available. Use ElGamal");
+			LogPrint (eLogWarning, "Garlic: No tags available, will use ElGamal");
 			if (!m_Destination)
 			{
-				LogPrint ("Can't use ElGamal for unknown destination");
+				LogPrint (eLogError, "Garlic: Can't use ElGamal for unknown destination");
 				return nullptr;
 			}
 			// create ElGamal block
 			ElGamalBlock elGamal;
 			memcpy (elGamal.sessionKey, m_SessionKey, 32); 
-			m_Rnd.GenerateBlock (elGamal.preIV, 32); // Pre-IV
+			RAND_bytes (elGamal.preIV, 32); // Pre-IV
 			uint8_t iv[32]; // IV is first 16 bytes
-			CryptoPP::SHA256().CalculateDigest(iv, elGamal.preIV, 32); 
-			m_Destination->GetElGamalEncryption ()->Encrypt ((uint8_t *)&elGamal, sizeof(elGamal), buf, true);			
+			SHA256(elGamal.preIV, 32, iv); 
+			m_ElGamalEncryption->Encrypt ((uint8_t *)&elGamal, sizeof(elGamal), buf, true);			
 			m_Encryption.SetIV (iv);
 			buf += 514;
 			len += 514;	
@@ -158,7 +186,7 @@ namespace garlic
 			// session tag
 			memcpy (buf, tag, 32);	
 			uint8_t iv[32]; // IV is first 16 bytes
-			CryptoPP::SHA256().CalculateDigest(iv, tag, 32);
+			SHA256(tag, 32, iv);
 			m_Encryption.SetIV (iv);
 			buf += 32;
 			len += 32;		
@@ -167,13 +195,11 @@ namespace garlic
 		len += CreateAESBlock (buf, msg);
 		htobe32buf (m->GetPayload (), len);
 		m->len += len + 4;
-		FillI2NPMessageHeader (m, eI2NPGarlic);
-		if (msg)
-			DeleteI2NPMessage (msg);
+		m->FillI2NPMessageHeader (eI2NPGarlic);
 		return m;
 	}	
 
-	size_t GarlicRoutingSession::CreateAESBlock (uint8_t * buf, const I2NPMessage * msg)
+	size_t GarlicRoutingSession::CreateAESBlock (uint8_t * buf, std::shared_ptr<const I2NPMessage> msg)
 	{
 		size_t blockSize = 0;
 		bool createNewTags = m_Owner && m_NumTags && ((int)m_SessionTags.size () <= m_NumTags*2/3);
@@ -196,7 +222,7 @@ namespace garlic
 		blockSize++;
 		size_t len = CreateGarlicPayload (buf + blockSize, msg, newTags);
 		htobe32buf (payloadSize, len);
-		CryptoPP::SHA256().CalculateDigest(payloadHash, buf + blockSize, len);
+		SHA256(buf + blockSize, len, payloadHash);
 		blockSize += len;
 		size_t rem = blockSize % 16;
 		if (rem)
@@ -205,10 +231,11 @@ namespace garlic
 		return blockSize;
 	}	
 
-	size_t GarlicRoutingSession::CreateGarlicPayload (uint8_t * payload, const I2NPMessage * msg, UnconfirmedTags * newTags)
+	size_t GarlicRoutingSession::CreateGarlicPayload (uint8_t * payload, std::shared_ptr<const I2NPMessage> msg, UnconfirmedTags * newTags)
 	{
-		uint64_t ts = i2p::util::GetMillisecondsSinceEpoch () + 5000; // 5 sec
-		uint32_t msgID = m_Rnd.GenerateWord32 ();	
+		uint64_t ts = i2p::util::GetMillisecondsSinceEpoch () + 8000; // 8 sec
+		uint32_t msgID;
+		RAND_bytes ((uint8_t *)&msgID, 4);
 		size_t size = 0;
 		uint8_t * numCloves = payload + size;
 		*numCloves = 0;
@@ -225,16 +252,17 @@ namespace garlic
 			if (newTags || m_LeaseSetUpdateStatus == eLeaseSetUpdated) // new tags created or leaseset updated
 			{
 				// clove is DeliveryStatus 
-				size += CreateDeliveryStatusClove (payload + size, msgID);
-				if (size > 0) // successive?
+				auto cloveSize = CreateDeliveryStatusClove (payload + size, msgID);
+				if (cloveSize > 0) // successive?
 				{
+					size += cloveSize;
 					(*numCloves)++;
 					if (newTags) // new tags created
 						m_UnconfirmedTagsMsgs[msgID] = newTags;
 					m_Owner->DeliveryStatusSent (shared_from_this (), msgID);
 				}
 				else
-					LogPrint ("DeliveryStatus clove was not created");
+					LogPrint (eLogWarning, "Garlic: DeliveryStatus clove was not created");
 			}	
 			// attach LeaseSet
 			if (m_LeaseSetUpdateStatus == eLeaseSetUpdated) 
@@ -244,8 +272,7 @@ namespace garlic
 				m_LeaseSetSubmissionTime = i2p::util::GetMillisecondsSinceEpoch ();
 				// clove if our leaseSet must be attached
 				auto leaseSet = CreateDatabaseStoreMsg (m_Owner->GetLeaseSet ());
-				size += CreateGarlicClove (payload + size, leaseSet, false);
-				DeleteI2NPMessage (leaseSet);
+				size += CreateGarlicClove (payload + size, leaseSet, false); 
 				(*numCloves)++;
 			}
 		}	
@@ -264,9 +291,9 @@ namespace garlic
 		return size;
 	}	
 
-	size_t GarlicRoutingSession::CreateGarlicClove (uint8_t * buf, const I2NPMessage * msg, bool isDestination)
+	size_t GarlicRoutingSession::CreateGarlicClove (uint8_t * buf, std::shared_ptr<const I2NPMessage> msg, bool isDestination)
 	{
-		uint64_t ts = i2p::util::GetMillisecondsSinceEpoch () + 5000; // 5 sec
+		uint64_t ts = i2p::util::GetMillisecondsSinceEpoch () + 8000; // 8 sec
 		size_t size = 0;
 		if (isDestination && m_Destination)
 		{
@@ -283,7 +310,9 @@ namespace garlic
 		
 		memcpy (buf + size, msg->GetBuffer (), msg->GetLength ());
 		size += msg->GetLength ();
-		htobe32buf (buf + size, m_Rnd.GenerateWord32 ()); // CloveID
+		uint32_t cloveID;
+		RAND_bytes ((uint8_t *)&cloveID, 4);
+		htobe32buf (buf + size, cloveID); // CloveID
 		size += 4;
 		htobe64buf (buf + size, ts); // Expiration of clove
 		size += 8;
@@ -297,35 +326,35 @@ namespace garlic
 		size_t size = 0;
 		if (m_Owner)
 		{
-			auto leases = m_Owner->GetLeaseSet ()->GetNonExpiredLeases ();
-			if (!leases.empty ())
+			auto inboundTunnel = m_Owner->GetTunnelPool ()->GetNextInboundTunnel ();
+			if (inboundTunnel)
 			{	
 				buf[size] = eGarlicDeliveryTypeTunnel << 5; // delivery instructions flag tunnel
 				size++;
-				uint32_t i = m_Rnd.GenerateWord32 (0, leases.size () - 1);
 				// hash and tunnelID sequence is reversed for Garlic 
-				memcpy (buf + size, leases[i].tunnelGateway, 32); // To Hash
+				memcpy (buf + size, inboundTunnel->GetNextIdentHash (), 32); // To Hash
 				size += 32;
-				htobe32buf (buf + size, leases[i].tunnelID); // tunnelID
+				htobe32buf (buf + size, inboundTunnel->GetNextTunnelID ()); // tunnelID
 				size += 4; 	
 				// create msg 
-				I2NPMessage * msg = CreateDeliveryStatusMsg (msgID);
+				auto msg = CreateDeliveryStatusMsg (msgID);
 				if (m_Owner)
 				{
 					//encrypt 
 					uint8_t key[32], tag[32];
-					m_Rnd.GenerateBlock (key, 32); // random session key 
-					m_Rnd.GenerateBlock (tag, 32); // random session tag
+					RAND_bytes (key, 32); // random session key 
+					RAND_bytes (tag, 32); // random session tag
 					m_Owner->SubmitSessionKey (key, tag);
 					GarlicRoutingSession garlic (key, tag);
 					msg = garlic.WrapSingleMessage (msg);		
 				}
 				memcpy (buf + size, msg->GetBuffer (), msg->GetLength ());
 				size += msg->GetLength ();
-				DeleteI2NPMessage (msg);
 				// fill clove
-				uint64_t ts = i2p::util::GetMillisecondsSinceEpoch () + 5000; // 5 sec
-				htobe32buf (buf + size, m_Rnd.GenerateWord32 ()); // CloveID
+				uint64_t ts = i2p::util::GetMillisecondsSinceEpoch () + 8000; // 8 sec
+				uint32_t cloveID;
+				RAND_bytes ((uint8_t *)&cloveID, 4);
+				htobe32buf (buf + size, cloveID); // CloveID
 				size += 4;
 				htobe64buf (buf + size, ts); // Expiration of clove
 				size += 8;
@@ -333,10 +362,10 @@ namespace garlic
 				size += 3;
 			}
 			else	
-				LogPrint ("All tunnels of local LeaseSet expired");	
+				LogPrint (eLogError, "Garlic: No inbound tunnels in the pool for DeliveryStatus");
 		}
 		else
-			LogPrint ("Missing local LeaseSet");
+			LogPrint (eLogWarning, "Garlic: Missing local LeaseSet");
 
 		return size;
 	}
@@ -362,62 +391,49 @@ namespace garlic
 		return true;
 	}
 
-	void GarlicDestination::HandleGarlicMessage (I2NPMessage * msg)
+	void GarlicDestination::HandleGarlicMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		uint8_t * buf = msg->GetPayload ();
 		uint32_t length = bufbe32toh (buf);
+		if (length > msg->GetLength ())
+		{
+			LogPrint (eLogWarning, "Garlic: message length ", length, " exceeds I2NP message length ", msg->GetLength ());
+			return;
+		}	
 		buf += 4; // length
 		auto it = m_Tags.find (SessionTag(buf));
 		if (it != m_Tags.end ())
 		{
 			// tag found. Use AES
-			uint8_t iv[32]; // IV is first 16 bytes
-			CryptoPP::SHA256().CalculateDigest(iv, buf, 32);
-			it->second->SetIV (iv);
-			it->second->Decrypt (buf + 32, length - 32, buf + 32);
-			HandleAESBlock (buf + 32, length - 32, it->second, msg->from);
-			m_Tags.erase (it); // tag might be used only once
+			if (length >= 32)
+			{	
+				uint8_t iv[32]; // IV is first 16 bytes
+				SHA256(buf, 32, iv);
+				it->second->SetIV (iv);
+				it->second->Decrypt (buf + 32, length - 32, buf + 32);
+				HandleAESBlock (buf + 32, length - 32, it->second, msg->from);
+			}	
+			else
+				LogPrint (eLogWarning, "Garlic: message length ", length, " is less than 32 bytes");
+			m_Tags.erase (it); // tag might be used only once	
 		}
 		else
 		{
 			// tag not found. Use ElGamal
 			ElGamalBlock elGamal;
-			if (i2p::crypto::ElGamalDecrypt (GetEncryptionPrivateKey (), buf, (uint8_t *)&elGamal, true))
+			if (length >= 514 && i2p::crypto::ElGamalDecrypt (GetEncryptionPrivateKey (), buf, (uint8_t *)&elGamal, true))
 			{	
 				auto decryption = std::make_shared<i2p::crypto::CBCDecryption>();
 				decryption->SetKey (elGamal.sessionKey);
 				uint8_t iv[32]; // IV is first 16 bytes
-				CryptoPP::SHA256().CalculateDigest(iv, elGamal.preIV, 32); 
+				SHA256(elGamal.preIV, 32, iv); 
 				decryption->SetIV (iv);
 				decryption->Decrypt(buf + 514, length - 514, buf + 514);
 				HandleAESBlock (buf + 514, length - 514, decryption, msg->from);
 			}	
 			else
-				LogPrint ("Failed to decrypt garlic");
+				LogPrint (eLogError, "Garlic: Failed to decrypt message");
 		}
-		DeleteI2NPMessage (msg);
-
-		// cleanup expired tags
-		uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
-		if (ts > m_LastTagsCleanupTime + INCOMING_TAGS_EXPIRATION_TIMEOUT)
-		{
-			if (m_LastTagsCleanupTime)
-			{
-				int numExpiredTags = 0;
-				for (auto it = m_Tags.begin (); it != m_Tags.end ();)
-				{
-					if (ts > it->first.creationTime + INCOMING_TAGS_EXPIRATION_TIMEOUT)
-					{
-						numExpiredTags++;
-						it = m_Tags.erase (it);
-					}	
-					else
-						it++;
-				}
-				LogPrint (numExpiredTags, " tags expired for ", GetIdentHash().ToBase64 ());
-			}	
-			m_LastTagsCleanupTime = ts;
-		}	
 	}	
 
 	void GarlicDestination::HandleAESBlock (uint8_t * buf, size_t len, std::shared_ptr<i2p::crypto::CBCDecryption> decryption,
@@ -429,7 +445,7 @@ namespace garlic
 		{	
 			if (tagCount*32 > len) 
 			{
-				LogPrint (eLogError, "Tag count ", tagCount, " exceeds length ", len);
+				LogPrint (eLogError, "Garlic: Tag count ", tagCount, " exceeds length ", len);
 				return ;
 			}	
 			uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
@@ -441,7 +457,7 @@ namespace garlic
 		uint32_t payloadSize = bufbe32toh (buf);
 		if (payloadSize > len)
 		{
-			LogPrint (eLogError, "Unexpected payload size ", payloadSize);
+			LogPrint (eLogError, "Garlic: Unexpected payload size ", payloadSize);
 			return;
 		}	
 		buf += 4;
@@ -452,9 +468,11 @@ namespace garlic
 		buf++; // flag
 
 		// payload
-		if (!CryptoPP::SHA256().VerifyDigest (payloadHash, buf, payloadSize)) // payload hash doesn't match
+		uint8_t digest[32];
+		SHA256 (buf, payloadSize, digest);
+		if (memcmp (payloadHash, digest, 32)) // payload hash doesn't match
 		{
-			LogPrint ("Wrong payload hash");
+			LogPrint (eLogError, "Garlic: wrong payload hash");
 			return;
 		}		    
 		HandleGarlicPayload (buf, payloadSize, from);
@@ -462,8 +480,9 @@ namespace garlic
 
 	void GarlicDestination::HandleGarlicPayload (uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from)
 	{
+		const uint8_t * buf1 = buf;
 		int numCloves = buf[0];
-		LogPrint (numCloves," cloves");
+		LogPrint (eLogDebug, "Garlic: ", numCloves," cloves");
 		buf++;
 		for (int i = 0; i < numCloves; i++)
 		{
@@ -473,24 +492,24 @@ namespace garlic
 			if (flag & 0x80) // encrypted?
 			{
 				// TODO: implement
-				LogPrint ("Clove encrypted");
+				LogPrint (eLogWarning, "Garlic: clove encrypted");
 				buf += 32; 
 			}	
 			GarlicDeliveryType deliveryType = (GarlicDeliveryType)((flag >> 5) & 0x03);
 			switch (deliveryType)
 			{
 				case eGarlicDeliveryTypeLocal:
-					LogPrint ("Garlic type local");
+					LogPrint (eLogDebug, "Garlic: type local");
 					HandleI2NPMessage (buf, len, from);
 				break;	
 				case eGarlicDeliveryTypeDestination:	
-					LogPrint ("Garlic type destination");
+					LogPrint (eLogDebug, "Garlic: type destination");
 					buf += 32; // destination. check it later or for multiple destinations
 					HandleI2NPMessage (buf, len, from);
 				break;
 				case eGarlicDeliveryTypeTunnel:
 				{	
-					LogPrint ("Garlic type tunnel");
+					LogPrint (eLogDebug, "Garlic: type tunnel");
 					// gwHash and gwTunnel sequence is reverted
 					uint8_t * gwHash = buf;
 					buf += 32;
@@ -501,63 +520,82 @@ namespace garlic
 						tunnel = from->GetTunnelPool ()->GetNextOutboundTunnel ();
 					if (tunnel) // we have send it through an outbound tunnel
 					{	
-						I2NPMessage * msg = CreateI2NPMessage (buf, GetI2NPMessageLength (buf), from);
+						auto msg = CreateI2NPMessage (buf, GetI2NPMessageLength (buf), from);
 						tunnel->SendTunnelDataMsg (gwHash, gwTunnel, msg);
 					}	
 					else
-						LogPrint ("No outbound tunnels available for garlic clove");
+						LogPrint (eLogWarning, "Garlic: No outbound tunnels available for garlic clove");
 					break;
 				}
 				case eGarlicDeliveryTypeRouter:
-					LogPrint ("Garlic type router not supported");
+					LogPrint (eLogWarning, "Garlic: type router not supported");
 					buf += 32;
 				break;	
 				default:
-					LogPrint ("Unknow garlic delivery type ", (int)deliveryType);
+					LogPrint (eLogWarning, "Garlic: unknown delivery type ", (int)deliveryType);
 			}
 			buf += GetI2NPMessageLength (buf); //  I2NP
 			buf += 4; // CloveID
 			buf += 8; // Date
 			buf += 3; // Certificate
+			if (buf - buf1  > (int)len)
+			{
+				LogPrint (eLogError, "Garlic: clove is too long");
+				break;
+			}	
 		}	
 	}	
 	
-	I2NPMessage * GarlicDestination::WrapMessage (std::shared_ptr<const i2p::data::RoutingDestination> destination, 
-		I2NPMessage * msg, bool attachLeaseSet)	
+	std::shared_ptr<I2NPMessage> GarlicDestination::WrapMessage (std::shared_ptr<const i2p::data::RoutingDestination> destination, 
+		std::shared_ptr<I2NPMessage> msg, bool attachLeaseSet)	
 	{
-		if (attachLeaseSet) // we should maintain this session
-		{	
-			auto session = GetRoutingSession (destination, 32);  // 32 tags by default
-			return session->WrapSingleMessage (msg);	
-		}
-		else // one time session
-		{
-			GarlicRoutingSession session (this, destination, 0); // don't use tag if no LeaseSet
-			return session.WrapSingleMessage (msg);
-		}	
+		auto session = GetRoutingSession (destination, attachLeaseSet);  
+		return session->WrapSingleMessage (msg);	
 	}
 
 	std::shared_ptr<GarlicRoutingSession> GarlicDestination::GetRoutingSession (
-		std::shared_ptr<const i2p::data::RoutingDestination> destination, int numTags)
+		std::shared_ptr<const i2p::data::RoutingDestination> destination, bool attachLeaseSet)
 	{
-		auto it = m_Sessions.find (destination->GetIdentHash ());
-		std::shared_ptr<GarlicRoutingSession> session;
-		if (it != m_Sessions.end ())
-			session = it->second;
+		GarlicRoutingSessionPtr session;
+		{	
+			std::unique_lock<std::mutex> l(m_SessionsMutex);
+			auto it = m_Sessions.find (destination->GetIdentHash ());
+			if (it != m_Sessions.end ())
+				session = it->second;
+		}
 		if (!session)
 		{
-			session = std::make_shared<GarlicRoutingSession> (this, destination, numTags); 
+			session = std::make_shared<GarlicRoutingSession> (this, destination, 
+				attachLeaseSet ? m_NumTags : 4, attachLeaseSet); // specified num tags for connections and 4 for LS requests
 			std::unique_lock<std::mutex> l(m_SessionsMutex);
 			m_Sessions[destination->GetIdentHash ()] = session;
 		}	
 		return session;
 	}	
 	
-	void GarlicDestination::CleanupRoutingSessions ()
+	void GarlicDestination::CleanupExpiredTags ()
 	{
+		// incoming
+		uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
+		int numExpiredTags = 0;
+		for (auto it = m_Tags.begin (); it != m_Tags.end ();)
+		{
+			if (ts > it->first.creationTime + INCOMING_TAGS_EXPIRATION_TIMEOUT)
+			{
+				numExpiredTags++;
+				it = m_Tags.erase (it);
+			}	
+			else
+				it++;
+		}
+		if (numExpiredTags > 0)
+			LogPrint (eLogDebug, "Garlic: ", numExpiredTags, " tags expired for ", GetIdentHash().ToBase64 ());
+
+		// outgoing
 		std::unique_lock<std::mutex> l(m_SessionsMutex);
 		for (auto it = m_Sessions.begin (); it != m_Sessions.end ();)
 		{
+			it->second->GetSharedRoutingPath (); // delete shared path if necessary
 			if (!it->second->CleanupExpiredTags ())
 			{
 				LogPrint (eLogInfo, "Routing session to ", it->first.ToBase32 (), " deleted");
@@ -568,29 +606,28 @@ namespace garlic
 		}
 	}
 	
-	void GarlicDestination::RemoveCreatedSession (uint32_t msgID)
+	void GarlicDestination::RemoveDeliveryStatusSession (uint32_t msgID)
 	{
-		m_CreatedSessions.erase (msgID);
+		m_DeliveryStatusSessions.erase (msgID);
 	}
 
-	void GarlicDestination::DeliveryStatusSent (std::shared_ptr<GarlicRoutingSession> session, uint32_t msgID)
+	void GarlicDestination::DeliveryStatusSent (GarlicRoutingSessionPtr session, uint32_t msgID)
 	{
-		m_CreatedSessions[msgID] = session;
+		m_DeliveryStatusSessions[msgID] = session;
 	}		
 
-	void GarlicDestination::HandleDeliveryStatusMessage (I2NPMessage * msg)
+	void GarlicDestination::HandleDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		uint32_t msgID = bufbe32toh (msg->GetPayload ());
 		{
-			auto it = m_CreatedSessions.find (msgID);
-			if (it != m_CreatedSessions.end ())			
+			auto it = m_DeliveryStatusSessions.find (msgID);
+			if (it != m_DeliveryStatusSessions.end ())			
 			{
 				it->second->MessageConfirmed (msgID);
-				m_CreatedSessions.erase (it);
-				LogPrint (eLogInfo, "Garlic message ", msgID, " acknowledged");
+				m_DeliveryStatusSessions.erase (it);
+				LogPrint (eLogDebug, "Garlic: message ", msgID, " acknowledged");
 			}	
 		}
-		DeleteI2NPMessage (msg);	
 	}
 
 	void GarlicDestination::SetLeaseSetUpdated ()
@@ -600,12 +637,12 @@ namespace garlic
 			it.second->SetLeaseSetUpdated ();
 	}
 
-	void GarlicDestination::ProcessGarlicMessage (I2NPMessage * msg)
+	void GarlicDestination::ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		HandleGarlicMessage (msg);
 	}
 
-	void GarlicDestination::ProcessDeliveryStatusMessage (I2NPMessage * msg)
+	void GarlicDestination::ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		HandleDeliveryStatusMessage (msg);
 	}

Garlic.h

@@ -8,15 +8,19 @@
 #include <thread>
 #include <mutex>
 #include <memory>
-#include <cryptopp/osrng.h>
-#include "aes.h"
+#include "Crypto.h"
 #include "I2NPProtocol.h"
 #include "LeaseSet.h"
 #include "Queue.h"
 #include "Identity.h"
 
 namespace i2p
-{	
+{
+namespace tunnel
+{		
+	class OutboundTunnel;
+}
+	
 namespace garlic
 {
 	
@@ -28,18 +32,19 @@ namespace garlic
 		eGarlicDeliveryTypeTunnel = 3
 	};	
 
-#pragma pack(1)
 	struct ElGamalBlock
 	{
 		uint8_t sessionKey[32];
 		uint8_t preIV[32];
 		uint8_t padding[158];
 	};		
-#pragma pack()	
 
 	const int INCOMING_TAGS_EXPIRATION_TIMEOUT = 960; // 16 minutes			
 	const int OUTGOING_TAGS_EXPIRATION_TIMEOUT = 720; // 12 minutes
+	const int OUTGOING_TAGS_CONFIRMATION_TIMEOUT = 10; // 10 seconds 
 	const int LEASET_CONFIRMATION_TIMEOUT = 4000; // in milliseconds
+	const int ROUTING_PATH_EXPIRATION_TIMEOUT = 30; // 30 seconds 
+	const int ROUTING_PATH_MAX_NUM_TIMES_USED = 100; // how many times might be used 
 	
 	struct SessionTag: public i2p::data::Tag<32> 
 	{
@@ -53,7 +58,16 @@ namespace garlic
 #endif
 		uint32_t creationTime; // seconds since epoch	
 	};
-		
+
+	struct GarlicRoutingPath
+	{
+		std::shared_ptr<i2p::tunnel::OutboundTunnel> outboundTunnel;
+		std::shared_ptr<const i2p::data::Lease> remoteLease;
+		int rtt; // RTT
+		uint32_t updateTime; // seconds since epoch
+		int numTimesUsed; 
+	};	
+	
 	class GarlicDestination;
 	class GarlicRoutingSession: public std::enable_shared_from_this<GarlicRoutingSession>
 	{
@@ -61,7 +75,8 @@ namespace garlic
 			{
 				eLeaseSetUpToDate = 0,
 				eLeaseSetUpdated,
-				eLeaseSetSubmitted 
+				eLeaseSetSubmitted,
+				eLeaseSetDoNotSend
 			};
 		
 			struct UnconfirmedTags
@@ -75,20 +90,27 @@ namespace garlic
 
 		public:
 
-			GarlicRoutingSession (GarlicDestination * owner, std::shared_ptr<const i2p::data::RoutingDestination> destination, int numTags);
+			GarlicRoutingSession (GarlicDestination * owner, std::shared_ptr<const i2p::data::RoutingDestination> destination, 
+				int numTags, bool attachLeaseSet);
 			GarlicRoutingSession (const uint8_t * sessionKey, const SessionTag& sessionTag); // one time encryption
 			~GarlicRoutingSession ();
-			I2NPMessage * WrapSingleMessage (I2NPMessage * msg);
+			std::shared_ptr<I2NPMessage> WrapSingleMessage (std::shared_ptr<const I2NPMessage> msg);
 			void MessageConfirmed (uint32_t msgID);
 			bool CleanupExpiredTags (); // returns true if something left 
 
-			void SetLeaseSetUpdated () { m_LeaseSetUpdateStatus = eLeaseSetUpdated; };
+			void SetLeaseSetUpdated () 
+			{ 
+				if (m_LeaseSetUpdateStatus != eLeaseSetDoNotSend) m_LeaseSetUpdateStatus = eLeaseSetUpdated; 
+			};
+
+			std::shared_ptr<GarlicRoutingPath> GetSharedRoutingPath ();
+			void SetSharedRoutingPath (std::shared_ptr<GarlicRoutingPath> path);
 			
 		private:
 
-			size_t CreateAESBlock (uint8_t * buf, const I2NPMessage * msg);
-			size_t CreateGarlicPayload (uint8_t * payload, const I2NPMessage * msg, UnconfirmedTags * newTags);
-			size_t CreateGarlicClove (uint8_t * buf, const I2NPMessage * msg, bool isDestination);
+			size_t CreateAESBlock (uint8_t * buf, std::shared_ptr<const I2NPMessage> msg);
+			size_t CreateGarlicPayload (uint8_t * payload, std::shared_ptr<const I2NPMessage> msg, UnconfirmedTags * newTags);
+			size_t CreateGarlicClove (uint8_t * buf, std::shared_ptr<const I2NPMessage> msg, bool isDestination);
 			size_t CreateDeliveryStatusClove (uint8_t * buf, uint32_t msgID);
 
 			void TagsConfirmed (uint32_t msgID);
@@ -108,37 +130,47 @@ namespace garlic
 			uint64_t m_LeaseSetSubmissionTime; // in milliseconds
 			
 			i2p::crypto::CBCEncryption m_Encryption;
-			CryptoPP::AutoSeededRandomPool m_Rnd;
+			std::unique_ptr<const i2p::crypto::ElGamalEncryption> m_ElGamalEncryption; 
+
+			std::shared_ptr<GarlicRoutingPath> m_SharedRoutingPath;
+			
+		public:
+			// for HTTP only
+			size_t GetNumOutgoingTags () const { return m_SessionTags.size (); };
 	};	
+	//using GarlicRoutingSessionPtr = std::shared_ptr<GarlicRoutingSession>;
+	typedef std::shared_ptr<GarlicRoutingSession> GarlicRoutingSessionPtr; // TODO: replace to using after switch to 4.8	
 
 	class GarlicDestination: public i2p::data::LocalDestination
 	{
 		public:
 
-			GarlicDestination (): m_LastTagsCleanupTime (0) {};
+			GarlicDestination (): m_NumTags (32) {}; // 32 tags by default
 			~GarlicDestination ();
 
-			std::shared_ptr<GarlicRoutingSession> GetRoutingSession (std::shared_ptr<const i2p::data::RoutingDestination> destination, int numTags);	
-			void CleanupRoutingSessions ();
-			void RemoveCreatedSession (uint32_t msgID);
-			I2NPMessage * WrapMessage (std::shared_ptr<const i2p::data::RoutingDestination> destination, 
-			    I2NPMessage * msg, bool attachLeaseSet = false);
+			void SetNumTags (int numTags) { m_NumTags = numTags; };		
+			std::shared_ptr<GarlicRoutingSession> GetRoutingSession (std::shared_ptr<const i2p::data::RoutingDestination> destination, bool attachLeaseSet);	
+			void CleanupExpiredTags ();
+			void RemoveDeliveryStatusSession (uint32_t msgID);
+			std::shared_ptr<I2NPMessage> WrapMessage (std::shared_ptr<const i2p::data::RoutingDestination> destination, 
+			    std::shared_ptr<I2NPMessage> msg, bool attachLeaseSet = false);
 
 			void AddSessionKey (const uint8_t * key, const uint8_t * tag); // one tag
 			virtual bool SubmitSessionKey (const uint8_t * key, const uint8_t * tag); // from different thread
-			void DeliveryStatusSent (std::shared_ptr<GarlicRoutingSession> session, uint32_t msgID);
+			void DeliveryStatusSent (GarlicRoutingSessionPtr session, uint32_t msgID);
 			
-			virtual void ProcessGarlicMessage (I2NPMessage * msg);
-			virtual void ProcessDeliveryStatusMessage (I2NPMessage * msg);			
+			virtual void ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg);
+			virtual void ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg);			
 			virtual void SetLeaseSetUpdated ();
 			
-			virtual const i2p::data::LeaseSet * GetLeaseSet () = 0; // TODO
+			virtual std::shared_ptr<const i2p::data::LeaseSet> GetLeaseSet () = 0; // TODO
+			virtual std::shared_ptr<i2p::tunnel::TunnelPool> GetTunnelPool () const = 0;
 			virtual void HandleI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from) = 0;
 			
 		protected:
 
-			void HandleGarlicMessage (I2NPMessage * msg);
-			void HandleDeliveryStatusMessage (I2NPMessage * msg);			
+			void HandleGarlicMessage (std::shared_ptr<I2NPMessage> msg);
+			void HandleDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg);			
 	
 		private:
 
@@ -149,13 +181,19 @@ namespace garlic
 		private:
 			
 			// outgoing sessions
+			int m_NumTags;
 			std::mutex m_SessionsMutex;
-			std::map<i2p::data::IdentHash, std::shared_ptr<GarlicRoutingSession> > m_Sessions;
+			std::map<i2p::data::IdentHash, GarlicRoutingSessionPtr> m_Sessions;
 			// incoming
 			std::map<SessionTag, std::shared_ptr<i2p::crypto::CBCDecryption>> m_Tags;
-			uint32_t m_LastTagsCleanupTime;
 			// DeliveryStatus
-			std::map<uint32_t, std::shared_ptr<GarlicRoutingSession> > m_CreatedSessions; // msgID -> session
+			std::map<uint32_t, GarlicRoutingSessionPtr> m_DeliveryStatusSessions; // msgID -> session
+			
+		public:
+
+			// for HTTP only
+			size_t GetNumIncomingTags () const { return m_Tags.size (); }	
+			const decltype(m_Sessions)& GetSessions () const { return m_Sessions; };
 	};	
 }	
 }

HTTPProxy.cpp

@@ -12,6 +12,7 @@
 #include "ClientContext.h"
 #include "I2PEndian.h"
 #include "I2PTunnel.h"
+#include "Config.h"
 
 namespace i2p
 {
@@ -36,7 +37,9 @@ namespace proxy
 			void Terminate();
 			void AsyncSockRead();
 			void HTTPRequestFailed(/*std::string message*/);
+			void RedirectToJumpService();
 			void ExtractRequest();
+			bool IsI2PAddress();
 			bool ValidateHTTPRequest();
 			void HandleJumpServices();
 			bool CreateHTTPRequest(uint8_t *http_buff, std::size_t len);
@@ -44,7 +47,7 @@ namespace proxy
 			void HandleStreamRequestComplete (std::shared_ptr<i2p::stream::Stream> stream);
 
 			uint8_t m_http_buff[http_buffer_size];
-			boost::asio::ip::tcp::socket * m_sock;
+			std::shared_ptr<boost::asio::ip::tcp::socket> m_sock;
 			std::string m_request; //Data left to be sent
 			std::string m_url; //URL
 			std::string m_method; //Method
@@ -56,7 +59,7 @@ namespace proxy
 
 		public:
 
-			HTTPProxyHandler(HTTPProxyServer * parent, boost::asio::ip::tcp::socket * sock) : 
+			HTTPProxyHandler(HTTPProxyServer * parent, std::shared_ptr<boost::asio::ip::tcp::socket> sock) : 
 				I2PServiceHandler(parent), m_sock(sock)
 				{ EnterState(GET_METHOD); }
 			~HTTPProxyHandler() { Terminate(); }
@@ -65,22 +68,22 @@ namespace proxy
 
 	void HTTPProxyHandler::AsyncSockRead()
 	{
-		LogPrint(eLogDebug,"--- HTTP Proxy async sock read");
+		LogPrint(eLogDebug, "HTTPProxy: async sock read");
 		if(m_sock) {
 			m_sock->async_receive(boost::asio::buffer(m_http_buff, http_buffer_size),
 						std::bind(&HTTPProxyHandler::HandleSockRecv, shared_from_this(),
 								std::placeholders::_1, std::placeholders::_2));
 		} else {
-			LogPrint(eLogError,"--- HTTP Proxy no socket for read");
+			LogPrint(eLogError, "HTTPProxy: no socket for read");
 		}
 	}
 
 	void HTTPProxyHandler::Terminate() {
 		if (Kill()) return;
-		if (m_sock) {
-			LogPrint(eLogDebug,"--- HTTP Proxy close sock");
+		if (m_sock) 
+		{
+			LogPrint(eLogDebug, "HTTPProxy: close sock");
 			m_sock->close();
-			delete m_sock;
 			m_sock = nullptr;
 		}
 		Done(shared_from_this());
@@ -90,11 +93,22 @@ namespace proxy
 	//TODO: handle this apropriately
 	void HTTPProxyHandler::HTTPRequestFailed(/*HTTPProxyHandler::errTypes error*/)
 	{
-		std::string response = "HTTP/1.0 500 Internal Server Error\r\nContent-type: text/html\r\nContent-length: 0\r\n";
+		static std::string response = "HTTP/1.0 500 Internal Server Error\r\nContent-type: text/html\r\nContent-length: 0\r\n";
 		boost::asio::async_write(*m_sock, boost::asio::buffer(response,response.size()),
 					 std::bind(&HTTPProxyHandler::SentHTTPFailed, shared_from_this(), std::placeholders::_1));
 	}
 
+	void HTTPProxyHandler::RedirectToJumpService(/*HTTPProxyHandler::errTypes error*/)
+	{
+		std::stringstream response;
+		std::string httpAddr; i2p::config::GetOption("http.address", httpAddr);
+		uint16_t    httpPort; i2p::config::GetOption("http.port", httpPort);
+
+		response << "HTTP/1.1 302 Found\r\nLocation: http://" << httpAddr << ":" << httpPort << "/?jumpservices=&address=" << m_address << "\r\n\r\n";
+		boost::asio::async_write(*m_sock, boost::asio::buffer(response.str (),response.str ().length ()),
+					 std::bind(&HTTPProxyHandler::SentHTTPFailed, shared_from_this(), std::placeholders::_1));
+	}
+
 	void HTTPProxyHandler::EnterState(HTTPProxyHandler::state nstate) 
 	{
 		m_state = nstate;
@@ -102,7 +116,7 @@ namespace proxy
 
 	void HTTPProxyHandler::ExtractRequest()
 	{
-		LogPrint(eLogDebug,"--- HTTP Proxy method is: ", m_method, "\nRequest is: ", m_url);
+		LogPrint(eLogDebug, "HTTPProxy: request: ", m_method, " ", m_url);
 		std::string server="";
 		std::string port="80";
 		boost::regex rHTTP("http://(.*?)(:(\\d+))?(/.*)");
@@ -114,7 +128,7 @@ namespace proxy
 			if (m[2].str() != "")  port=m[3].str();
 			path=m[4].str();
 		}
-		LogPrint(eLogDebug,"--- HTTP Proxy server is: ",server, " port is: ", port, "\n path is: ",path);
+		LogPrint(eLogDebug, "HTTPProxy: server: ", server, ", port: ", port, ", path: ", path);
 		m_address = server;
 		m_port = boost::lexical_cast<int>(port);
 		m_path = path;
@@ -124,7 +138,7 @@ namespace proxy
 	{
 		if ( m_version != "HTTP/1.0" && m_version != "HTTP/1.1" ) 
 		{
-			LogPrint(eLogError,"--- HTTP Proxy unsupported version: ", m_version);
+			LogPrint(eLogError, "HTTPProxy: unsupported version: ", m_version);
 			HTTPRequestFailed(); //TODO: send right stuff
 			return false;
 		}
@@ -156,18 +170,39 @@ namespace proxy
 		}
 		auto base64 = m_path.substr (addressHelperPos + strlen(helpermark1));
 		base64 = i2p::util::http::urlDecode(base64); //Some of the symbols may be urlencoded
-		LogPrint (eLogDebug,"Jump service for ", m_address, " found at ", base64, ". Inserting to address book");
+		LogPrint (eLogInfo, "HTTPProxy: jump service for ", m_address, ", inserting to address book");
 		//TODO: this is very dangerous and broken. We should ask the user before doing anything see http://pastethis.i2p/raw/pn5fL4YNJL7OSWj3Sc6N/
 		//TODO: we could redirect the user again to avoid dirtiness in the browser
 		i2p::client::context.GetAddressBook ().InsertAddress (m_address, base64);
 		m_path.erase(addressHelperPos);
 	}
 
+	bool HTTPProxyHandler::IsI2PAddress()
+	{
+		auto pos = m_address.rfind (".i2p");
+		if (pos != std::string::npos && (pos+4) == m_address.length ())
+		{
+			return true;
+		}
+		return false;
+	}
+
 	bool HTTPProxyHandler::CreateHTTPRequest(uint8_t *http_buff, std::size_t len) 
 	{
 		ExtractRequest(); //TODO: parse earlier
 		if (!ValidateHTTPRequest()) return false;
 		HandleJumpServices();
+
+		i2p::data::IdentHash identHash;
+		if (IsI2PAddress ())
+		{
+			if (!i2p::client::context.GetAddressBook ().GetIdentHash (m_address, identHash)){
+				RedirectToJumpService();
+				return false;
+			}
+		}
+		
+
 		m_request = m_method;
 		m_request.push_back(' ');
 		m_request += m_path;
@@ -176,13 +211,39 @@ namespace proxy
 		m_request.push_back('\r');
 		m_request.push_back('\n');
 		m_request.append("Connection: close\r\n");
-		m_request.append(reinterpret_cast<const char *>(http_buff),len);
+		// TODO: temporary shortcut. Must be implemented properly
+		uint8_t * eol = nullptr;
+		bool isEndOfHeader = false;
+		while (!isEndOfHeader && len && (eol = (uint8_t *)memchr (http_buff, '\r', len)))
+		{
+			if (eol)
+			{
+				*eol = 0; eol++;			
+				if (strncmp ((const char *)http_buff, "Referer", 7) && strncmp ((const char *)http_buff, "Connection", 10)) // strip out referer and connection
+				{
+					if (!strncmp ((const char *)http_buff, "User-Agent", 10)) // replace UserAgent
+						m_request.append("User-Agent: MYOB/6.66 (AN/ON)");
+					else
+						m_request.append ((const char *)http_buff);
+					m_request.append ("\r\n");
+				}
+				isEndOfHeader = !http_buff[0];
+				auto l = eol - http_buff;
+				http_buff = eol;
+				len -= l;
+				if (len > 0) // \r
+				{
+					http_buff++;
+					len--;
+				}	
+			}
+		}	
+		m_request.append(reinterpret_cast<const char *>(http_buff),len);	
 		return true;
 	}
 
 	bool HTTPProxyHandler::HandleData(uint8_t *http_buff, std::size_t len)
 	{
-		assert(len); // This should always be called with a least a byte left to parse
 		while (len > 0) 
 		{
 			//TODO: fallback to finding HOst: header if needed
@@ -214,13 +275,13 @@ namespace proxy
 					{
 						case '\n': EnterState(DONE); break;
 						default:
-							LogPrint(eLogError,"--- HTTP Proxy rejected invalid request ending with: ", ((int)*http_buff));
+							LogPrint(eLogError, "HTTPProxy: rejected invalid request ending with: ", ((int)*http_buff));
 							HTTPRequestFailed(); //TODO: add correct code
 							return false;
 					}
 				break;
 				default:
-					LogPrint(eLogError,"--- HTTP Proxy invalid state: ", m_state);
+					LogPrint(eLogError, "HTTPProxy: invalid state: ", m_state);
 					HTTPRequestFailed(); //TODO: add correct code 500
 					return false;
 			}
@@ -234,11 +295,11 @@ namespace proxy
 
 	void HTTPProxyHandler::HandleSockRecv(const boost::system::error_code & ecode, std::size_t len)
 	{
-		LogPrint(eLogDebug,"--- HTTP Proxy sock recv: ", len);
+		LogPrint(eLogDebug, "HTTPProxy: sock recv: ", len, " bytes");
 		if(ecode) 
 		{
-			LogPrint(eLogWarning," --- HTTP Proxy sock recv got error: ", ecode);
-                        Terminate();
+			LogPrint(eLogWarning, "HTTPProxy: sock recv got error: ", ecode);
+			Terminate();
 			return;
 		}
 
@@ -246,7 +307,7 @@ namespace proxy
 		{
 			if (m_state == DONE) 
 			{
-				LogPrint(eLogInfo,"--- HTTP Proxy requested: ", m_url);
+				LogPrint(eLogDebug, "HTTPProxy: requested: ", m_url);
 				GetOwner()->CreateStream (std::bind (&HTTPProxyHandler::HandleStreamRequestComplete,
 						shared_from_this(), std::placeholders::_1), m_address, m_port);
 			} 
@@ -258,13 +319,9 @@ namespace proxy
 
 	void HTTPProxyHandler::SentHTTPFailed(const boost::system::error_code & ecode)
 	{
-		if (!ecode)
-			Terminate();
-		else 
-		{
-			LogPrint (eLogError,"--- HTTP Proxy Closing socket after sending failure because: ", ecode.message ());
-			Terminate();
-		}
+		if (ecode)
+			LogPrint (eLogError, "HTTPProxy: Closing socket after sending failure because: ", ecode.message ());
+		Terminate();
 	}
 
 	void HTTPProxyHandler::HandleStreamRequestComplete (std::shared_ptr<i2p::stream::Stream> stream)
@@ -272,7 +329,7 @@ namespace proxy
 		if (stream) 
 		{
 			if (Kill()) return;
-			LogPrint (eLogInfo,"--- HTTP Proxy New I2PTunnel connection");
+			LogPrint (eLogInfo, "HTTPProxy: New I2PTunnel connection");
 			auto connection = std::make_shared<i2p::client::I2PTunnelConnection>(GetOwner(), m_sock, stream);
 			GetOwner()->AddHandler (connection);
 			connection->I2PConnect (reinterpret_cast<const uint8_t*>(m_request.data()), m_request.size());
@@ -280,17 +337,17 @@ namespace proxy
 		} 
 		else 
 		{
-			LogPrint (eLogError,"--- HTTP Proxy Issue when creating the stream, check the previous warnings for more info.");
+			LogPrint (eLogError, "HTTPProxy: error when creating the stream, check the previous warnings for more info");
 			HTTPRequestFailed(); // TODO: Send correct error message host unreachable
 		}
 	}
 
-	HTTPProxyServer::HTTPProxyServer(int port, std::shared_ptr<i2p::client::ClientDestination> localDestination): 
-		TCPIPAcceptor(port, localDestination ? localDestination : i2p::client::context.GetSharedLocalDestination ()) 
+	HTTPProxyServer::HTTPProxyServer(const std::string& address, int port, std::shared_ptr<i2p::client::ClientDestination> localDestination): 
+		TCPIPAcceptor(address, port, localDestination ? localDestination : i2p::client::context.GetSharedLocalDestination ()) 
 	{
 	}
 	
-	std::shared_ptr<i2p::client::I2PServiceHandler> HTTPProxyServer::CreateHandler(boost::asio::ip::tcp::socket * socket)
+	std::shared_ptr<i2p::client::I2PServiceHandler> HTTPProxyServer::CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket)
 	{
 		return std::make_shared<HTTPProxyHandler> (this, socket);
 	}

HTTPProxy.h

@@ -16,12 +16,12 @@ namespace proxy
 	{
 		public:
 
-			HTTPProxyServer(int port, std::shared_ptr<i2p::client::ClientDestination> localDestination = nullptr);
+			HTTPProxyServer(const std::string& address, int port, std::shared_ptr<i2p::client::ClientDestination> localDestination = nullptr);
 			~HTTPProxyServer() {};
 
 		protected:
 			// Implements TCPIPAcceptor
-			std::shared_ptr<i2p::client::I2PServiceHandler> CreateHandler(boost::asio::ip::tcp::socket * socket);
+			std::shared_ptr<i2p::client::I2PServiceHandler> CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket);
 			const char* GetName() { return "HTTP Proxy"; }
 	};
 

HTTPServer.h

@@ -15,7 +15,7 @@ namespace util
 {
 	const size_t HTTP_CONNECTION_BUFFER_SIZE = 8192;	
 	const int HTTP_DESTINATION_REQUEST_TIMEOUT = 10; // in seconds
-	class HTTPConnection
+	class HTTPConnection: public std::enable_shared_from_this<HTTPConnection>
 	{
 		protected:
 
@@ -39,22 +39,20 @@ namespace util
 			struct reply
 			{
 				std::vector<header> headers;
-				std::string content;
-
+				std::string status_string, content;
 				std::vector<boost::asio::const_buffer> to_buffers (int status);
 			};
 
 		public:
 
-			HTTPConnection (boost::asio::ip::tcp::socket * socket): 
+			HTTPConnection (std::shared_ptr<boost::asio::ip::tcp::socket> socket): 
 				m_Socket (socket), m_Timer (socket->get_io_service ()), 
-				m_Stream (nullptr), m_BufferLen (0) { Receive (); };
-			virtual ~HTTPConnection() { delete m_Socket; }
-
+				m_Stream (nullptr), m_BufferLen (0) {};
+			void Receive ();
+			
 		private:
 
 			void Terminate ();
-			void Receive ();
 			void HandleReceive (const boost::system::error_code& ecode, std::size_t bytes_transferred);
 			void AsyncStreamReceive ();
 			void HandleStreamReceive (const boost::system::error_code& ecode, std::size_t bytes_transferred);
@@ -64,6 +62,7 @@ namespace util
 
 			void HandleRequest (const std::string& address);
 			void HandleCommand (const std::string& command, std::stringstream& s);
+			void ShowJumpServices (const std::string& address, std::stringstream& s);
 			void ShowTransports (std::stringstream& s);
 			void ShowTunnels (std::stringstream& s);
 			void ShowTransitTunnels (std::stringstream& s);
@@ -71,8 +70,10 @@ namespace util
 			void ShowLocalDestination (const std::string& b32, std::stringstream& s);
 			void ShowSAMSessions (std::stringstream& s);
 			void ShowSAMSession (const std::string& id, std::stringstream& s);
+			void ShowI2PTunnels (std::stringstream& s);
 			void StartAcceptingTunnels (std::stringstream& s);
 			void StopAcceptingTunnels (std::stringstream& s);
+			void RunPeerTest (std::stringstream& s);
 			void FillContent (std::stringstream& s);
 			std::string ExtractAddress ();
 			void ExtractParams (const std::string& str, std::map<std::string, std::string>& params);
@@ -80,7 +81,7 @@ namespace util
 			
 		protected:
 
-			boost::asio::ip::tcp::socket * m_Socket;
+			std::shared_ptr<boost::asio::ip::tcp::socket> m_Socket;
 			boost::asio::deadline_timer m_Timer;
 			std::shared_ptr<i2p::stream::Stream> m_Stream;
 			char m_Buffer[HTTP_CONNECTION_BUFFER_SIZE + 1], m_StreamBuffer[HTTP_CONNECTION_BUFFER_SIZE + 1];
@@ -107,7 +108,7 @@ namespace util
 	{
 		public:
 
-			HTTPServer (int port);
+			HTTPServer (const std::string& address, int port);
 			virtual ~HTTPServer ();
 
 			void Start ();
@@ -117,18 +118,18 @@ namespace util
 
 			void Run ();
  			void Accept ();
-			void HandleAccept(const boost::system::error_code& ecode);
+			void HandleAccept(const boost::system::error_code& ecode,
+				std::shared_ptr<boost::asio::ip::tcp::socket> newSocket);
 			
 		private:
 
-			std::thread * m_Thread;
+			std::unique_ptr<std::thread> m_Thread;
 			boost::asio::io_service m_Service;
 			boost::asio::io_service::work m_Work;
 			boost::asio::ip::tcp::acceptor m_Acceptor;
-			boost::asio::ip::tcp::socket * m_NewSocket;
 
 		protected:
-			virtual void CreateConnection(boost::asio::ip::tcp::socket * m_NewSocket);
+			virtual void CreateConnection(std::shared_ptr<boost::asio::ip::tcp::socket> newSocket);
 	};
 }
 }

I2NPProtocol.cpp

@@ -1,13 +1,15 @@
 #include <string.h>
 #include <atomic>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
+#include "Base.h"
+#include "Log.h"
+#include "Crypto.h"
 #include "I2PEndian.h"
-#include <cryptopp/gzip.h>
-#include "ElGamal.h"
 #include "Timestamp.h"
 #include "RouterContext.h"
 #include "NetDb.h"
 #include "Tunnel.h"
-#include "base64.h"
 #include "Transports.h"
 #include "Garlic.h"
 #include "I2NPProtocol.h"
@@ -16,73 +18,81 @@ using namespace i2p::transport;
 
 namespace i2p
 {
-	I2NPMessage * NewI2NPMessage ()
+	std::shared_ptr<I2NPMessage> NewI2NPMessage ()
 	{
-		return new I2NPMessageBuffer<I2NP_MAX_MESSAGE_SIZE>();
+		return std::make_shared<I2NPMessageBuffer<I2NP_MAX_MESSAGE_SIZE> >();
 	}
 	
-	I2NPMessage * NewI2NPShortMessage ()
+	std::shared_ptr<I2NPMessage> NewI2NPShortMessage ()
 	{
-		return new I2NPMessageBuffer<I2NP_MAX_SHORT_MESSAGE_SIZE>();
+		return std::make_shared<I2NPMessageBuffer<I2NP_MAX_SHORT_MESSAGE_SIZE> >();
 	}
 
-	I2NPMessage * NewI2NPMessage (size_t len)
+	std::shared_ptr<I2NPMessage> NewI2NPMessage (size_t len)
 	{
 		return (len < I2NP_MAX_SHORT_MESSAGE_SIZE/2) ? NewI2NPShortMessage () : NewI2NPMessage ();
 	}	
-	
-	void DeleteI2NPMessage (I2NPMessage * msg)
-	{
-		delete msg;
-	}	
 
-	static std::atomic<uint32_t> I2NPmsgID(0); // TODO: create class
-	void FillI2NPMessageHeader (I2NPMessage * msg, I2NPMessageType msgType, uint32_t replyMsgID)
+	void I2NPMessage::FillI2NPMessageHeader (I2NPMessageType msgType, uint32_t replyMsgID)
 	{
-		msg->SetTypeID (msgType);
-		if (replyMsgID) // for tunnel creation
-			msg->SetMsgID (replyMsgID); 
-		else
-		{	
-			msg->SetMsgID (I2NPmsgID);
-			I2NPmsgID++;
-		}	
-		msg->SetExpiration (i2p::util::GetMillisecondsSinceEpoch () + 5000); // TODO: 5 secs is a magic number
-		msg->UpdateSize ();
-		msg->UpdateChks ();
+		SetTypeID (msgType);
+		if (!replyMsgID) RAND_bytes ((uint8_t *)&replyMsgID, 4);
+		SetMsgID (replyMsgID); 
+		SetExpiration (i2p::util::GetMillisecondsSinceEpoch () + I2NP_MESSAGE_EXPIRATION_TIMEOUT); 
+		UpdateSize ();
+		UpdateChks ();
 	}		
 	
-	void RenewI2NPMessageHeader (I2NPMessage * msg)
+	void I2NPMessage::RenewI2NPMessageHeader ()
 	{
-		if (msg)
-		{
-			msg->SetMsgID (I2NPmsgID);
-			I2NPmsgID++;
-			msg->SetExpiration (i2p::util::GetMillisecondsSinceEpoch () + 5000); 		
-		}
+		uint32_t msgID;
+		RAND_bytes ((uint8_t *)&msgID, 4);
+		SetMsgID (msgID);
+		SetExpiration (i2p::util::GetMillisecondsSinceEpoch () + I2NP_MESSAGE_EXPIRATION_TIMEOUT); 		
 	}
 
-	I2NPMessage * CreateI2NPMessage (I2NPMessageType msgType, const uint8_t * buf, int len, uint32_t replyMsgID)
+	bool I2NPMessage::IsExpired () const
 	{
-		I2NPMessage * msg = NewI2NPMessage (len);
-		memcpy (msg->GetPayload (), buf, len);
-		msg->len += len;
-		FillI2NPMessageHeader (msg, msgType, replyMsgID);
+		auto ts = i2p::util::GetMillisecondsSinceEpoch ();
+		auto exp = GetExpiration ();  	
+		return (ts > exp + I2NP_MESSAGE_CLOCK_SKEW) || (ts < exp - 3*I2NP_MESSAGE_CLOCK_SKEW); // check if expired or too far in future
+	}	
+	
+	std::shared_ptr<I2NPMessage> CreateI2NPMessage (I2NPMessageType msgType, const uint8_t * buf, size_t len, uint32_t replyMsgID)
+	{
+		auto msg = NewI2NPMessage (len);
+		if (msg->Concat (buf, len) < len)
+			LogPrint (eLogError, "I2NP: message length ", len, " exceeds max length ", msg->maxLen);
+		msg->FillI2NPMessageHeader (msgType, replyMsgID);
 		return msg;
 	}	
 
-	I2NPMessage * CreateI2NPMessage (const uint8_t * buf, int len, std::shared_ptr<i2p::tunnel::InboundTunnel> from)
+	std::shared_ptr<I2NPMessage> CreateI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from)
 	{
-		I2NPMessage * msg = NewI2NPMessage ();
-		memcpy (msg->GetBuffer (), buf, len);
-		msg->len = msg->offset + len;
-		msg->from = from;
+		auto msg = NewI2NPMessage ();
+		if (msg->offset + len < msg->maxLen)
+		{
+			memcpy (msg->GetBuffer (), buf, len);
+			msg->len = msg->offset + len;
+			msg->from = from;
+		}
+		else
+			LogPrint (eLogError, "I2NP: message length ", len, " exceeds max length");
 		return msg;
 	}	
-	
-	I2NPMessage * CreateDeliveryStatusMsg (uint32_t msgID)
+
+	std::shared_ptr<I2NPMessage> CopyI2NPMessage (std::shared_ptr<I2NPMessage> msg)
 	{
-		I2NPMessage * m = NewI2NPShortMessage ();
+		if (!msg) return nullptr;
+		auto newMsg = NewI2NPMessage (msg->len);
+		newMsg->offset = msg->offset;
+		*newMsg = *msg;
+		return newMsg;
+	}	
+	
+	std::shared_ptr<I2NPMessage> CreateDeliveryStatusMsg (uint32_t msgID)
+	{
+		auto m = NewI2NPShortMessage ();
 		uint8_t * buf = m->GetPayload ();
 		if (msgID)
 		{
@@ -91,18 +101,19 @@ namespace i2p
 		}
 		else // for SSU establishment
 		{
-			htobe32buf (buf + DELIVERY_STATUS_MSGID_OFFSET, i2p::context.GetRandomNumberGenerator ().GenerateWord32 ());
+			RAND_bytes ((uint8_t *)&msgID, 4);
+			htobe32buf (buf + DELIVERY_STATUS_MSGID_OFFSET, msgID);
 			htobe64buf (buf + DELIVERY_STATUS_TIMESTAMP_OFFSET, 2); // netID = 2
 		}	
 		m->len += DELIVERY_STATUS_SIZE;
-		FillI2NPMessageHeader (m, eI2NPDeliveryStatus);
+		m->FillI2NPMessageHeader (eI2NPDeliveryStatus);
 		return m;
 	}
 
-	I2NPMessage * CreateRouterInfoDatabaseLookupMsg (const uint8_t * key, const uint8_t * from, 
+	std::shared_ptr<I2NPMessage> CreateRouterInfoDatabaseLookupMsg (const uint8_t * key, const uint8_t * from, 
 		uint32_t replyTunnelID, bool exploratory, std::set<i2p::data::IdentHash> * excludedPeers)
 	{
-		I2NPMessage * m = NewI2NPShortMessage ();
+		auto m = excludedPeers ? NewI2NPMessage () : NewI2NPShortMessage ();
 		uint8_t * buf = m->GetPayload ();
 		memcpy (buf, key, 32); // key
 		buf += 32;
@@ -140,15 +151,16 @@ namespace i2p
 		}		
 		
 		m->len += (buf - m->GetPayload ()); 
-		FillI2NPMessageHeader (m, eI2NPDatabaseLookup);
+		m->FillI2NPMessageHeader (eI2NPDatabaseLookup);
 		return m; 
 	}	
 
-	I2NPMessage * CreateLeaseSetDatabaseLookupMsg (const i2p::data::IdentHash& dest, 
+	std::shared_ptr<I2NPMessage> CreateLeaseSetDatabaseLookupMsg (const i2p::data::IdentHash& dest, 
 		const std::set<i2p::data::IdentHash>& excludedFloodfills,
-		const i2p::tunnel::InboundTunnel * replyTunnel, const uint8_t * replyKey, const uint8_t * replyTag)
+		std::shared_ptr<const i2p::tunnel::InboundTunnel> replyTunnel, const uint8_t * replyKey, const uint8_t * replyTag)
 	{
-		I2NPMessage * m = NewI2NPShortMessage ();
+		int cnt = excludedFloodfills.size ();
+		auto m = cnt > 0 ? NewI2NPMessage () : NewI2NPShortMessage ();
 		uint8_t * buf = m->GetPayload ();
 		memcpy (buf, dest, 32); // key
 		buf += 32;
@@ -159,7 +171,6 @@ namespace i2p
 		buf += 5;
 		
 		// excluded
-		int cnt = excludedFloodfills.size ();
 		htobe16buf (buf, cnt);
 		buf += 2;
 		if (cnt > 0)
@@ -177,16 +188,14 @@ namespace i2p
 		buf += 65;
 
 		m->len += (buf - m->GetPayload ()); 
-		FillI2NPMessageHeader (m, eI2NPDatabaseLookup);
+		m->FillI2NPMessageHeader (eI2NPDatabaseLookup);
 		return m; 		  			
-	}		
-			
-	
+	}			
 
-	I2NPMessage * CreateDatabaseSearchReply (const i2p::data::IdentHash& ident, 
+	std::shared_ptr<I2NPMessage> CreateDatabaseSearchReply (const i2p::data::IdentHash& ident, 
 		 std::vector<i2p::data::IdentHash> routers)
 	{
-		I2NPMessage * m = NewI2NPShortMessage ();
+		auto m = NewI2NPShortMessage ();
 		uint8_t * buf = m->GetPayload ();
 		size_t len = 0;
 		memcpy (buf, ident, 32);
@@ -201,16 +210,16 @@ namespace i2p
 		memcpy (buf + len, i2p::context.GetRouterInfo ().GetIdentHash (), 32);
 		len += 32;	
 		m->len += len;
-		FillI2NPMessageHeader (m, eI2NPDatabaseSearchReply);
+		m->FillI2NPMessageHeader (eI2NPDatabaseSearchReply);
 		return m; 
 	}	
 	
-	I2NPMessage * CreateDatabaseStoreMsg (const i2p::data::RouterInfo * router, uint32_t replyToken)
+	std::shared_ptr<I2NPMessage> CreateDatabaseStoreMsg (std::shared_ptr<const i2p::data::RouterInfo> router, uint32_t replyToken)
 	{
 		if (!router) // we send own RouterInfo
-			router = &context.GetRouterInfo ();
+			router = context.GetSharedRouterInfo ();
 
-		I2NPMessage * m = NewI2NPShortMessage ();
+		auto m = NewI2NPShortMessage ();
 		uint8_t * payload = m->GetPayload ();		
 
 		memcpy (payload + DATABASE_STORE_KEY_OFFSET, router->GetIdentHash (), 32);
@@ -225,25 +234,27 @@ namespace i2p
 			buf += 32;
 		}		
 
-		CryptoPP::Gzip compressor;
-		compressor.Put (router->GetBuffer (), router->GetBufferLen ());
-		compressor.MessageEnd();
-		auto size = compressor.MaxRetrievable ();
-		htobe16buf (buf, size); // size
+		uint8_t * sizePtr = buf;
 		buf += 2;
-		// TODO: check if size doesn't exceed buffer
-		compressor.Get (buf, size); 
-		buf += size;
 		m->len += (buf - payload); // payload size
-		FillI2NPMessageHeader (m, eI2NPDatabaseStore);
-		
+		i2p::data::GzipDeflator deflator;
+		size_t size = deflator.Deflate (router->GetBuffer (), router->GetBufferLen (), buf, m->maxLen -m->len);
+		if (size)
+		{	
+			htobe16buf (sizePtr, size); // size
+			m->len += size;
+		}	
+		else
+			m = nullptr;
+		if (m)
+			m->FillI2NPMessageHeader (eI2NPDatabaseStore);
 		return m;
 	}	
 
-	I2NPMessage * CreateDatabaseStoreMsg (const i2p::data::LeaseSet * leaseSet,  uint32_t replyToken)
+	std::shared_ptr<I2NPMessage> CreateDatabaseStoreMsg (std::shared_ptr<const i2p::data::LeaseSet> leaseSet,  uint32_t replyToken)
 	{
 		if (!leaseSet) return nullptr;
-		I2NPMessage * m = NewI2NPShortMessage ();
+		auto m = NewI2NPShortMessage ();
 		uint8_t * payload = m->GetPayload ();	
 		memcpy (payload + DATABASE_STORE_KEY_OFFSET, leaseSet->GetIdentHash (), 32);
 		payload[DATABASE_STORE_TYPE_OFFSET] = 1; // LeaseSet
@@ -254,9 +265,9 @@ namespace i2p
 			auto leases = leaseSet->GetNonExpiredLeases ();
 			if (leases.size () > 0)
 			{
-				htobe32buf (payload + size, leases[0].tunnelID);
+				htobe32buf (payload + size, leases[0]->tunnelID);
 				size += 4; // reply tunnelID
-				memcpy (payload + size, leases[0].tunnelGateway, 32);
+				memcpy (payload + size, leases[0]->tunnelGateway, 32);
 				size += 32; // reply tunnel gateway
 			}
 			else
@@ -265,9 +276,15 @@ namespace i2p
 		memcpy (payload + size, leaseSet->GetBuffer (), leaseSet->GetBufferLen ());
 		size += leaseSet->GetBufferLen ();
 		m->len += size;
-		FillI2NPMessageHeader (m, eI2NPDatabaseStore);
+		m->FillI2NPMessageHeader (eI2NPDatabaseStore);
 		return m;
 	}
+
+	bool IsRouterInfoMsg (std::shared_ptr<I2NPMessage> msg)
+	{
+		if (!msg || msg->GetTypeID () != eI2NPDatabaseStore) return false;
+		return !msg->GetPayload ()[DATABASE_STORE_TYPE_OFFSET]; // 0- RouterInfo
+	}	
 	
 	bool HandleBuildRequestRecords (int num, uint8_t * records, uint8_t * clearText)
 	{
@@ -276,7 +293,7 @@ namespace i2p
 			uint8_t * record = records + i*TUNNEL_BUILD_RECORD_SIZE;
 			if (!memcmp (record + BUILD_REQUEST_RECORD_TO_PEER_OFFSET, (const uint8_t *)i2p::context.GetRouterInfo ().GetIdentHash (), 16))
 			{	
-				LogPrint ("Record ",i," is ours");	
+				LogPrint (eLogDebug, "I2NP: Build request record ", i, " is ours");
 			
 				i2p::crypto::ElGamalDecrypt (i2p::context.GetEncryptionPrivateKey (), record + BUILD_REQUEST_RECORD_ENCRYPTED_OFFSET, clearText);
 				// replace record to reply			
@@ -284,8 +301,7 @@ namespace i2p
 					i2p::tunnel::tunnels.GetTransitTunnels ().size () <= MAX_NUM_TRANSIT_TUNNELS &&
 					!i2p::transport::transports.IsBandwidthExceeded ())
 				{	
-					i2p::tunnel::TransitTunnel * transitTunnel = 
-						i2p::tunnel::CreateTransitTunnel (
+					auto transitTunnel = i2p::tunnel::CreateTransitTunnel (
 							bufbe32toh (clearText + BUILD_REQUEST_RECORD_RECEIVE_TUNNEL_OFFSET), 
 							clearText + BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET, 
 						    bufbe32toh (clearText + BUILD_REQUEST_RECORD_NEXT_TUNNEL_OFFSET),
@@ -300,8 +316,8 @@ namespace i2p
 					record[BUILD_RESPONSE_RECORD_RET_OFFSET] = 30; // always reject with bandwidth reason (30)
 				
 				//TODO: fill filler
-				CryptoPP::SHA256().CalculateDigest(record + BUILD_RESPONSE_RECORD_HASH_OFFSET, 
-					record + BUILD_RESPONSE_RECORD_PADDING_OFFSET, BUILD_RESPONSE_RECORD_PADDING_SIZE + 1); // + 1 byte of ret
+				SHA256 (record + BUILD_RESPONSE_RECORD_PADDING_OFFSET, BUILD_RESPONSE_RECORD_PADDING_SIZE + 1, // + 1 byte of ret
+					record + BUILD_RESPONSE_RECORD_HASH_OFFSET);       
 				// encrypt reply
 				i2p::crypto::CBCEncryption encryption;
 				for (int j = 0; j < num; j++)
@@ -320,22 +336,27 @@ namespace i2p
 	void HandleVariableTunnelBuildMsg (uint32_t replyMsgID, uint8_t * buf, size_t len)
 	{	
 		int num = buf[0];
-		LogPrint ("VariableTunnelBuild ", num, " records");
+		LogPrint (eLogDebug, "I2NP: VariableTunnelBuild ", num, " records");
+		if (len < num*BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE + 1)
+		{
+			LogPrint (eLogError, "VaribleTunnelBuild message of ", num, " records is too short ", len);
+			return;
+		}	
 
 		auto tunnel =  i2p::tunnel::tunnels.GetPendingInboundTunnel (replyMsgID);
 		if (tunnel)
 		{
 			// endpoint of inbound tunnel
-			LogPrint ("VariableTunnelBuild reply for tunnel ", tunnel->GetTunnelID ());
+			LogPrint (eLogDebug, "I2NP: VariableTunnelBuild reply for tunnel ", tunnel->GetTunnelID ());
 			if (tunnel->HandleTunnelBuildResponse (buf, len))
 			{
-				LogPrint ("Inbound tunnel ", tunnel->GetTunnelID (), " has been created");
+				LogPrint (eLogInfo, "I2NP: Inbound tunnel ", tunnel->GetTunnelID (), " has been created");
 				tunnel->SetState (i2p::tunnel::eTunnelStateEstablished);	
 				i2p::tunnel::tunnels.AddInboundTunnel (tunnel);
 			}
 			else
 			{
-				LogPrint ("Inbound tunnel ", tunnel->GetTunnelID (), " has been declined");
+				LogPrint (eLogInfo, "I2NP: Inbound tunnel ", tunnel->GetTunnelID (), " has been declined");
 				tunnel->SetState (i2p::tunnel::eTunnelStateBuildFailed);	
 			}
 		}
@@ -362,6 +383,11 @@ namespace i2p
 
 	void HandleTunnelBuildMsg (uint8_t * buf, size_t len)
 	{
+		if (len < NUM_TUNNEL_BUILD_RECORDS*BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE)
+		{
+			LogPrint (eLogError, "TunnelBuild message is too short ", len);
+			return;
+		}	
 		uint8_t clearText[BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE];	
 		if (HandleBuildRequestRecords (NUM_TUNNEL_BUILD_RECORDS, buf, clearText))
 		{
@@ -382,60 +408,74 @@ namespace i2p
 
 	void HandleVariableTunnelBuildReplyMsg (uint32_t replyMsgID, uint8_t * buf, size_t len)
 	{	
-		LogPrint ("VariableTunnelBuildReplyMsg replyMsgID=", replyMsgID);
+		int num = buf[0];
+		LogPrint (eLogDebug, "I2NP: VariableTunnelBuildReplyMsg of ", num, " records replyMsgID=", replyMsgID);
+		if (len < num*BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE + 1)
+		{
+			LogPrint (eLogError, "VaribleTunnelBuildReply message of ", num, " records is too short ", len);
+			return;
+		}	
+		
 		auto tunnel = i2p::tunnel::tunnels.GetPendingOutboundTunnel (replyMsgID);
 		if (tunnel)
 		{	
 			// reply for outbound tunnel
 			if (tunnel->HandleTunnelBuildResponse (buf, len))
 			{	
-				LogPrint ("Outbound tunnel ", tunnel->GetTunnelID (), " has been created");
+				LogPrint (eLogInfo, "I2NP: Outbound tunnel ", tunnel->GetTunnelID (), " has been created");
 				tunnel->SetState (i2p::tunnel::eTunnelStateEstablished);	
 				i2p::tunnel::tunnels.AddOutboundTunnel (tunnel);
 			}	
 			else
 			{
-				LogPrint ("Outbound tunnel ", tunnel->GetTunnelID (), " has been declined");
+				LogPrint (eLogInfo, "I2NP: Outbound tunnel ", tunnel->GetTunnelID (), " has been declined");
 				tunnel->SetState (i2p::tunnel::eTunnelStateBuildFailed);	
 			}
 		}	
 		else
-			LogPrint ("Pending tunnel for message ", replyMsgID, " not found");
+			LogPrint (eLogWarning, "I2NP: Pending tunnel for message ", replyMsgID, " not found");
 	}
 
 
-	I2NPMessage * CreateTunnelDataMsg (const uint8_t * buf)
+	std::shared_ptr<I2NPMessage> CreateTunnelDataMsg (const uint8_t * buf)
 	{
-		I2NPMessage * msg = NewI2NPShortMessage ();
-		memcpy (msg->GetPayload (), buf, i2p::tunnel::TUNNEL_DATA_MSG_SIZE);
-		msg->len += i2p::tunnel::TUNNEL_DATA_MSG_SIZE; 
-		FillI2NPMessageHeader (msg, eI2NPTunnelData);
+		auto msg = NewI2NPShortMessage ();
+		msg->Concat (buf, i2p::tunnel::TUNNEL_DATA_MSG_SIZE);	
+		msg->FillI2NPMessageHeader (eI2NPTunnelData);
 		return msg;
 	}	
 
-	I2NPMessage * CreateTunnelDataMsg (uint32_t tunnelID, const uint8_t * payload)	
+	std::shared_ptr<I2NPMessage> CreateTunnelDataMsg (uint32_t tunnelID, const uint8_t * payload)	
 	{
-		I2NPMessage * msg = NewI2NPShortMessage ();
-		memcpy (msg->GetPayload () + 4, payload, i2p::tunnel::TUNNEL_DATA_MSG_SIZE - 4);
+		auto msg = NewI2NPShortMessage ();
 		htobe32buf (msg->GetPayload (), tunnelID);
+		msg->len += 4; // tunnelID
+		msg->Concat (payload, i2p::tunnel::TUNNEL_DATA_MSG_SIZE - 4);
+		msg->FillI2NPMessageHeader (eI2NPTunnelData);
+		return msg;
+	}	
+
+	std::shared_ptr<I2NPMessage> CreateEmptyTunnelDataMsg ()
+	{
+		auto msg = NewI2NPShortMessage ();
 		msg->len += i2p::tunnel::TUNNEL_DATA_MSG_SIZE; 
-		FillI2NPMessageHeader (msg, eI2NPTunnelData);
 		return msg;
 	}	
 	
-	I2NPMessage * CreateTunnelGatewayMsg (uint32_t tunnelID, const uint8_t * buf, size_t len)
+	std::shared_ptr<I2NPMessage> CreateTunnelGatewayMsg (uint32_t tunnelID, const uint8_t * buf, size_t len)
 	{
-		I2NPMessage * msg = NewI2NPMessage (len);
+		auto msg = NewI2NPMessage (len);
 		uint8_t * payload = msg->GetPayload ();
 		htobe32buf (payload + TUNNEL_GATEWAY_HEADER_TUNNELID_OFFSET, tunnelID);
 		htobe16buf (payload + TUNNEL_GATEWAY_HEADER_LENGTH_OFFSET, len);
-		memcpy (payload + TUNNEL_GATEWAY_HEADER_SIZE, buf, len);
-		msg->len += TUNNEL_GATEWAY_HEADER_SIZE + len;
-		FillI2NPMessageHeader (msg, eI2NPTunnelGateway);
+		msg->len += TUNNEL_GATEWAY_HEADER_SIZE;
+		if (msg->Concat (buf, len) < len)
+			LogPrint (eLogError, "I2NP: tunnel gateway buffer overflow ", msg->maxLen);	
+		msg->FillI2NPMessageHeader (eI2NPTunnelGateway);
 		return msg;
 	}	
 
-	I2NPMessage * CreateTunnelGatewayMsg (uint32_t tunnelID, I2NPMessage * msg)
+	std::shared_ptr<I2NPMessage> CreateTunnelGatewayMsg (uint32_t tunnelID, std::shared_ptr<I2NPMessage> msg)
 	{
 		if (msg->offset >= I2NP_HEADER_SIZE + TUNNEL_GATEWAY_HEADER_SIZE)
 		{
@@ -446,33 +486,29 @@ namespace i2p
 			htobe16buf (payload + TUNNEL_GATEWAY_HEADER_LENGTH_OFFSET, len);
 			msg->offset -= (I2NP_HEADER_SIZE + TUNNEL_GATEWAY_HEADER_SIZE);
 			msg->len = msg->offset + I2NP_HEADER_SIZE + TUNNEL_GATEWAY_HEADER_SIZE +len;
-			FillI2NPMessageHeader (msg, eI2NPTunnelGateway);
+			msg->FillI2NPMessageHeader (eI2NPTunnelGateway); 
 			return msg;
 		}
 		else
-		{	
-			I2NPMessage * msg1 = CreateTunnelGatewayMsg (tunnelID, msg->GetBuffer (), msg->GetLength ());
-			DeleteI2NPMessage (msg);
-			return msg1;
-		}	                               
+			return CreateTunnelGatewayMsg (tunnelID, msg->GetBuffer (), msg->GetLength ());                             
 	}
 
-	I2NPMessage * CreateTunnelGatewayMsg (uint32_t tunnelID, I2NPMessageType msgType, 
+	std::shared_ptr<I2NPMessage> CreateTunnelGatewayMsg (uint32_t tunnelID, I2NPMessageType msgType, 
 		const uint8_t * buf, size_t len, uint32_t replyMsgID)
 	{
-		I2NPMessage * msg = NewI2NPMessage (len);
+		auto msg = NewI2NPMessage (len);
 		size_t gatewayMsgOffset = I2NP_HEADER_SIZE + TUNNEL_GATEWAY_HEADER_SIZE;
 		msg->offset += gatewayMsgOffset;
 		msg->len += gatewayMsgOffset;
-		memcpy (msg->GetPayload (), buf, len);
-		msg->len += len;
-		FillI2NPMessageHeader (msg, msgType, replyMsgID); // create content message
+		if (msg->Concat (buf, len) < len)
+			LogPrint (eLogError, "I2NP: tunnel gateway buffer overflow ", msg->maxLen);
+		msg->FillI2NPMessageHeader (msgType, replyMsgID); // create content message
 		len = msg->GetLength ();
 		msg->offset -= gatewayMsgOffset;
 		uint8_t * payload = msg->GetPayload ();
 		htobe32buf (payload + TUNNEL_GATEWAY_HEADER_TUNNELID_OFFSET, tunnelID);
 		htobe16buf (payload + TUNNEL_GATEWAY_HEADER_LENGTH_OFFSET, len);
-		FillI2NPMessageHeader (msg, eI2NPTunnelGateway); // gateway message
+		msg->FillI2NPMessageHeader (eI2NPTunnelGateway); // gateway message
 		return msg;
 	}	
 
@@ -485,62 +521,56 @@ namespace i2p
 	{
 		uint8_t typeID = msg[I2NP_HEADER_TYPEID_OFFSET];
 		uint32_t msgID = bufbe32toh (msg + I2NP_HEADER_MSGID_OFFSET);	
-		LogPrint ("I2NP msg received len=", len,", type=", (int)typeID, ", msgID=", (unsigned int)msgID);
+		LogPrint (eLogDebug, "I2NP: msg received len=", len,", type=", (int)typeID, ", msgID=", (unsigned int)msgID);
 
 		uint8_t * buf = msg + I2NP_HEADER_SIZE;
 		int size = bufbe16toh (msg + I2NP_HEADER_SIZE_OFFSET);
 		switch (typeID)
 		{	
 			case eI2NPVariableTunnelBuild:
-				LogPrint ("VariableTunnelBuild");
 				HandleVariableTunnelBuildMsg  (msgID, buf, size);
 			break;	
 			case eI2NPVariableTunnelBuildReply:
-				LogPrint ("VariableTunnelBuildReply");
 				HandleVariableTunnelBuildReplyMsg (msgID, buf, size);
 			break;	
 			case eI2NPTunnelBuild:
-				LogPrint ("TunnelBuild");
 				HandleTunnelBuildMsg  (buf, size);
 			break;	
 			case eI2NPTunnelBuildReply:
-				LogPrint ("TunnelBuildReply");
 				// TODO:
 			break;	
 			default:
-				LogPrint ("Unexpected message ", (int)typeID);
+				LogPrint (eLogWarning, "I2NP: Unexpected message ", (int)typeID);
 		}	
 	}
 
-	void HandleI2NPMessage (I2NPMessage * msg)
+	void HandleI2NPMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		if (msg)
 		{	
-			switch (msg->GetTypeID ())
+			uint8_t typeID = msg->GetTypeID ();
+			LogPrint (eLogDebug, "I2NP: Handling message with type ", (int)typeID);
+			switch (typeID)
 			{	
 				case eI2NPTunnelData:
-					LogPrint ("TunnelData");
 					i2p::tunnel::tunnels.PostTunnelData (msg);
 				break;	
 				case eI2NPTunnelGateway:
-					LogPrint ("TunnelGateway");
 					i2p::tunnel::tunnels.PostTunnelData (msg);
 				break;
 				case eI2NPGarlic:
-					LogPrint ("Garlic");
+				{
 					if (msg->from)
 					{
 						if (msg->from->GetTunnelPool ())
 							msg->from->GetTunnelPool ()->ProcessGarlicMessage (msg);
 						else
-						{
-							LogPrint (eLogInfo, "Local destination for garlic doesn't exist anymore");
-							DeleteI2NPMessage (msg);
-						}	
+							LogPrint (eLogInfo, "I2NP: Local destination for garlic doesn't exist anymore");
 					}
 					else
 						i2p::context.ProcessGarlicMessage (msg); 
-				break;
+					break;
+				}
 				case eI2NPDatabaseStore:
 				case eI2NPDatabaseSearchReply:
 				case eI2NPDatabaseLookup:
@@ -548,12 +578,13 @@ namespace i2p
 					i2p::data::netdb.PostI2NPMsg (msg);
 				break;
 				case eI2NPDeliveryStatus:
-					LogPrint ("DeliveryStatus");
+				{
 					if (msg->from && msg->from->GetTunnelPool ())
 						msg->from->GetTunnelPool ()->ProcessDeliveryStatus (msg);
 					else
 						i2p::context.ProcessDeliveryStatusMessage (msg);
-				break;	
+					break;	
+				}
 				case eI2NPVariableTunnelBuild:		
 				case eI2NPVariableTunnelBuildReply:
 				case eI2NPTunnelBuild:
@@ -563,7 +594,6 @@ namespace i2p
 				break;	
 				default:
 					HandleI2NPMessage (msg->GetBuffer (), msg->GetLength ());
-					DeleteI2NPMessage (msg);
 			}	
 		}	
 	}	
@@ -573,7 +603,7 @@ namespace i2p
 		Flush ();
 	}
 	
-	void I2NPMessagesHandler::PutNextMessage (I2NPMessage * msg)
+	void I2NPMessagesHandler::PutNextMessage (std::shared_ptr<I2NPMessage>  msg)
 	{
 		if (msg)
 		{

I2NPProtocol.h

@@ -5,7 +5,7 @@
 #include <string.h>
 #include <set>
 #include <memory>
-#include <cryptopp/sha.h>
+#include <openssl/sha.h>
 #include "I2PEndian.h"
 #include "Identity.h"
 #include "RouterInfo.h"
@@ -97,7 +97,7 @@ namespace i2p
 	const uint8_t DATABASE_LOOKUP_TYPE_ROUTERINFO_LOOKUP = 0x08; // 1000			
 	const uint8_t DATABASE_LOOKUP_TYPE_EXPLORATORY_LOOKUP = 0x0C; // 1100
 
-	const int MAX_NUM_TRANSIT_TUNNELS = 2500;
+	const unsigned int MAX_NUM_TRANSIT_TUNNELS = 2500;
 
 namespace tunnel
 {		
@@ -107,6 +107,9 @@ namespace tunnel
 
 	const size_t I2NP_MAX_MESSAGE_SIZE = 32768; 
 	const size_t I2NP_MAX_SHORT_MESSAGE_SIZE = 4096; 
+	const unsigned int I2NP_MESSAGE_EXPIRATION_TIMEOUT = 8000; // in milliseconds (as initial RTT)
+	const unsigned int I2NP_MESSAGE_CLOCK_SKEW = 60*1000; // 1 minute in milliseconds 
+
 	struct I2NPMessage
 	{	
 		uint8_t * buf;	
@@ -132,12 +135,13 @@ namespace tunnel
 		void UpdateChks () 
 		{
 			uint8_t hash[32];
-			CryptoPP::SHA256().CalculateDigest(hash, GetPayload (), GetPayloadLength ());
+			SHA256(GetPayload (), GetPayloadLength (), hash);
 			GetHeader ()[I2NP_HEADER_CHKS_OFFSET] = hash[0];
 		}	
 		
 		// payload
 		uint8_t * GetPayload () { return GetBuffer () + I2NP_HEADER_SIZE; };
+		const uint8_t * GetPayload () const { return GetBuffer () + I2NP_HEADER_SIZE; };
 		uint8_t * GetBuffer () { return buf + offset; };
 		const uint8_t * GetBuffer () const { return buf + offset; };
 		size_t GetLength () const { return len - offset; };	
@@ -154,6 +158,15 @@ namespace tunnel
 			}	
 		}
 
+		size_t Concat (const uint8_t * buf1, size_t len1)
+		{
+			// make sure with don't write beyond maxLen
+			if (len + len1 > maxLen) len1 = maxLen - len;
+			memcpy (buf + len, buf1, len1);
+			len += len1;
+			return len1;
+		}
+
 		I2NPMessage& operator=(const I2NPMessage& other)
 		{
 			memcpy (buf + offset, other.buf + other.offset, other.GetLength ());
@@ -161,7 +174,7 @@ namespace tunnel
 			from = other.from;
 			return *this;
 		}	
-
+		
 		// for SSU only
 		uint8_t * GetSSUHeader () { return buf + offset + I2NP_HEADER_SIZE - I2NP_SHORT_HEADER_SIZE; };	
 		void FromSSU (uint32_t msgID) // we have received SSU message and convert it to regular
@@ -183,63 +196,68 @@ namespace tunnel
 			len = offset + I2NP_SHORT_HEADER_SIZE + bufbe16toh (header + I2NP_HEADER_SIZE_OFFSET);
 			return bufbe32toh (header + I2NP_HEADER_MSGID_OFFSET);
 		}	
+
+		void FillI2NPMessageHeader (I2NPMessageType msgType, uint32_t replyMsgID = 0);
+		void RenewI2NPMessageHeader ();
+		bool IsExpired () const;
 	};	
 
 	template<int sz>
 	struct I2NPMessageBuffer: public I2NPMessage
 	{
 		I2NPMessageBuffer () { buf = m_Buffer; maxLen = sz; };
-		uint8_t m_Buffer[sz + 16];
+		uint8_t m_Buffer[sz + 32]; // 16 alignment + 16 padding
 	};
 
-	I2NPMessage * NewI2NPMessage ();
-	I2NPMessage * NewI2NPShortMessage ();
-	I2NPMessage * NewI2NPMessage (size_t len);
-	void DeleteI2NPMessage (I2NPMessage * msg);
-	void FillI2NPMessageHeader (I2NPMessage * msg, I2NPMessageType msgType, uint32_t replyMsgID = 0);
-	void RenewI2NPMessageHeader (I2NPMessage * msg);
-	I2NPMessage * CreateI2NPMessage (I2NPMessageType msgType, const uint8_t * buf, int len, uint32_t replyMsgID = 0);	
-	I2NPMessage * CreateI2NPMessage (const uint8_t * buf, int len, std::shared_ptr<i2p::tunnel::InboundTunnel> from = nullptr);
+	std::shared_ptr<I2NPMessage> NewI2NPMessage ();
+	std::shared_ptr<I2NPMessage> NewI2NPShortMessage ();
+	std::shared_ptr<I2NPMessage> NewI2NPMessage (size_t len);
 	
-	I2NPMessage * CreateDeliveryStatusMsg (uint32_t msgID);
-	I2NPMessage * CreateRouterInfoDatabaseLookupMsg (const uint8_t * key, const uint8_t * from, 
+	std::shared_ptr<I2NPMessage> CreateI2NPMessage (I2NPMessageType msgType, const uint8_t * buf, size_t len, uint32_t replyMsgID = 0);	
+	std::shared_ptr<I2NPMessage> CreateI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from = nullptr);
+	std::shared_ptr<I2NPMessage> CopyI2NPMessage (std::shared_ptr<I2NPMessage> msg);
+
+	std::shared_ptr<I2NPMessage> CreateDeliveryStatusMsg (uint32_t msgID);
+	std::shared_ptr<I2NPMessage> CreateRouterInfoDatabaseLookupMsg (const uint8_t * key, const uint8_t * from, 
 		uint32_t replyTunnelID, bool exploratory = false, std::set<i2p::data::IdentHash> * excludedPeers = nullptr);
-	I2NPMessage * CreateLeaseSetDatabaseLookupMsg (const i2p::data::IdentHash& dest, 
+	std::shared_ptr<I2NPMessage> CreateLeaseSetDatabaseLookupMsg (const i2p::data::IdentHash& dest, 
 		const std::set<i2p::data::IdentHash>& excludedFloodfills,
-		const i2p::tunnel::InboundTunnel * replyTunnel, const uint8_t * replyKey, const uint8_t * replyTag);
-	I2NPMessage * CreateDatabaseSearchReply (const i2p::data::IdentHash& ident, std::vector<i2p::data::IdentHash> routers);
+		std::shared_ptr<const i2p::tunnel::InboundTunnel> replyTunnel, const uint8_t * replyKey, const uint8_t * replyTag);
+	std::shared_ptr<I2NPMessage> CreateDatabaseSearchReply (const i2p::data::IdentHash& ident, std::vector<i2p::data::IdentHash> routers);
 	
-	I2NPMessage * CreateDatabaseStoreMsg (const i2p::data::RouterInfo * router = nullptr, uint32_t replyToken = 0);
-	I2NPMessage * CreateDatabaseStoreMsg (const i2p::data::LeaseSet * leaseSet, uint32_t replyToken = 0);		
-		
+	std::shared_ptr<I2NPMessage> CreateDatabaseStoreMsg (std::shared_ptr<const i2p::data::RouterInfo> router = nullptr, uint32_t replyToken = 0);
+	std::shared_ptr<I2NPMessage> CreateDatabaseStoreMsg (std::shared_ptr<const i2p::data::LeaseSet> leaseSet, uint32_t replyToken = 0);		
+	bool IsRouterInfoMsg (std::shared_ptr<I2NPMessage> msg); 	
+
 	bool HandleBuildRequestRecords (int num, uint8_t * records, uint8_t * clearText);
 	void HandleVariableTunnelBuildMsg (uint32_t replyMsgID, uint8_t * buf, size_t len);
 	void HandleVariableTunnelBuildReplyMsg (uint32_t replyMsgID, uint8_t * buf, size_t len);
 	void HandleTunnelBuildMsg (uint8_t * buf, size_t len);	
 
-	I2NPMessage * CreateTunnelDataMsg (const uint8_t * buf);	
-	I2NPMessage * CreateTunnelDataMsg (uint32_t tunnelID, const uint8_t * payload);		
+	std::shared_ptr<I2NPMessage> CreateTunnelDataMsg (const uint8_t * buf);	
+	std::shared_ptr<I2NPMessage> CreateTunnelDataMsg (uint32_t tunnelID, const uint8_t * payload);		
+	std::shared_ptr<I2NPMessage> CreateEmptyTunnelDataMsg ();
 	
-	I2NPMessage * CreateTunnelGatewayMsg (uint32_t tunnelID, const uint8_t * buf, size_t len);
-	I2NPMessage * CreateTunnelGatewayMsg (uint32_t tunnelID, I2NPMessageType msgType, 
+	std::shared_ptr<I2NPMessage> CreateTunnelGatewayMsg (uint32_t tunnelID, const uint8_t * buf, size_t len);
+	std::shared_ptr<I2NPMessage> CreateTunnelGatewayMsg (uint32_t tunnelID, I2NPMessageType msgType, 
 		const uint8_t * buf, size_t len, uint32_t replyMsgID = 0);
-	I2NPMessage * CreateTunnelGatewayMsg (uint32_t tunnelID, I2NPMessage * msg);
+	std::shared_ptr<I2NPMessage> CreateTunnelGatewayMsg (uint32_t tunnelID, std::shared_ptr<I2NPMessage> msg);
 
 	size_t GetI2NPMessageLength (const uint8_t * msg);
 	void HandleI2NPMessage (uint8_t * msg, size_t len);
-	void HandleI2NPMessage (I2NPMessage * msg);
+	void HandleI2NPMessage (std::shared_ptr<I2NPMessage> msg);
 
 	class I2NPMessagesHandler
 	{
 		public:
 
 			~I2NPMessagesHandler ();
-			void PutNextMessage (I2NPMessage * msg);
+			void PutNextMessage (std::shared_ptr<I2NPMessage> msg);
 			void Flush ();
 			
 		private:
 
-			std::vector<I2NPMessage *> m_TunnelMsgs, m_TunnelGatewayMsgs;
+			std::vector<std::shared_ptr<I2NPMessage> > m_TunnelMsgs, m_TunnelGatewayMsgs;
 	};
 }	
 

I2PControl.cpp

@@ -1,15 +1,21 @@
-// There is bug in boost 1.49 with gcc 4.7 coming with Debian Wheezy
-#define GCC47_BOOST149 ((BOOST_VERSION == 104900) && (__GNUC__ == 4) && (__GNUC_MINOR__ == 7))
-
-#include "I2PControl.h"
+#include <stdio.h>
 #include <sstream>
+#include <openssl/x509.h>
+#include <openssl/pem.h>
 #include <boost/lexical_cast.hpp>
 #include <boost/date_time/local_time/local_time.hpp>
 #include <boost/date_time/posix_time/posix_time.hpp>
+#include <boost/property_tree/ini_parser.hpp>
+
+// There is bug in boost 1.49 with gcc 4.7 coming with Debian Wheezy
+#define GCC47_BOOST149 ((BOOST_VERSION == 104900) && (__GNUC__ == 4) && (__GNUC_MINOR__ >= 7))
 #if !GCC47_BOOST149
 #include <boost/property_tree/json_parser.hpp>
 #endif
+
+#include "FS.h"
 #include "Log.h"
+#include "Config.h"
 #include "NetDb.h"
 #include "RouterContext.h"
 #include "Daemon.h"
@@ -17,38 +23,66 @@
 #include "Timestamp.h"
 #include "Transports.h"
 #include "version.h"
+#include "I2PControl.h"
 
 namespace i2p
 {
 namespace client
 {
-	I2PControlService::I2PControlService (int port):
-		m_Password (I2P_CONTROL_DEFAULT_PASSWORD), m_IsRunning (false), m_Thread (nullptr),
-		m_Acceptor (m_Service, boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), port)),
+	I2PControlService::I2PControlService (const std::string& address, int port):
+		m_IsRunning (false), m_Thread (nullptr),
+		m_Acceptor (m_Service, boost::asio::ip::tcp::endpoint(boost::asio::ip::address::from_string(address), port)),
+		m_SSLContext (m_Service, boost::asio::ssl::context::sslv23),
 		m_ShutdownTimer (m_Service)
 	{
-		m_MethodHandlers[I2P_CONTROL_METHOD_AUTHENTICATE] = &I2PControlService::AuthenticateHandler; 
-		m_MethodHandlers[I2P_CONTROL_METHOD_ECHO] = &I2PControlService::EchoHandler; 
-		m_MethodHandlers[I2P_CONTROL_METHOD_I2PCONTROL] = &I2PControlService::I2PControlHandler; 
-		m_MethodHandlers[I2P_CONTROL_METHOD_ROUTER_INFO] = &I2PControlService::RouterInfoHandler; 
-		m_MethodHandlers[I2P_CONTROL_METHOD_ROUTER_MANAGER] = &I2PControlService::RouterManagerHandler; 
-		m_MethodHandlers[I2P_CONTROL_METHOD_NETWORK_SETTING] = &I2PControlService::NetworkSettingHandler; 
+		i2p::config::GetOption("i2pcontrol.password", m_Password);
+
+		// certificate / keys
+		std::string i2pcp_crt; i2p::config::GetOption("i2pcontrol.cert", i2pcp_crt);
+		std::string i2pcp_key; i2p::config::GetOption("i2pcontrol.key",  i2pcp_key);
+
+		if (i2pcp_crt.at(0) != '/')
+			i2pcp_crt = i2p::fs::DataDirPath(i2pcp_crt);
+		if (i2pcp_key.at(0) != '/')
+			i2pcp_key = i2p::fs::DataDirPath(i2pcp_key);
+		if (!i2p::fs::Exists (i2pcp_crt) || !i2p::fs::Exists (i2pcp_key)) {
+			LogPrint (eLogInfo, "I2PControl: creating new certificate for control connection");
+			CreateCertificate (i2pcp_crt.c_str(), i2pcp_key.c_str());
+		} else {
+			LogPrint(eLogDebug, "I2PControl: using cert from ", i2pcp_crt);
+		}
+		m_SSLContext.set_options (boost::asio::ssl::context::default_workarounds | boost::asio::ssl::context::no_sslv2 | boost::asio::ssl::context::single_dh_use);
+		m_SSLContext.use_certificate_file (i2pcp_crt, boost::asio::ssl::context::pem);
+		m_SSLContext.use_private_key_file (i2pcp_key, boost::asio::ssl::context::pem);
+
+		// handlers
+		m_MethodHandlers["Authenticate"]   = &I2PControlService::AuthenticateHandler;
+		m_MethodHandlers["Echo"]           = &I2PControlService::EchoHandler;
+		m_MethodHandlers["I2PControl"]     = &I2PControlService::I2PControlHandler;
+		m_MethodHandlers["RouterInfo"]     = &I2PControlService::RouterInfoHandler;
+		m_MethodHandlers["RouterManager"]  = &I2PControlService::RouterManagerHandler;
+		m_MethodHandlers["NetworkSetting"] = &I2PControlService::NetworkSettingHandler;
+
+		// I2PControl
+		m_I2PControlHandlers["i2pcontrol.password"] = &I2PControlService::PasswordHandler; 
 
 		// RouterInfo
-		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_UPTIME] = &I2PControlService::UptimeHandler;
-		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_VERSION] = &I2PControlService::VersionHandler;
-		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_STATUS] = &I2PControlService::StatusHandler;
-		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_NETDB_KNOWNPEERS] = &I2PControlService::NetDbKnownPeersHandler;
-		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_NETDB_ACTIVEPEERS] = &I2PControlService::NetDbActivePeersHandler;
-		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_NET_STATUS] = &I2PControlService::NetStatusHandler;
-		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_TUNNELS_PARTICIPATING] = &I2PControlService::TunnelsParticipatingHandler;
-		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_BW_IB_1S] = &I2PControlService::InboundBandwidth1S ;
-		m_RouterInfoHandlers[I2P_CONTROL_ROUTER_INFO_BW_OB_1S] = &I2PControlService::OutboundBandwidth1S ;
+		m_RouterInfoHandlers["i2p.router.uptime"]  = &I2PControlService::UptimeHandler;
+		m_RouterInfoHandlers["i2p.router.version"] = &I2PControlService::VersionHandler;
+		m_RouterInfoHandlers["i2p.router.status"]  = &I2PControlService::StatusHandler;
+		m_RouterInfoHandlers["i2p.router.netdb.knownpeers"]   = &I2PControlService::NetDbKnownPeersHandler;
+		m_RouterInfoHandlers["i2p.router.netdb.activepeers"]  = &I2PControlService::NetDbActivePeersHandler;
+		m_RouterInfoHandlers["i2p.router.net.bw.inbound.1s"]  = &I2PControlService::InboundBandwidth1S;
+		m_RouterInfoHandlers["i2p.router.net.bw.outbound.1s"] = &I2PControlService::OutboundBandwidth1S;
+		m_RouterInfoHandlers["i2p.router.net.status"]         = &I2PControlService::NetStatusHandler;
+		m_RouterInfoHandlers["i2p.router.net.tunnels.participating"] = &I2PControlService::TunnelsParticipatingHandler;
+		m_RouterInfoHandlers["i2p.router.net.total.received.bytes"]  = &I2PControlService::NetTotalReceivedBytes;
+		m_RouterInfoHandlers["i2p.router.net.total.sent.bytes"]      = &I2PControlService::NetTotalSentBytes;
 
 		// RouterManager	
-		m_RouterManagerHandlers[I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN] = &I2PControlService::ShutdownHandler; 
-		m_RouterManagerHandlers[I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN_GRACEFUL] = &I2PControlService::ShutdownGracefulHandler;
-		m_RouterManagerHandlers[I2P_CONTROL_ROUTER_MANAGER_RESEED] = &I2PControlService::ReseedHandler;
+		m_RouterManagerHandlers["Reseed"]           = &I2PControlService::ReseedHandler;
+		m_RouterManagerHandlers["Shutdown"]         = &I2PControlService::ShutdownHandler; 
+		m_RouterManagerHandlers["ShutdownGraceful"] = &I2PControlService::ShutdownGracefulHandler;
 	}
 
 	I2PControlService::~I2PControlService ()
@@ -71,77 +105,86 @@ namespace client
 		if (m_IsRunning)
 		{
 			m_IsRunning = false;
-			m_Acceptor.cancel ();	
+			m_Acceptor.cancel ();
 			m_Service.stop ();
 			if (m_Thread)
-			{	
-				m_Thread->join (); 
+			{
+				m_Thread->join ();
 				delete m_Thread;
 				m_Thread = nullptr;
-			}	
+			}
 		}
 	}
 
-	void I2PControlService::Run () 
-	{ 
+	void I2PControlService::Run ()
+	{
 		while (m_IsRunning)
 		{
-			try
-			{	
+			try {
 				m_Service.run ();
-			}
-			catch (std::exception& ex)
-			{
-				LogPrint (eLogError, "I2PControl: ", ex.what ());
+			} catch (std::exception& ex) {
+				LogPrint (eLogError, "I2PControl: runtime exception: ", ex.what ());
 			}	
 		}	
 	}
 
 	void I2PControlService::Accept ()
 	{
-		auto newSocket = std::make_shared<boost::asio::ip::tcp::socket> (m_Service);
-		m_Acceptor.async_accept (*newSocket, std::bind (&I2PControlService::HandleAccept, this,
+		auto newSocket = std::make_shared<ssl_socket> (m_Service, m_SSLContext);
+		m_Acceptor.async_accept (newSocket->lowest_layer(), std::bind (&I2PControlService::HandleAccept, this,
 			std::placeholders::_1, newSocket));
 	}
 
-	void I2PControlService::HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<boost::asio::ip::tcp::socket> socket)
+	void I2PControlService::HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<ssl_socket> socket)
 	{
 		if (ecode != boost::asio::error::operation_aborted)
 			Accept ();
 
-		if (!ecode)
-		{
-			LogPrint (eLogInfo, "New I2PControl request from ", socket->remote_endpoint ());
-			std::this_thread::sleep_for (std::chrono::milliseconds(5));
-			ReadRequest (socket);	
+		if (ecode) {
+			LogPrint (eLogError, "I2PControl: accept error: ",  ecode.message ());
+			return;
 		}
-		else
-			LogPrint (eLogError, "I2PControl accept error: ",  ecode.message ());
+		LogPrint (eLogDebug, "I2PControl: new request from ", socket->lowest_layer ().remote_endpoint ());
+		Handshake (socket);
 	}
 
-	void I2PControlService::ReadRequest (std::shared_ptr<boost::asio::ip::tcp::socket> socket)
+	void I2PControlService::Handshake (std::shared_ptr<ssl_socket> socket)
+	{
+		socket->async_handshake(boost::asio::ssl::stream_base::server,
+        	std::bind( &I2PControlService::HandleHandshake, this, std::placeholders::_1, socket));
+	}
+
+	void I2PControlService::HandleHandshake (const boost::system::error_code& ecode, std::shared_ptr<ssl_socket> socket)
+	{
+		if (ecode) {
+			LogPrint (eLogError, "I2PControl: handshake error: ", ecode.message ());
+			return;
+		}	
+		//std::this_thread::sleep_for (std::chrono::milliseconds(5));
+		ReadRequest (socket);
+	}
+
+	void I2PControlService::ReadRequest (std::shared_ptr<ssl_socket> socket)
 	{
 		auto request = std::make_shared<I2PControlBuffer>();
 		socket->async_read_some (
-#if BOOST_VERSION >= 104900
-			boost::asio::buffer (*request),  
+#if defined(BOOST_ASIO_HAS_STD_ARRAY)
+			boost::asio::buffer (*request),
 #else
-			boost::asio::buffer (request->data (), request->size ()), 
-#endif              
-			std::bind(&I2PControlService::HandleRequestReceived, this, 
+			boost::asio::buffer (request->data (), request->size ()),
+#endif
+			std::bind(&I2PControlService::HandleRequestReceived, this,
 			std::placeholders::_1, std::placeholders::_2, socket, request));
 	}
 
 	void I2PControlService::HandleRequestReceived (const boost::system::error_code& ecode,
- 		size_t bytes_transferred, std::shared_ptr<boost::asio::ip::tcp::socket> socket, 
+ 		size_t bytes_transferred, std::shared_ptr<ssl_socket> socket,
 		std::shared_ptr<I2PControlBuffer> buf)
 	{
-		if (ecode)
-		{
-			LogPrint (eLogError, "I2PControl read error: ", ecode.message ());
-		}
-		else
-		{
+		if (ecode) {
+			LogPrint (eLogError, "I2PControl: read error: ", ecode.message ());
+			return;
+		} else {
 			try
 			{
 				bool isHtml = !memcmp (buf->data (), "POST", 4);
@@ -150,42 +193,60 @@ namespace client
 				if (isHtml)
 				{
 					std::string header;
+					size_t contentLength = 0;
 					while (!ss.eof () && header != "\r")
+					{
 						std::getline(ss, header);
+						auto colon = header.find (':');
+						if (colon != std::string::npos && header.substr (0, colon) == "Content-Length")
+							contentLength = std::stoi (header.substr (colon + 1));
+					}
 					if (ss.eof ())
 					{
-						LogPrint (eLogError, "Malformed I2PControl request. HTTP header expected");
+						LogPrint (eLogError, "I2PControl: malformed request, HTTP header expected");
 						return; // TODO:
 					}
+					std::streamoff rem = contentLength + ss.tellg () - bytes_transferred; // more bytes to read
+					if (rem > 0)
+					{
+						bytes_transferred = boost::asio::read (*socket, boost::asio::buffer (buf->data (), rem));
+						ss.write (buf->data (), bytes_transferred);
+					}
 				}
+				std::ostringstream response;
 #if GCC47_BOOST149
-				LogPrint (eLogError, "json_read is not supported due bug in boost 1.49 with gcc 4.7");
+				LogPrint (eLogError, "I2PControl: json_read is not supported due bug in boost 1.49 with gcc 4.7");
+				response << "{\"id\":null,\"error\":";
+				response << "{\"code\":-32603,\"message\":\"JSON requests is not supported with this version of boost\"},";
+				response << "\"jsonrpc\":\"2.0\"}";
 #else
 				boost::property_tree::ptree pt;
 				boost::property_tree::read_json (ss, pt);
 
-				std::string method = pt.get<std::string>(I2P_CONTROL_PROPERTY_METHOD);
+				std::string id     = pt.get<std::string>("id");
+				std::string method = pt.get<std::string>("method");
 				auto it = m_MethodHandlers.find (method);
 				if (it != m_MethodHandlers.end ())
 				{
-					std::ostringstream response;
-					response << "{\"id\":" << pt.get<std::string>(I2P_CONTROL_PROPERTY_ID) << ",\"result\":{";					
-
-					(this->*(it->second))(pt.get_child (I2P_CONTROL_PROPERTY_PARAMS), response);
+					response << "{\"id\":" << id << ",\"result\":{";
+					(this->*(it->second))(pt.get_child ("params"), response);
 					response << "},\"jsonrpc\":\"2.0\"}";
-					SendResponse (socket, buf, response, isHtml);
-				}	
-				else
-					LogPrint (eLogWarning, "Unknown I2PControl method ", method);
+				} else {
+					LogPrint (eLogWarning, "I2PControl: unknown method ", method);
+					response << "{\"id\":null,\"error\":";
+					response << "{\"code\":-32601,\"message\":\"Method not found\"},";
+					response << "\"jsonrpc\":\"2.0\"}";
+				}
 #endif
+				SendResponse (socket, buf, response, isHtml);
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint (eLogError, "I2PControl handle request: ", ex.what ());
+				LogPrint (eLogError, "I2PControl: exception when handle request: ", ex.what ());
 			}
 			catch (...)
 			{
-				LogPrint (eLogError, "I2PControl handle request unknown exception");
+				LogPrint (eLogError, "I2PControl: handle request unknown exception");
 			}
 		}
 	}
@@ -193,23 +254,23 @@ namespace client
 	void I2PControlService::InsertParam (std::ostringstream& ss, const std::string& name, int value) const
 	{
 		ss << "\"" << name << "\":" << value;
-	} 
+	}
 
 	void I2PControlService::InsertParam (std::ostringstream& ss, const std::string& name, const std::string& value) const
 	{
-		ss << "\"" << name << "\":";	
+		ss << "\"" << name << "\":";
 		if (value.length () > 0)
 			ss << "\"" << value << "\"";
 		else
 			ss << "null";
-	} 
-		
+	}
+
 	void I2PControlService::InsertParam (std::ostringstream& ss, const std::string& name, double value) const
 	{
 		ss << "\"" << name << "\":" << std::fixed << std::setprecision(2) << value;
-	}	
+	}
 
-	void I2PControlService::SendResponse (std::shared_ptr<boost::asio::ip::tcp::socket> socket,
+	void I2PControlService::SendResponse (std::shared_ptr<ssl_socket> socket,
 		std::shared_ptr<I2PControlBuffer> buf, std::ostringstream& response, bool isHtml)
 	{
 		size_t len = response.str ().length (), offset = 0;
@@ -223,47 +284,49 @@ namespace client
 			header << "Date: ";
 			auto facet = new boost::local_time::local_time_facet ("%a, %d %b %Y %H:%M:%S GMT");
 			header.imbue(std::locale (header.getloc(), facet));
-			header << boost::posix_time::second_clock::local_time() << "\r\n"; 
+			header << boost::posix_time::second_clock::local_time() << "\r\n";
 			header << "\r\n";
 			offset = header.str ().size ();
 			memcpy (buf->data (), header.str ().c_str (), offset);
-		}	
+		}
 		memcpy (buf->data () + offset, response.str ().c_str (), len);
-		boost::asio::async_write (*socket, boost::asio::buffer (buf->data (), offset + len), 
+		boost::asio::async_write (*socket, boost::asio::buffer (buf->data (), offset + len),
 			boost::asio::transfer_all (),
-			std::bind(&I2PControlService::HandleResponseSent, this, 
+			std::bind(&I2PControlService::HandleResponseSent, this,
 				std::placeholders::_1, std::placeholders::_2, socket, buf));
 	}
 
 	void I2PControlService::HandleResponseSent (const boost::system::error_code& ecode, std::size_t bytes_transferred,
-		std::shared_ptr<boost::asio::ip::tcp::socket> socket, std::shared_ptr<I2PControlBuffer> buf)
+		std::shared_ptr<ssl_socket> socket, std::shared_ptr<I2PControlBuffer> buf)
 	{
-		if (ecode)
-			LogPrint (eLogError, "I2PControl write error: ", ecode.message ());
-		socket->close ();
+		if (ecode) {
+			LogPrint (eLogError, "I2PControl: write error: ", ecode.message ());
+		}
 	}
 
 // handlers
 
 	void I2PControlService::AuthenticateHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
 	{
-		int api = params.get<int> (I2P_CONTROL_PARAM_API);
-		auto password = params.get<std::string> (I2P_CONTROL_PARAM_PASSWORD);
-		LogPrint (eLogDebug, "I2PControl Authenticate API=", api, " Password=", password);
-		if (password != m_Password)
-			LogPrint (eLogError, "I2PControl Authenticate Invalid password ", password, " expected ", m_Password);
-		InsertParam (results, I2P_CONTROL_PARAM_API, api);
+		int api       = params.get<int> ("API");
+		auto password = params.get<std::string> ("Password");
+		LogPrint (eLogDebug, "I2PControl: Authenticate API=", api, " Password=", password);
+		if (password != m_Password) {
+			LogPrint (eLogError, "I2PControl: Authenticate - Invalid password: ", password);
+			return;
+		}
+		InsertParam (results, "API", api);
 		results << ",";
 		std::string token = boost::lexical_cast<std::string>(i2p::util::GetSecondsSinceEpoch ());
 		m_Tokens.insert (token);	
-		InsertParam (results, I2P_CONTROL_PARAM_TOKEN, token);
+		InsertParam (results, "Token", token);
 	}	
 
 	void I2PControlService::EchoHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
 	{
-		auto echo = params.get<std::string> (I2P_CONTROL_PARAM_ECHO);
+		auto echo = params.get<std::string> ("Echo");
 		LogPrint (eLogDebug, "I2PControl Echo Echo=", echo);
-		InsertParam (results, I2P_CONTROL_PARAM_RESULT, echo);	
+		InsertParam (results, "Result", echo);
 	}
 
 
@@ -271,107 +334,129 @@ namespace client
 
 	void I2PControlService::I2PControlHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
 	{
-		LogPrint (eLogDebug, "I2PControl I2PControl");
 		for (auto& it: params)
 		{
-			LogPrint (eLogDebug, it.first);
+			LogPrint (eLogDebug, "I2PControl: I2PControl request: ", it.first);
 			auto it1 = m_I2PControlHandlers.find (it.first);
 			if (it1 != m_I2PControlHandlers.end ())
-				(this->*(it1->second))(it.second.data ());	
+			{
+				(this->*(it1->second))(it.second.data ());
+				InsertParam (results, it.first, "");
+			}
 			else
-				LogPrint (eLogError, "I2PControl NetworkSetting unknown request ", it.first);			
+				LogPrint (eLogError, "I2PControl: I2PControl unknown request: ", it.first);
 		}	
 	}
 
+	void I2PControlService::PasswordHandler (const std::string& value)
+	{
+		LogPrint (eLogWarning, "I2PControl: new password=", value, ", to make it persistent you should update your config!");
+		m_Password = value;
+		m_Tokens.clear ();
+	}
+
 // RouterInfo
 
 	void I2PControlService::RouterInfoHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
 	{
-		LogPrint (eLogDebug, "I2PControl RouterInfo");
 		for (auto it = params.begin (); it != params.end (); it++)
 		{
-			if (it != params.begin ()) results << ",";	
-			LogPrint (eLogDebug, it->first);
+			LogPrint (eLogDebug, "I2PControl: RouterInfo request: ", it->first);
 			auto it1 = m_RouterInfoHandlers.find (it->first);
 			if (it1 != m_RouterInfoHandlers.end ())
-				(this->*(it1->second))(results);	
+			{
+				if (it != params.begin ()) results << ",";
+				(this->*(it1->second))(results);
+			}
 			else
-				LogPrint (eLogError, "I2PControl RouterInfo unknown request ", it->first);
+				LogPrint (eLogError, "I2PControl: RouterInfo unknown request ", it->first);
 		}
 	}
 
 	void I2PControlService::UptimeHandler (std::ostringstream& results)
 	{
-		InsertParam (results, I2P_CONTROL_ROUTER_INFO_UPTIME, (int)i2p::context.GetUptime ()*1000);	
+		InsertParam (results, "i2p.router.uptime", (int)i2p::context.GetUptime ()*1000);	
 	}
 
 	void I2PControlService::VersionHandler (std::ostringstream& results)
 	{
-		InsertParam (results, I2P_CONTROL_ROUTER_INFO_VERSION, VERSION);	
+		InsertParam (results, "i2p.router.version", VERSION);
 	}	
 
 	void I2PControlService::StatusHandler (std::ostringstream& results)
 	{
-		InsertParam (results, I2P_CONTROL_ROUTER_INFO_STATUS, "???"); // TODO:
+		InsertParam (results, "i2p.router.status", "???"); // TODO:
 	}
-		
+
 	void I2PControlService::NetDbKnownPeersHandler (std::ostringstream& results)
 	{
-		InsertParam (results, I2P_CONTROL_ROUTER_INFO_NETDB_KNOWNPEERS, i2p::data::netdb.GetNumRouters ());	
+		InsertParam (results, "i2p.router.netdb.knownpeers", i2p::data::netdb.GetNumRouters ());	
 	}
 
 	void I2PControlService::NetDbActivePeersHandler (std::ostringstream& results)
 	{
-		InsertParam (results, I2P_CONTROL_ROUTER_INFO_NETDB_ACTIVEPEERS, (int)i2p::transport::transports.GetPeers ().size ());	
+		InsertParam (results, "i2p.router.netdb.activepeers", (int)i2p::transport::transports.GetPeers ().size ());	
 	}
 
 	void I2PControlService::NetStatusHandler (std::ostringstream& results)
 	{
-		InsertParam (results, I2P_CONTROL_ROUTER_INFO_NET_STATUS, (int)i2p::context.GetStatus ());
+		InsertParam (results, "i2p.router.net.status", (int)i2p::context.GetStatus ());
 	}
 
 	void I2PControlService::TunnelsParticipatingHandler (std::ostringstream& results)
 	{
-		InsertParam (results, I2P_CONTROL_ROUTER_INFO_TUNNELS_PARTICIPATING, (int)i2p::tunnel::tunnels.GetTransitTunnels ().size ());
+		int transit = i2p::tunnel::tunnels.GetTransitTunnels ().size ();
+		InsertParam (results, "i2p.router.net.tunnels.participating", transit);
 	}
 
 	void I2PControlService::InboundBandwidth1S (std::ostringstream& results)
 	{
-		InsertParam (results, I2P_CONTROL_ROUTER_INFO_BW_IB_1S, (double)i2p::transport::transports.GetInBandwidth ());
+		double bw = i2p::transport::transports.GetInBandwidth ();
+		InsertParam (results, "i2p.router.net.bw.inbound.1s", bw);
 	}
 
 	void I2PControlService::OutboundBandwidth1S (std::ostringstream& results)
 	{
-		InsertParam (results, I2P_CONTROL_ROUTER_INFO_BW_OB_1S, (double)i2p::transport::transports.GetOutBandwidth ());
+		double bw = i2p::transport::transports.GetOutBandwidth ();
+		InsertParam (results, "i2p.router.net.bw.outbound.1s", bw);
+	}
+
+	void I2PControlService::NetTotalReceivedBytes (std::ostringstream& results)
+	{
+		InsertParam (results, "i2p.router.net.total.received.bytes", (double)i2p::transport::transports.GetTotalReceivedBytes ());
+	}
+
+	void I2PControlService::NetTotalSentBytes (std::ostringstream& results)
+	{
+		InsertParam (results, "i2p.router.net.total.sent.bytes",     (double)i2p::transport::transports.GetTotalSentBytes ());
 	}
 
 // RouterManager
-	
+
 	void I2PControlService::RouterManagerHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
 	{
-		LogPrint (eLogDebug, "I2PControl RouterManager");
 		for (auto it = params.begin (); it != params.end (); it++)
 		{
 			if (it != params.begin ()) results << ",";	
-			LogPrint (eLogDebug, it->first);
+			LogPrint (eLogDebug, "I2PControl: RouterManager request: ", it->first);
 			auto it1 = m_RouterManagerHandlers.find (it->first);
-			if (it1 != m_RouterManagerHandlers.end ())
+			if (it1 != m_RouterManagerHandlers.end ()) {
 				(this->*(it1->second))(results);	
-			else
-				LogPrint (eLogError, "I2PControl RouterManager unknown request ", it->first);			
+			} else
+				LogPrint (eLogError, "I2PControl: RouterManager unknown request: ", it->first);
 		}
-	}	
+	}
 
 
-	void I2PControlService::ShutdownHandler (std::ostringstream& results)	
+	void I2PControlService::ShutdownHandler (std::ostringstream& results)
 	{
-		LogPrint (eLogInfo, "Shutdown requested");
-		InsertParam (results, I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN, "");
+		LogPrint (eLogInfo, "I2PControl: Shutdown requested");
+		InsertParam (results, "Shutdown", "");
 		m_ShutdownTimer.expires_from_now (boost::posix_time::seconds(1)); // 1 second to make sure response has been sent
 		m_ShutdownTimer.async_wait (
 			[](const boost::system::error_code& ecode)
 		    {
-				Daemon.running = 0; 
+				Daemon.running = 0;
 			});
 	}
 
@@ -379,38 +464,85 @@ namespace client
 	{
 		i2p::context.SetAcceptsTunnels (false);
 		int timeout = i2p::tunnel::tunnels.GetTransitTunnelsExpirationTimeout ();
-		LogPrint (eLogInfo, "Graceful shutdown requested. Will shutdown after ", timeout, " seconds");
-		InsertParam (results, I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN_GRACEFUL, "");
+		LogPrint (eLogInfo, "I2PControl: Graceful shutdown requested, ", timeout, " seconds remains");
+		InsertParam (results, "ShutdownGraceful", "");
 		m_ShutdownTimer.expires_from_now (boost::posix_time::seconds(timeout + 1)); // + 1 second
 		m_ShutdownTimer.async_wait (
 			[](const boost::system::error_code& ecode)
 		    {
-				Daemon.running = 0; 
+				Daemon.running = 0;
 			});
 	}
 
 	void I2PControlService::ReseedHandler (std::ostringstream& results)
 	{
-		LogPrint (eLogInfo, "Reseed requested");
-		InsertParam (results, I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN, "");	
+		LogPrint (eLogInfo, "I2PControl: Reseed requested");
+		InsertParam (results, "Reseed", "");
 		i2p::data::netdb.Reseed ();
 	}
 
 // network setting
 	void I2PControlService::NetworkSettingHandler (const boost::property_tree::ptree& params, std::ostringstream& results)
 	{
-		LogPrint (eLogDebug, "I2PControl NetworkSetting");
 		for (auto it = params.begin (); it != params.end (); it++)
 		{
 			if (it != params.begin ()) results << ",";	
-			LogPrint (eLogDebug, it->first);
+			LogPrint (eLogDebug, "I2PControl: NetworkSetting request: ", it->first);
 			auto it1 = m_NetworkSettingHandlers.find (it->first);
-			if (it1 != m_NetworkSettingHandlers.end ())
+			if (it1 != m_NetworkSettingHandlers.end ()) {
 				(this->*(it1->second))(it->second.data (), results);	
-			else
-				LogPrint (eLogError, "I2PControl NetworkSetting unknown request ", it->first);			
+			} else
+				LogPrint (eLogError, "I2PControl: NetworkSetting unknown request: ", it->first);
 		}
 	}
 
+	// certificate	
+	void I2PControlService::CreateCertificate (const char *crt_path, const char *key_path)
+	{
+		FILE *f = NULL;
+		EVP_PKEY * pkey = EVP_PKEY_new ();
+		RSA * rsa = RSA_new ();
+		BIGNUM * e = BN_dup (i2p::crypto::GetRSAE ());
+		RSA_generate_key_ex (rsa, 4096, e, NULL);
+		BN_free (e);
+		if (rsa)
+		{
+			EVP_PKEY_assign_RSA (pkey, rsa);
+			X509 * x509 = X509_new ();
+			ASN1_INTEGER_set (X509_get_serialNumber (x509), 1);
+			X509_gmtime_adj (X509_get_notBefore (x509), 0);
+			X509_gmtime_adj (X509_get_notAfter (x509), I2P_CONTROL_CERTIFICATE_VALIDITY*24*60*60); // expiration
+			X509_set_pubkey (x509, pkey); // public key
+			X509_NAME * name = X509_get_subject_name (x509);
+			X509_NAME_add_entry_by_txt (name, "C",  MBSTRING_ASC, (unsigned char *)"RU", -1, -1, 0); // country (Russia by default)
+			X509_NAME_add_entry_by_txt (name, "O",  MBSTRING_ASC, (unsigned char *)I2P_CONTROL_CERTIFICATE_ORGANIZATION, -1, -1, 0); // organization
+			X509_NAME_add_entry_by_txt (name, "CN", MBSTRING_ASC, (unsigned char *)I2P_CONTROL_CERTIFICATE_COMMON_NAME, -1, -1, 0); // common name
+			X509_set_issuer_name (x509, name); // set issuer to ourselves
+			X509_sign (x509, pkey, EVP_sha1 ()); // sign
+
+			// save cert
+			if ((f = fopen (crt_path, "wb")) != NULL) {
+				LogPrint (eLogInfo, "I2PControl: saving new cert to ", crt_path);
+				PEM_write_X509 (f, x509);
+				fclose (f);
+			} else {
+				LogPrint (eLogError, "I2PControl: can't write cert: ", strerror(errno));
+			}
+
+			// save key
+			if ((f = fopen (key_path, "wb")) != NULL) {
+				LogPrint (eLogInfo, "I2PControl: saving cert key to ", key_path);
+				PEM_write_PrivateKey (f, pkey, NULL, NULL, 0, NULL, NULL);
+				fclose (f);
+			} else {
+				LogPrint (eLogError, "I2PControl: can't write key: ", strerror(errno));
+			}
+
+			X509_free (x509);
+		} else {
+			LogPrint (eLogError, "I2PControl: can't create RSA key for certificate");
+		}
+		EVP_PKEY_free (pkey);
+	}
 }
 }

I2PControl.h

@@ -10,6 +10,7 @@
 #include <map>
 #include <set>
 #include <boost/asio.hpp>
+#include <boost/asio/ssl.hpp>
 #include <boost/property_tree/ptree.hpp>
 
 namespace i2p
@@ -17,56 +18,18 @@ namespace i2p
 namespace client
 {
 	const size_t I2P_CONTROL_MAX_REQUEST_SIZE = 1024;
-	typedef std::array<char, I2P_CONTROL_MAX_REQUEST_SIZE> I2PControlBuffer;		
+	typedef std::array<char, I2P_CONTROL_MAX_REQUEST_SIZE> I2PControlBuffer;
 
-	const char I2P_CONTROL_DEFAULT_PASSWORD[] = "itoopie";	
-
-	const char I2P_CONTROL_PROPERTY_ID[] = "id";
-	const char I2P_CONTROL_PROPERTY_METHOD[] = "method";
-	const char I2P_CONTROL_PROPERTY_PARAMS[] = "params";
-	const char I2P_CONTROL_PROPERTY_RESULT[] = "result";
-
-	// methods	
-	const char I2P_CONTROL_METHOD_AUTHENTICATE[] = "Authenticate";
-	const char I2P_CONTROL_METHOD_ECHO[] = "Echo";
-	const char I2P_CONTROL_METHOD_I2PCONTROL[] = "I2PControl";		
-	const char I2P_CONTROL_METHOD_ROUTER_INFO[] = "RouterInfo";	
-	const char I2P_CONTROL_METHOD_ROUTER_MANAGER[] = "RouterManager";	
-	const char I2P_CONTROL_METHOD_NETWORK_SETTING[] = "NetworkSetting";	
-
-	// params
-	const char I2P_CONTROL_PARAM_API[] = "API";			
-	const char I2P_CONTROL_PARAM_PASSWORD[] = "Password";	
-	const char I2P_CONTROL_PARAM_TOKEN[] = "Token";	
-	const char I2P_CONTROL_PARAM_ECHO[] = "Echo";	
-	const char I2P_CONTROL_PARAM_RESULT[] = "Result";	
-
-	// I2PControl
-	const char I2P_CONTROL_I2PCONTROL_ADDRESS[] = "i2pcontrol.address";		
-	const char I2P_CONTROL_I2PCONTROL_PASSWORD[] = "i2pcontrol.password";
-	const char I2P_CONTROL_I2PCONTROL_PORT[] = "i2pcontrol.port";		
-
-	// RouterInfo requests
-	const char I2P_CONTROL_ROUTER_INFO_UPTIME[] = "i2p.router.uptime";
-	const char I2P_CONTROL_ROUTER_INFO_VERSION[] = "i2p.router.version";
-	const char I2P_CONTROL_ROUTER_INFO_STATUS[] = "i2p.router.status";	
-	const char I2P_CONTROL_ROUTER_INFO_NETDB_KNOWNPEERS[] = "i2p.router.netdb.knownpeers";
-	const char I2P_CONTROL_ROUTER_INFO_NETDB_ACTIVEPEERS[] = "i2p.router.netdb.activepeers";
-	const char I2P_CONTROL_ROUTER_INFO_NET_STATUS[] = "i2p.router.net.status";	
-	const char I2P_CONTROL_ROUTER_INFO_TUNNELS_PARTICIPATING[] = "i2p.router.net.tunnels.participating";
-	const char I2P_CONTROL_ROUTER_INFO_BW_IB_1S[] = "i2p.router.net.bw.inbound.1s";			
-	const char I2P_CONTROL_ROUTER_INFO_BW_OB_1S[] = "i2p.router.net.bw.outbound.1s";		
-
-	// RouterManager requests
-	const char I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN[] = "Shutdown";
-	const char I2P_CONTROL_ROUTER_MANAGER_SHUTDOWN_GRACEFUL[] = "ShutdownGraceful";
-	const char I2P_CONTROL_ROUTER_MANAGER_RESEED[] = "Reseed";		
+	const long I2P_CONTROL_CERTIFICATE_VALIDITY = 365*10; // 10 years
+	const char I2P_CONTROL_CERTIFICATE_COMMON_NAME[] = "i2pd.i2pcontrol";
+	const char I2P_CONTROL_CERTIFICATE_ORGANIZATION[] = "Purple I2P";
 
 	class I2PControlService
 	{
+		typedef boost::asio::ssl::stream<boost::asio::ip::tcp::socket> ssl_socket;
 		public:
 
-			I2PControlService (int port);
+			I2PControlService (const std::string& address, int port);
 			~I2PControlService ();
 
 			void Start ();
@@ -76,14 +39,18 @@ namespace client
 
 			void Run ();
 			void Accept ();
-			void HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<boost::asio::ip::tcp::socket> socket);	
-			void ReadRequest (std::shared_ptr<boost::asio::ip::tcp::socket> socket);
-			void HandleRequestReceived (const boost::system::error_code& ecode, size_t bytes_transferred, 
-				std::shared_ptr<boost::asio::ip::tcp::socket> socket, std::shared_ptr<I2PControlBuffer> buf);
-			void SendResponse (std::shared_ptr<boost::asio::ip::tcp::socket> socket,
+			void HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<ssl_socket> socket);
+			void Handshake (std::shared_ptr<ssl_socket> socket);
+			void HandleHandshake (const boost::system::error_code& ecode, std::shared_ptr<ssl_socket> socket);
+			void ReadRequest (std::shared_ptr<ssl_socket> socket);
+			void HandleRequestReceived (const boost::system::error_code& ecode, size_t bytes_transferred,
+				std::shared_ptr<ssl_socket> socket, std::shared_ptr<I2PControlBuffer> buf);
+			void SendResponse (std::shared_ptr<ssl_socket> socket,
 				std::shared_ptr<I2PControlBuffer> buf, std::ostringstream& response, bool isHtml);
 			void HandleResponseSent (const boost::system::error_code& ecode, std::size_t bytes_transferred,
-				std::shared_ptr<boost::asio::ip::tcp::socket> socket, std::shared_ptr<I2PControlBuffer> buf);
+				std::shared_ptr<ssl_socket> socket, std::shared_ptr<I2PControlBuffer> buf);
+
+			void CreateCertificate (const char *crt_path, const char *key_path);
 
 		private:
 
@@ -99,10 +66,11 @@ namespace client
 			void I2PControlHandler (const boost::property_tree::ptree& params, std::ostringstream& results);
 			void RouterInfoHandler (const boost::property_tree::ptree& params, std::ostringstream& results);
 			void RouterManagerHandler (const boost::property_tree::ptree& params, std::ostringstream& results);
-			void NetworkSettingHandler (const boost::property_tree::ptree& params, std::ostringstream& results);			
+			void NetworkSettingHandler (const boost::property_tree::ptree& params, std::ostringstream& results);
 
 			// I2PControl
 			typedef void (I2PControlService::*I2PControlRequestHandler)(const std::string& value);
+			void PasswordHandler (const std::string& value);
 
 			// RouterInfo
 			typedef void (I2PControlService::*RouterInfoRequestHandler)(std::ostringstream& results);
@@ -110,11 +78,13 @@ namespace client
 			void VersionHandler (std::ostringstream& results);
 			void StatusHandler (std::ostringstream& results);
 			void NetDbKnownPeersHandler (std::ostringstream& results);
-			void NetDbActivePeersHandler (std::ostringstream& results);	
-			void NetStatusHandler (std::ostringstream& results);		
+			void NetDbActivePeersHandler (std::ostringstream& results);
+			void NetStatusHandler (std::ostringstream& results);
 			void TunnelsParticipatingHandler (std::ostringstream& results);
 			void InboundBandwidth1S (std::ostringstream& results);
 			void OutboundBandwidth1S (std::ostringstream& results);
+			void NetTotalReceivedBytes (std::ostringstream& results);
+			void NetTotalSentBytes (std::ostringstream& results);
 
 			// RouterManager
 			typedef void (I2PControlService::*RouterManagerRequestHandler)(std::ostringstream& results);
@@ -123,19 +93,20 @@ namespace client
 			void ReseedHandler (std::ostringstream& results);
 
 			// NetworkSetting
-			typedef void (I2PControlService::*NetworkSettingRequestHandler)(const std::string& value, std::ostringstream& results);	
+			typedef void (I2PControlService::*NetworkSettingRequestHandler)(const std::string& value, std::ostringstream& results);
 
 		private:
 
 			std::string m_Password;
 			bool m_IsRunning;
-			std::thread * m_Thread;	
+			std::thread * m_Thread;
 
 			boost::asio::io_service m_Service;
 			boost::asio::ip::tcp::acceptor m_Acceptor;
+			boost::asio::ssl::context m_SSLContext;
 			boost::asio::deadline_timer m_ShutdownTimer;
 			std::set<std::string> m_Tokens;
-			
+
 			std::map<std::string, MethodHandler> m_MethodHandlers;
 			std::map<std::string, I2PControlRequestHandler> m_I2PControlHandlers;
 			std::map<std::string, RouterInfoRequestHandler> m_RouterInfoHandlers;

I2PEndian.h

@@ -3,7 +3,7 @@
 #include <inttypes.h>
 #include <string.h>
 
-#if defined(__linux__) || defined(__FreeBSD_kernel__)
+#if defined(__linux__) || defined(__FreeBSD_kernel__) || defined(__OpenBSD__)
 #include <endian.h>
 #elif __FreeBSD__
 #include <sys/endian.h>

I2PService.cpp

@@ -28,11 +28,143 @@ namespace client
 			m_LocalDestination->CreateStream (streamRequestComplete, identHash, port);
 		else
 		{
-			LogPrint (eLogWarning, "Remote destination ", dest, " not found");
+			LogPrint (eLogWarning, "I2PService: Remote destination ", dest, " not found");
 			streamRequestComplete (nullptr);
 		}
 	}
 
+	TCPIPPipe::TCPIPPipe(I2PService * owner, std::shared_ptr<boost::asio::ip::tcp::socket> upstream, std::shared_ptr<boost::asio::ip::tcp::socket> downstream) : I2PServiceHandler(owner), m_up(upstream), m_down(downstream) {}
+
+	TCPIPPipe::~TCPIPPipe()
+	{
+		Terminate();
+	}
+	
+	void TCPIPPipe::Start()
+	{
+		AsyncReceiveUpstream();
+		AsyncReceiveDownstream();
+	}
+
+	void TCPIPPipe::Terminate()
+	{
+		if(Kill()) return;
+		Done(shared_from_this());
+		if (m_up) {
+			if (m_up->is_open()) {
+				m_up->close();
+			}
+			m_up = nullptr;
+		}
+		if (m_down) {
+			if (m_down->is_open()) {
+				m_down->close();
+			}
+			m_down = nullptr;
+		}
+	}
+	
+	void TCPIPPipe::AsyncReceiveUpstream()
+	{
+		if (m_up) {
+			m_up->async_read_some(boost::asio::buffer(m_upstream_to_down_buf, TCP_IP_PIPE_BUFFER_SIZE),
+															std::bind(&TCPIPPipe::HandleUpstreamReceived, shared_from_this(),
+																				std::placeholders::_1, std::placeholders::_2));
+		} else {
+			LogPrint(eLogError, "TCPIPPipe: no upstream socket for read");
+		}
+	}
+
+	void TCPIPPipe::AsyncReceiveDownstream()
+	{
+		if (m_down) {
+			m_down->async_read_some(boost::asio::buffer(m_downstream_to_up_buf, TCP_IP_PIPE_BUFFER_SIZE),
+															std::bind(&TCPIPPipe::HandleDownstreamReceived, shared_from_this(),
+																				std::placeholders::_1, std::placeholders::_2));
+		} else {
+			LogPrint(eLogError, "TCPIPPipe: no downstream socket for read");
+		}
+	}
+
+	void TCPIPPipe::UpstreamWrite(const uint8_t * buf, size_t len)
+	{
+		if (m_up) {
+			LogPrint(eLogDebug, "TCPIPPipe: write upstream ", (int)len);
+			boost::asio::async_write(*m_up, boost::asio::buffer(buf, len),
+															 boost::asio::transfer_all(),
+															 std::bind(&TCPIPPipe::HandleUpstreamWrite,
+																				 shared_from_this(),
+																				 std::placeholders::_1)
+															 );
+		} else {
+			LogPrint(eLogError, "tcpip pipe upstream socket null");
+		}
+	}
+
+	void TCPIPPipe::DownstreamWrite(const uint8_t * buf, size_t len)
+	{
+		if (m_down) {
+			LogPrint(eLogDebug, "TCPIPPipe: write downstream ", (int)len);
+			boost::asio::async_write(*m_down, boost::asio::buffer(buf, len),
+															 boost::asio::transfer_all(),
+															 std::bind(&TCPIPPipe::HandleDownstreamWrite,
+																				 shared_from_this(),
+																				 std::placeholders::_1)
+															 );
+		} else { 
+			LogPrint(eLogError, "tcpip pipe downstream socket null");
+		}
+	}
+	
+	
+	void TCPIPPipe::HandleDownstreamReceived(const boost::system::error_code & ecode, std::size_t bytes_transfered)
+	{
+		LogPrint(eLogDebug, "TCPIPPipe downstream got ", (int) bytes_transfered);
+		if (ecode) {
+			LogPrint(eLogError, "TCPIPPipe Downstream read error:" , ecode.message());
+			if (ecode != boost::asio::error::operation_aborted)
+				Terminate();
+		} else {
+			if (bytes_transfered > 0 ) {
+				memcpy(m_upstream_buf, m_downstream_to_up_buf, bytes_transfered);
+				UpstreamWrite(m_upstream_buf, bytes_transfered);
+			}
+			AsyncReceiveDownstream();
+		}
+	}
+
+	void TCPIPPipe::HandleDownstreamWrite(const boost::system::error_code & ecode) {
+		if (ecode) {
+			LogPrint(eLogError, "TCPIPPipe Downstream write error:" , ecode.message());
+			if (ecode != boost::asio::error::operation_aborted)
+				Terminate();
+		}
+	}
+	
+	void TCPIPPipe::HandleUpstreamWrite(const boost::system::error_code & ecode) {
+		if (ecode) {
+			LogPrint(eLogError, "TCPIPPipe Upstream write error:" , ecode.message());
+			if (ecode != boost::asio::error::operation_aborted)
+				Terminate();
+		}
+	}
+	
+	void TCPIPPipe::HandleUpstreamReceived(const boost::system::error_code & ecode, std::size_t bytes_transfered)
+	{
+		LogPrint(eLogDebug, "TCPIPPipe upstream got ", (int) bytes_transfered);
+		if (ecode) {
+			LogPrint(eLogError, "TCPIPPipe Upstream read error:" , ecode.message());
+			if (ecode != boost::asio::error::operation_aborted)
+				Terminate();
+		} else {
+			if (bytes_transfered > 0 ) {
+				memcpy(m_upstream_buf, m_upstream_to_down_buf, bytes_transfered);
+				DownstreamWrite(m_upstream_buf, bytes_transfered);
+			}
+			AsyncReceiveUpstream();
+		}
+	}
+	
 	void TCPIPAcceptor::Start ()
 	{
 		m_Acceptor.listen ();
@@ -48,31 +180,30 @@ namespace client
 
 	void TCPIPAcceptor::Accept ()
 	{
-		auto newSocket = new boost::asio::ip::tcp::socket (GetService ());
+		auto newSocket = std::make_shared<boost::asio::ip::tcp::socket> (GetService ());
 		m_Acceptor.async_accept (*newSocket, std::bind (&TCPIPAcceptor::HandleAccept, this,
 			std::placeholders::_1, newSocket));
 	}
 
-	void TCPIPAcceptor::HandleAccept (const boost::system::error_code& ecode, boost::asio::ip::tcp::socket * socket)
+	void TCPIPAcceptor::HandleAccept (const boost::system::error_code& ecode, std::shared_ptr<boost::asio::ip::tcp::socket> socket)
 	{
 		if (!ecode)
 		{
-			LogPrint(eLogDebug,"--- ",GetName()," accepted");
+			LogPrint(eLogDebug, "I2PService: ", GetName(), " accepted");
 			auto handler = CreateHandler(socket);
-			if (handler) {
+			if (handler) 
+			{
 				AddHandler(handler);
 				handler->Handle();
-			} else {
+			} 
+			else 
 				socket->close();
-				delete socket;
-			}
 			Accept();
 		}
 		else
 		{
 			if (ecode != boost::asio::error::operation_aborted)
-				LogPrint (eLogError,"--- ",GetName()," Closing socket on accept because: ", ecode.message ());
-			delete socket;
+				LogPrint (eLogError, "I2PService: ", GetName(), " closing socket on accept because: ", ecode.message ());
 		}
 	}
 

I2PService.h

@@ -76,18 +76,42 @@ namespace client
 			std::atomic<bool> m_Dead; //To avoid cleaning up multiple times
 	};
 
+	const size_t TCP_IP_PIPE_BUFFER_SIZE = 8192;
+
+	// bidirectional pipe for 2 tcp/ip sockets
+	class TCPIPPipe: public I2PServiceHandler, public std::enable_shared_from_this<TCPIPPipe> {
+	public:
+		TCPIPPipe(I2PService * owner, std::shared_ptr<boost::asio::ip::tcp::socket> upstream, std::shared_ptr<boost::asio::ip::tcp::socket> downstream);
+		~TCPIPPipe();
+		void Start();
+	protected:
+		void Terminate();
+		void AsyncReceiveUpstream();
+		void AsyncReceiveDownstream();
+		void HandleUpstreamReceived(const boost::system::error_code & ecode, std::size_t bytes_transferred);
+		void HandleDownstreamReceived(const boost::system::error_code & ecode, std::size_t bytes_transferred);
+		void HandleUpstreamWrite(const boost::system::error_code & ecode);
+		void HandleDownstreamWrite(const boost::system::error_code & ecode);
+		void UpstreamWrite(const uint8_t * buf, size_t len);
+		void DownstreamWrite(const uint8_t * buf, size_t len);
+	private:
+		uint8_t m_upstream_to_down_buf[TCP_IP_PIPE_BUFFER_SIZE], m_downstream_to_up_buf[TCP_IP_PIPE_BUFFER_SIZE];
+		uint8_t m_upstream_buf[TCP_IP_PIPE_BUFFER_SIZE], m_downstream_buf[TCP_IP_PIPE_BUFFER_SIZE];
+		std::shared_ptr<boost::asio::ip::tcp::socket> m_up, m_down;
+	};
+	
 	/* TODO: support IPv6 too */
 	//This is a service that listens for connections on the IP network and interacts with I2P
 	class TCPIPAcceptor: public I2PService
 	{
 		public:
-			TCPIPAcceptor (int port, std::shared_ptr<ClientDestination> localDestination = nullptr) :
+			TCPIPAcceptor (const std::string& address, int port, std::shared_ptr<ClientDestination> localDestination = nullptr) :
 				I2PService(localDestination),
-				m_Acceptor (GetService (), boost::asio::ip::tcp::endpoint (boost::asio::ip::tcp::v4(), port)),
+				m_Acceptor (GetService (), boost::asio::ip::tcp::endpoint (boost::asio::ip::address::from_string(address), port)),
 				m_Timer (GetService ()) {}
-			TCPIPAcceptor (int port, i2p::data::SigningKeyType kt) :
+			TCPIPAcceptor (const std::string& address, int port, i2p::data::SigningKeyType kt) :
 				I2PService(kt),
-				m_Acceptor (GetService (), boost::asio::ip::tcp::endpoint (boost::asio::ip::tcp::v4(), port)),
+				m_Acceptor (GetService (), boost::asio::ip::tcp::endpoint (boost::asio::ip::address::from_string(address), port)),
 				m_Timer (GetService ()) {}
 			virtual ~TCPIPAcceptor () { TCPIPAcceptor::Stop(); }
 			//If you override this make sure you call it from the children
@@ -95,11 +119,11 @@ namespace client
 			//If you override this make sure you call it from the children
 			void Stop ();
 		protected:
-			virtual std::shared_ptr<I2PServiceHandler> CreateHandler(boost::asio::ip::tcp::socket * socket) = 0;
+			virtual std::shared_ptr<I2PServiceHandler> CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket) = 0;
 			virtual const char* GetName() { return "Generic TCP/IP accepting daemon"; }
 		private:
 			void Accept();
-			void HandleAccept(const boost::system::error_code& ecode, boost::asio::ip::tcp::socket * socket);
+			void HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<boost::asio::ip::tcp::socket> socket);
 			boost::asio::ip::tcp::acceptor m_Acceptor;
 			boost::asio::deadline_timer m_Timer;
 	};

I2PTunnel.cpp

@@ -1,5 +1,5 @@
 #include <cassert>
-#include "base64.h"
+#include "Base.h"
 #include "Log.h"
 #include "Destination.h"
 #include "ClientContext.h"
@@ -9,7 +9,7 @@ namespace i2p
 {
 namespace client
 {
-	I2PTunnelConnection::I2PTunnelConnection (I2PService * owner, boost::asio::ip::tcp::socket * socket,
+	I2PTunnelConnection::I2PTunnelConnection (I2PService * owner, std::shared_ptr<boost::asio::ip::tcp::socket> socket,
 		std::shared_ptr<const i2p::data::LeaseSet> leaseSet, int port): 
 		I2PServiceHandler(owner), m_Socket (socket), m_RemoteEndpoint (socket->remote_endpoint ()),
 		m_IsQuiet (true)
@@ -18,14 +18,14 @@ namespace client
 	}	
 
 	I2PTunnelConnection::I2PTunnelConnection (I2PService * owner,
-	    boost::asio::ip::tcp::socket * socket, std::shared_ptr<i2p::stream::Stream> stream):
+	    std::shared_ptr<boost::asio::ip::tcp::socket> socket, std::shared_ptr<i2p::stream::Stream> stream):
 		I2PServiceHandler(owner), m_Socket (socket), m_Stream (stream),
 		m_RemoteEndpoint (socket->remote_endpoint ()), m_IsQuiet (true)
 	{
 	}
 
 	I2PTunnelConnection::I2PTunnelConnection (I2PService * owner, std::shared_ptr<i2p::stream::Stream> stream,
-	    boost::asio::ip::tcp::socket * socket, const boost::asio::ip::tcp::endpoint& target, bool quiet):
+	    std::shared_ptr<boost::asio::ip::tcp::socket> socket, const boost::asio::ip::tcp::endpoint& target, bool quiet):
 		I2PServiceHandler(owner), m_Socket (socket), m_Stream (stream),
 		m_RemoteEndpoint (target), m_IsQuiet (quiet)
 	{
@@ -78,15 +78,24 @@ namespace client
 	{
 		if (ecode)
 		{
-			LogPrint ("I2PTunnel read error: ", ecode.message ());
+			LogPrint (eLogError, "I2PTunnel: read error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
 		else
 		{	
 			if (m_Stream)
-				m_Stream->Send (m_Buffer, bytes_transferred);
-			Receive ();
+			{	
+				auto s = shared_from_this ();
+				m_Stream->AsyncSend (m_Buffer, bytes_transferred,
+					[s](const boost::system::error_code& ecode)
+				    {
+						if (!ecode)
+							s->Receive ();
+						else
+							s->Terminate ();
+					});
+			}	
 		}
 	}	
 
@@ -94,7 +103,7 @@ namespace client
 	{
 		if (ecode)
 		{
-			LogPrint ("I2PTunnel write error: ", ecode.message ());
+			LogPrint (eLogError, "I2PTunnel: write error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
@@ -105,43 +114,66 @@ namespace client
 	void I2PTunnelConnection::StreamReceive ()
 	{
 		if (m_Stream)
-			m_Stream->AsyncReceive (boost::asio::buffer (m_StreamBuffer, I2P_TUNNEL_CONNECTION_BUFFER_SIZE),
-				std::bind (&I2PTunnelConnection::HandleStreamReceive, shared_from_this (),
-					std::placeholders::_1, std::placeholders::_2),
-				I2P_TUNNEL_CONNECTION_MAX_IDLE);
+		{
+			if (m_Stream->GetStatus () == i2p::stream::eStreamStatusNew ||
+			    m_Stream->GetStatus () == i2p::stream::eStreamStatusOpen) // regular
+			{	
+				m_Stream->AsyncReceive (boost::asio::buffer (m_StreamBuffer, I2P_TUNNEL_CONNECTION_BUFFER_SIZE),
+					std::bind (&I2PTunnelConnection::HandleStreamReceive, shared_from_this (),
+						std::placeholders::_1, std::placeholders::_2),
+					I2P_TUNNEL_CONNECTION_MAX_IDLE);
+			}	
+			else // closed by peer
+			{
+				// get remaning data
+				auto len = m_Stream->ReadSome (m_StreamBuffer, I2P_TUNNEL_CONNECTION_BUFFER_SIZE);
+				if (len > 0) // still some data
+					Write (m_StreamBuffer, len);
+				else // no more data
+					Terminate (); 
+			}		
+		}	
 	}	
 
 	void I2PTunnelConnection::HandleStreamReceive (const boost::system::error_code& ecode, std::size_t bytes_transferred)
 	{
 		if (ecode)
 		{
-			LogPrint ("I2PTunnel stream read error: ", ecode.message ());
+			LogPrint (eLogError, "I2PTunnel: stream read error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
-				Terminate ();
+			{
+				if (bytes_transferred > 0)
+					Write (m_StreamBuffer, bytes_transferred); // postpone termination
+				else	
+					Terminate ();
+			}	
 		}
 		else
-		{
-			boost::asio::async_write (*m_Socket, boost::asio::buffer (m_StreamBuffer, bytes_transferred),
-        		std::bind (&I2PTunnelConnection::HandleWrite, shared_from_this (), std::placeholders::_1));
-		}
+			Write (m_StreamBuffer, bytes_transferred);
+	}
+
+	void I2PTunnelConnection::Write (const uint8_t * buf, size_t len)
+	{
+		boost::asio::async_write (*m_Socket, boost::asio::buffer (buf, len), boost::asio::transfer_all (),
+        	std::bind (&I2PTunnelConnection::HandleWrite, shared_from_this (), std::placeholders::_1));
 	}
 
 	void I2PTunnelConnection::HandleConnect (const boost::system::error_code& ecode)
 	{
 		if (ecode)
 		{
-			LogPrint ("I2PTunnel connect error: ", ecode.message ());
+			LogPrint (eLogError, "I2PTunnel: connect error: ", ecode.message ());
 			Terminate ();
 		}
 		else
 		{
-			LogPrint ("I2PTunnel connected");
+			LogPrint (eLogDebug, "I2PTunnel: connected");
 			if (m_IsQuiet)
 				StreamReceive ();
 			else
 			{
 				// send destination first like received from I2P
-				std::string dest = m_Stream->GetRemoteIdentity ().ToBase64 ();
+				std::string dest = m_Stream->GetRemoteIdentity ()->ToBase64 ();
 				dest += "\n";
 				memcpy (m_StreamBuffer, dest.c_str (), dest.size ());
 				HandleStreamReceive (boost::system::error_code (), dest.size ());
@@ -150,12 +182,111 @@ namespace client
 		}
 	}
 
+	I2PTunnelConnectionHTTP::I2PTunnelConnectionHTTP (I2PService * owner, std::shared_ptr<i2p::stream::Stream> stream,
+		std::shared_ptr<boost::asio::ip::tcp::socket> socket, 
+		const boost::asio::ip::tcp::endpoint& target, const std::string& host):
+		I2PTunnelConnection (owner, stream, socket, target), m_Host (host), m_HeaderSent (false), m_From (stream->GetRemoteIdentity ())
+	{
+	}
+
+	void I2PTunnelConnectionHTTP::Write (const uint8_t * buf, size_t len)
+	{
+		if (m_HeaderSent)
+			I2PTunnelConnection::Write (buf, len);
+		else
+		{	
+			m_InHeader.clear ();
+			m_InHeader.write ((const char *)buf, len);
+			std::string line;
+			bool endOfHeader = false;
+			while (!endOfHeader)
+			{
+				std::getline(m_InHeader, line);
+				if (!m_InHeader.fail ())
+				{
+					if (line == "\r") endOfHeader = true;
+					else
+					{	
+						if (line.find ("Host:") != std::string::npos)
+							m_OutHeader << "Host: " << m_Host << "\r\n";
+						else
+							m_OutHeader << line << "\n";
+					}	
+				}
+				else
+					break;
+			}
+			// add X-I2P fields
+			if (m_From)
+			{
+				m_OutHeader << X_I2P_DEST_B32 << ": " << context.GetAddressBook ().ToAddress(m_From->GetIdentHash ()) << "\r\n";
+				m_OutHeader << X_I2P_DEST_HASH << ": " << m_From->GetIdentHash ().ToBase64 () << "\r\n";
+				m_OutHeader << X_I2P_DEST_B64 << ": " << m_From->ToBase64 () << "\r\n";
+			}
+
+			if (endOfHeader)
+			{
+				m_OutHeader << "\r\n"; // end of header
+				m_OutHeader << m_InHeader.str ().substr (m_InHeader.tellg ()); // data right after header
+				m_HeaderSent = true;
+				I2PTunnelConnection::Write ((uint8_t *)m_OutHeader.str ().c_str (), m_OutHeader.str ().length ());
+			}
+		}	
+	}
+
+	I2PTunnelConnectionIRC::I2PTunnelConnectionIRC (I2PService * owner, std::shared_ptr<i2p::stream::Stream> stream,
+        std::shared_ptr<boost::asio::ip::tcp::socket> socket, 
+       	const boost::asio::ip::tcp::endpoint& target, const std::string& webircpass):
+        I2PTunnelConnection (owner, stream, socket, target), m_From (stream->GetRemoteIdentity ()), 
+        m_NeedsWebIrc (webircpass.length() ? true : false), m_WebircPass (webircpass)
+    {
+    }
+
+    void I2PTunnelConnectionIRC::Write (const uint8_t * buf, size_t len)
+    {
+    	if (m_NeedsWebIrc) {
+        	m_NeedsWebIrc = false;
+        	m_OutPacket.str ("");
+            m_OutPacket << "WEBIRC " << this->m_WebircPass << " cgiirc " << context.GetAddressBook ().ToAddress (m_From->GetIdentHash ()) << " 127.0.0.1\n";
+            I2PTunnelConnection::Write ((uint8_t *)m_OutPacket.str ().c_str (), m_OutPacket.str ().length ());
+        }
+
+    	std::string line;
+        m_OutPacket.str ("");
+        m_InPacket.clear ();
+        m_InPacket.write ((const char *)buf, len);
+        
+        while (!m_InPacket.eof () && !m_InPacket.fail ())
+        {
+            std::getline (m_InPacket, line);
+            if (line.length () == 0 && m_InPacket.eof ()) {
+            	m_InPacket.str ("");
+            }
+            auto pos = line.find ("USER");
+            if (pos != std::string::npos && pos == 0)
+            {
+                pos = line.find (" ");
+                pos++;
+                pos = line.find (" ", pos);
+                pos++;
+                auto nextpos = line.find (" ", pos);
+                m_OutPacket << line.substr (0, pos);
+                m_OutPacket << context.GetAddressBook ().ToAddress (m_From->GetIdentHash ());
+                m_OutPacket << line.substr (nextpos) << '\n';
+            } else {
+                m_OutPacket << line << '\n';
+            }
+        }
+        I2PTunnelConnection::Write ((uint8_t *)m_OutPacket.str ().c_str (), m_OutPacket.str ().length ());
+    }
+
+
 	/* This handler tries to stablish a connection with the desired server and dies if it fails to do so */
 	class I2PClientTunnelHandler: public I2PServiceHandler, public std::enable_shared_from_this<I2PClientTunnelHandler>
 	{
 		public:
 			I2PClientTunnelHandler (I2PClientTunnel * parent, i2p::data::IdentHash destination,
-				int destinationPort, boost::asio::ip::tcp::socket * socket):
+				int destinationPort, std::shared_ptr<boost::asio::ip::tcp::socket> socket):
 				I2PServiceHandler(parent), m_DestinationIdentHash(destination), 
 				m_DestinationPort (destinationPort), m_Socket(socket) {};
 			void Handle();
@@ -164,7 +295,7 @@ namespace client
 			void HandleStreamRequestComplete (std::shared_ptr<i2p::stream::Stream> stream);
 			i2p::data::IdentHash m_DestinationIdentHash;
 			int m_DestinationPort;
-			boost::asio::ip::tcp::socket * m_Socket;
+			std::shared_ptr<boost::asio::ip::tcp::socket> m_Socket;
 	};
 
 	void I2PClientTunnelHandler::Handle()
@@ -179,7 +310,7 @@ namespace client
 		if (stream)
 		{
 			if (Kill()) return;
-			LogPrint (eLogInfo,"New I2PTunnel connection");
+			LogPrint (eLogDebug, "I2PTunnel: new connection");
 			auto connection = std::make_shared<I2PTunnelConnection>(GetOwner(), m_Socket, stream);
 			GetOwner()->AddHandler (connection);
 			connection->I2PConnect ();
@@ -187,7 +318,7 @@ namespace client
 		}
 		else
 		{
-			LogPrint (eLogError,"I2P Client Tunnel Issue when creating the stream, check the previous warnings for more info.");
+			LogPrint (eLogError, "I2PTunnel: Client Tunnel Issue when creating the stream, check the previous warnings for more info.");
 			Terminate();
 		}
 	}
@@ -198,15 +329,17 @@ namespace client
 		if (m_Socket)
 		{
 			m_Socket->close();
-			delete m_Socket;
 			m_Socket = nullptr;
 		}
 		Done(shared_from_this());
 	}
 
-	I2PClientTunnel::I2PClientTunnel (const std::string& destination, int port, std::shared_ptr<ClientDestination> localDestination, int destinationPort): 
-		TCPIPAcceptor (port,localDestination), m_Destination (destination), m_DestinationIdentHash (nullptr), m_DestinationPort (destinationPort)
-	{}	
+	I2PClientTunnel::I2PClientTunnel (const std::string& name, const std::string& destination, 
+	    const std::string& address, int port, std::shared_ptr<ClientDestination> localDestination, int destinationPort): 
+		TCPIPAcceptor (address, port, localDestination), m_Name (name), m_Destination (destination), 
+		m_DestinationIdentHash (nullptr), m_DestinationPort (destinationPort) 
+	{
+	}	
 
 	void I2PClientTunnel::Start ()
 	{
@@ -231,12 +364,12 @@ namespace client
 			if (i2p::client::context.GetAddressBook ().GetIdentHash (m_Destination, identHash))
 				m_DestinationIdentHash = new i2p::data::IdentHash (identHash);
 			else
-				LogPrint (eLogWarning,"Remote destination ", m_Destination, " not found");
+				LogPrint (eLogWarning, "I2PTunnel: Remote destination ", m_Destination, " not found");
 		}
 		return m_DestinationIdentHash;
 	}
 
-	std::shared_ptr<I2PServiceHandler> I2PClientTunnel::CreateHandler(boost::asio::ip::tcp::socket * socket)
+	std::shared_ptr<I2PServiceHandler> I2PClientTunnel::CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket)
 	{
 		const i2p::data::IdentHash *identHash = GetIdentHash();
 		if (identHash)
@@ -245,16 +378,30 @@ namespace client
 			return nullptr;
 	}
 
-	I2PServerTunnel::I2PServerTunnel (const std::string& address, int port, 
-	    std::shared_ptr<ClientDestination> localDestination, int inport): 
-		I2PService (localDestination), m_Endpoint (boost::asio::ip::address::from_string (address), port),  m_IsAccessList (false)
+	I2PServerTunnel::I2PServerTunnel (const std::string& name, const std::string& address, 
+	    int port, std::shared_ptr<ClientDestination> localDestination, int inport, bool gzip): 
+		I2PService (localDestination), m_Name (name), m_Address (address), m_Port (port), m_IsAccessList (false)
 	{
-		m_PortDestination = localDestination->CreateStreamingDestination (inport > 0 ? inport : port);
+		m_PortDestination = localDestination->CreateStreamingDestination (inport > 0 ? inport : port, gzip);
 	}
 	
 	void I2PServerTunnel::Start ()
 	{
-		Accept ();
+		m_Endpoint.port (m_Port);	
+		boost::system::error_code ec;
+		auto addr = boost::asio::ip::address::from_string (m_Address, ec);
+		if (!ec)	
+		{
+			m_Endpoint.address (addr);
+			Accept ();
+		}
+		else
+		{
+			auto resolver = std::make_shared<boost::asio::ip::tcp::resolver>(GetService ());
+			resolver->async_resolve (boost::asio::ip::tcp::resolver::query (m_Address, ""), 
+				std::bind (&I2PServerTunnel::HandleResolve, this, 
+					std::placeholders::_1, std::placeholders::_2, resolver));
+		}	
 	}
 
 	void I2PServerTunnel::Stop ()
@@ -262,6 +409,20 @@ namespace client
 		ClearHandlers ();
 	}	
 
+	void I2PServerTunnel::HandleResolve (const boost::system::error_code& ecode, boost::asio::ip::tcp::resolver::iterator it, 
+		std::shared_ptr<boost::asio::ip::tcp::resolver> resolver)
+	{	
+		if (!ecode)
+		{	
+			auto addr = (*it).endpoint ().address ();
+			LogPrint (eLogInfo, "I2PTunnel: server tunnel ", (*it).host_name (), " has been resolved to ", addr);
+			m_Endpoint.address (addr);
+			Accept ();	
+		}	
+		else
+			LogPrint (eLogError, "I2PTunnel: Unable to resolve server tunnel address: ", ecode.message ());
+	}
+
 	void I2PServerTunnel::SetAccessList (const std::set<i2p::data::IdentHash>& accessList)
 	{
 		m_AccessList = accessList;
@@ -280,7 +441,7 @@ namespace client
 				localDestination->AcceptStreams (std::bind (&I2PServerTunnel::HandleAccept, this, std::placeholders::_1));
 		}
 		else
-			LogPrint ("Local destination not set for server tunnel");
+			LogPrint (eLogError, "I2PTunnel: Local destination not set for server tunnel");
 	}
 
 	void I2PServerTunnel::HandleAccept (std::shared_ptr<i2p::stream::Stream> stream)
@@ -289,17 +450,54 @@ namespace client
 		{	
 			if (m_IsAccessList)
 			{
-				if (!m_AccessList.count (stream->GetRemoteIdentity ().GetIdentHash ()))
+				if (!m_AccessList.count (stream->GetRemoteIdentity ()->GetIdentHash ()))
 				{
-					LogPrint (eLogWarning, "Address ", stream->GetRemoteIdentity ().GetIdentHash ().ToBase32 (), " is not in white list. Incoming connection dropped");
+					LogPrint (eLogWarning, "I2PTunnel: Address ", stream->GetRemoteIdentity ()->GetIdentHash ().ToBase32 (), " is not in white list. Incoming connection dropped");
 					stream->Close ();
 					return;
 				}
 			}
-			auto conn = std::make_shared<I2PTunnelConnection> (this, stream, new boost::asio::ip::tcp::socket (GetService ()), m_Endpoint);
-			AddHandler (conn);
-			conn->Connect ();
+			CreateI2PConnection (stream);
 		}	
 	}
+
+	void I2PServerTunnel::CreateI2PConnection (std::shared_ptr<i2p::stream::Stream> stream)
+	{
+		auto conn = std::make_shared<I2PTunnelConnection> (this, stream, std::make_shared<boost::asio::ip::tcp::socket> (GetService ()), GetEndpoint ());
+		AddHandler (conn);
+		conn->Connect ();
+	}
+
+	I2PServerTunnelHTTP::I2PServerTunnelHTTP (const std::string& name, const std::string& address, 
+	    int port, std::shared_ptr<ClientDestination> localDestination, 
+	    const std::string& host, int inport, bool gzip):
+		I2PServerTunnel (name, address, port, localDestination, inport, gzip), 
+		m_Host (host.length () > 0 ? host : address)
+	{
+	}
+
+	void I2PServerTunnelHTTP::CreateI2PConnection (std::shared_ptr<i2p::stream::Stream> stream)
+	{
+		auto conn = std::make_shared<I2PTunnelConnectionHTTP> (this, stream, 
+			std::make_shared<boost::asio::ip::tcp::socket> (GetService ()), GetEndpoint (), m_Host);
+		AddHandler (conn);
+		conn->Connect ();
+	}
+
+    I2PServerTunnelIRC::I2PServerTunnelIRC (const std::string& name, const std::string& address, 
+        int port, std::shared_ptr<ClientDestination> localDestination, 
+        const std::string& webircpass, int inport, bool gzip):
+        I2PServerTunnel (name, address, port, localDestination, inport, gzip),
+        m_WebircPass (webircpass)
+    {
+    }
+
+    void I2PServerTunnelIRC::CreateI2PConnection (std::shared_ptr<i2p::stream::Stream> stream)
+    {
+	    auto conn = std::make_shared<I2PTunnelConnectionIRC> (this, stream, std::make_shared<boost::asio::ip::tcp::socket> (GetService ()), GetEndpoint (), this->m_WebircPass);
+	    AddHandler (conn);
+        conn->Connect ();
+    }
+
 }		
 }	

I2PTunnel.h

@@ -5,6 +5,7 @@
 #include <string>
 #include <set>
 #include <memory>
+#include <sstream>
 #include <boost/asio.hpp>
 #include "Identity.h"
 #include "Destination.h"
@@ -18,28 +19,32 @@ namespace client
 	const size_t I2P_TUNNEL_CONNECTION_BUFFER_SIZE = 8192;
 	const int I2P_TUNNEL_CONNECTION_MAX_IDLE = 3600; // in seconds	
 	const int I2P_TUNNEL_DESTINATION_REQUEST_TIMEOUT = 10; // in seconds
-
+	// for HTTP tunnels		
+	const char X_I2P_DEST_HASH[] = "X-I2P-DestHash"; // hash  in base64
+	const char X_I2P_DEST_B64[] = "X-I2P-DestB64"; // full address in base64
+	const char X_I2P_DEST_B32[] = "X-I2P-DestB32"; // .b32.i2p address
 
 	class I2PTunnelConnection: public I2PServiceHandler, public std::enable_shared_from_this<I2PTunnelConnection>
 	{
 		public:
 
-			I2PTunnelConnection (I2PService * owner, boost::asio::ip::tcp::socket * socket,
+			I2PTunnelConnection (I2PService * owner, std::shared_ptr<boost::asio::ip::tcp::socket> socket,
 				std::shared_ptr<const i2p::data::LeaseSet> leaseSet, int port = 0); // to I2P
-			I2PTunnelConnection (I2PService * owner, boost::asio::ip::tcp::socket * socket,
-				std::shared_ptr<i2p::stream::Stream> stream); // to I2P using simplified API :)
-			I2PTunnelConnection (I2PService * owner, std::shared_ptr<i2p::stream::Stream> stream,  boost::asio::ip::tcp::socket * socket, 
+			I2PTunnelConnection (I2PService * owner, std::shared_ptr<boost::asio::ip::tcp::socket> socket,
+				std::shared_ptr<i2p::stream::Stream> stream); // to I2P using simplified API 
+			I2PTunnelConnection (I2PService * owner, std::shared_ptr<i2p::stream::Stream> stream,  std::shared_ptr<boost::asio::ip::tcp::socket> socket, 
 				const boost::asio::ip::tcp::endpoint& target, bool quiet = true); // from I2P
 			~I2PTunnelConnection ();
 			void I2PConnect (const uint8_t * msg = nullptr, size_t len = 0);
 			void Connect ();
 			
-		private:
+		protected:
 
 			void Terminate ();	
 
 			void Receive ();
 			void HandleReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred);	
+			virtual void Write (const uint8_t * buf, size_t len); // can be overloaded
 			void HandleWrite (const boost::system::error_code& ecode);	
 
 			void StreamReceive ();
@@ -49,33 +54,78 @@ namespace client
 		private:
 
 			uint8_t m_Buffer[I2P_TUNNEL_CONNECTION_BUFFER_SIZE], m_StreamBuffer[I2P_TUNNEL_CONNECTION_BUFFER_SIZE];
-			std::unique_ptr<boost::asio::ip::tcp::socket> m_Socket;
+			std::shared_ptr<boost::asio::ip::tcp::socket> m_Socket;
 			std::shared_ptr<i2p::stream::Stream> m_Stream;
 			boost::asio::ip::tcp::endpoint m_RemoteEndpoint;
 			bool m_IsQuiet; // don't send destination
 	};
 
+	class I2PTunnelConnectionHTTP: public I2PTunnelConnection
+	{
+		public:
+			
+			I2PTunnelConnectionHTTP (I2PService * owner, std::shared_ptr<i2p::stream::Stream> stream,
+				std::shared_ptr<boost::asio::ip::tcp::socket> socket, 
+				const boost::asio::ip::tcp::endpoint& target, const std::string& host); 
+
+		protected:
+
+			void Write (const uint8_t * buf, size_t len);
+
+		private:
+		
+			std::string m_Host;
+			std::stringstream m_InHeader, m_OutHeader;
+			bool m_HeaderSent;
+			std::shared_ptr<const i2p::data::IdentityEx> m_From;
+	};
+
+	class I2PTunnelConnectionIRC: public I2PTunnelConnection
+    {
+        public:
+                
+            I2PTunnelConnectionIRC (I2PService * owner, std::shared_ptr<i2p::stream::Stream> stream,
+                std::shared_ptr<boost::asio::ip::tcp::socket> socket, 
+                const boost::asio::ip::tcp::endpoint& target, const std::string& m_WebircPass); 
+
+        protected:
+
+            void Write (const uint8_t * buf, size_t len);
+
+        private:
+   
+            std::shared_ptr<const i2p::data::IdentityEx> m_From;
+            std::stringstream m_OutPacket, m_InPacket;
+			bool m_NeedsWebIrc;
+            std::string m_WebircPass; 
+    };
+
+
 	class I2PClientTunnel: public TCPIPAcceptor
 	{
 		protected:
 
 			// Implements TCPIPAcceptor
-			std::shared_ptr<I2PServiceHandler> CreateHandler(boost::asio::ip::tcp::socket * socket);
-			const char* GetName() { return "I2P Client Tunnel"; }
+			std::shared_ptr<I2PServiceHandler> CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket);
 
 		public:
 
-			I2PClientTunnel (const std::string& destination, int port, std::shared_ptr<ClientDestination> localDestination, int destinationPort = 0);
+			I2PClientTunnel (const std::string& name, const std::string& destination, 
+				const std::string& address, int port, std::shared_ptr<ClientDestination> localDestination, int destinationPort = 0);
 			~I2PClientTunnel () {}
 	
 			void Start ();
 			void Stop ();
 
+			const char* GetName() { return m_Name.c_str (); }	
+			
 		private:
 
 			const i2p::data::IdentHash * GetIdentHash ();
 
-			std::string m_Destination;
+		private:
+			
+			std::string m_Name, m_Destination;
 			const i2p::data::IdentHash * m_DestinationIdentHash;
 			int m_DestinationPort;	
 	};	
@@ -84,26 +134,74 @@ namespace client
 	{
 		public:
 
-			I2PServerTunnel (const std::string& address, int port, 
-				std::shared_ptr<ClientDestination> localDestination, int inport = 0);	
+			I2PServerTunnel (const std::string& name, const std::string& address, int port, 
+				std::shared_ptr<ClientDestination> localDestination, int inport = 0, bool gzip = true);	
 
 			void Start ();
 			void Stop ();
 
 			void SetAccessList (const std::set<i2p::data::IdentHash>& accessList); 
 
+			const std::string& GetAddress() const { return m_Address; }
+			int GetPort () const { return m_Port; };
+			uint16_t GetLocalPort () const { return m_PortDestination->GetLocalPort (); };
+			const boost::asio::ip::tcp::endpoint& GetEndpoint () const { return m_Endpoint; }
+
+			const char* GetName() { return m_Name.c_str (); }	
+			
 		private:
 
+			void HandleResolve (const boost::system::error_code& ecode, boost::asio::ip::tcp::resolver::iterator it, 
+				std::shared_ptr<boost::asio::ip::tcp::resolver> resolver);
+
 			void Accept ();
 			void HandleAccept (std::shared_ptr<i2p::stream::Stream> stream);
+			virtual void CreateI2PConnection (std::shared_ptr<i2p::stream::Stream> stream);
 
 		private:
 
+			std::string m_Name, m_Address;
+			int m_Port;
 			boost::asio::ip::tcp::endpoint m_Endpoint;	
 			std::shared_ptr<i2p::stream::StreamingDestination> m_PortDestination;
 			std::set<i2p::data::IdentHash> m_AccessList;
 			bool m_IsAccessList;			
 	};
+
+	class I2PServerTunnelHTTP: public I2PServerTunnel
+	{
+		public:
+
+			I2PServerTunnelHTTP (const std::string& name, const std::string& address, int port, 
+				std::shared_ptr<ClientDestination> localDestination, const std::string& host,
+			    int inport = 0, bool gzip = true);	
+
+		private:
+
+			void CreateI2PConnection (std::shared_ptr<i2p::stream::Stream> stream);
+
+		private:
+
+			std::string m_Host;
+	};
+	
+    class I2PServerTunnelIRC: public I2PServerTunnel
+    {
+        public:
+
+            I2PServerTunnelIRC (const std::string& name, const std::string& address, int port, 
+                std::shared_ptr<ClientDestination> localDestination, const std::string& webircpass,
+                int inport = 0, bool gzip = true);   
+
+        private:
+
+            void CreateI2PConnection (std::shared_ptr<i2p::stream::Stream> stream);
+
+        private:
+
+        	std::string m_WebircPass;
+    };
+
 }
 }	
 

Identity.cpp

@@ -1,14 +1,12 @@
 #include <time.h>
 #include <stdio.h>
-#include <cryptopp/sha.h>
-#include <cryptopp/osrng.h>
-#include <cryptopp/dsa.h>
-#include "base64.h"
-#include "CryptoConst.h"
-#include "ElGamal.h"
-#include "RouterContext.h"
-#include "Identity.h"
+#include <openssl/sha.h>
+#include <openssl/dh.h>
+#include <openssl/rand.h>
+#include "Crypto.h"
 #include "I2PEndian.h"
+#include "Log.h"
+#include "Identity.h"
 
 namespace i2p
 {
@@ -18,12 +16,16 @@ namespace data
 	{
 		// copy public and signing keys together
 		memcpy (publicKey, keys.publicKey, sizeof (publicKey) + sizeof (signingKey));
-		memset (&certificate, 0, sizeof (certificate));		
+		memset (certificate, 0, sizeof (certificate));		
 		return *this;
 	}
 
 	size_t Identity::FromBuffer (const uint8_t * buf, size_t len)
 	{
+		if ( len < DEFAULT_IDENTITY_SIZE ) {
+			// buffer too small, don't overflow
+			return 0;
+		}
 		memcpy (publicKey, buf, DEFAULT_IDENTITY_SIZE);
 		return DEFAULT_IDENTITY_SIZE;
 	}
@@ -31,12 +33,12 @@ namespace data
 	IdentHash Identity::Hash () const
 	{
 		IdentHash hash;
-		CryptoPP::SHA256().CalculateDigest(hash, publicKey, DEFAULT_IDENTITY_SIZE);
+		SHA256(publicKey, DEFAULT_IDENTITY_SIZE, hash);
 		return hash;
 	}	
 	
 	IdentityEx::IdentityEx ():
-		m_Verifier (nullptr), m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
+		m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
 	{
 	}
 
@@ -52,14 +54,14 @@ namespace data
 				case SIGNING_KEY_TYPE_ECDSA_SHA256_P256:
 				{	
 					size_t padding =  128 - i2p::crypto::ECDSAP256_KEY_LENGTH; // 64 = 128 - 64
-					i2p::context.GetRandomNumberGenerator ().GenerateBlock (m_StandardIdentity.signingKey, padding);
+					RAND_bytes (m_StandardIdentity.signingKey, padding);
 					memcpy (m_StandardIdentity.signingKey + padding, signingKey, i2p::crypto::ECDSAP256_KEY_LENGTH);
 					break;
 				}
 				case SIGNING_KEY_TYPE_ECDSA_SHA384_P384:
 				{	
 					size_t padding = 128 - i2p::crypto::ECDSAP384_KEY_LENGTH; // 32 = 128 - 96
-					i2p::context.GetRandomNumberGenerator ().GenerateBlock (m_StandardIdentity.signingKey, padding);
+					RAND_bytes (m_StandardIdentity.signingKey, padding);
 					memcpy (m_StandardIdentity.signingKey + padding, signingKey, i2p::crypto::ECDSAP384_KEY_LENGTH);
 					break;
 				}	
@@ -94,14 +96,21 @@ namespace data
 					excessBuf = new uint8_t[excessLen];
 					memcpy (excessBuf, signingKey + 128, excessLen);
 					break;
-				}		
+				}	
+				case SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519:
+				{
+					size_t padding =  128 - i2p::crypto::EDDSA25519_PUBLIC_KEY_LENGTH; // 96 = 128 - 32
+					RAND_bytes (m_StandardIdentity.signingKey, padding);
+					memcpy (m_StandardIdentity.signingKey + padding, signingKey, i2p::crypto::EDDSA25519_PUBLIC_KEY_LENGTH);
+					break;
+				}	
 				default:
-					LogPrint ("Signing key type ", (int)type, " is not supported");
+					LogPrint (eLogError, "Identity: Signing key type ", (int)type, " is not supported");
 			}	
 			m_ExtendedLen = 4 + excessLen; // 4 bytes extra + excess length
 			// fill certificate
-			m_StandardIdentity.certificate.type = CERTIFICATE_TYPE_KEY;
-			m_StandardIdentity.certificate.length = htobe16 (m_ExtendedLen); 
+			m_StandardIdentity.certificate[0] = CERTIFICATE_TYPE_KEY;
+			htobe16buf (m_StandardIdentity.certificate + 1, m_ExtendedLen); 
 			// fill extended buffer
 			m_ExtendedBuffer = new uint8_t[m_ExtendedLen];
 			htobe16buf (m_ExtendedBuffer, type);
@@ -114,13 +123,13 @@ namespace data
 			// calculate ident hash
 			uint8_t * buf = new uint8_t[GetFullLen ()];
 			ToBuffer (buf, GetFullLen ());
-			CryptoPP::SHA256().CalculateDigest(m_IdentHash, buf, GetFullLen ());
+			SHA256(buf, GetFullLen (), m_IdentHash);
 			delete[] buf;
 		}
 		else // DSA-SHA1
 		{
 			memcpy (m_StandardIdentity.signingKey, signingKey, sizeof (m_StandardIdentity.signingKey));
-			memset (&m_StandardIdentity.certificate, 0, sizeof (m_StandardIdentity.certificate));
+			memset (m_StandardIdentity.certificate, 0, sizeof (m_StandardIdentity.certificate));
 			m_IdentHash = m_StandardIdentity.Hash ();
 			m_ExtendedLen = 0;
 			m_ExtendedBuffer = nullptr;
@@ -129,20 +138,25 @@ namespace data
 	}	
 		
 	IdentityEx::IdentityEx (const uint8_t * buf, size_t len):
-		m_Verifier (nullptr), m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
+		m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
 	{
 		FromBuffer (buf, len);
 	}
 
 	IdentityEx::IdentityEx (const IdentityEx& other):
-		m_Verifier (nullptr), m_ExtendedBuffer (nullptr)
+		m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
 	{
 		*this = other;
 	}	
+
+	IdentityEx::IdentityEx (const Identity& standard):
+		m_ExtendedLen (0), m_ExtendedBuffer (nullptr)
+	{
+		*this = standard;
+	}	
 		
 	IdentityEx::~IdentityEx ()
 	{
-		delete m_Verifier;
 		delete[] m_ExtendedBuffer;
 	}	
 
@@ -161,7 +175,6 @@ namespace data
 		else
 			m_ExtendedBuffer = nullptr;
 		
-		delete m_Verifier;
 		m_Verifier = nullptr;
 		
 		return *this;
@@ -176,7 +189,6 @@ namespace data
 		m_ExtendedBuffer = nullptr;
 		m_ExtendedLen = 0;
 
-		delete m_Verifier;
 		m_Verifier = nullptr;
 		
 		return *this;
@@ -186,15 +198,15 @@ namespace data
 	{
 		if (len < DEFAULT_IDENTITY_SIZE)
 		{
-			LogPrint (eLogError, "Identity buffer length ", len, " is too small");
+			LogPrint (eLogError, "Identity: buffer length ", len, " is too small");
 			return 0;
 		}	
 		memcpy (&m_StandardIdentity, buf, DEFAULT_IDENTITY_SIZE);
 
-		delete[] m_ExtendedBuffer;
-		if (m_StandardIdentity.certificate.length)
+		delete[] m_ExtendedBuffer; m_ExtendedBuffer = nullptr;
+		m_ExtendedLen = bufbe16toh (m_StandardIdentity.certificate + 1);
+		if (m_ExtendedLen)
 		{
-			m_ExtendedLen = be16toh (m_StandardIdentity.certificate.length);
 			if (m_ExtendedLen + DEFAULT_IDENTITY_SIZE <= len)
 			{	
 				m_ExtendedBuffer = new uint8_t[m_ExtendedLen];
@@ -202,7 +214,8 @@ namespace data
 			}	
 			else
 			{
-				LogPrint (eLogError, "Certificate length ", m_ExtendedLen, " exceeds buffer length ", len - DEFAULT_IDENTITY_SIZE);
+				LogPrint (eLogError, "Identity: Certificate length ", m_ExtendedLen, " exceeds buffer length ", len - DEFAULT_IDENTITY_SIZE);
+				m_ExtendedLen = 0;
 				return 0;
 			}	
 		}		
@@ -211,37 +224,40 @@ namespace data
 			m_ExtendedLen = 0;
 			m_ExtendedBuffer = nullptr;
 		}	
-		CryptoPP::SHA256().CalculateDigest(m_IdentHash, buf, GetFullLen ());
+		SHA256(buf, GetFullLen (), m_IdentHash);
 		
-		delete m_Verifier;
 		m_Verifier = nullptr;
 		
 		return GetFullLen ();
 	}	
 
 	size_t IdentityEx::ToBuffer (uint8_t * buf, size_t len) const
-	{		
+	{
+		const size_t fullLen = GetFullLen();
+		if (fullLen > len) return 0; // buffer is too small and may overflow somewhere else
 		memcpy (buf, &m_StandardIdentity, DEFAULT_IDENTITY_SIZE);
 		if (m_ExtendedLen > 0 && m_ExtendedBuffer)
 			memcpy (buf + DEFAULT_IDENTITY_SIZE, m_ExtendedBuffer, m_ExtendedLen);
-		return GetFullLen ();
+		return fullLen;
 	}
 
 	size_t IdentityEx::FromBase64(const std::string& s)
 	{
-		uint8_t buf[1024];
-		auto len = Base64ToByteStream (s.c_str(), s.length(), buf, 1024);
-		return FromBuffer (buf, len);
+		const size_t slen = s.length();
+		std::vector<uint8_t> buf(slen); // binary data can't exceed base64
+		const size_t len = Base64ToByteStream (s.c_str(), slen, buf.data(), slen);
+		return FromBuffer (buf.data(), len);
 	}	
 	
 	std::string IdentityEx::ToBase64 () const
 	{
-		uint8_t buf[1024];
-		char str[1536];
-		size_t l = ToBuffer (buf, 1024);
-		size_t l1 = i2p::data::ByteStreamToBase64 (buf, l, str, 1536);
-		str[l1] = 0;
-		return std::string (str);
+		const size_t bufLen = GetFullLen();
+		const size_t strLen = Base64EncodingBufferSize(bufLen);
+		std::vector<uint8_t> buf(bufLen);
+		std::vector<char> str(strLen);
+		size_t l = ToBuffer (buf.data(), bufLen);
+		size_t l1 = i2p::data::ByteStreamToBase64 (buf.data(), l, str.data(), strLen);
+		return std::string (str.data(), l1);
 	}
 	
 	size_t IdentityEx::GetSigningPublicKeyLen () const
@@ -265,7 +281,7 @@ namespace data
 		if (!m_Verifier) CreateVerifier ();	
 		if (m_Verifier)
 			return m_Verifier->GetSignatureLen ();
-		return 40;
+		return i2p::crypto::DSA_SIGNATURE_LENGTH;
 	}	
 	bool IdentityEx::Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const 
 	{
@@ -277,14 +293,14 @@ namespace data
 
 	SigningKeyType IdentityEx::GetSigningKeyType () const
 	{
-		if (m_StandardIdentity.certificate.type == CERTIFICATE_TYPE_KEY && m_ExtendedBuffer)				
+		if (m_StandardIdentity.certificate[0] == CERTIFICATE_TYPE_KEY && m_ExtendedBuffer)				
 			return bufbe16toh (m_ExtendedBuffer); // signing key
 		return SIGNING_KEY_TYPE_DSA_SHA1;
 	}	
 
 	CryptoKeyType IdentityEx::GetCryptoKeyType () const
 	{
-		if (m_StandardIdentity.certificate.type == CERTIFICATE_TYPE_KEY && m_ExtendedBuffer)				
+		if (m_StandardIdentity.certificate[0] == CERTIFICATE_TYPE_KEY && m_ExtendedBuffer)				
 			return bufbe16toh (m_ExtendedBuffer + 2); // crypto key
 		return CRYPTO_KEY_TYPE_ELGAMAL;
 	}	
@@ -295,18 +311,18 @@ namespace data
 		switch (keyType)
 		{
 			case SIGNING_KEY_TYPE_DSA_SHA1:
-				m_Verifier = new i2p::crypto::DSAVerifier (m_StandardIdentity.signingKey);
+				m_Verifier.reset (new i2p::crypto::DSAVerifier (m_StandardIdentity.signingKey));
 			break;
 			case SIGNING_KEY_TYPE_ECDSA_SHA256_P256:
 			{	
 				size_t padding =  128 - i2p::crypto::ECDSAP256_KEY_LENGTH; // 64 = 128 - 64
-				m_Verifier = new i2p::crypto::ECDSAP256Verifier (m_StandardIdentity.signingKey + padding);
+				m_Verifier.reset (new i2p::crypto::ECDSAP256Verifier (m_StandardIdentity.signingKey + padding));
 				break;
 			}	
 			case SIGNING_KEY_TYPE_ECDSA_SHA384_P384:
 			{	
 				size_t padding = 128 - i2p::crypto::ECDSAP384_KEY_LENGTH; // 32 = 128 - 96
-				m_Verifier = new i2p::crypto::ECDSAP384Verifier (m_StandardIdentity.signingKey + padding);
+				m_Verifier.reset (new i2p::crypto::ECDSAP384Verifier (m_StandardIdentity.signingKey + padding));
 				break;
 			}	
 			case SIGNING_KEY_TYPE_ECDSA_SHA512_P521:
@@ -315,7 +331,7 @@ namespace data
 				memcpy (signingKey, m_StandardIdentity.signingKey, 128);
 				size_t excessLen = i2p::crypto::ECDSAP521_KEY_LENGTH - 128; // 4 = 132- 128
 				memcpy (signingKey + 128, m_ExtendedBuffer + 4, excessLen); // right after signing and crypto key types
-				m_Verifier = new i2p::crypto::ECDSAP521Verifier (signingKey);
+				m_Verifier.reset (new i2p::crypto::ECDSAP521Verifier (signingKey));
 				break;
 			}		
 			case SIGNING_KEY_TYPE_RSA_SHA256_2048:
@@ -324,7 +340,7 @@ namespace data
 				memcpy (signingKey, m_StandardIdentity.signingKey, 128);
 				size_t excessLen = i2p::crypto::RSASHA2562048_KEY_LENGTH - 128; // 128 = 256- 128
 				memcpy (signingKey + 128, m_ExtendedBuffer + 4, excessLen); // right after signing and crypto key types
-				m_Verifier = new i2p::crypto:: RSASHA2562048Verifier (signingKey);
+				m_Verifier.reset (new i2p::crypto:: RSASHA2562048Verifier (signingKey));
 				break;
 			}	
 			case SIGNING_KEY_TYPE_RSA_SHA384_3072:
@@ -333,7 +349,7 @@ namespace data
 				memcpy (signingKey, m_StandardIdentity.signingKey, 128);
 				size_t excessLen = i2p::crypto::RSASHA3843072_KEY_LENGTH - 128; // 256 = 384- 128
 				memcpy (signingKey + 128, m_ExtendedBuffer + 4, excessLen); // right after signing and crypto key types
-				m_Verifier = new i2p::crypto:: RSASHA3843072Verifier (signingKey);
+				m_Verifier.reset (new i2p::crypto:: RSASHA3843072Verifier (signingKey));
 				break;
 			}	
 			case SIGNING_KEY_TYPE_RSA_SHA512_4096:
@@ -342,27 +358,31 @@ namespace data
 				memcpy (signingKey, m_StandardIdentity.signingKey, 128);
 				size_t excessLen = i2p::crypto::RSASHA5124096_KEY_LENGTH - 128; // 384 = 512- 128
 				memcpy (signingKey + 128, m_ExtendedBuffer + 4, excessLen); // right after signing and crypto key types
-				m_Verifier = new i2p::crypto:: RSASHA5124096Verifier (signingKey);
+				m_Verifier.reset (new i2p::crypto:: RSASHA5124096Verifier (signingKey));
 				break;
-			}		
+			}	
+			case SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519:
+			{
+				size_t padding =  128 - i2p::crypto::EDDSA25519_PUBLIC_KEY_LENGTH; // 96 = 128 - 32
+				m_Verifier.reset (new i2p::crypto::EDDSA25519Verifier (m_StandardIdentity.signingKey + padding));
+				break;
+			}	
 			default:
-				LogPrint ("Signing key type ", (int)keyType, " is not supported");
+				LogPrint (eLogError, "Identity: Signing key type ", (int)keyType, " is not supported");
 		}			
 	}	
 	
-	void IdentityEx::DropVerifier ()
+	void IdentityEx::DropVerifier () const
 	{
-		auto verifier = m_Verifier;
-		m_Verifier = nullptr; // TODO: make this atomic
-		delete verifier;
+		// TODO: potential race condition with Verify
+		m_Verifier = nullptr; 
 	}
 
 	PrivateKeys& PrivateKeys::operator=(const Keys& keys)
 	{
-		m_Public = Identity (keys);
+		m_Public = std::make_shared<IdentityEx>(Identity (keys));
 		memcpy (m_PrivateKey, keys.privateKey, 256); // 256 
-		memcpy (m_SigningPrivateKey, keys.signingPrivateKey, m_Public.GetSigningPrivateKeyLen ());
-		delete m_Signer;
+		memcpy (m_SigningPrivateKey, keys.signingPrivateKey, m_Public->GetSigningPrivateKeyLen ());
 		m_Signer = nullptr;
 		CreateSigner ();
 		return *this;
@@ -370,10 +390,9 @@ namespace data
 
 	PrivateKeys& PrivateKeys::operator=(const PrivateKeys& other)
 	{		
-		m_Public = other.m_Public;
+		m_Public = std::make_shared<IdentityEx>(*other.m_Public);
 		memcpy (m_PrivateKey, other.m_PrivateKey, 256); // 256 
-		memcpy (m_SigningPrivateKey, other.m_SigningPrivateKey, m_Public.GetSigningPrivateKeyLen ()); 
-		delete m_Signer;
+		memcpy (m_SigningPrivateKey, other.m_SigningPrivateKey, m_Public->GetSigningPrivateKeyLen ()); 
 		m_Signer = nullptr;
 		CreateSigner ();
 		return *this;
@@ -381,13 +400,13 @@ namespace data
 		
 	size_t PrivateKeys::FromBuffer (const uint8_t * buf, size_t len)
 	{
-		size_t ret = m_Public.FromBuffer (buf, len);
+		m_Public = std::make_shared<IdentityEx>(buf, len);
+		size_t ret = m_Public->GetFullLen ();
 		memcpy (m_PrivateKey, buf + ret, 256); // private key always 256
 		ret += 256;
-		size_t signingPrivateKeySize = m_Public.GetSigningPrivateKeyLen ();
+		size_t signingPrivateKeySize = m_Public->GetSigningPrivateKeyLen ();
 		memcpy (m_SigningPrivateKey, buf + ret, signingPrivateKeySize); 
 		ret += signingPrivateKeySize;
-		delete m_Signer;
 		m_Signer = nullptr;
 		CreateSigner ();
 		return ret;
@@ -395,10 +414,10 @@ namespace data
 		
 	size_t PrivateKeys::ToBuffer (uint8_t * buf, size_t len) const
 	{
-		size_t ret = m_Public.ToBuffer (buf, len);
+		size_t ret = m_Public->ToBuffer (buf, len);
 		memcpy (buf + ret, m_PrivateKey, 256); // private key always 256
 		ret += 256;
-		size_t signingPrivateKeySize = m_Public.GetSigningPrivateKeyLen (); 
+		size_t signingPrivateKeySize = m_Public->GetSigningPrivateKeyLen (); 
 		memcpy (buf + ret, m_SigningPrivateKey, signingPrivateKeySize); 
 		ret += signingPrivateKeySize;
 		return ret;
@@ -429,36 +448,39 @@ namespace data
 	void PrivateKeys::Sign (const uint8_t * buf, int len, uint8_t * signature) const
 	{
 		if (m_Signer)
-			m_Signer->Sign (i2p::context.GetRandomNumberGenerator (), buf, len, signature);
+			m_Signer->Sign (buf, len, signature);
 	}			
 
 	void PrivateKeys::CreateSigner ()
 	{
-		switch (m_Public.GetSigningKeyType ())
+		switch (m_Public->GetSigningKeyType ())
 		{	
 			case SIGNING_KEY_TYPE_DSA_SHA1:
-				m_Signer = new i2p::crypto::DSASigner (m_SigningPrivateKey);
+				m_Signer.reset (new i2p::crypto::DSASigner (m_SigningPrivateKey));
 			break;	
 			case SIGNING_KEY_TYPE_ECDSA_SHA256_P256:
-				m_Signer = new i2p::crypto::ECDSAP256Signer (m_SigningPrivateKey);
+				m_Signer.reset (new i2p::crypto::ECDSAP256Signer (m_SigningPrivateKey));
 			break;
 			case SIGNING_KEY_TYPE_ECDSA_SHA384_P384:
-				m_Signer = new i2p::crypto::ECDSAP384Signer (m_SigningPrivateKey);
+				m_Signer.reset (new i2p::crypto::ECDSAP384Signer (m_SigningPrivateKey));
 			break;	
 			case SIGNING_KEY_TYPE_ECDSA_SHA512_P521:
-				m_Signer = new i2p::crypto::ECDSAP521Signer (m_SigningPrivateKey);
+				m_Signer.reset (new i2p::crypto::ECDSAP521Signer (m_SigningPrivateKey));
 			break;	
 			case SIGNING_KEY_TYPE_RSA_SHA256_2048:
-				m_Signer = new i2p::crypto::RSASHA2562048Signer (m_SigningPrivateKey);
+				m_Signer.reset (new i2p::crypto::RSASHA2562048Signer (m_SigningPrivateKey));
 			break;
 			case SIGNING_KEY_TYPE_RSA_SHA384_3072:
-				m_Signer = new i2p::crypto::RSASHA3843072Signer (m_SigningPrivateKey);
+				m_Signer.reset (new i2p::crypto::RSASHA3843072Signer (m_SigningPrivateKey));
 			break;
 			case SIGNING_KEY_TYPE_RSA_SHA512_4096:
-				m_Signer = new i2p::crypto::RSASHA5124096Signer (m_SigningPrivateKey);
+				m_Signer.reset (new i2p::crypto::RSASHA5124096Signer (m_SigningPrivateKey));
 			break;	
+			case SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519:
+				m_Signer.reset (new i2p::crypto::EDDSA25519Signer (m_SigningPrivateKey));
+			break;
 			default:
-				LogPrint ("Signing key type ", (int)m_Public.GetSigningKeyType (), " is not supported");
+				LogPrint (eLogError, "Identity: Signing key type ", (int)m_Public->GetSigningKeyType (), " is not supported");
 		}
 	}	
 		
@@ -467,39 +489,40 @@ namespace data
 		if (type != SIGNING_KEY_TYPE_DSA_SHA1)
 		{
 			PrivateKeys keys;
-			auto& rnd = i2p::context.GetRandomNumberGenerator ();
 			// signature
 			uint8_t signingPublicKey[512]; // signing public key is 512 bytes max 
 			switch (type)
 			{	
 				case SIGNING_KEY_TYPE_ECDSA_SHA256_P256:
-					i2p::crypto::CreateECDSAP256RandomKeys (rnd, keys.m_SigningPrivateKey, signingPublicKey);
+					i2p::crypto::CreateECDSAP256RandomKeys (keys.m_SigningPrivateKey, signingPublicKey);
 				break;	
 				case SIGNING_KEY_TYPE_ECDSA_SHA384_P384:
-					i2p::crypto::CreateECDSAP384RandomKeys (rnd, keys.m_SigningPrivateKey, signingPublicKey);	
+					i2p::crypto::CreateECDSAP384RandomKeys (keys.m_SigningPrivateKey, signingPublicKey);	
 				break;
 				case SIGNING_KEY_TYPE_ECDSA_SHA512_P521:
-					i2p::crypto::CreateECDSAP521RandomKeys (rnd, keys.m_SigningPrivateKey, signingPublicKey);	
+					i2p::crypto::CreateECDSAP521RandomKeys (keys.m_SigningPrivateKey, signingPublicKey);	
 				break;	
 				case SIGNING_KEY_TYPE_RSA_SHA256_2048:
-					i2p::crypto::CreateRSARandomKeys (rnd, i2p::crypto::RSASHA2562048_KEY_LENGTH, keys.m_SigningPrivateKey, signingPublicKey);	
+					i2p::crypto::CreateRSARandomKeys (i2p::crypto::RSASHA2562048_KEY_LENGTH, keys.m_SigningPrivateKey, signingPublicKey);	
 				break;
 				case SIGNING_KEY_TYPE_RSA_SHA384_3072:
-					i2p::crypto::CreateRSARandomKeys (rnd, i2p::crypto::RSASHA3843072_KEY_LENGTH, keys.m_SigningPrivateKey, signingPublicKey);	
+					i2p::crypto::CreateRSARandomKeys (i2p::crypto::RSASHA3843072_KEY_LENGTH, keys.m_SigningPrivateKey, signingPublicKey);	
 				break;
 				case SIGNING_KEY_TYPE_RSA_SHA512_4096:
-					i2p::crypto::CreateRSARandomKeys (rnd, i2p::crypto::RSASHA5124096_KEY_LENGTH, keys.m_SigningPrivateKey, signingPublicKey);	
+					i2p::crypto::CreateRSARandomKeys (i2p::crypto::RSASHA5124096_KEY_LENGTH, keys.m_SigningPrivateKey, signingPublicKey);	
 				break;	
+				case SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519:
+					i2p::crypto::CreateEDDSA25519RandomKeys (keys.m_SigningPrivateKey, signingPublicKey);
+				break;
 				default:
-					LogPrint ("Signing key type ", (int)type, " is not supported. Create DSA-SHA1");
+					LogPrint (eLogError, "Identity: Signing key type ", (int)type, " is not supported. Create DSA-SHA1");
 					return PrivateKeys (i2p::data::CreateRandomKeys ()); // DSA-SHA1
 			}	
 			// encryption
 			uint8_t publicKey[256];
-			CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
-			dh.GenerateKeyPair(rnd, keys.m_PrivateKey, publicKey);
+			i2p::crypto::GenerateElGamalKeyPair (keys.m_PrivateKey, publicKey);
 			// identity
-			keys.m_Public = IdentityEx (publicKey, signingPublicKey, type);
+			keys.m_Public = std::make_shared<IdentityEx> (publicKey, signingPublicKey, type);
 
 			keys.CreateSigner ();
 			return keys;
@@ -510,11 +533,10 @@ namespace data
 	Keys CreateRandomKeys ()
 	{
 		Keys keys;		
-		auto& rnd = i2p::context.GetRandomNumberGenerator ();
 		// encryption
-		i2p::crypto::GenerateElGamalKeyPair(rnd, keys.privateKey, keys.publicKey);
+		i2p::crypto::GenerateElGamalKeyPair(keys.privateKey, keys.publicKey);
 		// signing
-		i2p::crypto::CreateDSARandomKeys (rnd, keys.signingPrivateKey, keys.signingKey);	
+		i2p::crypto::CreateDSARandomKeys (keys.signingPrivateKey, keys.signingKey);	
 		return keys;
 	}	
 
@@ -532,7 +554,7 @@ namespace data
 		sprintf((char *)(buf + 32), "%04i%02i%02i", tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday);
 #endif		
 		IdentHash key;
-		CryptoPP::SHA256().CalculateDigest((uint8_t *)key, buf, 40);
+		SHA256(buf, 40, key);
 		return key;
 	}	
 	

Identity.h

@@ -4,74 +4,20 @@
 #include <inttypes.h>
 #include <string.h>
 #include <string>
-#include "base64.h"
-#include "ElGamal.h"
+#include <memory>
+#include "Base.h"
 #include "Signature.h"
 
 namespace i2p
 {
 namespace data
 {
-	template<int sz>
-	class Tag
-	{
-		public:
-
-			Tag (const uint8_t * buf) { memcpy (m_Buf, buf, sz); };
-			Tag (const Tag<sz>& ) = default;
-#ifndef _WIN32 // FIXME!!! msvs 2013 can't compile it
-			Tag (Tag<sz>&& ) = default;
-#endif
-			Tag () = default;
-			
-			Tag<sz>& operator= (const Tag<sz>& ) = default;
-#ifndef _WIN32
-			Tag<sz>& operator= (Tag<sz>&& ) = default;
-#endif
-			
-			uint8_t * operator()() { return m_Buf; };
-			const uint8_t * operator()() const { return m_Buf; };
-
-			operator uint8_t * () { return m_Buf; };
-			operator const uint8_t * () const { return m_Buf; };
-			
-			const uint64_t * GetLL () const { return ll; };
-
-			bool operator== (const Tag<sz>& other) const { return !memcmp (m_Buf, other.m_Buf, sz); };
-			bool operator< (const Tag<sz>& other) const { return memcmp (m_Buf, other.m_Buf, sz) < 0; };
-
-			std::string ToBase64 () const
-			{
-				char str[sz*2];
-				int l = i2p::data::ByteStreamToBase64 (m_Buf, sz, str, sz*2);
-				str[l] = 0;
-				return std::string (str);
-			}
-
-			std::string ToBase32 () const
-			{
-				char str[sz*2];
-				int l = i2p::data::ByteStreamToBase32 (m_Buf, sz, str, sz*2);
-				str[l] = 0;
-				return std::string (str);
-			}	
-
-			void FromBase32 (const std::string& s)
-			{
-				i2p::data::Base32ToByteStream (s.c_str (), s.length (), m_Buf, sz);
-			}
-
-		private:
-
-			union // 8 bytes alignment
-			{	
-				uint8_t m_Buf[sz];
-				uint64_t ll[sz/8];
-			};		
-	};	
 	typedef Tag<32> IdentHash;
+	inline std::string GetIdentHashAbbreviation (const IdentHash& ident) 
+	{ 
+		return ident.ToBase64 ().substr (0, 4); 
+	}
 
-#pragma pack(1)
 	struct Keys
 	{
 		uint8_t privateKey[256];
@@ -91,11 +37,7 @@ namespace data
 	{
 		uint8_t publicKey[256];
 		uint8_t signingKey[128];
-		struct
-		{
-			uint8_t type;
-			uint16_t length;
-		} certificate;	
+		uint8_t certificate[3];	// byte 1 - type, bytes 2-3 - length
 
 		Identity () = default;
 		Identity (const Keys& keys) { *this = keys; };
@@ -103,7 +45,7 @@ namespace data
 		size_t FromBuffer (const uint8_t * buf, size_t len);
 		IdentHash Hash () const;
 	};
-#pragma pack()
+
 	Keys CreateRandomKeys ();
 	
 	const size_t DEFAULT_IDENTITY_SIZE = sizeof (Identity); // 387 bytes
@@ -116,6 +58,7 @@ namespace data
 	const uint16_t SIGNING_KEY_TYPE_RSA_SHA256_2048 = 4;
 	const uint16_t SIGNING_KEY_TYPE_RSA_SHA384_3072 = 5;
 	const uint16_t SIGNING_KEY_TYPE_RSA_SHA512_4096 = 6;
+	const uint16_t SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519 = 7;
 	typedef uint16_t SigningKeyType;
 	typedef uint16_t CryptoKeyType;	
 	
@@ -128,6 +71,7 @@ namespace data
 				SigningKeyType type = SIGNING_KEY_TYPE_DSA_SHA1);
 			IdentityEx (const uint8_t * buf, size_t len);
 			IdentityEx (const IdentityEx& other);
+			IdentityEx (const Identity& standard);
 			~IdentityEx ();
 			IdentityEx& operator=(const IdentityEx& other);
 			IdentityEx& operator=(const Identity& standard);
@@ -138,6 +82,7 @@ namespace data
 			std::string ToBase64 () const;
 			const Identity& GetStandardIdentity () const { return m_StandardIdentity; };
 			const IdentHash& GetIdentHash () const { return m_IdentHash; };
+			const uint8_t * GetEncryptionPublicKey () const { return m_StandardIdentity.publicKey; };
 			size_t GetFullLen () const { return m_ExtendedLen + DEFAULT_IDENTITY_SIZE; };
 			size_t GetSigningPublicKeyLen () const;
 			size_t GetSigningPrivateKeyLen () const;
@@ -145,7 +90,7 @@ namespace data
 			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const;
 			SigningKeyType GetSigningKeyType () const;
 			CryptoKeyType GetCryptoKeyType () const;
-			void DropVerifier (); // to save memory			
+			void DropVerifier () const; // to save memory			
 
 		private:
 
@@ -155,7 +100,7 @@ namespace data
 
 			Identity m_StandardIdentity;
 			IdentHash m_IdentHash;
-			mutable i2p::crypto::Verifier * m_Verifier; 
+			mutable std::unique_ptr<i2p::crypto::Verifier> m_Verifier; 
 			size_t m_ExtendedLen;
 			uint8_t * m_ExtendedBuffer;
 	};	
@@ -164,19 +109,19 @@ namespace data
 	{
 		public:
 			
-			PrivateKeys (): m_Signer (nullptr) {};
-			PrivateKeys (const PrivateKeys& other): m_Signer (nullptr) { *this = other; };
-			PrivateKeys (const Keys& keys): m_Signer (nullptr) { *this = keys; };
+			PrivateKeys () = default;
+			PrivateKeys (const PrivateKeys& other) { *this = other; };
+			PrivateKeys (const Keys& keys) { *this = keys; };
 			PrivateKeys& operator=(const Keys& keys);
 			PrivateKeys& operator=(const PrivateKeys& other);
-			~PrivateKeys () { delete m_Signer; };
+			~PrivateKeys () = default;
 			
-			const IdentityEx& GetPublic () const { return m_Public; };
+			std::shared_ptr<const IdentityEx> GetPublic () const { return m_Public; };
 			const uint8_t * GetPrivateKey () const { return m_PrivateKey; };
 			const uint8_t * GetSigningPrivateKey () const { return m_SigningPrivateKey; };
 			void Sign (const uint8_t * buf, int len, uint8_t * signature) const;
 
-			size_t GetFullLen () const { return m_Public.GetFullLen () + 256 + m_Public.GetSigningPrivateKeyLen (); }; 		
+			size_t GetFullLen () const { return m_Public->GetFullLen () + 256 + m_Public->GetSigningPrivateKeyLen (); }; 		
 			size_t FromBuffer (const uint8_t * buf, size_t len);
 			size_t ToBuffer (uint8_t * buf, size_t len) const;
 
@@ -191,10 +136,10 @@ namespace data
 			
 		private:
 
-			IdentityEx m_Public;
+			std::shared_ptr<IdentityEx> m_Public;
 			uint8_t m_PrivateKey[256];
 			uint8_t m_SigningPrivateKey[1024]; // assume private key doesn't exceed 1024 bytes
-			i2p::crypto::Signer * m_Signer;
+			std::unique_ptr<i2p::crypto::Signer> m_Signer;
 	};
 
 	// kademlia
@@ -219,23 +164,12 @@ namespace data
 	{
 		public:
 
-			RoutingDestination (): m_ElGamalEncryption (nullptr) {};
-			virtual ~RoutingDestination () { delete m_ElGamalEncryption; };
+			RoutingDestination () {};
+			virtual ~RoutingDestination () {};
 			
 			virtual const IdentHash& GetIdentHash () const = 0;
 			virtual const uint8_t * GetEncryptionPublicKey () const = 0;
 			virtual bool IsDestination () const = 0; // for garlic 
-
-			i2p::crypto::ElGamalEncryption * GetElGamalEncryption () const
-			{
-				if (!m_ElGamalEncryption)
-					m_ElGamalEncryption = new i2p::crypto::ElGamalEncryption (GetEncryptionPublicKey ());
-				return m_ElGamalEncryption;
-			}
-			
-		private:
-
-			mutable i2p::crypto::ElGamalEncryption * m_ElGamalEncryption; // use lazy initialization
 	};	
 
 	class LocalDestination 
@@ -247,8 +181,8 @@ namespace data
 			virtual const uint8_t * GetEncryptionPrivateKey () const = 0; 
 			virtual const uint8_t * GetEncryptionPublicKey () const = 0; 
 
-			const IdentityEx& GetIdentity () const { return GetPrivateKeys ().GetPublic (); };
-			const IdentHash& GetIdentHash () const { return GetIdentity ().GetIdentHash (); };  
+			std::shared_ptr<const IdentityEx> GetIdentity () const { return GetPrivateKeys ().GetPublic (); };
+			const IdentHash& GetIdentHash () const { return GetIdentity ()->GetIdentHash (); };  
 			void Sign (const uint8_t * buf, int len, uint8_t * signature) const 
 			{ 
 				GetPrivateKeys ().Sign (buf, len, signature); 

LeaseSet.cpp

@@ -1,8 +1,6 @@
 #include <string.h>
 #include "I2PEndian.h"
-#include <cryptopp/dsa.h>
-#include <cryptopp/osrng.h>
-#include "CryptoConst.h"
+#include "Crypto.h"
 #include "Log.h"
 #include "Timestamp.h"
 #include "NetDb.h"
@@ -14,34 +12,43 @@ namespace i2p
 namespace data
 {
 	
-	LeaseSet::LeaseSet (const uint8_t * buf, int len)
+	LeaseSet::LeaseSet (const uint8_t * buf, size_t len, bool storeLeases):
+		m_IsValid (true), m_StoreLeases (storeLeases), m_ExpirationTime (0)
 	{
+		m_Buffer = new uint8_t[len];
 		memcpy (m_Buffer, buf, len);
 		m_BufferLen = len;
 		ReadFromBuffer ();
 	}
 
-	LeaseSet::LeaseSet (const i2p::tunnel::TunnelPool& pool)
+	LeaseSet::LeaseSet (std::shared_ptr<const i2p::tunnel::TunnelPool> pool):
+		m_IsValid (true), m_StoreLeases (true), m_ExpirationTime (0)
 	{	
+		if (!pool) return;
 		// header
-		const i2p::data::LocalDestination * localDestination = pool.GetLocalDestination ();
+		auto localDestination = pool->GetLocalDestination ();
 		if (!localDestination)
 		{
+			m_Buffer = nullptr;
 			m_BufferLen = 0;
-			LogPrint (eLogError, "Destination for local LeaseSet doesn't exist");
+			m_IsValid = false;
+			LogPrint (eLogError, "LeaseSet: Destination for local LeaseSet doesn't exist");
 			return;
 		}	
-		m_BufferLen = localDestination->GetIdentity ().ToBuffer (m_Buffer, MAX_LS_BUFFER_SIZE);
+		m_Buffer = new uint8_t[MAX_LS_BUFFER_SIZE];
+		m_BufferLen = localDestination->GetIdentity ()->ToBuffer (m_Buffer, MAX_LS_BUFFER_SIZE);
 		memcpy (m_Buffer + m_BufferLen, localDestination->GetEncryptionPublicKey (), 256);
 		m_BufferLen += 256;
-		auto signingKeyLen = localDestination->GetIdentity ().GetSigningPublicKeyLen ();
+		auto signingKeyLen = localDestination->GetIdentity ()->GetSigningPublicKeyLen ();
 		memset (m_Buffer + m_BufferLen, 0, signingKeyLen);
 		m_BufferLen += signingKeyLen;
-		auto tunnels = pool.GetInboundTunnels (5); // 5 tunnels maximum
+		int numTunnels = pool->GetNumInboundTunnels () + 2; // 2 backup tunnels 
+		if (numTunnels > 16) numTunnels = 16; // 16 tunnels maximum 
+		auto tunnels = pool->GetInboundTunnels (numTunnels);
 		m_Buffer[m_BufferLen] = tunnels.size (); // num leases
 		m_BufferLen++;
 		// leases
-		CryptoPP::AutoSeededRandomPool rnd;	
+		auto currentTime = i2p::util::GetMillisecondsSinceEpoch ();
 		for (auto it: tunnels)
 		{	
 			memcpy (m_Buffer + m_BufferLen, it->GetNextIdentHash (), 32);
@@ -50,37 +57,73 @@ namespace data
 			m_BufferLen += 4; // tunnel id
 			uint64_t ts = it->GetCreationTime () + i2p::tunnel::TUNNEL_EXPIRATION_TIMEOUT - i2p::tunnel::TUNNEL_EXPIRATION_THRESHOLD; // 1 minute before expiration
 			ts *= 1000; // in milliseconds
-			ts += rnd.GenerateWord32 (0, 5); // + random milliseconds
+			if (ts > m_ExpirationTime) m_ExpirationTime = ts;
+			// make sure leaseset is newer than previous, but adding some time to expiration date
+			ts += (currentTime - it->GetCreationTime ()*1000LL)*2/i2p::tunnel::TUNNEL_EXPIRATION_TIMEOUT; // up to 2 secs
 			htobe64buf (m_Buffer + m_BufferLen, ts);
 			m_BufferLen += 8; // end date
 		}
 		// signature
 		localDestination->Sign (m_Buffer, m_BufferLen, m_Buffer + m_BufferLen);
-		m_BufferLen += localDestination->GetIdentity ().GetSignatureLen (); 
-		LogPrint ("Local LeaseSet of ", tunnels.size (), " leases created");
+		m_BufferLen += localDestination->GetIdentity ()->GetSignatureLen (); 
+		LogPrint (eLogDebug, "LeaseSet: Local LeaseSet of ", tunnels.size (), " leases created");
 
 		ReadFromBuffer ();
 	}
 
-	void LeaseSet::Update (const uint8_t * buf, int len)
+	void LeaseSet::Update (const uint8_t * buf, size_t len)
 	{	
-		m_Leases.clear ();
+		if (len > m_BufferLen)
+		{
+			auto oldBuffer = m_Buffer;
+			m_Buffer = new uint8_t[len];
+			delete[] oldBuffer;
+		}	
 		memcpy (m_Buffer, buf, len);
 		m_BufferLen = len;
-		ReadFromBuffer ();
+		ReadFromBuffer (false);
 	}
-	
-	void LeaseSet::ReadFromBuffer ()	
+
+	void LeaseSet::PopulateLeases ()
+	{
+		m_StoreLeases = true;
+		ReadFromBuffer (false);
+	}	
+		
+	void LeaseSet::ReadFromBuffer (bool readIdentity)	
 	{	
-		size_t size = m_Identity.FromBuffer (m_Buffer, m_BufferLen);
+		if (readIdentity || !m_Identity)
+			m_Identity = std::make_shared<IdentityEx>(m_Buffer, m_BufferLen);
+		size_t size = m_Identity->GetFullLen ();
+		if (size > m_BufferLen)
+		{
+			LogPrint (eLogError, "LeaseSet: identity length ", size, " exceeds buffer size ", m_BufferLen);
+			m_IsValid = false;
+			return;
+		}
 		memcpy (m_EncryptionKey, m_Buffer + size, 256);
 		size += 256; // encryption key
-		size += m_Identity.GetSigningPublicKeyLen (); // unused signing key
+		size += m_Identity->GetSigningPublicKeyLen (); // unused signing key
 		uint8_t num = m_Buffer[size];
 		size++; // num
-		LogPrint ("LeaseSet num=", (int)num);
+		LogPrint (eLogDebug, "LeaseSet: read num=", (int)num);
+		if (!num || num > MAX_NUM_LEASES)
+		{	  
+			LogPrint (eLogError, "LeaseSet: incorrect number of leases", (int)num);
+			m_IsValid = false;
+			return;
+		}	
+
+		// reset existing leases	
+		if (m_StoreLeases)
+			for (auto it: m_Leases)
+				it->isUpdated = false;		
+		else	
+			m_Leases.clear ();
 
 		// process leases
+		m_ExpirationTime = 0;
+		auto ts = i2p::util::GetMillisecondsSinceEpoch ();
 		const uint8_t * leases = m_Buffer + size;
 		for (int i = 0; i < num; i++)
 		{
@@ -89,33 +132,98 @@ namespace data
 			leases += 32; // gateway
 			lease.tunnelID = bufbe32toh (leases);
 			leases += 4; // tunnel ID
-			lease.endDate = bufbe64toh (leases);
+			lease.endDate = bufbe64toh (leases); 
 			leases += 8; // end date
-			m_Leases.push_back (lease);
-
-			// check if lease's gateway is in our netDb
-			if (!netdb.FindRouter (lease.tunnelGateway))
-			{
-				// if not found request it
-				LogPrint ("Lease's tunnel gateway not found. Requested");
-				netdb.RequestDestination (lease.tunnelGateway);
-			}	
+			if (ts < lease.endDate + LEASE_ENDDATE_THRESHOLD)
+			{	
+				if (lease.endDate > m_ExpirationTime)
+					m_ExpirationTime = lease.endDate;
+				if (m_StoreLeases)
+				{	
+					auto ret = m_Leases.insert (std::make_shared<Lease>(lease));
+					if (!ret.second) *(*ret.first) = lease; // update existing
+					(*ret.first)->isUpdated = true;
+					// check if lease's gateway is in our netDb
+					if (!netdb.FindRouter (lease.tunnelGateway))
+					{
+						// if not found request it
+						LogPrint (eLogInfo, "LeaseSet: Lease's tunnel gateway not found, requesting");
+						netdb.RequestDestination (lease.tunnelGateway);
+					}
+				}	
+			}
+			else
+				LogPrint (eLogWarning, "LeaseSet: Lease is expired already ");
 		}	
-		
+		if (!m_ExpirationTime)
+		{
+			LogPrint (eLogWarning, "LeaseSet: all leases are expired. Dropped");
+			m_IsValid = false;
+			return;
+		}	
+		m_ExpirationTime += LEASE_ENDDATE_THRESHOLD;
+		// delete old leases	
+		if (m_StoreLeases)
+		{	
+			for (auto it = m_Leases.begin (); it != m_Leases.end ();)
+			{	
+				if (!(*it)->isUpdated)
+				{
+					(*it)->endDate = 0; // somebody might still hold it
+					m_Leases.erase (it++);
+				}	
+				else
+					it++;
+			}
+		}
+
 		// verify
-		if (!m_Identity.Verify (m_Buffer, leases - m_Buffer, leases))
-			LogPrint ("LeaseSet verification failed");
+		if (!m_Identity->Verify (m_Buffer, leases - m_Buffer, leases))
+		{
+			LogPrint (eLogWarning, "LeaseSet: verification failed");
+			m_IsValid = false;
+		}
 	}				
-	
-	const std::vector<Lease> LeaseSet::GetNonExpiredLeases (bool withThreshold) const
+
+	uint64_t LeaseSet::ExtractTimestamp (const uint8_t * buf, size_t len) const 
+	{
+		if (!m_Identity) return 0;
+		size_t size = m_Identity->GetFullLen ();
+		if (size > len) return 0;
+		size += 256; // encryption key
+		size += m_Identity->GetSigningPublicKeyLen (); // unused signing key
+		if (size > len) return 0;
+		uint8_t num = buf[size];
+		size++; // num
+		if (size + num*44 > len) return 0;
+		uint64_t timestamp= 0 ;
+		for (int i = 0; i < num; i++)
+		{
+			size += 36; // gateway (32) + tunnelId(4)
+			auto endDate = bufbe64toh (buf + size); 
+			size += 8; // end date
+			if (!timestamp || endDate < timestamp)
+				timestamp = endDate;
+		}	
+		return timestamp;
+	}	
+
+	bool LeaseSet::IsNewer (const uint8_t * buf, size_t len) const
+	{
+		return ExtractTimestamp (buf, len) > ExtractTimestamp (m_Buffer, m_BufferLen);
+	}	
+		
+	const std::vector<std::shared_ptr<const Lease> > LeaseSet::GetNonExpiredLeases (bool withThreshold) const
 	{
 		auto ts = i2p::util::GetMillisecondsSinceEpoch ();
-		std::vector<Lease> leases;
-		for (auto& it: m_Leases)
+		std::vector<std::shared_ptr<const Lease> > leases;
+		for (auto it: m_Leases)
 		{
-			auto endDate = it.endDate;
-			if (!withThreshold)
-				endDate -= i2p::tunnel::TUNNEL_EXPIRATION_THRESHOLD*1000;
+			auto endDate = it->endDate;
+			if (withThreshold)
+				endDate += LEASE_ENDDATE_THRESHOLD;
+			else
+				endDate -= LEASE_ENDDATE_THRESHOLD;
 			if (ts < endDate)
 				leases.push_back (it);
 		}	
@@ -123,19 +231,18 @@ namespace data
 	}	
 
 	bool LeaseSet::HasExpiredLeases () const
-	{
+ 	{
 		auto ts = i2p::util::GetMillisecondsSinceEpoch ();
-		for (auto& it: m_Leases)
-			if (ts >= it.endDate) return true;
+		for (auto it: m_Leases)
+			if (ts >= it->endDate) return true;
 		return false;
-	}	
+ 	}	
 
-	bool LeaseSet::HasNonExpiredLeases () const
+	bool LeaseSet::IsExpired () const
 	{
+		if (IsEmpty ()) return true;
 		auto ts = i2p::util::GetMillisecondsSinceEpoch ();
-		for (auto& it: m_Leases)
-			if (ts < it.endDate) return true;
-		return false;
+		return ts > m_ExpirationTime;
 	}	
 }		
 }	

LeaseSet.h

@@ -4,6 +4,7 @@
 #include <inttypes.h>
 #include <string.h>
 #include <vector>
+#include <memory>
 #include "Identity.h"
 
 namespace i2p
@@ -16,55 +17,69 @@ namespace tunnel
 
 namespace data
 {	
+	const int LEASE_ENDDATE_THRESHOLD = 51000; // in milliseconds
 	struct Lease
 	{
 		IdentHash tunnelGateway;
 		uint32_t tunnelID;
-		uint64_t endDate;
-
-		bool operator< (const Lease& other) const 
-		{
-			if (endDate != other.endDate)
-				return endDate > other.endDate;
-			else
-				return tunnelID < other.tunnelID; 
-		}	
+		uint64_t endDate; // 0 means invalid
+		bool isUpdated; // trasient 
 	};	
 
-	const int MAX_LS_BUFFER_SIZE = 3072;	
+	struct LeaseCmp
+	{
+		bool operator() (std::shared_ptr<const Lease> l1, std::shared_ptr<const Lease> l2) const
+  		{	
+			if (l1->tunnelID != l2->tunnelID)
+				return l1->tunnelID < l2->tunnelID; 
+			else
+				return l1->tunnelGateway < l2->tunnelGateway; 
+		};
+	};	
+
+	const int MAX_LS_BUFFER_SIZE = 3072;
+	const uint8_t MAX_NUM_LEASES = 16;		
 	class LeaseSet: public RoutingDestination
 	{
 		public:
 
-			LeaseSet (const uint8_t * buf, int len);
-			LeaseSet (const LeaseSet& ) = default;
-			LeaseSet (const i2p::tunnel::TunnelPool& pool);
-			LeaseSet& operator=(const LeaseSet& ) = default;
-			void Update (const uint8_t * buf, int len);
-			const IdentityEx& GetIdentity () const { return m_Identity; };			
+			LeaseSet (const uint8_t * buf, size_t len, bool storeLeases = true);
+			LeaseSet (std::shared_ptr<const i2p::tunnel::TunnelPool> pool);
+			~LeaseSet () { delete[] m_Buffer; };
+			void Update (const uint8_t * buf, size_t len);
+			bool IsNewer (const uint8_t * buf, size_t len) const;
+			void PopulateLeases (); // from buffer
+			std::shared_ptr<const IdentityEx> GetIdentity () const { return m_Identity; };			
 
 			const uint8_t * GetBuffer () const { return m_Buffer; };
 			size_t GetBufferLen () const { return m_BufferLen; };	
+			bool IsValid () const { return m_IsValid; };
+			const std::vector<std::shared_ptr<const Lease> > GetNonExpiredLeases (bool withThreshold = true) const;
+			bool HasExpiredLeases () const;
+			bool IsExpired () const;
+			bool IsEmpty () const { return m_Leases.empty (); };
+			uint64_t GetExpirationTime () const { return m_ExpirationTime; };
+			bool operator== (const LeaseSet& other) const 
+			{ return m_BufferLen == other.m_BufferLen && !memcmp (m_Buffer, other.m_Buffer, m_BufferLen); }; 
 
 			// implements RoutingDestination
-			const IdentHash& GetIdentHash () const { return m_Identity.GetIdentHash (); };
-			const std::vector<Lease>& GetLeases () const { return m_Leases; };
-			const std::vector<Lease> GetNonExpiredLeases (bool withThreshold = true) const;
-			bool HasExpiredLeases () const;
-			bool HasNonExpiredLeases () const;
+			const IdentHash& GetIdentHash () const { return m_Identity->GetIdentHash (); };
 			const uint8_t * GetEncryptionPublicKey () const { return m_EncryptionKey; };
 			bool IsDestination () const { return true; };
 
 		private:
 
-			void ReadFromBuffer ();
+			void ReadFromBuffer (bool readIdentity = true);
+			uint64_t ExtractTimestamp (const uint8_t * buf, size_t len) const; // min expiration time
 			
 		private:
 
-			std::vector<Lease> m_Leases;
-			IdentityEx m_Identity;
+			bool m_IsValid, m_StoreLeases; // we don't need to store leases for floodfill
+			std::set<std::shared_ptr<Lease>, LeaseCmp> m_Leases;
+			uint64_t m_ExpirationTime; // in milliseconds
+			std::shared_ptr<const IdentityEx> m_Identity;
 			uint8_t m_EncryptionKey[256];
-			uint8_t m_Buffer[MAX_LS_BUFFER_SIZE];
+			uint8_t * m_Buffer;
 			size_t m_BufferLen;
 	};	
 }		

Log.cpp

@@ -1,43 +1,167 @@
+/*
+* Copyright (c) 2013-2016, The PurpleI2P Project
+*
+* This file is part of Purple i2pd project and licensed under BSD3
+*
+* See full license text in LICENSE file at top of project tree
+*/
+
 #include "Log.h"
-#include <boost/date_time/posix_time/posix_time.hpp>
 
-Log * g_Log = nullptr;
-
-static const char * g_LogLevelStr[eNumLogLevels] =
-{
-	"error", // eLogError
-	"warn",  // eLogWarning
-	"info",  // eLogInfo
-	"debug"	 // eLogDebug 
-};
-
-void LogMsg::Process()
-{
-	output << boost::posix_time::second_clock::local_time().time_of_day () <<  
-		"/" << g_LogLevelStr[level] << " - ";
-	output << s.str();
-}
-
-void Log::Flush ()
-{
-	if (m_LogStream)
-		m_LogStream->flush();
-}
-
-void Log::SetLogFile (const std::string& fullFilePath)
-{
-	auto logFile = new std::ofstream (fullFilePath, std::ofstream::out | std::ofstream::binary | std::ofstream::trunc);
-	if (logFile->is_open ())
+namespace i2p {
+namespace log {
+	Log logger;
+	/**
+	 * @enum Maps our loglevel to their symbolic name
+	 */
+	static const char * g_LogLevelStr[eNumLogLevels] =
 	{
-		SetLogStream (logFile);
-		LogPrint("Logging to file ",  fullFilePath, " enabled.");
-	}	
-	else
-		delete logFile;
-}
+		"error", // eLogError
+		"warn",  // eLogWarn
+		"info",  // eLogInfo
+		"debug"	 // eLogDebug
+	};
 
-void Log::SetLogStream (std::ostream * logStream)
-{
-	if (m_LogStream) delete m_LogStream;	
-	m_LogStream = logStream;
-}
+#ifndef _WIN32
+	/**
+	 * @brief  Maps our log levels to syslog one
+	 * @return syslog priority LOG_*, as defined in syslog.h
+	 */
+	static inline int GetSyslogPrio (enum LogLevel l) {
+		int priority = LOG_DEBUG;
+		switch (l) {
+			case eLogError   : priority = LOG_ERR;     break;
+			case eLogWarning : priority = LOG_WARNING; break;
+			case eLogInfo    : priority = LOG_INFO;    break;
+			case eLogDebug   : priority = LOG_DEBUG;   break;
+			default          : priority = LOG_DEBUG;   break;
+		}
+		return priority;
+	}
+#endif
+
+	Log::Log():
+	m_Destination(eLogStdout), m_MinLevel(eLogInfo),
+	m_LogStream (nullptr), m_Logfile(""), m_IsReady(false)
+	{
+	}
+
+	Log::~Log ()
+	{
+		switch (m_Destination) {
+#ifndef _WIN32
+			case eLogSyslog :
+				closelog();
+				break;
+#endif
+			case eLogFile:
+			case eLogStream:
+				m_LogStream->flush();
+				break;
+			default:
+				/* do nothing */
+				break;
+		}
+		Process();
+	}
+
+	void Log::SetLogLevel (const std::string& level) {
+		if      (level == "error") { m_MinLevel = eLogError; }
+		else if (level == "warn")  { m_MinLevel = eLogWarning; }
+		else if (level == "info")  { m_MinLevel = eLogInfo;  }
+		else if (level == "debug") { m_MinLevel = eLogDebug; }
+		else {
+			LogPrint(eLogError, "Log: unknown loglevel: ", level);
+			return;
+		}
+		LogPrint(eLogInfo, "Log: min messages level set to ", level);
+	}
+	
+	const char * Log::TimeAsString(std::time_t t) {
+		if (t != m_LastTimestamp) {
+			strftime(m_LastDateTime, sizeof(m_LastDateTime), "%H:%M:%S", localtime(&t));
+			m_LastTimestamp = t;
+		}
+		return m_LastDateTime;
+	}
+
+	/**
+	 * @note This function better to be run in separate thread due to disk i/o.
+	 * Unfortunately, with current startup process with late fork() this
+	 * will give us nothing but pain. Maybe later. See in NetDb as example.
+	 */
+	void Log::Process() {
+		std::unique_lock<std::mutex> l(m_OutputLock);
+		std::hash<std::thread::id> hasher;
+		unsigned short short_tid;
+		while (1) {
+			auto msg = m_Queue.GetNextWithTimeout (1);
+			if (!msg)
+				break;
+			short_tid = (short) (hasher(msg->tid) % 1000);
+			switch (m_Destination) {
+#ifndef _WIN32
+				case eLogSyslog:
+					syslog(GetSyslogPrio(msg->level), "[%03u] %s", short_tid, msg->text.c_str());
+					break;
+#endif
+				case eLogFile:
+				case eLogStream:
+					*m_LogStream << TimeAsString(msg->timestamp)
+						<< "@" << short_tid
+						<< "/" << g_LogLevelStr[msg->level]
+						<< " - " << msg->text << std::endl;
+					break;
+				case eLogStdout:
+				default:
+					std::cout    << TimeAsString(msg->timestamp)
+						<< "@" << short_tid
+						<< "/" << g_LogLevelStr[msg->level]
+						<< " - " << msg->text << std::endl;
+					break;
+			} // switch
+		} // while
+	}
+
+	void Log::Append(std::shared_ptr<i2p::log::LogMsg> & msg) {
+		m_Queue.Put(msg);
+		if (!m_IsReady)
+			return;
+		Process();
+	}
+
+	void Log::SendTo (const std::string& path) {
+		auto flags = std::ofstream::out | std::ofstream::app;
+		auto os = std::make_shared<std::ofstream> (path, flags);
+		if (os->is_open ()) {
+			m_Logfile = path;
+			m_Destination = eLogFile;
+			m_LogStream = os;
+			return;
+		}
+		LogPrint(eLogError, "Log: can't open file ", path);
+	}
+
+	void Log::SendTo (std::shared_ptr<std::ostream> os) {
+		m_Destination = eLogStream;
+		m_LogStream = os;
+	}
+
+#ifndef _WIN32
+	void Log::SendTo(const char *name, int facility) {
+		m_Destination = eLogSyslog;
+		m_LogStream = nullptr;
+		openlog(name, LOG_CONS | LOG_PID, facility);
+	}
+#endif
+
+	void Log::Reopen() {
+		if (m_Destination == eLogFile)
+			SendTo(m_Logfile);
+	}
+
+	Log & Logger() {
+		return logger;
+	}
+} // log
+} // i2p

Log.h

@@ -1,13 +1,27 @@
+/*
+* Copyright (c) 2013-2016, The PurpleI2P Project
+*
+* This file is part of Purple i2pd project and licensed under BSD3
+*
+* See full license text in LICENSE file at top of project tree
+*/
+
 #ifndef LOG_H__
 #define LOG_H__
 
+#include <ctime>
 #include <string>
 #include <iostream>
-#include <sstream>
 #include <fstream>
-#include <functional>
+#include <sstream>
+#include <chrono>
+#include <memory>
 #include "Queue.h"
 
+#ifndef _WIN32
+#include <syslog.h>
+#endif
+
 enum LogLevel
 {
 	eLogError = 0,
@@ -17,101 +31,156 @@ enum LogLevel
 	eNumLogLevels
 };
 
-struct LogMsg
-{
-	std::stringstream s;
-	std::ostream& output;	
-	LogLevel level;
-
-	LogMsg (std::ostream& o = std::cout, LogLevel l = eLogInfo): output (o), level (l) {};
-	
-	void Process();
+enum LogType {
+	eLogStdout = 0,
+	eLogStream,
+	eLogFile,
+#ifndef _WIN32
+	eLogSyslog,
+#endif
 };
 
-class Log: public i2p::util::MsgQueue<LogMsg>
-{
-	public:
+namespace i2p {
+namespace log {
+	struct LogMsg; /* forward declaration */
 
-		Log (): m_LogStream (nullptr) { SetOnEmpty (std::bind (&Log::Flush, this)); };
-		~Log () { delete m_LogStream; };
-
-		void SetLogFile (const std::string& fullFilePath);
-		void SetLogStream (std::ostream * logStream);
-		std::ostream * GetLogStream () const { return m_LogStream; };	
-
-	private:
-
-		void Flush ();
-
-	private:
-		
-		std::ostream * m_LogStream;
-};
-
-extern Log * g_Log;
-
-inline void StartLog (const std::string& fullFilePath)
-{
-	if (!g_Log)
-	{	
-		g_Log = new Log ();
-		if (fullFilePath.length () > 0)
-			g_Log->SetLogFile (fullFilePath);
-	}	
-}
-
-inline void StartLog (std::ostream * s)
-{
-	if (!g_Log)
-	{	
-		g_Log = new Log ();
-		if (s)
-			g_Log->SetLogStream (s);
-	}	
-}
-
-inline void StopLog ()
-{
-	if (g_Log)
+	class Log
 	{
-		delete g_Log;
-		g_Log = nullptr;
-	}		
-}
+		private:
 
+			enum LogType  m_Destination;
+			enum LogLevel m_MinLevel;
+			std::shared_ptr<std::ostream> m_LogStream;
+			std::string m_Logfile;
+			std::time_t m_LastTimestamp;
+			char m_LastDateTime[64];
+			i2p::util::Queue<std::shared_ptr<LogMsg> > m_Queue;
+			volatile bool m_IsReady;
+			mutable std::mutex m_OutputLock;
+
+		private:
+
+			/** prevent making copies */
+			Log (const Log &);
+			const Log& operator=(const Log&);
+
+			/**
+			 * @brief process stored messages in queue
+			 */
+			void Process ();
+
+			/**
+			 * @brief Makes formatted string from unix timestamp
+			 * @param ts  Second since epoch
+			 *
+			 * This function internally caches the result for last provided value
+			 */
+			const char * TimeAsString(std::time_t ts);
+
+		public:
+
+			Log ();
+			~Log ();
+
+			LogType  GetLogType  () { return m_Destination; };
+			LogLevel GetLogLevel () { return m_MinLevel; };
+
+			/**
+			 * @brief  Sets minimal alloed level for log messages
+			 * @param  level  String with wanted minimal msg level
+			 */
+			void     SetLogLevel (const std::string& level);
+
+			/**
+			 * @brief Sets log destination to logfile
+			 * @param path  Path to logfile
+			 */
+			void SendTo (const std::string &path);
+
+			/**
+			 * @brief Sets log destination to given output stream
+			 * @param os  Output stream
+			 */
+			void SendTo (std::shared_ptr<std::ostream> s);
+
+	#ifndef _WIN32
+			/**
+			 * @brief Sets log destination to syslog
+			 * @param name     Wanted program name
+			 * @param facility Wanted log category
+			 */
+			void SendTo (const char *name, int facility);
+	#endif
+
+			/**
+			 * @brief  Format log message and write to output stream/syslog
+			 * @param  msg  Pointer to processed message
+			 */
+			void Append(std::shared_ptr<i2p::log::LogMsg> &);
+
+			/** @brief  Allow log output */
+			void Ready() { m_IsReady = true; }
+
+			/** @brief  Flushes the output log stream */
+			void Flush();
+
+			/** @brief  Reopen log file */
+			void Reopen();
+	};
+
+	/**
+	 * @struct Log message container
+	 *
+	 * We creating it somewhere with LogPrint(),
+	 * then put in MsgQueue for later processing.
+	 */
+	struct LogMsg {
+		std::time_t timestamp;
+		std::string text; /**< message text as single string */
+		LogLevel level;   /**< message level */
+		std::thread::id tid; /**< id of thread that generated message */
+
+		LogMsg (LogLevel lvl, std::time_t ts, const std::string & txt): timestamp(ts), text(txt), level(lvl) {};
+	};
+
+	Log & Logger();
+} // log
+} // i2p
+
+/** internal usage only -- folding args array to single string */
 template<typename TValue>
-void LogPrint (std::stringstream& s, TValue arg) 
+void LogPrint (std::stringstream& s, TValue arg)
 {
 	s << arg;
 }
- 
+
+/** internal usage only -- folding args array to single string */
 template<typename TValue, typename... TArgs>
-void LogPrint (std::stringstream& s, TValue arg, TArgs... args) 
+void LogPrint (std::stringstream& s, TValue arg, TArgs... args)
 {
 	LogPrint (s, arg);
 	LogPrint (s, args...);
 }
 
+/**
+ * @brief Create log message and send it to queue
+ * @param level Message level (eLogError, eLogInfo, ...)
+ * @param args Array of message parts
+ */
 template<typename... TArgs>
-void LogPrint (LogLevel level, TArgs... args) 
+void LogPrint (LogLevel level, TArgs... args)
 {
-	LogMsg * msg = (g_Log && g_Log->GetLogStream ()) ? new LogMsg (*g_Log->GetLogStream (), level) : 
-		new LogMsg (std::cout, level);
-	LogPrint (msg->s, args...);
-	msg->s << std::endl;
-	if (g_Log)	
-		g_Log->Put (msg);
-	else
-	{
-		msg->Process ();
-		delete msg;
-	}
+	i2p::log::Log &log = i2p::log::Logger();
+	if (level > log.GetLogLevel ())
+		return;
+
+	// fold message to single string
+	std::stringstream ss("");
+	LogPrint (ss, args ...);
+
+	auto msg = std::make_shared<i2p::log::LogMsg>(level, std::time(nullptr), ss.str());
+	msg->tid = std::this_thread::get_id();
+	log.Append(msg);
 }
 
-template<typename... TArgs>
-void LogPrint (TArgs... args) 
-{
-	LogPrint (eLogInfo, args...);
-}	
-
-#endif
+#endif // LOG_H__

Makefile

@@ -1,6 +1,9 @@
 UNAME := $(shell uname -s)
 SHLIB := libi2pd.so
-I2PD  := i2p
+ARLIB := libi2pd.a
+SHLIB_CLIENT := libi2pdclient.so
+ARLIB_CLIENT := libi2pdclient.a
+I2PD  := i2pd
 GREP := fgrep
 DEPS := obj/make.dep
 
@@ -18,16 +21,19 @@ else ifeq ($(shell echo $(UNAME) | $(GREP) -c FreeBSD),1)
 else ifeq ($(UNAME),Linux)
 	DAEMON_SRC += DaemonLinux.cpp
 	include Makefile.linux
-else # win32
-	DAEMON_SRC += DaemonWin32.cpp
+else # win32 mingw
+	DAEMON_SRC += DaemonWin32.cpp Win32/Win32Service.cpp Win32/Win32App.cpp
+	include Makefile.mingw
 endif
 
-all: mk_build_dir $(SHLIB) $(I2PD)
+all: mk_obj_dir $(ARLIB) $(ARLIB_CLIENT) $(I2PD)
 
-mk_build_dir:
-	mkdir -p obj
+mk_obj_dir:
+	@mkdir -p obj
+	@mkdir -p obj/Win32
 
-api: $(SHLIB)
+api: mk_obj_dir $(SHLIB) $(ARLIB)
+api_client: mk_obj_dir $(SHLIB) $(ARLIB) $(SHLIB_CLIENT) $(ARLIB_CLIENT)
 
 ## NOTE: The NEEDED_CXXFLAGS are here so that CXXFLAGS can be specified at build time
 ## **without** overwriting the CXXFLAGS which we need in order to build.
@@ -36,19 +42,18 @@ api: $(SHLIB)
 ## -std=c++11. If you want to remove this variable please do so in a way that allows setting
 ## custom FLAGS to work at build-time.
 
-deps:
-	@mkdir -p obj
+deps: mk_obj_dir
 	$(CXX) $(CXXFLAGS) $(NEEDED_CXXFLAGS) -MM *.cpp > $(DEPS)
 	@sed -i -e '/\.o:/ s/^/obj\//' $(DEPS)
 
-obj/%.o : %.cpp
-	@mkdir -p obj
+obj/%.o: %.cpp
 	$(CXX) $(CXXFLAGS) $(NEEDED_CXXFLAGS) $(INCFLAGS) $(CPU_FLAGS) -c -o $@ $<
 
 # '-' is 'ignore if missing' on first run
 -include $(DEPS)
 
-$(I2PD):  $(patsubst %.cpp,obj/%.o,$(DAEMON_SRC))
+DAEMON_OBJS += $(patsubst %.cpp,obj/%.o,$(DAEMON_SRC))
+$(I2PD): $(DAEMON_OBJS) $(ARLIB) $(ARLIB_CLIENT)
 	$(CXX) -o $@ $^ $(LDLIBS) $(LDFLAGS)
 
 $(SHLIB): $(patsubst %.cpp,obj/%.o,$(LIB_SRC))
@@ -56,11 +61,23 @@ ifneq ($(USE_STATIC),yes)
 	$(CXX) $(LDFLAGS) $(LDLIBS) -shared -o $@ $^
 endif
 
+$(SHLIB_CLIENT): $(patsubst %.cpp,obj/%.o,$(LIB_CLIENT_SRC))
+	$(CXX) $(LDFLAGS) $(LDLIBS) -shared -o $@ $^
+
+$(ARLIB): $(patsubst %.cpp,obj/%.o,$(LIB_SRC))
+	ar -r $@ $^
+
+$(ARLIB_CLIENT): $(patsubst %.cpp,obj/%.o,$(LIB_CLIENT_SRC))
+	ar -r $@ $^
+
 clean:
 	rm -rf obj
-	$(RM) $(I2PD) $(SHLIB)
+	$(RM) $(I2PD) $(SHLIB) $(ARLIB) $(SHLIB_CLIENT) $(ARLIB_CLIENT)
 
-LATEST_TAG=$(shell git describe --tags --abbrev=0 master)
+strip: $(I2PD) $(SHLIB_CLIENT) $(SHLIB)
+	strip $^
+
+LATEST_TAG=$(shell git describe --tags --abbrev=0 openssl)
 dist:
 	git archive --format=tar.gz -9 --worktree-attributes \
 	    --prefix=i2pd_$(LATEST_TAG)/ $(LATEST_TAG) -o i2pd_$(LATEST_TAG).tar.gz
@@ -70,4 +87,5 @@ dist:
 .PHONY: deps
 .PHONY: dist
 .PHONY: api
-.PHONY: mk_build_dir
+.PHONY: api_client
+.PHONY: mk_obj_dir

Makefile.bsd

@@ -1,4 +1,4 @@
-CXX = g++
+CXX = clang++
 CXXFLAGS = -O2
 ## NOTE: NEEDED_CXXFLAGS is here so that custom CXXFLAGS can be specified at build time
 ## **without** overwriting the CXXFLAGS which we need in order to build.
@@ -6,7 +6,7 @@ CXXFLAGS = -O2
 ## (e.g. -fstack-protector-strong -Wformat -Werror=format-security), we do not want to remove
 ## -std=c++11. If you want to remove this variable please do so in a way that allows setting
 ## custom FLAGS to work at build-time.
-NEEDED_CXXFLAGS = -std=c++11
+NEEDED_CXXFLAGS = -std=c++11 -D_GLIBCXX_USE_NANOSLEEP=1
 INCFLAGS = -I/usr/include/ -I/usr/local/include/
 LDFLAGS = -Wl,-rpath,/usr/local/lib -L/usr/local/lib
-LDLIBS = -lcryptopp -lboost_system -lboost_date_time -lboost_filesystem -lboost_regex -lboost_program_options -lpthread
+LDLIBS = -lcrypto -lssl -lz -lboost_system -lboost_date_time -lboost_filesystem -lboost_regex -lboost_program_options -lpthread

Makefile.linux

@@ -1,5 +1,6 @@
-CXXFLAGS = -g -Wall
-INCFLAGS =
+# set defaults instead redefine
+CXXFLAGS ?= -g -Wall
+INCFLAGS ?=
 
 ## NOTE: The NEEDED_CXXFLAGS are here so that custom CXXFLAGS can be specified at build time
 ## **without** overwriting the CXXFLAGS which we need in order to build.
@@ -8,15 +9,17 @@ INCFLAGS =
 ## -std=c++11. If you want to remove this variable please do so in a way that allows setting
 ## custom FLAGS to work at build-time.
 
-# detect proper flag for c++11 support by gcc
+# detect proper flag for c++11 support by compilers
 CXXVER := $(shell $(CXX) -dumpversion)
-ifeq ($(shell expr match ${CXXVER} "4\.[0-9][0-9]"),4) # >= 4.10
+ifeq ($(shell expr match $(CXX) 'clang'),5)
+	NEEDED_CXXFLAGS += -std=c++11
+else ifeq ($(shell expr match ${CXXVER} "4\.[0-9][0-9]"),4) # gcc >= 4.10
 	NEEDED_CXXFLAGS += -std=c++11
 else ifeq ($(shell expr match ${CXXVER} "4\.[7-9]"),3) # >= 4.7
-	NEEDED_CXXFLAGS += -std=c++11
+	NEEDED_CXXFLAGS += -std=c++11 -D_GLIBCXX_USE_NANOSLEEP=1
 else ifeq ($(shell expr match ${CXXVER} "4\.6"),3) # = 4.6
 	NEEDED_CXXFLAGS += -std=c++0x
-else ifeq ($(shell expr match $(CXX) 'clang'),5)
+else ifeq ($(shell expr match ${CXXVER} "5\.[0-9]"),3) # gcc >= 5.0
 	NEEDED_CXXFLAGS += -std=c++11
 else # not supported
 	$(error Compiler too old)
@@ -31,11 +34,13 @@ ifeq ($(USE_STATIC),yes)
   LDLIBS += $(LIBDIR)/libboost_filesystem.a
   LDLIBS += $(LIBDIR)/libboost_regex.a
   LDLIBS += $(LIBDIR)/libboost_program_options.a
-  LDLIBS += $(LIBDIR)/libcryptopp.a
+  LDLIBS += $(LIBDIR)/libcrypto.a
+  LDLIBS += $(LIBDIR)/libssl.a
+  LDLIBS += $(LIBDIR)/libz.a
   LDLIBS += -lpthread -static-libstdc++ -static-libgcc
   USE_AESNI := no
 else
-  LDLIBS = -lcryptopp -lboost_system -lboost_date_time -lboost_filesystem -lboost_regex -lboost_program_options -lpthread
+  LDLIBS = -lcrypto -lssl -lz -lboost_system -lboost_date_time -lboost_filesystem -lboost_regex -lboost_program_options -lpthread
 endif
 
 # UPNP Support (miniupnpc 1.5 or 1.6)

Makefile.mingw

@@ -0,0 +1,43 @@
+USE_WIN32_APP=yes
+CXX = g++
+WINDRES = windres
+CXXFLAGS = -Os -D_MT -DWIN32 -D_WINDOWS -DWIN32_LEAN_AND_MEAN
+NEEDED_CXXFLAGS = -std=c++11
+BOOST_SUFFIX = -mt
+INCFLAGS = -I/usr/include/ -I/usr/local/include/
+LDFLAGS = -Wl,-rpath,/usr/local/lib \
+  -L/usr/local/lib \
+  -L/c/dev/openssl \
+  -L/c/dev/boost/lib
+LDLIBS = \
+  -Wl,-Bstatic -lboost_system$(BOOST_SUFFIX) \
+  -Wl,-Bstatic -lboost_date_time$(BOOST_SUFFIX) \
+  -Wl,-Bstatic -lboost_filesystem$(BOOST_SUFFIX) \
+  -Wl,-Bstatic -lboost_regex$(BOOST_SUFFIX) \
+  -Wl,-Bstatic -lboost_program_options$(BOOST_SUFFIX) \
+  -Wl,-Bstatic -lssl \
+  -Wl,-Bstatic -lcrypto \
+  -Wl,-Bstatic -lz \
+  -Wl,-Bstatic -lwsock32 \
+  -Wl,-Bstatic -lws2_32 \
+  -Wl,-Bstatic -lgdi32 \
+  -Wl,-Bstatic -liphlpapi \
+  -static-libgcc -static-libstdc++ \
+  -Wl,-Bstatic -lstdc++ \
+  -Wl,-Bstatic -lpthread
+
+ifeq ($(USE_WIN32_APP), yes)
+	CXXFLAGS += -DWIN32_APP
+	LDFLAGS += -mwindows -s
+	DAEMON_RC += Win32/Resource.rc
+	DAEMON_OBJS += $(patsubst %.rc,obj/%.o,$(DAEMON_RC))
+endif
+
+ifeq ($(USE_AESNI),1)
+	CPU_FLAGS = -maes -DAESNI
+else
+	CPU_FLAGS = -msse
+endif
+
+obj/%.o : %.rc
+	$(WINDRES) -i $< -o $@

Makefile.osx

@@ -1,9 +1,9 @@
 CXX = clang++
-CXXFLAGS = -g -Wall -std=c++11 -DCRYPTOPP_DISABLE_ASM -DMAC_OSX
-#CXXFLAGS = -g -O2 -Wall -std=c++11 -DCRYPTOPP_DISABLE_ASM
-INCFLAGS = -I/usr/local/include
-LDFLAGS = -Wl,-rpath,/usr/local/lib -L/usr/local/lib
-LDLIBS = -lcryptopp -lboost_system -lboost_date_time -lboost_filesystem -lboost_regex -lboost_program_options -lpthread
+CXXFLAGS = -g -Wall -std=c++11 -DMAC_OSX
+#CXXFLAGS = -g -O2 -Wall -std=c++11
+INCFLAGS = -I/usr/local/include -I/usr/local/ssl/include
+LDFLAGS = -Wl,-rpath,/usr/local/lib -L/usr/local/lib -L/usr/local/ssl/lib
+LDLIBS = -lz -lcrypto -lssl -lboost_system -lboost_date_time -lboost_filesystem -lboost_regex -lboost_program_options -lpthread
 
 ifeq ($(USE_UPNP),1)
   LDFLAGS += -ldl

NTCPSession.cpp

@@ -1,11 +1,13 @@
 #include <string.h>
 #include <stdlib.h>
+#include <openssl/dh.h>
+#include <openssl/sha.h>
+#include <zlib.h>
 #include "I2PEndian.h"
-#include <cryptopp/dh.h>
-#include "base64.h"
+#include "Base.h"
 #include "Log.h"
 #include "Timestamp.h"
-#include "CryptoConst.h"
+#include "Crypto.h"
 #include "I2NPProtocol.h"
 #include "RouterContext.h"
 #include "Transports.h"
@@ -23,7 +25,6 @@ namespace transport
 		m_TerminationTimer (m_Server.GetService ()), m_IsEstablished (false), m_IsTerminated (false),
 		m_ReceiveBufferOffset (0), m_NextMessage (nullptr), m_IsSending (false)
 	{		
-		m_DHKeysPair = transports.GetNextDHKeysPair ();
 		m_Establisher = new Establisher;
 	}
 	
@@ -34,15 +35,9 @@ namespace transport
 
 	void NTCPSession::CreateAESKey (uint8_t * pubKey, i2p::crypto::AESKey& key)
 	{
-		CryptoPP::DH dh (elgp, elgg);
 		uint8_t sharedKey[256];
-		if (!dh.Agree (sharedKey, m_DHKeysPair->privateKey, pubKey))
-		{    
-		    LogPrint (eLogError, "Couldn't create shared key");
-			Terminate ();
-			return;
-		};
-
+		m_DHKeysPair->Agree (pubKey, sharedKey);
+		
 		uint8_t * aesKey = key;
 		if (sharedKey[0] & 0x80)
 		{
@@ -60,7 +55,7 @@ namespace transport
 				nonZero++;
 				if (nonZero - sharedKey > 32)
 				{
-					LogPrint (eLogWarning, "First 32 bytes of shared key is all zeros. Ignored");
+					LogPrint (eLogWarning, "NTCP: First 32 bytes of shared key is all zeros, ignored");
 					return;
 				}	
 			}
@@ -82,16 +77,10 @@ namespace transport
 			m_Socket.close ();
 			transports.PeerDisconnected (shared_from_this ());
 			m_Server.RemoveNTCPSession (shared_from_this ());
-			for (auto it: m_SendQueue)
-				DeleteI2NPMessage (it);
 			m_SendQueue.clear ();
-			if (m_NextMessage)	
-			{	
-				i2p::DeleteI2NPMessage (m_NextMessage);
-				m_NextMessage = nullptr;
-			}	
+			m_NextMessage = nullptr;
 			m_TerminationTimer.cancel ();
-			LogPrint (eLogInfo, "NTCP session terminated");
+			LogPrint (eLogDebug, "NTCP: session terminated");
 		}	
 	}	
 
@@ -102,12 +91,9 @@ namespace transport
 		delete m_Establisher;
 		m_Establisher = nullptr;
 		
-		delete m_DHKeysPair;
 		m_DHKeysPair = nullptr;	
 
-		SendTimeSyncMessage ();
-		PostI2NPMessage (CreateDatabaseStoreMsg ()); // we tell immediately who we are		
-
+		SendTimeSyncMessage ();		
 		transports.PeerConnected (shared_from_this ());
 	}	
 		
@@ -116,10 +102,10 @@ namespace transport
 		if (!m_DHKeysPair)
 			m_DHKeysPair = transports.GetNextDHKeysPair ();
 		// send Phase1
-		const uint8_t * x = m_DHKeysPair->publicKey;
+		const uint8_t * x = m_DHKeysPair->GetPublicKey ();
 		memcpy (m_Establisher->phase1.pubKey, x, 256);
-		CryptoPP::SHA256().CalculateDigest(m_Establisher->phase1.HXxorHI, x, 256);
-		const uint8_t * ident = m_RemoteIdentity.GetIdentHash ();
+		SHA256(x, 256, m_Establisher->phase1.HXxorHI);
+		const uint8_t * ident = m_RemoteIdentity->GetIdentHash ();
 		for (int i = 0; i < 32; i++)
 			m_Establisher->phase1.HXxorHI[i] ^= ident[i];
 		
@@ -145,9 +131,10 @@ namespace transport
 		
 	void NTCPSession::HandlePhase1Sent (const boost::system::error_code& ecode, std::size_t bytes_transferred)
 	{
+		(void) bytes_transferred;
 		if (ecode)
         {
-			LogPrint (eLogError, "Couldn't send Phase 1 message: ", ecode.message ());
+			LogPrint (eLogInfo, "NTCP: couldn't send Phase 1 message: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
@@ -161,9 +148,10 @@ namespace transport
 
 	void NTCPSession::HandlePhase1Received (const boost::system::error_code& ecode, std::size_t bytes_transferred)
 	{
+		(void) bytes_transferred;
 		if (ecode)
         {
-			LogPrint (eLogError, "Phase 1 read error: ", ecode.message ());
+			LogPrint (eLogInfo, "NTCP: phase 1 read error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
@@ -171,13 +159,13 @@ namespace transport
 		{	
 			// verify ident
 			uint8_t digest[32];
-			CryptoPP::SHA256().CalculateDigest(digest, m_Establisher->phase1.pubKey, 256);
-			const uint8_t * ident = i2p::context.GetRouterInfo ().GetIdentHash ();
+			SHA256(m_Establisher->phase1.pubKey, 256, digest);
+			const uint8_t * ident = i2p::context.GetIdentHash ();
 			for (int i = 0; i < 32; i++)
 			{	
 				if ((m_Establisher->phase1.HXxorHI[i] ^ ident[i]) != digest[i])
 				{
-					LogPrint (eLogError, "Wrong ident");
+					LogPrint (eLogError, "NTCP: phase 1 error: ident mismatch");
 					Terminate ();
 					return;
 				}	
@@ -191,15 +179,15 @@ namespace transport
 	{
 		if (!m_DHKeysPair)
 			m_DHKeysPair = transports.GetNextDHKeysPair ();
-		const uint8_t * y = m_DHKeysPair->publicKey;
+		const uint8_t * y = m_DHKeysPair->GetPublicKey ();
 		memcpy (m_Establisher->phase2.pubKey, y, 256);
 		uint8_t xy[512];
 		memcpy (xy, m_Establisher->phase1.pubKey, 256);
 		memcpy (xy + 256, y, 256);
-		CryptoPP::SHA256().CalculateDigest(m_Establisher->phase2.encrypted.hxy, xy, 512); 
+		SHA256(xy, 512, m_Establisher->phase2.encrypted.hxy); 
 		uint32_t tsB = htobe32 (i2p::util::GetSecondsSinceEpoch ());
-		m_Establisher->phase2.encrypted.timestamp = tsB;
-		// TODO: fill filler
+		memcpy (m_Establisher->phase2.encrypted.timestamp, &tsB, 4);
+		RAND_bytes (m_Establisher->phase2.encrypted.filler, 12);
 
 		i2p::crypto::AESKey aesKey;
 		CreateAESKey (m_Establisher->phase1.pubKey, aesKey);
@@ -216,9 +204,10 @@ namespace transport
 		
 	void NTCPSession::HandlePhase2Sent (const boost::system::error_code& ecode, std::size_t bytes_transferred, uint32_t tsB)
 	{
+		(void) bytes_transferred;
 		if (ecode)
         {
-			LogPrint (eLogError, "Couldn't send Phase 2 message: ", ecode.message ());
+			LogPrint (eLogInfo, "NTCP: Couldn't send Phase 2 message: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
@@ -232,13 +221,14 @@ namespace transport
 		
 	void NTCPSession::HandlePhase2Received (const boost::system::error_code& ecode, std::size_t bytes_transferred)
 	{
+		(void) bytes_transferred;
 		if (ecode)
         {
-			LogPrint (eLogError, "Phase 2 read error: ", ecode.message (), ". Wrong ident assumed");
+			LogPrint (eLogInfo, "NTCP: Phase 2 read error: ", ecode.message (), ". Wrong ident assumed");
 			if (ecode != boost::asio::error::operation_aborted)
 			{
 				// this RI is not valid
-				i2p::data::netdb.SetUnreachable (GetRemoteIdentity ().GetIdentHash (), true);
+				i2p::data::netdb.SetUnreachable (GetRemoteIdentity ()->GetIdentHash (), true);
 				transports.ReuseDHKeysPair (m_DHKeysPair);
 				m_DHKeysPair = nullptr;
 				Terminate ();
@@ -256,11 +246,13 @@ namespace transport
 			m_Decryption.Decrypt((uint8_t *)&m_Establisher->phase2.encrypted, sizeof(m_Establisher->phase2.encrypted), (uint8_t *)&m_Establisher->phase2.encrypted);
 			// verify
 			uint8_t xy[512];
-			memcpy (xy, m_DHKeysPair->publicKey, 256);
+			memcpy (xy, m_DHKeysPair->GetPublicKey (), 256);
 			memcpy (xy + 256, m_Establisher->phase2.pubKey, 256);
-			if (!CryptoPP::SHA256().VerifyDigest(m_Establisher->phase2.encrypted.hxy, xy, 512)) 
+			uint8_t digest[32];
+			SHA256 (xy, 512, digest);
+			if (memcmp(m_Establisher->phase2.encrypted.hxy, digest, 32)) 
 			{
-				LogPrint (eLogError, "Incorrect hash");
+				LogPrint (eLogError, "NTCP: Phase 2 process error: incorrect hash");
 				transports.ReuseDHKeysPair (m_DHKeysPair);
 				m_DHKeysPair = nullptr;
 				Terminate ();
@@ -274,19 +266,20 @@ namespace transport
 	{
 		auto keys = i2p::context.GetPrivateKeys ();
 		uint8_t * buf = m_ReceiveBuffer; 
-		htobe16buf (buf, keys.GetPublic ().GetFullLen ());
+		htobe16buf (buf, keys.GetPublic ()->GetFullLen ());
 		buf += 2;
-		buf += i2p::context.GetIdentity ().ToBuffer (buf, NTCP_BUFFER_SIZE);
+		buf += i2p::context.GetIdentity ()->ToBuffer (buf, NTCP_BUFFER_SIZE);
 		uint32_t tsA = htobe32 (i2p::util::GetSecondsSinceEpoch ());
 		htobuf32(buf,tsA);
 		buf += 4;		
-		size_t signatureLen = keys.GetPublic ().GetSignatureLen ();
+		size_t signatureLen = keys.GetPublic ()->GetSignatureLen ();
 		size_t len = (buf - m_ReceiveBuffer) + signatureLen;
 		size_t paddingSize = len & 0x0F; // %16
 		if (paddingSize > 0) 
 		{
 			paddingSize = 16 - paddingSize;
-			// TODO: fill padding with random data
+			// fill padding with random data
+			RAND_bytes(buf, paddingSize);
 			buf += paddingSize;
 			len += paddingSize;
 		}
@@ -294,9 +287,9 @@ namespace transport
 		SignedData s;
 		s.Insert (m_Establisher->phase1.pubKey, 256); // x
 		s.Insert (m_Establisher->phase2.pubKey, 256); // y
-		s.Insert (m_RemoteIdentity.GetIdentHash (), 32); // ident
+		s.Insert (m_RemoteIdentity->GetIdentHash (), 32); // ident
  		s.Insert (tsA);	// tsA
-		s.Insert (m_Establisher->phase2.encrypted.timestamp); // tsB
+		s.Insert (m_Establisher->phase2.encrypted.timestamp, 4); // tsB
 		s.Sign (keys, buf);
 
 		m_Encryption.Encrypt(m_ReceiveBuffer, len, m_ReceiveBuffer);		        
@@ -306,16 +299,17 @@ namespace transport
 		
 	void NTCPSession::HandlePhase3Sent (const boost::system::error_code& ecode, std::size_t bytes_transferred, uint32_t tsA)
 	{
+		(void) bytes_transferred; 
 		if (ecode)
         {
-			LogPrint (eLogError, "Couldn't send Phase 3 message: ", ecode.message ());
+			LogPrint (eLogInfo, "NTCP: Couldn't send Phase 3 message: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
 		else
 		{	
 			// wait for phase4 
-			auto signatureLen = m_RemoteIdentity.GetSignatureLen ();
+			auto signatureLen = m_RemoteIdentity->GetSignatureLen ();
 			size_t paddingSize = signatureLen & 0x0F; // %16
 			if (paddingSize > 0) signatureLen += (16 - paddingSize);	
 			boost::asio::async_read (m_Socket, boost::asio::buffer(m_ReceiveBuffer, signatureLen), boost::asio::transfer_all (),                  
@@ -328,7 +322,7 @@ namespace transport
 	{	
 		if (ecode)
         {
-			LogPrint (eLogError, "Phase 3 read error: ", ecode.message ());
+			LogPrint (eLogInfo, "NTCP: Phase 3 read error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
@@ -337,20 +331,20 @@ namespace transport
 			m_Decryption.Decrypt (m_ReceiveBuffer, bytes_transferred, m_ReceiveBuffer);
 			uint8_t * buf = m_ReceiveBuffer;
 			uint16_t size = bufbe16toh (buf);
-			m_RemoteIdentity.FromBuffer (buf + 2, size);
-			if (m_Server.FindNTCPSession (m_RemoteIdentity.GetIdentHash ()))
+			SetRemoteIdentity (std::make_shared<i2p::data::IdentityEx> (buf + 2, size));
+			if (m_Server.FindNTCPSession (m_RemoteIdentity->GetIdentHash ()))
 			{
-				LogPrint (eLogError, "NTCP session already exists");
+				LogPrint (eLogInfo, "NTCP: session already exists");
 				Terminate ();
 			}	
-			size_t expectedSize = size + 2/*size*/ + 4/*timestamp*/ + m_RemoteIdentity.GetSignatureLen ();
+			size_t expectedSize = size + 2/*size*/ + 4/*timestamp*/ + m_RemoteIdentity->GetSignatureLen ();
 			size_t paddingLen = expectedSize & 0x0F;
 			if (paddingLen) paddingLen = (16 - paddingLen);	
 			if (expectedSize > NTCP_DEFAULT_PHASE3_SIZE)
 			{
 				// we need more bytes for Phase3
 				expectedSize += paddingLen;	
-				boost::asio::async_read (m_Socket, boost::asio::buffer(m_ReceiveBuffer + NTCP_DEFAULT_PHASE3_SIZE, expectedSize), boost::asio::transfer_all (),                   
+				boost::asio::async_read (m_Socket, boost::asio::buffer(m_ReceiveBuffer + NTCP_DEFAULT_PHASE3_SIZE, expectedSize - NTCP_DEFAULT_PHASE3_SIZE), boost::asio::transfer_all (),                   
 				std::bind(&NTCPSession::HandlePhase3ExtraReceived, shared_from_this (), 
 					std::placeholders::_1, std::placeholders::_2, tsB, paddingLen));
 			}
@@ -363,7 +357,7 @@ namespace transport
 	{
 		if (ecode)
         {
-			LogPrint (eLogError, "Phase 3 extra read error: ", ecode.message ());
+			LogPrint (eLogInfo, "NTCP: Phase 3 extra read error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
@@ -376,11 +370,22 @@ namespace transport
 
 	void NTCPSession::HandlePhase3 (uint32_t tsB, size_t paddingLen)
 	{
-		uint8_t * buf = m_ReceiveBuffer + m_RemoteIdentity.GetFullLen () + 2 /*size*/;
+		uint8_t * buf = m_ReceiveBuffer + m_RemoteIdentity->GetFullLen () + 2 /*size*/;
 		uint32_t tsA = buf32toh(buf); 
 		buf += 4;
 		buf += paddingLen;	
 
+		// check timestamp
+		auto ts = i2p::util::GetSecondsSinceEpoch ();
+		uint32_t tsA1 = be32toh (tsA);
+		if (tsA1 < ts - NTCP_CLOCK_SKEW || tsA1 > ts + NTCP_CLOCK_SKEW)
+		{
+			LogPrint (eLogError, "NTCP: Phase3 time difference ", ts - tsA1, " exceeds clock skew"); 
+			Terminate ();
+			return;
+		}	
+
+		// check signature
 		SignedData s;
 		s.Insert (m_Establisher->phase1.pubKey, 256); // x
 		s.Insert (m_Establisher->phase2.pubKey, 256); // y
@@ -389,11 +394,10 @@ namespace transport
 		s.Insert (tsB); // tsB			
 		if (!s.Verify (m_RemoteIdentity, buf))
 		{	
-			LogPrint (eLogError, "signature verification failed");
+			LogPrint (eLogError, "NTCP: signature verification failed");
 			Terminate ();
 			return;
 		}	
-		m_RemoteIdentity.DropVerifier (); 
 
 		SendPhase4 (tsA, tsB);
 	}
@@ -403,11 +407,11 @@ namespace transport
 		SignedData s;
 		s.Insert (m_Establisher->phase1.pubKey, 256); // x
 		s.Insert (m_Establisher->phase2.pubKey, 256); // y
-		s.Insert (m_RemoteIdentity.GetIdentHash (), 32); // ident
+		s.Insert (m_RemoteIdentity->GetIdentHash (), 32); // ident
 		s.Insert (tsA); // tsA
 		s.Insert (tsB); // tsB
 		auto keys = i2p::context.GetPrivateKeys ();
- 		auto signatureLen = keys.GetPublic ().GetSignatureLen ();
+ 		auto signatureLen = keys.GetPublic ()->GetSignatureLen ();
 		s.Sign (keys, m_ReceiveBuffer);
 		size_t paddingSize = signatureLen & 0x0F; // %16
 		if (paddingSize > 0) signatureLen += (16 - paddingSize);		
@@ -419,15 +423,16 @@ namespace transport
 
 	void NTCPSession::HandlePhase4Sent (const boost::system::error_code& ecode,  std::size_t bytes_transferred)
 	{
+		(void) bytes_transferred;
 		if (ecode)
         {
-			LogPrint (eLogWarning, "Couldn't send Phase 4 message: ", ecode.message ());
+			LogPrint (eLogWarning, "NTCP: Couldn't send Phase 4 message: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
 		else
 		{	
-			LogPrint (eLogInfo, "NTCP server session from ", m_Socket.remote_endpoint (), " connected");
+			LogPrint (eLogInfo, "NTCP: Server session from ", m_Socket.remote_endpoint (), " connected");
 			m_Server.AddNTCPSession (shared_from_this ());
 
 			Connected ();
@@ -441,11 +446,11 @@ namespace transport
 	{
 		if (ecode)
         {
-			LogPrint (eLogError, "Phase 4 read error: ", ecode.message (), ". Check your clock");
+			LogPrint (eLogError, "NTCP: Phase 4 read error: ", ecode.message (), ". Check your clock");
 			if (ecode != boost::asio::error::operation_aborted)
 			{
 				 // this router doesn't like us	
-				i2p::data::netdb.SetUnreachable (GetRemoteIdentity ().GetIdentHash (), true);
+				i2p::data::netdb.SetUnreachable (GetRemoteIdentity ()->GetIdentHash (), true);
 				Terminate ();
 			}	
 		}
@@ -453,22 +458,31 @@ namespace transport
 		{	
 			m_Decryption.Decrypt(m_ReceiveBuffer, bytes_transferred, m_ReceiveBuffer);
 
+			// check timestamp
+			uint32_t tsB = bufbe32toh (m_Establisher->phase2.encrypted.timestamp);
+			auto ts = i2p::util::GetSecondsSinceEpoch ();
+			if (tsB < ts - NTCP_CLOCK_SKEW || tsB > ts + NTCP_CLOCK_SKEW)
+			{
+				LogPrint (eLogError, "NTCP: Phase4 time difference ", ts - tsB, " exceeds clock skew"); 
+				Terminate ();
+				return;
+			}	
+			
 			// verify signature
 			SignedData s;
 			s.Insert (m_Establisher->phase1.pubKey, 256); // x
 			s.Insert (m_Establisher->phase2.pubKey, 256); // y
-			s.Insert (i2p::context.GetRouterInfo ().GetIdentHash (), 32); // ident
+			s.Insert (i2p::context.GetIdentHash (), 32); // ident
 			s.Insert (tsA); // tsA
-			s.Insert (m_Establisher->phase2.encrypted.timestamp); // tsB
+			s.Insert (m_Establisher->phase2.encrypted.timestamp, 4); // tsB
 
 			if (!s.Verify (m_RemoteIdentity, m_ReceiveBuffer))
 			{	
-				LogPrint (eLogError, "signature verification failed");
+				LogPrint (eLogError, "NTCP: Phase 4 process error: signature verification failed");
 				Terminate ();
 				return;
 			}	
-			m_RemoteIdentity.DropVerifier (); 
-			LogPrint (eLogInfo, "NTCP session to ", m_Socket.remote_endpoint (), " connected");
+			LogPrint (eLogDebug, "NTCP: session to ", m_Socket.remote_endpoint (), " connected");
 			Connected ();
 						
 			m_ReceiveBufferOffset = 0;
@@ -486,12 +500,13 @@ namespace transport
 		
 	void NTCPSession::HandleReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred)
 	{
-		if (ecode)
-        {
-			LogPrint (eLogError, "Read error: ", ecode.message ());
-			if (!m_NumReceivedBytes) m_Server.Ban (m_ConnectedFrom);
+		if (ecode) {
+			if (ecode != boost::asio::error::operation_aborted)
+				LogPrint (eLogDebug, "NTCP: Read error: ", ecode.message ());
+			if (!m_NumReceivedBytes)
+				m_Server.Ban (m_ConnectedFrom);
 			//if (ecode != boost::asio::error::operation_aborted)
-				Terminate ();
+			Terminate ();
 		}
 		else
 		{
@@ -530,7 +545,7 @@ namespace transport
 							moreBytes = m_Socket.read_some (boost::asio::buffer (m_ReceiveBuffer + m_ReceiveBufferOffset, moreBytes));
 							if (ec)
 							{
-								LogPrint (eLogError, "Read more bytes error: ", ec.message ());
+								LogPrint (eLogInfo, "NTCP: Read more bytes error: ", ec.message ());
 								Terminate ();
 								return;
 							}	
@@ -553,19 +568,20 @@ namespace transport
 	{
 		if (!m_NextMessage) // new message, header expected
 		{	
-			// descrypt header and extract length
+			// decrypt header and extract length
 			uint8_t buf[16];
 			m_Decryption.Decrypt (encrypted, buf);
 			uint16_t dataSize = bufbe16toh (buf);
 			if (dataSize)
 			{
 				// new message
-				if (dataSize > NTCP_MAX_MESSAGE_SIZE)
+				if (dataSize + 16U > NTCP_MAX_MESSAGE_SIZE - 2) // + 6 + padding
 				{
-					LogPrint (eLogError, "NTCP data size ", dataSize, " exceeds max size");
+					LogPrint (eLogError, "NTCP: data size ", dataSize, " exceeds max size");
 					return false;
 				}
-				m_NextMessage = dataSize <= I2NP_MAX_SHORT_MESSAGE_SIZE - 2 ? NewI2NPShortMessage () : NewI2NPMessage ();
+				auto msg = (dataSize + 16U) <= I2NP_MAX_SHORT_MESSAGE_SIZE - 2 ? NewI2NPShortMessage () : NewI2NPMessage ();
+				m_NextMessage = msg;	
 				memcpy (m_NextMessage->buf, buf, 16);
 				m_NextMessageOffset = 16;
 				m_NextMessage->offset = 2; // size field
@@ -574,7 +590,7 @@ namespace transport
 			else
 			{	
 				// timestamp
-				LogPrint ("Timestamp");	
+				LogPrint (eLogDebug, "NTCP: Timestamp");
 				return true;
 			}	
 		}	
@@ -587,20 +603,30 @@ namespace transport
 		if (m_NextMessageOffset >= m_NextMessage->len + 4) // +checksum
 		{	
 			// we have a complete I2NP message
-			m_Handler.PutNextMessage (m_NextMessage);
+			uint8_t checksum[4];
+			htobe32buf (checksum, adler32 (adler32 (0, Z_NULL, 0), m_NextMessage->buf, m_NextMessageOffset - 4));
+			if (!memcmp (m_NextMessage->buf + m_NextMessageOffset - 4, checksum, 4))
+			{
+				if (!m_NextMessage->IsExpired ())
+					m_Handler.PutNextMessage (m_NextMessage);
+				else
+					LogPrint (eLogInfo, "NTCP: message expired");
+			}	
+			else
+				LogPrint (eLogWarning, "NTCP: Incorrect adler checksum of message, dropped");
 			m_NextMessage = nullptr;
 		}
 		return true;	
  	}	
 
-	void NTCPSession::Send (i2p::I2NPMessage * msg)
+	void NTCPSession::Send (std::shared_ptr<i2p::I2NPMessage> msg)
 	{
 		m_IsSending = true;
 		boost::asio::async_write (m_Socket, CreateMsgBuffer (msg), boost::asio::transfer_all (),                      
-        	std::bind(&NTCPSession::HandleSent, shared_from_this (), std::placeholders::_1, std::placeholders::_2, std::vector<I2NPMessage *>{ msg }));	
+        	std::bind(&NTCPSession::HandleSent, shared_from_this (), std::placeholders::_1, std::placeholders::_2, std::vector<std::shared_ptr<I2NPMessage> >{ msg }));	
 	}
 
-	boost::asio::const_buffers_1 NTCPSession::CreateMsgBuffer (I2NPMessage * msg)
+	boost::asio::const_buffers_1 NTCPSession::CreateMsgBuffer (std::shared_ptr<I2NPMessage> msg)
 	{
 		uint8_t * sendBuffer;
 		int len;
@@ -609,10 +635,7 @@ namespace transport
 		{	
 			// regular I2NP
 			if (msg->offset < 2)
-			{
-				LogPrint (eLogError, "Malformed I2NP message");
-				i2p::DeleteI2NPMessage (msg);
-			}	
+				LogPrint (eLogError, "NTCP: Malformed I2NP message"); // TODO:
 			sendBuffer = msg->GetBuffer () - 2; 
 			len = msg->GetLength ();
 			htobe16buf (sendBuffer, len);
@@ -627,9 +650,12 @@ namespace transport
 		}	
 		int rem = (len + 6) & 0x0F; // %16
 		int padding = 0;
-		if (rem > 0) padding = 16 - rem;
-		// TODO: fill padding 
-		m_Adler.CalculateDigest (sendBuffer + len + 2 + padding, sendBuffer, len + 2+ padding);
+		if (rem > 0) {
+			padding = 16 - rem;
+			// fill with random padding
+			RAND_bytes(sendBuffer + len + 2, padding);
+		}
+		htobe32buf (sendBuffer + len + 2 + padding, adler32 (adler32 (0, Z_NULL, 0), sendBuffer, len + 2+ padding));
 
 		int l = len + padding + 6;
 		m_Encryption.Encrypt(sendBuffer, l, sendBuffer);	
@@ -637,7 +663,7 @@ namespace transport
 	}	
 
 
-	void NTCPSession::Send (const std::vector<I2NPMessage *>& msgs)
+	void NTCPSession::Send (const std::vector<std::shared_ptr<I2NPMessage> >& msgs)
 	{
 		m_IsSending = true;
 		std::vector<boost::asio::const_buffer> bufs;
@@ -647,14 +673,13 @@ namespace transport
         	std::bind(&NTCPSession::HandleSent, shared_from_this (), std::placeholders::_1, std::placeholders::_2, msgs));
 	}
 		
-	void NTCPSession::HandleSent (const boost::system::error_code& ecode, std::size_t bytes_transferred, std::vector<I2NPMessage *> msgs)
+	void NTCPSession::HandleSent (const boost::system::error_code& ecode, std::size_t bytes_transferred, std::vector<std::shared_ptr<I2NPMessage> > msgs)
 	{
+		(void) msgs;
 		m_IsSending = false;
-		for (auto it: msgs)
-			if (it) i2p::DeleteI2NPMessage (it);
 		if (ecode)
         {
-			LogPrint (eLogWarning, "Couldn't send msgs: ", ecode.message ());
+			LogPrint (eLogWarning, "NTCP: Couldn't send msgs: ", ecode.message ());
 			// we shouldn't call Terminate () here, because HandleReceive takes care
 			// TODO: 'delete this' statement in Terminate () must be eliminated later
 			// Terminate ();
@@ -679,40 +704,15 @@ namespace transport
 		Send (nullptr);
 	}	
 
-	void NTCPSession::SendI2NPMessage (I2NPMessage * msg)
-	{
-		m_Server.GetService ().post (std::bind (&NTCPSession::PostI2NPMessage, shared_from_this (), msg));  
-	}	
 
-	void NTCPSession::PostI2NPMessage (I2NPMessage * msg)
-	{
-		if (msg)
-		{
-			if (m_IsTerminated)
-			{
-				DeleteI2NPMessage (msg);
-				return;
-			}
-			if (m_IsSending)
-				m_SendQueue.push_back (msg);
-			else	
-				Send (msg);
-		}	
-	}	
-
-	void NTCPSession::SendI2NPMessages (const std::vector<I2NPMessage *>& msgs)
+	void NTCPSession::SendI2NPMessages (const std::vector<std::shared_ptr<I2NPMessage> >& msgs)
 	{
 		m_Server.GetService ().post (std::bind (&NTCPSession::PostI2NPMessages, shared_from_this (), msgs));  
 	}	
 
-	void NTCPSession::PostI2NPMessages (std::vector<I2NPMessage *> msgs)
+	void NTCPSession::PostI2NPMessages (std::vector<std::shared_ptr<I2NPMessage> > msgs)
 	{
-		if (m_IsTerminated)
-		{
-			for (auto it: msgs)
-				DeleteI2NPMessage (it);
-			return;
-		}	
+		if (m_IsTerminated) return;
 		if (m_IsSending)
 		{
 			for (auto it: msgs)
@@ -734,14 +734,14 @@ namespace transport
 	{
 		if (ecode != boost::asio::error::operation_aborted)
 		{	
-			LogPrint ("No activity fo ", NTCP_TERMINATION_TIMEOUT, " seconds");
+			LogPrint (eLogDebug, "NTCP: No activity for ", NTCP_TERMINATION_TIMEOUT, " seconds");
 			//Terminate ();
 			m_Socket.close ();// invoke Terminate () from HandleReceive 
 		}	
 	}	
 
 //-----------------------------------------
-	NTCPServer::NTCPServer (int port):
+	NTCPServer::NTCPServer ():
 		m_IsRunning (false), m_Thread (nullptr), m_Work (m_Service), 
 		m_NTCPAcceptor (nullptr), m_NTCPV6Acceptor (nullptr)
 	{
@@ -759,15 +759,15 @@ namespace transport
 			m_IsRunning = true;
 			m_Thread = new std::thread (std::bind (&NTCPServer::Run, this));
 			// create acceptors
-			auto addresses = context.GetRouterInfo ().GetAddresses ();
-			for (auto& address : addresses)
+			auto& addresses = context.GetRouterInfo ().GetAddresses ();
+			for (auto address: addresses)
 			{
-				if (address.transportStyle == i2p::data::RouterInfo::eTransportNTCP && address.host.is_v4 ())
+				if (address->transportStyle == i2p::data::RouterInfo::eTransportNTCP && address->host.is_v4 ())
 				{	
 					m_NTCPAcceptor = new boost::asio::ip::tcp::acceptor (m_Service,
-						boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), address.port));
+						boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), address->port));
 
-					LogPrint (eLogInfo, "Start listening TCP port ", address.port);	
+					LogPrint (eLogInfo, "NTCP: Start listening TCP port ", address->port);
 					auto conn = std::make_shared<NTCPSession>(*this);
 					m_NTCPAcceptor->async_accept(conn->GetSocket (), std::bind (&NTCPServer::HandleAccept, this, 
 						conn, std::placeholders::_1));	
@@ -777,10 +777,10 @@ namespace transport
 						m_NTCPV6Acceptor = new boost::asio::ip::tcp::acceptor (m_Service);
 						m_NTCPV6Acceptor->open (boost::asio::ip::tcp::v6());
 						m_NTCPV6Acceptor->set_option (boost::asio::ip::v6_only (true));
-						m_NTCPV6Acceptor->bind (boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v6(), address.port));
+						m_NTCPV6Acceptor->bind (boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v6(), address->port));
 						m_NTCPV6Acceptor->listen ();
 
-						LogPrint (eLogInfo, "Start listening V6 TCP port ", address.port);	
+						LogPrint (eLogInfo, "NTCP: Start listening V6 TCP port ", address->port);
 						auto conn = std::make_shared<NTCPSession> (*this);
 						m_NTCPV6Acceptor->async_accept(conn->GetSocket (), std::bind (&NTCPServer::HandleAcceptV6,
 							this, conn, std::placeholders::_1));
@@ -823,32 +823,33 @@ namespace transport
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint ("NTCP server: ", ex.what ());
+				LogPrint (eLogError, "NTCP: runtime exception: ", ex.what ());
 			}	
 		}	
 	}	
 
-	void NTCPServer::AddNTCPSession (std::shared_ptr<NTCPSession> session)
+	bool NTCPServer::AddNTCPSession (std::shared_ptr<NTCPSession> session)
 	{
-		if (session)
+		if (!session || !session->GetRemoteIdentity ()) return false;
+		auto& ident = session->GetRemoteIdentity ()->GetIdentHash ();
+		auto it = m_NTCPSessions.find (ident);
+		if (it != m_NTCPSessions.end ())
 		{
-			std::unique_lock<std::mutex> l(m_NTCPSessionsMutex);	
-			m_NTCPSessions[session->GetRemoteIdentity ().GetIdentHash ()] = session;
+			LogPrint (eLogWarning, "NTCP: session to ", ident.ToBase64 (), " already exists");
+			return false;
 		}
+		m_NTCPSessions.insert (std::pair<i2p::data::IdentHash, std::shared_ptr<NTCPSession> >(ident, session));
+		return true;
 	}	
 
 	void NTCPServer::RemoveNTCPSession (std::shared_ptr<NTCPSession> session)
 	{
-		if (session)
-		{
-			std::unique_lock<std::mutex> l(m_NTCPSessionsMutex);	
-			m_NTCPSessions.erase (session->GetRemoteIdentity ().GetIdentHash ());
-		}
+		if (session && session->GetRemoteIdentity ())
+			m_NTCPSessions.erase (session->GetRemoteIdentity ()->GetIdentHash ());
 	}	
 
 	std::shared_ptr<NTCPSession> NTCPServer::FindNTCPSession (const i2p::data::IdentHash& ident)
 	{
-		std::unique_lock<std::mutex> l(m_NTCPSessionsMutex);	
 		auto it = m_NTCPSessions.find (ident);
 		if (it != m_NTCPSessions.end ())
 			return it->second;
@@ -863,14 +864,14 @@ namespace transport
 			auto ep = conn->GetSocket ().remote_endpoint(ec);	
 			if (!ec)
 			{
-				LogPrint (eLogInfo, "Connected from ", ep);
+				LogPrint (eLogDebug, "NTCP: Connected from ", ep);
 				auto it = m_BanList.find (ep.address ());
 				if (it != m_BanList.end ())
 				{
 					uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
 					if (ts < it->second)
 					{
-						LogPrint (eLogInfo, ep.address (), " is banned for ", it->second - ts, " more seconds");
+						LogPrint (eLogWarning, "NTCP: ", ep.address (), " is banned for ", it->second - ts, " more seconds");
 						conn = nullptr;
 					}
 					else
@@ -880,7 +881,7 @@ namespace transport
 					conn->ServerLogin ();
 			}
 			else
-				LogPrint (eLogError, "Connected from error ", ec.message ());
+				LogPrint (eLogError, "NTCP: Connected from error ", ec.message ());
 		}
 		
 
@@ -900,14 +901,14 @@ namespace transport
 			auto ep = conn->GetSocket ().remote_endpoint(ec);	
 			if (!ec)
 			{
-				LogPrint (eLogInfo, "Connected from ", ep);
+				LogPrint (eLogDebug, "NTCP: Connected from ", ep);
 				auto it = m_BanList.find (ep.address ());
 				if (it != m_BanList.end ())
 				{
 					uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
 					if (ts < it->second)
 					{
-						LogPrint (eLogInfo, ep.address (), " is banned for ", it->second - ts, " more seconds");
+						LogPrint (eLogWarning, "NTCP: ", ep.address (), " is banned for ", it->second - ts, " more seconds");
 						conn = nullptr;
 					}
 					else
@@ -917,7 +918,7 @@ namespace transport
 					conn->ServerLogin ();
 			}
 			else
-				LogPrint (eLogError, "Connected from error ", ec.message ());
+				LogPrint (eLogError, "NTCP: Connected from error ", ec.message ());
 		}
 
 		if (error != boost::asio::error::operation_aborted)
@@ -930,27 +931,27 @@ namespace transport
 
 	void NTCPServer::Connect (const boost::asio::ip::address& address, int port, std::shared_ptr<NTCPSession> conn)
 	{
-		LogPrint (eLogInfo, "Connecting to ", address ,":",  port);
-		m_Service.post([conn, this]()
-			{           
-				this->AddNTCPSession (conn);
-			});	
-		conn->GetSocket ().async_connect (boost::asio::ip::tcp::endpoint (address, port), 
-			std::bind (&NTCPServer::HandleConnect, this, std::placeholders::_1, conn));
+		LogPrint (eLogDebug, "NTCP: Connecting to ", address ,":",  port);
+		m_Service.post([=]()
+		{           
+			if (this->AddNTCPSession (conn))
+				conn->GetSocket ().async_connect (boost::asio::ip::tcp::endpoint (address, port), 
+					std::bind (&NTCPServer::HandleConnect, this, std::placeholders::_1, conn));	
+		});	
 	}
 
 	void NTCPServer::HandleConnect (const boost::system::error_code& ecode, std::shared_ptr<NTCPSession> conn)
 	{
 		if (ecode)
         {
-			LogPrint (eLogError, "Connect error: ", ecode.message ());
+			LogPrint (eLogError, "NTCP: Connect error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
-				i2p::data::netdb.SetUnreachable (conn->GetRemoteIdentity ().GetIdentHash (), true);
+				i2p::data::netdb.SetUnreachable (conn->GetRemoteIdentity ()->GetIdentHash (), true);
 			conn->Terminate ();
 		}
 		else
 		{
-			LogPrint (eLogInfo, "Connected to ",  conn->GetSocket ().remote_endpoint ());
+			LogPrint (eLogDebug, "NTCP: Connected to ", conn->GetSocket ().remote_endpoint ());
 			if (conn->GetSocket ().local_endpoint ().protocol () == boost::asio::ip::tcp::v6()) // ipv6
 				context.UpdateNTCPV6Address (conn->GetSocket ().local_endpoint ().address ());
 			conn->ClientLogin ();
@@ -961,7 +962,7 @@ namespace transport
 	{
 		uint32_t ts = i2p::util::GetSecondsSinceEpoch ();	
 		m_BanList[addr] = ts + NTCP_BAN_EXPIRATION_TIMEOUT;
-		LogPrint (eLogInfo, addr, " has been banned for ", NTCP_BAN_EXPIRATION_TIMEOUT, " seconds");
+		LogPrint (eLogWarning, "NTCP: ", addr, " has been banned for ", NTCP_BAN_EXPIRATION_TIMEOUT, " seconds");
 	}
 }	
 }	

NTCPSession.h

@@ -7,10 +7,7 @@
 #include <thread>
 #include <mutex>
 #include <boost/asio.hpp>
-#include <cryptopp/modes.h>
-#include <cryptopp/aes.h>
-#include <cryptopp/adler32.h>
-#include "aes.h"
+#include "Crypto.h"
 #include "Identity.h"
 #include "RouterInfo.h"
 #include "I2NPProtocol.h"
@@ -20,8 +17,6 @@ namespace i2p
 {
 namespace transport
 {
-
-#pragma pack(1)
 	struct NTCPPhase1
 	{
 		uint8_t pubKey[256];
@@ -34,18 +29,17 @@ namespace transport
 		struct
 		{
 			uint8_t hxy[32];
-			uint32_t timestamp;
+			uint8_t timestamp[4];
 			uint8_t filler[12];
 		} encrypted;	
 	};	
-	
-#pragma pack()	
 
 	const size_t NTCP_MAX_MESSAGE_SIZE = 16384; 
 	const size_t NTCP_BUFFER_SIZE = 4160; // fits 4 tunnel messages (4*1028)
 	const int NTCP_TERMINATION_TIMEOUT = 120; // 2 minutes
 	const size_t NTCP_DEFAULT_PHASE3_SIZE = 2/*size*/ + i2p::data::DEFAULT_IDENTITY_SIZE/*387*/ + 4/*ts*/ + 15/*padding*/ + 40/*signature*/; // 448 	
 	const int NTCP_BAN_EXPIRATION_TIMEOUT = 70; // in second
+	const int NTCP_CLOCK_SKEW = 60; // in seconds 
 
 	class NTCPServer;
 	class NTCPSession: public TransportSession, public std::enable_shared_from_this<NTCPSession>
@@ -62,13 +56,11 @@ namespace transport
 			
 			void ClientLogin ();
 			void ServerLogin ();
-			void SendI2NPMessage (I2NPMessage * msg);
-			void SendI2NPMessages (const std::vector<I2NPMessage *>& msgs);
+			void SendI2NPMessages (const std::vector<std::shared_ptr<I2NPMessage> >& msgs);
 			
 		private:
 
-			void PostI2NPMessage (I2NPMessage * msg);
-			void PostI2NPMessages (std::vector<I2NPMessage *> msgs);
+			void PostI2NPMessages (std::vector<std::shared_ptr<I2NPMessage> > msgs);
 			void Connected ();
 			void SendTimeSyncMessage ();
 			void SetIsEstablished (bool isEstablished) { m_IsEstablished = isEstablished; }
@@ -97,10 +89,10 @@ namespace transport
 			void HandleReceived (const boost::system::error_code& ecode, std::size_t bytes_transferred);
 			bool DecryptNextBlock (const uint8_t * encrypted);	
 		
-			void Send (i2p::I2NPMessage * msg);
-			boost::asio::const_buffers_1 CreateMsgBuffer (I2NPMessage * msg);
-			void Send (const std::vector<I2NPMessage *>& msgs);
-			void HandleSent (const boost::system::error_code& ecode, std::size_t bytes_transferred, std::vector<I2NPMessage *> msgs);
+			void Send (std::shared_ptr<i2p::I2NPMessage> msg);
+			boost::asio::const_buffers_1 CreateMsgBuffer (std::shared_ptr<I2NPMessage> msg);
+			void Send (const std::vector<std::shared_ptr<I2NPMessage> >& msgs);
+			void HandleSent (const boost::system::error_code& ecode, std::size_t bytes_transferred, std::vector<std::shared_ptr<I2NPMessage> > msgs);
 			
 			
 			// timer
@@ -116,7 +108,6 @@ namespace transport
 			
 			i2p::crypto::CBCDecryption m_Decryption;
 			i2p::crypto::CBCEncryption m_Encryption;
-			CryptoPP::Adler32 m_Adler;
 
 			struct Establisher
 			{	
@@ -128,12 +119,12 @@ namespace transport
 			i2p::crypto::AESAlignedBuffer<16> m_TimeSyncBuffer;
 			int m_ReceiveBufferOffset; 
 
-			i2p::I2NPMessage * m_NextMessage;
+			std::shared_ptr<I2NPMessage> m_NextMessage;
 			size_t m_NextMessageOffset;
 			i2p::I2NPMessagesHandler m_Handler;
 
 			bool m_IsSending;
-			std::vector<I2NPMessage *> m_SendQueue;
+			std::vector<std::shared_ptr<I2NPMessage> > m_SendQueue;
 			
 			boost::asio::ip::address m_ConnectedFrom; // for ban
 	};	
@@ -143,13 +134,13 @@ namespace transport
 	{
 		public:
 
-			NTCPServer (int port);
+			NTCPServer ();
 			~NTCPServer ();
 
 			void Start ();
 			void Stop ();
 
-			void AddNTCPSession (std::shared_ptr<NTCPSession> session);
+			bool AddNTCPSession (std::shared_ptr<NTCPSession> session);
 			void RemoveNTCPSession (std::shared_ptr<NTCPSession> session);
 			std::shared_ptr<NTCPSession> FindNTCPSession (const i2p::data::IdentHash& ident);
 			void Connect (const boost::asio::ip::address& address, int port, std::shared_ptr<NTCPSession> conn);
@@ -172,8 +163,7 @@ namespace transport
 			boost::asio::io_service m_Service;
 			boost::asio::io_service::work m_Work;
 			boost::asio::ip::tcp::acceptor * m_NTCPAcceptor, * m_NTCPV6Acceptor;
-			std::mutex m_NTCPSessionsMutex;
-			std::map<i2p::data::IdentHash, std::shared_ptr<NTCPSession> > m_NTCPSessions;
+			std::map<i2p::data::IdentHash, std::shared_ptr<NTCPSession> > m_NTCPSessions; // access from m_Thread only
 			std::map<boost::asio::ip::address, uint32_t> m_BanList; // IP -> ban expiration time in seconds
 
 		public:

NetDb.h

@@ -8,7 +8,8 @@
 #include <string>
 #include <thread>
 #include <mutex>
-#include <boost/filesystem.hpp>
+#include "Base.h"
+#include "FS.h"
 #include "Queue.h"
 #include "I2NPProtocol.h"
 #include "RouterInfo.h"
@@ -16,44 +17,18 @@
 #include "Tunnel.h"
 #include "TunnelPool.h"
 #include "Reseed.h"
+#include "NetDbRequests.h"
+#include "Family.h"
 
 namespace i2p
 {
 namespace data
 {		
-	class RequestedDestination
-	{	
-		public:
-
-			typedef std::function<void (std::shared_ptr<RouterInfo>)> RequestComplete;
-
-			RequestedDestination (const IdentHash& destination, bool isExploratory = false):
-				m_Destination (destination), m_IsExploratory (isExploratory), m_CreationTime (0) {};
-			~RequestedDestination () { if (m_RequestComplete) m_RequestComplete (nullptr); };			
-
-			const IdentHash& GetDestination () const { return m_Destination; };
-			int GetNumExcludedPeers () const { return m_ExcludedPeers.size (); };
-			const std::set<IdentHash>& GetExcludedPeers () { return m_ExcludedPeers; };
-			void ClearExcludedPeers ();
-			bool IsExploratory () const { return m_IsExploratory; };
-			bool IsExcluded (const IdentHash& ident) const { return m_ExcludedPeers.count (ident); };
-			uint64_t GetCreationTime () const { return m_CreationTime; };
-			I2NPMessage * CreateRequestMessage (std::shared_ptr<const RouterInfo>, std::shared_ptr<const i2p::tunnel::InboundTunnel> replyTunnel);
-			I2NPMessage * CreateRequestMessage (const IdentHash& floodfill);
-			
-			void SetRequestComplete (const RequestComplete& requestComplete) { m_RequestComplete = requestComplete; };
-			bool IsRequestComplete () const { return m_RequestComplete != nullptr; };
-			void Success (std::shared_ptr<RouterInfo> r);
-			void Fail ();
-			
-		private:
-
-			IdentHash m_Destination;
-			bool m_IsExploratory;
-			std::set<IdentHash> m_ExcludedPeers;
-			uint64_t m_CreationTime;
-			RequestComplete m_RequestComplete;
-	};	
+	const int NETDB_MIN_ROUTERS = 90;
+	const int NETDB_FLOODFILL_EXPIRATION_TIMEOUT = 60*60; // 1 hour, in seconds
+	const int NETDB_INTRODUCEE_EXPIRATION_TIMEOUT = 65*60;
+	const int NETDB_MIN_EXPIRATION_TIMEOUT = 90*60; // 1.5 hours
+	const int NETDB_MAX_EXPIRATION_TIMEOUT = 27*60*60; // 27 hours
 	
 	class NetDb
 	{
@@ -65,46 +40,51 @@ namespace data
 			void Start ();
 			void Stop ();
 			
-			void AddRouterInfo (const uint8_t * buf, int len);
-			void AddRouterInfo (const IdentHash& ident, const uint8_t * buf, int len);
-			void AddLeaseSet (const IdentHash& ident, const uint8_t * buf, int len, std::shared_ptr<i2p::tunnel::InboundTunnel> from);
+			bool AddRouterInfo (const uint8_t * buf, int len);
+			bool AddRouterInfo (const IdentHash& ident, const uint8_t * buf, int len);
+			bool AddLeaseSet (const IdentHash& ident, const uint8_t * buf, int len, std::shared_ptr<i2p::tunnel::InboundTunnel> from);
 			std::shared_ptr<RouterInfo> FindRouter (const IdentHash& ident) const;
 			std::shared_ptr<LeaseSet> FindLeaseSet (const IdentHash& destination) const;
+			std::shared_ptr<RouterProfile> FindRouterProfile (const IdentHash& ident) const;
 
 			void RequestDestination (const IdentHash& destination, RequestedDestination::RequestComplete requestComplete = nullptr);			
 			
-			void HandleDatabaseStoreMsg (I2NPMessage * msg);
-			void HandleDatabaseSearchReplyMsg (I2NPMessage * msg);
-			void HandleDatabaseLookupMsg (I2NPMessage * msg);			
+			void HandleDatabaseStoreMsg (std::shared_ptr<const I2NPMessage> msg);
+			void HandleDatabaseSearchReplyMsg (std::shared_ptr<const I2NPMessage> msg);
+			void HandleDatabaseLookupMsg (std::shared_ptr<const I2NPMessage> msg);			
 
 			std::shared_ptr<const RouterInfo> GetRandomRouter () const;
 			std::shared_ptr<const RouterInfo> GetRandomRouter (std::shared_ptr<const RouterInfo> compatibleWith) const;
 			std::shared_ptr<const RouterInfo> GetHighBandwidthRandomRouter (std::shared_ptr<const RouterInfo> compatibleWith) const;
 			std::shared_ptr<const RouterInfo> GetRandomPeerTestRouter () const;
 			std::shared_ptr<const RouterInfo> GetRandomIntroducer () const;
-			std::shared_ptr<const RouterInfo> GetClosestFloodfill (const IdentHash& destination, const std::set<IdentHash>& excluded) const;
+			std::shared_ptr<const RouterInfo> GetClosestFloodfill (const IdentHash& destination, const std::set<IdentHash>& excluded, bool closeThanUsOnly = false) const;
+			std::vector<IdentHash> GetClosestFloodfills (const IdentHash& destination, size_t num,
+				std::set<IdentHash>& excluded, bool closeThanUsOnly = false) const;
 			std::shared_ptr<const RouterInfo> GetClosestNonFloodfill (const IdentHash& destination, const std::set<IdentHash>& excluded) const;
 			void SetUnreachable (const IdentHash& ident, bool unreachable);			
 
-			void PostI2NPMsg (I2NPMessage * msg);
+			void PostI2NPMsg (std::shared_ptr<const I2NPMessage> msg);
 
 			void Reseed ();
+			Families& GetFamilies () { return m_Families; };
 
-			// for web interface and stats
+			// for web interface
 			int GetNumRouters () const { return m_RouterInfos.size (); };
 			int GetNumFloodfills () const { return m_Floodfills.size (); };
 			int GetNumLeaseSets () const { return m_LeaseSets.size (); };
 			
 		private:
 
-			bool CreateNetDb(boost::filesystem::path directory);
-			void Load (const char * directory);
-			void SaveUpdated (const char * directory);
+			void Load ();
+			bool LoadRouterInfo (const std::string & path);
+			void SaveUpdated ();
 			void Run (); // exploratory thread
 			void Explore (int numDestinations);	
 			void Publish ();
 			void ManageLeaseSets ();
 			void ManageRequests ();
+			void ManageLookupResponses ();
 
 			template<typename Filter>
 			std::shared_ptr<const RouterInfo> GetRandomRouter (Filter filter) const;	
@@ -116,16 +96,21 @@ namespace data
 			std::map<IdentHash, std::shared_ptr<RouterInfo> > m_RouterInfos;
 			mutable std::mutex m_FloodfillsMutex;
 			std::list<std::shared_ptr<RouterInfo> > m_Floodfills;
-			std::mutex m_RequestedDestinationsMutex;
-			std::map<IdentHash, std::unique_ptr<RequestedDestination> > m_RequestedDestinations;
 			
 			bool m_IsRunning;
+			uint64_t m_LastLoad;
 			std::thread * m_Thread;	
-			i2p::util::Queue<I2NPMessage> m_Queue; // of I2NPDatabaseStoreMsg
+			i2p::util::Queue<std::shared_ptr<const I2NPMessage> > m_Queue; // of I2NPDatabaseStoreMsg
 
+			GzipInflator m_Inflator;
 			Reseeder * m_Reseeder;
+			Families m_Families;
+			i2p::fs::HashedStorage m_Storage;
 
-			static const char m_NetDbPath[];
+			friend class NetDbRequests; 
+			NetDbRequests m_Requests;
+
+			std::map<IdentHash, std::pair<std::vector<IdentHash>, uint64_t> > m_LookupResponses; // ident->(closest FFs, timestamp)
 	};
 
 	extern NetDb netdb;

NetDbRequests.cpp

@@ -0,0 +1,149 @@
+#include "Log.h"
+#include "I2NPProtocol.h"
+#include "Transports.h"
+#include "NetDb.h"
+#include "NetDbRequests.h"
+
+namespace i2p
+{
+namespace data
+{
+	std::shared_ptr<I2NPMessage> RequestedDestination::CreateRequestMessage (std::shared_ptr<const RouterInfo> router,
+		std::shared_ptr<const i2p::tunnel::InboundTunnel> replyTunnel)
+	{
+		auto msg = i2p::CreateRouterInfoDatabaseLookupMsg (m_Destination, 
+			replyTunnel->GetNextIdentHash (), replyTunnel->GetNextTunnelID (), m_IsExploratory, 
+		    &m_ExcludedPeers);
+		m_ExcludedPeers.insert (router->GetIdentHash ());
+		m_CreationTime = i2p::util::GetSecondsSinceEpoch ();
+		return msg;
+	}	
+
+	std::shared_ptr<I2NPMessage> RequestedDestination::CreateRequestMessage (const IdentHash& floodfill)
+	{
+		auto msg = i2p::CreateRouterInfoDatabaseLookupMsg (m_Destination, 
+			i2p::context.GetRouterInfo ().GetIdentHash () , 0, false, &m_ExcludedPeers);
+		m_ExcludedPeers.insert (floodfill);
+		m_CreationTime = i2p::util::GetSecondsSinceEpoch ();
+		return msg;
+	}	
+
+	void RequestedDestination::ClearExcludedPeers ()
+	{
+		m_ExcludedPeers.clear ();
+	}	
+	
+	void RequestedDestination::Success (std::shared_ptr<RouterInfo> r)
+	{
+		if (m_RequestComplete)
+		{
+			m_RequestComplete (r);
+			m_RequestComplete = nullptr;
+		}
+	}
+
+	void RequestedDestination::Fail ()
+	{
+		if (m_RequestComplete)
+		{
+			m_RequestComplete (nullptr);
+			m_RequestComplete = nullptr;
+		}
+	}
+
+	void NetDbRequests::Start ()
+	{
+	}
+
+	void NetDbRequests::Stop ()
+	{
+		m_RequestedDestinations.clear ();
+	}
+
+
+	std::shared_ptr<RequestedDestination> NetDbRequests::CreateRequest (const IdentHash& destination, bool isExploratory, RequestedDestination::RequestComplete requestComplete)
+	{
+		// request RouterInfo directly
+		auto dest = std::make_shared<RequestedDestination> (destination, isExploratory); 
+		dest->SetRequestComplete (requestComplete);
+		{
+			std::unique_lock<std::mutex> l(m_RequestedDestinationsMutex);
+			if (!m_RequestedDestinations.insert (std::make_pair (destination, 
+				std::shared_ptr<RequestedDestination> (dest))).second) // not inserted
+				return nullptr; 
+		}
+		return dest;
+	}	
+
+	void NetDbRequests::RequestComplete (const IdentHash& ident, std::shared_ptr<RouterInfo> r)
+	{
+		auto it = m_RequestedDestinations.find (ident);
+		if (it != m_RequestedDestinations.end ())
+		{	
+			if (r)
+				it->second->Success (r);
+			else
+				it->second->Fail ();
+			std::unique_lock<std::mutex> l(m_RequestedDestinationsMutex);
+			m_RequestedDestinations.erase (it);
+		}	
+	}
+
+	std::shared_ptr<RequestedDestination> NetDbRequests::FindRequest (const IdentHash& ident) const
+	{
+		auto it = m_RequestedDestinations.find (ident);
+		if (it != m_RequestedDestinations.end ())
+			return it->second;
+		return nullptr;
+	}	
+
+	void NetDbRequests::ManageRequests ()
+	{
+		uint64_t ts = i2p::util::GetSecondsSinceEpoch ();	
+		std::unique_lock<std::mutex> l(m_RequestedDestinationsMutex);	
+		for (auto it = m_RequestedDestinations.begin (); it != m_RequestedDestinations.end ();)
+		{
+			auto& dest = it->second;
+			bool done = false;
+			if (ts < dest->GetCreationTime () + 60) // request is worthless after 1 minute
+			{
+				if (ts > dest->GetCreationTime () + 5) // no response for 5 seconds
+				{
+					auto count = dest->GetExcludedPeers ().size ();
+					if (!dest->IsExploratory () && count < 7)
+					{
+						auto pool = i2p::tunnel::tunnels.GetExploratoryPool ();
+						auto outbound = pool->GetNextOutboundTunnel ();
+						auto inbound = pool->GetNextInboundTunnel ();	
+						auto nextFloodfill = netdb.GetClosestFloodfill (dest->GetDestination (), dest->GetExcludedPeers ());
+						if (nextFloodfill && outbound && inbound)
+							outbound->SendTunnelDataMsg (nextFloodfill->GetIdentHash (), 0,
+								dest->CreateRequestMessage (nextFloodfill, inbound));
+						else
+						{
+							done = true;
+							if (!inbound) LogPrint (eLogWarning, "NetDbReq: No inbound tunnels");
+							if (!outbound) LogPrint (eLogWarning, "NetDbReq: No outbound tunnels");
+							if (!nextFloodfill) LogPrint (eLogWarning, "NetDbReq: No more floodfills");
+						}
+					}	
+					else
+					{
+						if (!dest->IsExploratory ())
+							LogPrint (eLogWarning, "NetDbReq: ", dest->GetDestination ().ToBase64 (), " not found after 7 attempts");
+						done = true;
+					}	 
+				}	
+			}	
+			else // delete obsolete request
+				done = true;
+
+			if (done)
+				it = m_RequestedDestinations.erase (it);
+			else
+				it++;
+		}	
+	}
+}
+}
+

NetDbRequests.h

@@ -0,0 +1,69 @@
+#ifndef NETDB_REQUESTS_H__
+#define NETDB_REQUESTS_H__
+
+#include <memory>
+#include <set>
+#include <map>
+#include "Identity.h"
+#include "RouterInfo.h"
+
+namespace i2p
+{
+namespace data
+{
+	class RequestedDestination
+	{	
+		public:
+
+			typedef std::function<void (std::shared_ptr<RouterInfo>)> RequestComplete;
+
+			RequestedDestination (const IdentHash& destination, bool isExploratory = false):
+				m_Destination (destination), m_IsExploratory (isExploratory), m_CreationTime (0) {};
+			~RequestedDestination () { if (m_RequestComplete) m_RequestComplete (nullptr); };			
+
+			const IdentHash& GetDestination () const { return m_Destination; };
+			int GetNumExcludedPeers () const { return m_ExcludedPeers.size (); };
+			const std::set<IdentHash>& GetExcludedPeers () { return m_ExcludedPeers; };
+			void ClearExcludedPeers ();
+			bool IsExploratory () const { return m_IsExploratory; };
+			bool IsExcluded (const IdentHash& ident) const { return m_ExcludedPeers.count (ident); };
+			uint64_t GetCreationTime () const { return m_CreationTime; };
+			std::shared_ptr<I2NPMessage> CreateRequestMessage (std::shared_ptr<const RouterInfo>, std::shared_ptr<const i2p::tunnel::InboundTunnel> replyTunnel);
+			std::shared_ptr<I2NPMessage> CreateRequestMessage (const IdentHash& floodfill);
+			
+			void SetRequestComplete (const RequestComplete& requestComplete) { m_RequestComplete = requestComplete; };
+			bool IsRequestComplete () const { return m_RequestComplete != nullptr; };
+			void Success (std::shared_ptr<RouterInfo> r);
+			void Fail ();
+			
+		private:
+
+			IdentHash m_Destination;
+			bool m_IsExploratory;
+			std::set<IdentHash> m_ExcludedPeers;
+			uint64_t m_CreationTime;
+			RequestComplete m_RequestComplete;
+	};	
+
+	class NetDbRequests
+	{
+		public:
+
+			void Start ();
+			void Stop ();
+
+			 std::shared_ptr<RequestedDestination> CreateRequest (const IdentHash& destination, bool isExploratory, RequestedDestination::RequestComplete requestComplete = nullptr);
+			void RequestComplete (const IdentHash& ident, std::shared_ptr<RouterInfo> r);
+			std::shared_ptr<RequestedDestination> FindRequest (const IdentHash& ident) const;
+			void ManageRequests ();
+
+		private:
+
+			std::mutex m_RequestedDestinationsMutex;
+			std::map<IdentHash, std::shared_ptr<RequestedDestination> > m_RequestedDestinations;
+	};
+}
+}
+
+#endif
+

Profiling.cpp

@@ -1,24 +1,32 @@
-#include <boost/filesystem.hpp>
+#include <sys/stat.h>
 #include <boost/property_tree/ptree.hpp>
 #include <boost/property_tree/ini_parser.hpp>
-#include "base64.h"
-#include "util.h"
+#include "Base.h"
+#include "FS.h"
+#include "Log.h"
 #include "Profiling.h"
 
 namespace i2p
 {
 namespace data
 {
+	i2p::fs::HashedStorage m_ProfilesStorage("peerProfiles", "p", "profile-", "txt");
+
 	RouterProfile::RouterProfile (const IdentHash& identHash):
 		m_IdentHash (identHash), m_LastUpdateTime (boost::posix_time::second_clock::local_time()),
-		m_NumTunnelsAgreed (0), m_NumTunnelsDeclined (0),
-		m_NumTunnelsNonReplied (0)
+		m_NumTunnelsAgreed (0), m_NumTunnelsDeclined (0), m_NumTunnelsNonReplied (0),
+		m_NumTimesTaken (0), m_NumTimesRejected (0) 
 	{
 	}
 
+	boost::posix_time::ptime RouterProfile::GetTime () const
+	{
+		return boost::posix_time::second_clock::local_time();
+	}	
+		
 	void RouterProfile::UpdateTime ()
 	{
-		m_LastUpdateTime = boost::posix_time::second_clock::local_time();
+		m_LastUpdateTime = GetTime ();
 	}	
 		
 	void RouterProfile::Save ()
@@ -28,88 +36,83 @@ namespace data
 		participation.put (PEER_PROFILE_PARTICIPATION_AGREED, m_NumTunnelsAgreed);
 		participation.put (PEER_PROFILE_PARTICIPATION_DECLINED, m_NumTunnelsDeclined);
 		participation.put (PEER_PROFILE_PARTICIPATION_NON_REPLIED, m_NumTunnelsNonReplied);
+		boost::property_tree::ptree usage;
+		usage.put (PEER_PROFILE_USAGE_TAKEN, m_NumTimesTaken);
+		usage.put (PEER_PROFILE_USAGE_REJECTED, m_NumTimesRejected);
 		// fill property tree
 		boost::property_tree::ptree pt;
 		pt.put (PEER_PROFILE_LAST_UPDATE_TIME, boost::posix_time::to_simple_string (m_LastUpdateTime));
 		pt.put_child (PEER_PROFILE_SECTION_PARTICIPATION, participation);
-		
+		pt.put_child (PEER_PROFILE_SECTION_USAGE, usage);
+
 		// save to file
-		auto path = i2p::util::filesystem::GetDefaultDataDir() / PEER_PROFILES_DIRECTORY;
-		if (!boost::filesystem::exists (path))
-		{
-			// Create directory is necessary
-			if (!boost::filesystem::create_directory (path))
-			{	
-				LogPrint (eLogError, "Failed to create directory ", path);
-				return;
-			}			
-			const char * chars = GetBase64SubstitutionTable (); // 64 bytes
-			for (int i = 0; i < 64; i++)
-			{
-				auto path1 = path / (std::string ("p") + chars[i]);
-				if (!boost::filesystem::create_directory (path1)) 
-				{
-					LogPrint (eLogError, "Failed to create directory ", path1);
-					return;
-				}			
-			}				
+		std::string ident = m_IdentHash.ToBase64 ();
+		std::string path = m_ProfilesStorage.Path(ident);
+
+		try {
+			boost::property_tree::write_ini (path, pt);
+		} catch (std::exception& ex) {
+			/* boost exception verbose enough */
+			LogPrint (eLogError, "Profiling: ", ex.what ());
 		}
-		std::string base64 = m_IdentHash.ToBase64 ();
-		path = path / (std::string ("p") + base64[0]);
-		auto filename = path / (std::string (PEER_PROFILE_PREFIX) + base64 + ".txt");
-		try
-		{
-			boost::property_tree::write_ini (filename.string (), pt);
-		}
-		catch (std::exception& ex)
-		{
-			LogPrint (eLogError, "Can't write ", filename, ": ", ex.what ());
-		}
-	}	
+	}
 
 	void RouterProfile::Load ()
 	{
-		std::string base64 = m_IdentHash.ToBase64 ();
-		auto path = i2p::util::filesystem::GetDefaultDataDir() / PEER_PROFILES_DIRECTORY;
-		path /= std::string ("p") + base64[0];
-		auto filename = path / (std::string (PEER_PROFILE_PREFIX) + base64 + ".txt");
-		if (boost::filesystem::exists (filename))
-		{	
-			boost::property_tree::ptree pt;
-			try
-			{
-				boost::property_tree::read_ini (filename.string (), pt);
+		std::string ident = m_IdentHash.ToBase64 ();
+		std::string path = m_ProfilesStorage.Path(ident);
+		boost::property_tree::ptree pt;
+
+		if (!i2p::fs::Exists(path)) {
+			LogPrint(eLogWarning, "Profiling: no profile yet for ", ident);
+			return;
+		}
+
+		try {
+			boost::property_tree::read_ini (path, pt);
+		} catch (std::exception& ex) {
+			/* boost exception verbose enough */
+			LogPrint (eLogError, "Profiling: ", ex.what ());
+			return;
+		}
+
+		try {
+			auto t = pt.get (PEER_PROFILE_LAST_UPDATE_TIME, "");
+			if (t.length () > 0)
+				m_LastUpdateTime = boost::posix_time::time_from_string (t);
+			if ((GetTime () - m_LastUpdateTime).hours () < PEER_PROFILE_EXPIRATION_TIMEOUT) {
+				try {
+					// read participations
+					auto participations = pt.get_child (PEER_PROFILE_SECTION_PARTICIPATION);
+					m_NumTunnelsAgreed = participations.get (PEER_PROFILE_PARTICIPATION_AGREED, 0);
+					m_NumTunnelsDeclined = participations.get (PEER_PROFILE_PARTICIPATION_DECLINED, 0);
+					m_NumTunnelsNonReplied = participations.get (PEER_PROFILE_PARTICIPATION_NON_REPLIED, 0);
+				}	catch (boost::property_tree::ptree_bad_path& ex) {
+					LogPrint (eLogWarning, "Profiling: Missing section ", PEER_PROFILE_SECTION_PARTICIPATION, " in profile for ", ident);
+				}	
+				try {
+					// read usage
+					auto usage = pt.get_child (PEER_PROFILE_SECTION_USAGE);
+					m_NumTimesTaken = usage.get (PEER_PROFILE_USAGE_TAKEN, 0);
+					m_NumTimesRejected = usage.get (PEER_PROFILE_USAGE_REJECTED, 0);
+				}	catch (boost::property_tree::ptree_bad_path& ex) {
+					LogPrint (eLogWarning, "Missing section ", PEER_PROFILE_SECTION_USAGE, " in profile for ", ident);
+				}
+			} else {
+				*this = RouterProfile (m_IdentHash);
 			}
-			catch (std::exception& ex)
-			{
-				LogPrint (eLogError, "Can't read ", filename, ": ", ex.what ());
-				return;
-			}
-			try
-			{	
-				auto t = pt.get (PEER_PROFILE_LAST_UPDATE_TIME, "");
-				if (t.length () > 0)
-					m_LastUpdateTime = boost::posix_time::time_from_string (t);
-				// read participations
-				auto participations = pt.get_child (PEER_PROFILE_SECTION_PARTICIPATION);
-				m_NumTunnelsAgreed = participations.get (PEER_PROFILE_PARTICIPATION_AGREED, 0);
-				m_NumTunnelsDeclined = participations.get (PEER_PROFILE_PARTICIPATION_DECLINED, 0);
-				m_NumTunnelsNonReplied = participations.get (PEER_PROFILE_PARTICIPATION_NON_REPLIED, 0);
-			}	
-			catch (std::exception& ex)
-			{
-				LogPrint (eLogError, "Can't read profile ", base64, " :", ex.what ());
-			}	
-		}	
-	}	
-		
+		} catch (std::exception& ex) {
+			LogPrint (eLogError, "Profiling: Can't read profile ", ident, " :", ex.what ());
+		}
+	}
+
 	void RouterProfile::TunnelBuildResponse (uint8_t ret)
 	{
+		UpdateTime ();
 		if (ret > 0)
 			m_NumTunnelsDeclined++;
 		else
 			m_NumTunnelsAgreed++;
-		UpdateTime ();
 	}	
 
 	void RouterProfile::TunnelNonReplied ()
@@ -117,6 +120,32 @@ namespace data
 		m_NumTunnelsNonReplied++;
 		UpdateTime ();
 	}	
+
+	bool RouterProfile::IsLowPartcipationRate () const
+	{
+		return 4*m_NumTunnelsAgreed < m_NumTunnelsDeclined; // < 20% rate
+	}	
+
+	bool RouterProfile::IsLowReplyRate () const
+	{
+		auto total = m_NumTunnelsAgreed + m_NumTunnelsDeclined;
+		return m_NumTunnelsNonReplied > 10*(total + 1);
+	}	
+		
+	bool RouterProfile::IsBad ()
+	{ 
+		auto isBad = IsAlwaysDeclining () || IsLowPartcipationRate () /*|| IsLowReplyRate ()*/;
+		if (isBad && m_NumTimesRejected > 10*(m_NumTimesTaken + 1)) 
+		{
+			// reset profile
+			m_NumTunnelsAgreed = 0;
+			m_NumTunnelsDeclined = 0;
+			m_NumTunnelsNonReplied = 0;
+			isBad = false;
+		}		
+		if (isBad) m_NumTimesRejected++; else m_NumTimesTaken++;
+		return isBad;	
+	}
 		
 	std::shared_ptr<RouterProfile> GetRouterProfile (const IdentHash& identHash)
 	{
@@ -124,5 +153,30 @@ namespace data
 		profile->Load (); // if possible
 		return profile;
 	}		
+
+	void InitProfilesStorage ()
+	{
+		m_ProfilesStorage.SetPlace(i2p::fs::GetDataDir());
+		m_ProfilesStorage.Init(i2p::data::GetBase64SubstitutionTable(), 64);
+	}
+
+	void DeleteObsoleteProfiles ()
+	{
+		struct stat st;
+		std::time_t now = std::time(nullptr);
+
+		std::vector<std::string> files;
+		m_ProfilesStorage.Traverse(files);
+		for (auto path: files) {
+			if (stat(path.c_str(), &st) != 0) {
+				LogPrint(eLogWarning, "Profiling: Can't stat(): ", path);
+				continue;
+			}
+			if (((now - st.st_mtime) / 3600) >= PEER_PROFILE_EXPIRATION_TIMEOUT) {
+				LogPrint(eLogDebug, "Profiling: removing expired peer profile: ", path);
+				i2p::fs::Remove(path);
+			}
+		}
+	}
 }		
-}	
+}	

Profiling.h

@@ -9,33 +9,42 @@ namespace i2p
 {
 namespace data
 {	
-	const char PEER_PROFILES_DIRECTORY[] = "peerProfiles";
-	const char PEER_PROFILE_PREFIX[] = "profile-";
 	// sections
 	const char PEER_PROFILE_SECTION_PARTICIPATION[] = "participation";
+	const char PEER_PROFILE_SECTION_USAGE[] = "usage";
 	// params	
 	const char PEER_PROFILE_LAST_UPDATE_TIME[] = "lastupdatetime";
 	const char PEER_PROFILE_PARTICIPATION_AGREED[] = "agreed";
 	const char PEER_PROFILE_PARTICIPATION_DECLINED[] = "declined";
 	const char PEER_PROFILE_PARTICIPATION_NON_REPLIED[] = "nonreplied";	
+	const char PEER_PROFILE_USAGE_TAKEN[] = "taken";
+	const char PEER_PROFILE_USAGE_REJECTED[] = "rejected";
+
+	const int PEER_PROFILE_EXPIRATION_TIMEOUT = 72; // in hours (3 days)
 	
 	class RouterProfile
 	{
 		public:
 
 			RouterProfile (const IdentHash& identHash);
+			RouterProfile& operator= (const RouterProfile& ) = default;
 			
 			void Save ();
 			void Load ();
 
-			bool IsBad () const { return !m_NumTunnelsAgreed && m_NumTunnelsDeclined >= 5; };
+			bool IsBad ();
 			
 			void TunnelBuildResponse (uint8_t ret);
 			void TunnelNonReplied ();
 
 		private:
 
+			boost::posix_time::ptime GetTime () const;
 			void UpdateTime ();
+
+			bool IsAlwaysDeclining () const { return !m_NumTunnelsAgreed && m_NumTunnelsDeclined >= 5; };
+			bool IsLowPartcipationRate () const;
+			bool IsLowReplyRate () const;
 			
 		private:	
 
@@ -45,9 +54,14 @@ namespace data
 			uint32_t m_NumTunnelsAgreed;
 			uint32_t m_NumTunnelsDeclined;	
 			uint32_t m_NumTunnelsNonReplied;
+			// usage
+			uint32_t m_NumTimesTaken;
+			uint32_t m_NumTimesRejected;	
 	};	
 
 	std::shared_ptr<RouterProfile> GetRouterProfile (const IdentHash& identHash); 
+	void InitProfilesStorage ();
+	void DeleteObsoleteProfiles ();
 }		
 }	
 

Queue.h

@@ -17,14 +17,14 @@ namespace util
 	{	
 		public:
 
-			void Put (Element * e)
+			void Put (Element e)
 			{
 				std::unique_lock<std::mutex>  l(m_QueueMutex);
 				m_Queue.push (e);	
 				m_NonEmpty.notify_one ();
 			}
 
-			void Put (const std::vector<Element *>& vec)
+			void Put (const std::vector<Element>& vec)
 			{
 				if (!vec.empty ())
 				{	
@@ -35,10 +35,10 @@ namespace util
 				}	
 			}
 			
-			Element * GetNext ()
+			Element GetNext ()
 			{
 				std::unique_lock<std::mutex> l(m_QueueMutex);
-				Element * el = GetNonThreadSafe ();
+				auto el = GetNonThreadSafe ();
 				if (!el)
 				{
 					m_NonEmpty.wait (l);
@@ -47,10 +47,10 @@ namespace util
 				return el;
 			}
 
-			Element * GetNextWithTimeout (int usec)
+			Element GetNextWithTimeout (int usec)
 			{
 				std::unique_lock<std::mutex> l(m_QueueMutex);
-				Element * el = GetNonThreadSafe ();
+				auto el = GetNonThreadSafe ();
 				if (!el)
 				{
 					m_NonEmpty.wait_for (l, std::chrono::milliseconds (usec));
@@ -85,13 +85,13 @@ namespace util
 
 			void WakeUp () { m_NonEmpty.notify_all (); };
 
-			Element * Get ()
+			Element Get ()
 			{
 				std::unique_lock<std::mutex> l(m_QueueMutex);
 				return GetNonThreadSafe ();
 			}	
 
-			Element * Peek ()
+			Element Peek ()
 			{
 				std::unique_lock<std::mutex> l(m_QueueMutex);
 				return GetNonThreadSafe (true);
@@ -99,11 +99,11 @@ namespace util
 			
 		private:
 
-			Element * GetNonThreadSafe (bool peek = false)
+			Element GetNonThreadSafe (bool peek = false)
 			{
 				if (!m_Queue.empty ())
 				{
-					Element * el = m_Queue.front ();
+					auto el = m_Queue.front ();
 					if (!peek)
 						m_Queue.pop ();
 					return el;
@@ -113,56 +113,10 @@ namespace util
 			
 		private:
 
-			std::queue<Element *> m_Queue;
+			std::queue<Element> m_Queue;
 			std::mutex m_QueueMutex;
 			std::condition_variable m_NonEmpty;
 	};	
-
-	template<class Msg>
-	class MsgQueue: public Queue<Msg>
-	{
-		public:
-
-			typedef std::function<void()> OnEmpty;
-
-			MsgQueue (): m_IsRunning (true), m_Thread (std::bind (&MsgQueue<Msg>::Run, this))  {};
-			~MsgQueue () { Stop (); };
-			void Stop()
-			{
-				if (m_IsRunning)
-				{
-					m_IsRunning = false;
-					Queue<Msg>::WakeUp ();					
-					m_Thread.join();
-				}
-			}
-
-			void SetOnEmpty (OnEmpty const & e) { m_OnEmpty = e; };
-
-		private:
-
-			void Run ()
-			{
-				while (m_IsRunning)
-				{
-					while (Msg * msg = Queue<Msg>::Get ())
-					{
-						msg->Process ();
-						delete msg;
-					}
-					if (m_OnEmpty != nullptr)
-						m_OnEmpty ();
-					if (m_IsRunning)
-						Queue<Msg>::Wait ();
-				}	
-			}	
-			
-		private:
-			
-			volatile bool m_IsRunning;
-			OnEmpty m_OnEmpty;
-			std::thread m_Thread;	
-	};	
 }		
 }	
 

README.md

@@ -1,7 +1,7 @@
 i2pd
 ====
 
-I2P router written in C++
+Independent C++ implementation of I2P router
 
 License
 -------
@@ -9,116 +9,33 @@ License
 This project is licensed under the BSD 3-clause license, which can be found in the file
 LICENSE in the root of the project source code.
 
-Requirements for Linux/FreeBSD/OSX
-----------------------------------
+Donations
+---------
 
-GCC 4.6 or newer, Boost 1.46 or newer, crypto++. Clang can be used instead of
-GCC.
-
-Requirements for Windows
-------------------------
-
-VS2013 (known to work with 12.0.21005.1 or newer), Boost 1.46 or newer,
-crypto++ 5.62. See Win32/README-Build.txt for instructions on how to build i2pd
-and its dependencies.
+BTC: 1K7Ds6KUeR8ya287UC4rYTjvC96vXyZbDY  
+LTC: LKQirrYrDeTuAPnpYq5y7LVKtywfkkHi59  
+ANC: AQJYweYYUqM1nVfLqfoSMpUMfzxvS4Xd7z  
 
 Downloads
 ------------
 
-Official binary releases could be found at:
-http://download.i2p.io/purplei2p/i2pd/releases/
+Official binary releases could be found at:  
+http://i2pd.website/releases/  
+older releases  
+http://download.i2p.io/purplei2p/i2pd/releases/  
 
-
-Build Statuses
----------------
-
-- Linux x64      - [![Build Status](https://jenkins.greyhat.no/buildStatus/icon?job=i2pd-linux)](https://jenkins.nordcloud.no/job/i2pd-linux/)
-- Linux ARM      - To be added
-- Mac OS X       - Got it working, but not well tested. (Only works with clang, not GCC.)
-- Microsoft VC13 - To be added
-
-
-Testing
--------
-
-First, build it.
-
-On Ubuntu/Debian based
-* sudo apt-get install libboost-dev libboost-filesystem-dev libboost-program-options-dev libboost-regex-dev libcrypto++-dev libboost-date-time-dev
-* $ cd i2pd
-* $ make
-
-Then, run it:
-
-$ ./i2p
-
-The client should now reseed by itself.
-
-To visit an I2P page, you need to find the b32 address of your destination.
-After that, go to the webconsole and add it behind the url. (Remove http:// from the address)
-
-This should resulting in for example:
-http://localhost:7070/4oes3rlgrpbkmzv4lqcfili23h3cvpwslqcfjlk6vvguxyggspwa.b32.i2p
-
-
-Cmdline options
----------------
-
-* --host=               - The external IP (deprecated). 
-* --port=               - The port to listen on
-* --httpport=           - The http port to listen on
-* --log=                - Enable or disable logging to file. 1 for yes, 0 for no.
-* --daemon=             - Enable or disable daemon mode. 1 for yes, 0 for no.
-* --service=            - 1 if uses system folders (/var/run/i2pd.pid, /var/log/i2pd.log, /var/lib/i2pd).
-* --v6=                 - 1 if supports communication through ipv6, off by default
-* --floodfill=          - 1 if router is floodfill, off by default
-* --bandwidth=          - L if bandwidth is limited to 32Kbs/sec, O if not. Always O if floodfill, otherwise L by default.
-* --httpproxyport=      - The port to listen on (HTTP Proxy)
-* --socksproxyport=     - The port to listen on (SOCKS Proxy)
-* --proxykeys=          - optional keys file for proxy's local destination
-* --ircport=            - The local port of IRC tunnel to listen on. 6668 by default
-* --ircdest=            - I2P destination address of IRC server. For example irc.postman.i2p
-* --irckeys=            - optional keys file for tunnel's local destination 
-* --eepkeys=            - File name containing destination keys, for example privKeys.dat.
-                          The file will be created if it does not already exist (issue #110).
-* --eephost=            - Address incoming trafic forward to. 127.0.0.1 by default
-* --eepport=            - Port incoming trafic forward to. 80 by default
-* --samport=            - Port of SAM bridge. Usually 7656. SAM is off if not specified
-* --bobport=            - Port of BOB command channel. Usually 2827. BOB is off if not specified
-* --i2pcontrolport=     - Port of I2P control service. Usually 7650. I2PControl is off if not specified
-* --conf=               - Config file (default: ~/.i2pd/i2p.conf or /var/lib/i2pd/i2p.conf)
-                          This parameter will be silently ignored if the specified config file does not exist.
-                          Options specified on the command line take precedence over those in the config file.
-
-Config files
+Supported OS
 ------------
 
-INI-like, syntax is the following : <key> = <value>.
-All command-line parameters are allowed as keys, for example:
+* Linux x86/x64  - [![Build Status](https://travis-ci.org/PurpleI2P/i2pd.svg?branch=openssl)](https://travis-ci.org/PurpleI2P/i2pd)  
+* Windows        - [![Build status](https://ci.appveyor.com/api/projects/status/1908qe4p48ff1x23?svg=true)](https://ci.appveyor.com/project/PurpleI2P/i2pd)  
+* Mac OS X
+* FreeBSD
 
-i2p.conf:
+More documentation
+------------------
 
-	log = 1
-	v6 = 0
-	ircdest = irc.postman.i2p
-
-tunnels.cfg (filename of this config is subject of change):
-
-	 ; outgoing tunnel, to remote service    
-	[tunnel1]  
-	type = client      ; mandatory   
-	port = <integer>   ; mandatory, bind our side of tunnel to this local port  
-	keys = <filename>  ; optional  
-	destination     = <ident>    ; mandatory  
-	destinationport = <integer>  ; optional, port of remote i2p service  
-	   
-	 ; incoming tunnel, for local service(s)   
-	[tunnel2]   
-	type = server      ; mandatory   
-	host = <ident>     ; mandatory, hostname of our i2p service   
-	keys = <filename>  ; mandatory, hostname keys   
-	port = <integer>   ; mandatory, forward incoming connections from i2p to this port      
-	inport = <integer> ; optional, i2p service port   
-	accesslist = <ident>[,<ident>] ; optional, comma-separated list of i2p idents, allowed to connect to service  
-
-Note: '<ident>' type is a string like <hostname.i2p> or <abracadabra.b32.i2p>  
+* [Building from source / unix](docs/build_notes_unix.md)  
+* [Building from source / windows](docs/build_notes_windows.md)  
+* [Configuring your i2pd](docs/configuration.md)  
+* [Github wiki](https://github.com/PurpleI2P/i2pd/wiki/)  

Reseed.cpp

@@ -2,18 +2,19 @@
 #include <fstream>
 #include <sstream>
 #include <boost/regex.hpp>
-#include <boost/filesystem.hpp>
-#include <boost/lexical_cast.hpp>
-#include <cryptopp/asn.h>
-#include <cryptopp/base64.h>
-#include <cryptopp/crc.h>
-#include <cryptopp/hmac.h>
-#include <cryptopp/zinflate.h>
+#include <boost/asio.hpp>
+#include <boost/asio/ssl.hpp>
+#include <openssl/bn.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#include <zlib.h>
+
 #include "I2PEndian.h"
 #include "Reseed.h"
+#include "FS.h"
 #include "Log.h"
 #include "Identity.h"
-#include "CryptoConst.h"
+#include "Crypto.h"
 #include "NetDb.h"
 #include "util.h"
 
@@ -22,30 +23,19 @@ namespace i2p
 {
 namespace data
 {
-
-	static std::vector<std::string> httpReseedHostList = {
-				// "http://193.150.121.66/netDb/",  // unstable
-				// "http://us.reseed.i2p2.no/",     // misconfigured, not serving reseed data
-				// "http://jp.reseed.i2p2.no/",     // Really outdated RIs
-				"http://netdb.i2p2.no/",            // only SU3 (v2) support
-				"http://i2p.mooo.com/netDb/",
-				"http://uk.reseed.i2p2.no/",
-				"http://i2p-netdb.innovatio.no/"
-			};
-
-	//TODO: Remember to add custom port support. Not all serves on 443
-	static std::vector<std::string> httpsReseedHostList = {
-				// "https://193.150.121.66/netDb/",  // unstable
-				// "https://i2p-netdb.innovatio.no/",// Vuln to POODLE
-				"https://netdb.i2p2.no/",            // Only SU3 (v2) support
-				"https://reseed.i2p-projekt.de/",    // Only HTTPS
-				"https://cowpuncher.drollette.com/netdb/",  // Only HTTPS and SU3 (v2) support -- will move to a new location
-				// following hosts are fine but don't support AES256 
-				/*"https://i2p.mooo.com/netDb/",
-				"https://link.mx24.eu/",             // Only HTTPS and SU3 (v2) support
-				"https://i2pseed.zarrenspry.info/",  // Only HTTPS and SU3 (v2) support
-				"https://ieb9oopo.mooo.com/"         // Only HTTPS and SU3 (v2) support*/
-			};
+	static std::vector<std::string> httpsReseedHostList = 
+	{
+		"https://reseed.i2p-projekt.de/", // Only HTTPS
+        "https://i2p.mooo.com/netDb/",
+        "https://netdb.i2p2.no/", // Only SU3 (v3) support, SNI required
+		"https://us.reseed.i2p2.no:444/",	
+        "https://uk.reseed.i2p2.no:444/",
+		"https://i2p.manas.ca:8443/",
+		"https://i2p-0.manas.ca:8443/",
+        "https://reseed.i2p.vzaws.com:8443/", // Only SU3 (v3) support
+        "https://user.mx24.eu/", // Only HTTPS and SU3 (v3) support
+        "https://download.xxlspeed.com/" // Only HTTPS and SU3 (v3) support
+	};
 	
 	Reseeder::Reseeder()
 	{
@@ -55,82 +45,18 @@ namespace data
 	{
 	}
 
-	bool Reseeder::reseedNow()
-	{
-		// This method is deprecated
-		try
-		{
-			std::string reseedHost = httpReseedHostList[(rand() % httpReseedHostList.size())];
-			LogPrint("Reseeding from ", reseedHost);
-			std::string content = i2p::util::http::httpRequest(reseedHost);
-			if (content == "")
-			{
-				LogPrint("Reseed failed");
-				return false;
-			}
-			boost::regex e("<\\s*A\\s+[^>]*href\\s*=\\s*\"([^\"]*)\"", boost::regex::normal | boost::regbase::icase);
-			boost::sregex_token_iterator i(content.begin(), content.end(), e, 1);
-			boost::sregex_token_iterator j;
-			//TODO: Ugly code, try to clean up.
-			//TODO: Try to reduce N number of variables
-			std::string name;
-			std::string routerInfo;
-			std::string tmpUrl;
-			std::string filename;
-			std::string ignoreFileSuffix = ".su3";
-			boost::filesystem::path root = i2p::util::filesystem::GetDataDir();
-			while (i != j)
-			{
-				name = *i++;
-				if (name.find(ignoreFileSuffix)!=std::string::npos)
-					continue;
-				LogPrint("Downloading ", name);
-				tmpUrl = reseedHost;
-				tmpUrl.append(name);
-				routerInfo = i2p::util::http::httpRequest(tmpUrl);
-				if (routerInfo.size()==0)
-					continue;
-				filename = root.string();
-#ifndef _WIN32
-				filename += "/netDb/r";
-#else
-				filename += "\\netDb\\r";
-#endif
-				filename += name.at(11); // first char in id
-#ifndef _WIN32
-				filename.append("/");
-#else
-				filename.append("\\");
-#endif
-				filename.append(name.c_str());
-				std::ofstream outfile (filename, std::ios::binary);
-				outfile << routerInfo;
-				outfile.close();
-			}
-			return true;
-		}
-		catch (std::exception& ex)
-		{
-			//TODO: error reporting
-			return false;
-		}
-		return false;
-	}	
-
 	int Reseeder::ReseedNowSU3 ()
 	{
-		CryptoPP::AutoSeededRandomPool rnd;
-		auto ind = rnd.GenerateWord32 (0, httpReseedHostList.size() - 1 +  httpsReseedHostList.size () - 1);
-		std::string reseedHost = (ind < httpReseedHostList.size()) ? httpReseedHostList[ind] : 
-			httpsReseedHostList[ind - httpReseedHostList.size()]; 
-		return ReseedFromSU3 (reseedHost, ind >= httpReseedHostList.size());
+		auto ind = rand () % httpsReseedHostList.size ();
+		std::string& reseedHost = httpsReseedHostList[ind];
+		return ReseedFromSU3 (reseedHost);
 	}
 
-	int Reseeder::ReseedFromSU3 (const std::string& host, bool https)
+	int Reseeder::ReseedFromSU3 (const std::string& host)
 	{
 		std::string url = host + "i2pseeds.su3";
-		LogPrint (eLogInfo, "Dowloading SU3 from ", host);
-		std::string su3 = https ? HttpsRequest (url) : i2p::util::http::httpRequest (url);
+		LogPrint (eLogInfo, "Reseed: Downloading SU3 from ", host);
+		std::string su3 = HttpsRequest (url);
 		if (su3.length () > 0)
 		{
 			std::stringstream s(su3);
@@ -138,7 +64,7 @@ namespace data
 		}
 		else
 		{
-			LogPrint (eLogWarning, "SU3 download failed");
+			LogPrint (eLogWarning, "Reseed: SU3 download failed");
 			return 0;
 		}
 	}
@@ -150,7 +76,7 @@ namespace data
 			return ProcessSU3Stream (s);
 		else
 		{
-			LogPrint (eLogError, "Can't open file ", filename);
+			LogPrint (eLogError, "Reseed: Can't open file ", filename);
 			return 0;
 		}
 	}
@@ -165,7 +91,7 @@ namespace data
 		s.read (magicNumber, 7); // magic number and zero byte 6
 		if (strcmp (magicNumber, SU3_MAGIC_NUMBER))
 		{
-			LogPrint (eLogError, "Unexpected SU3 magic number");	
+			LogPrint (eLogError, "Reseed: Unexpected SU3 magic number");
 			return 0;
 		}			
 		s.seekg (1, std::ios::cur); // su3 file format version
@@ -189,7 +115,7 @@ namespace data
 		s.read ((char *)&fileType, 1);  // file type	
 		if (fileType != 0x00) //  zip file
 		{
-			LogPrint (eLogError, "Can't handle file type ", (int)fileType);	
+			LogPrint (eLogError, "Reseed: Can't handle file type ", (int)fileType);
 			return 0;
 		}
 		s.seekg (1, std::ios::cur); // unused
@@ -197,7 +123,7 @@ namespace data
 		s.read ((char *)&contentType, 1);  // content type	
 		if (contentType != 0x03) // reseed data
 		{
-			LogPrint (eLogError, "Unexpected content type ", (int)contentType);	
+			LogPrint (eLogError, "Reseed: Unexpected content type ", (int)contentType);
 			return 0;
 		}
 		s.seekg (12, std::ios::cur); // unused
@@ -222,19 +148,36 @@ namespace data
 				uint8_t * signature = new uint8_t[signatureLength];
 				s.read ((char *)signature, signatureLength);
 				// RSA-raw
-				i2p::crypto::RSASHA5124096RawVerifier verifier(it->second);
-				verifier.Update (tbs, tbsLen);
-				if (!verifier.Verify (signature))
-					LogPrint (eLogWarning, "SU3 signature verification failed");
+				{
+					// calculate digest
+					uint8_t digest[64];
+					SHA512 (tbs, tbsLen, digest);
+					// encrypt signature
+					BN_CTX * bnctx = BN_CTX_new ();
+					BIGNUM * s = BN_new (), * n = BN_new ();
+					BN_bin2bn (signature, signatureLength, s);
+					BN_bin2bn (it->second, i2p::crypto::RSASHA5124096_KEY_LENGTH, n);
+					BN_mod_exp (s, s, i2p::crypto::GetRSAE (), n, bnctx); // s = s^e mod n 
+					uint8_t * enSigBuf = new uint8_t[signatureLength];
+					i2p::crypto::bn2buf (s, enSigBuf, signatureLength);
+					// digest is right aligned
+					// we can't use RSA_verify due wrong padding in SU3
+					if (memcmp (enSigBuf + (signatureLength - 64), digest, 64))
+						LogPrint (eLogWarning, "Reseed: SU3 signature verification failed");
+					delete[] enSigBuf;
+					BN_free (s); BN_free (n);
+					BN_CTX_free (bnctx);
+				}	
+					
 				delete[] signature;
 				delete[] tbs;
 				s.seekg (pos, std::ios::beg);
 			}
 			else
-				LogPrint (eLogWarning, "Signature type ", signatureType, " is not supported");
+				LogPrint (eLogWarning, "Reseed: Signature type ", signatureType, " is not supported");
 		}
 		else
-			LogPrint (eLogWarning, "Certificate for ", signerID, " not loaded");
+			LogPrint (eLogWarning, "Reseed: Certificate for ", signerID, " not loaded");
 		
 		// handle content
 		int numFiles = 0;
@@ -256,8 +199,9 @@ namespace data
 				compressionMethod = le16toh (compressionMethod);
 				s.seekg (4, std::ios::cur); // skip fields we don't care about
 				uint32_t compressedSize, uncompressedSize; 
-				uint8_t crc32[4];
-				s.read ((char *)crc32, 4);	
+				uint32_t crc_32;
+				s.read ((char *)&crc_32, 4);
+				crc_32 = le32toh (crc_32);
 				s.read ((char *)&compressedSize, 4);	
 				compressedSize = le32toh (compressedSize);	
 				s.read ((char *)&uncompressedSize, 4);
@@ -265,6 +209,11 @@ namespace data
 				uint16_t fileNameLength, extraFieldLength; 
 				s.read ((char *)&fileNameLength, 2);	
 				fileNameLength = le16toh (fileNameLength);
+				if ( fileNameLength > 255 ) {
+					// too big
+					LogPrint(eLogError, "Reseed: SU3 fileNameLength too large: ", fileNameLength);
+					return numFiles;
+				}
 				s.read ((char *)&extraFieldLength, 2);
 				extraFieldLength = le16toh (extraFieldLength);
 				char localFileName[255];
@@ -277,11 +226,11 @@ namespace data
 					size_t pos = s.tellg ();
 					if (!FindZipDataDescriptor (s))
 					{
-						LogPrint (eLogError, "SU3 archive data descriptor not found");
+						LogPrint (eLogError, "Reseed: SU3 archive data descriptor not found");
 						return numFiles;
-					}								
-	
-					s.read ((char *)crc32, 4);	
+					}									
+					s.read ((char *)&crc_32, 4);	
+					crc_32 = le32toh (crc_32);
 					s.read ((char *)&compressedSize, 4);	
 					compressedSize = le32toh (compressedSize) + 4; // ??? we must consider signature as part of compressed data
 					s.read ((char *)&uncompressedSize, 4);
@@ -291,10 +240,10 @@ namespace data
 					s.seekg (pos, std::ios::beg); // back to compressed data
 				}
 
-				LogPrint (eLogDebug, "Proccessing file ", localFileName, " ", compressedSize, " bytes");
+				LogPrint (eLogDebug, "Reseed: Proccessing file ", localFileName, " ", compressedSize, " bytes");
 				if (!compressedSize)
 				{
-					LogPrint (eLogWarning, "Unexpected size 0. Skipped");
+					LogPrint (eLogWarning, "Reseed: Unexpected size 0. Skipped");
 					continue;
 				}	
 				
@@ -302,25 +251,31 @@ namespace data
 				s.read ((char *)compressed, compressedSize);
 				if (compressionMethod) // we assume Deflate
 				{
-					CryptoPP::Inflator decompressor;
-					decompressor.Put (compressed, compressedSize);	
-					decompressor.MessageEnd();
-					if (decompressor.MaxRetrievable () <= uncompressedSize)
-					{
-						uint8_t * uncompressed = new uint8_t[uncompressedSize];	
-						decompressor.Get (uncompressed, uncompressedSize);	
-						if (CryptoPP::CRC32().VerifyDigest (crc32, uncompressed, uncompressedSize))
+					z_stream inflator;
+					memset (&inflator, 0, sizeof (inflator));
+					inflateInit2 (&inflator, -MAX_WBITS); // no zlib header
+					uint8_t * uncompressed = new uint8_t[uncompressedSize];
+					inflator.next_in = compressed;
+					inflator.avail_in = compressedSize;
+					inflator.next_out = uncompressed;
+					inflator.avail_out = uncompressedSize; 
+					int err;
+					if ((err = inflate (&inflator, Z_SYNC_FLUSH)) >= 0)
+					{	
+						uncompressedSize -= inflator.avail_out;
+						if (crc32 (0, uncompressed, uncompressedSize) == crc_32)
 						{
 							i2p::data::netdb.AddRouterInfo (uncompressed, uncompressedSize);
 							numFiles++;
-						}
+						}	
 						else
-							LogPrint (eLogError, "CRC32 verification failed");
-						delete[] uncompressed;
-					}
+							LogPrint (eLogError, "Reseed: CRC32 verification failed");
+					}	
 					else
-						LogPrint (eLogError, "Actual uncompressed size ", decompressor.MaxRetrievable (), " exceed ", uncompressedSize, " from header");
-				}	
+						LogPrint (eLogError, "Reseed: SU3 decompression error ", err);
+					delete[] uncompressed;      
+					inflateEnd (&inflator);
+				}
 				else // no compression
 				{
 					i2p::data::netdb.AddRouterInfo (compressed, compressedSize);
@@ -333,7 +288,7 @@ namespace data
 			else
 			{
 				if (signature != ZIP_CENTRAL_DIRECTORY_HEADER_SIGNATURE)
-					LogPrint (eLogWarning, "Missing zip central directory header");
+					LogPrint (eLogWarning, "Reseed: Missing zip central directory header");
 				break; // no more files
 			}
 			size_t end = s.tellg ();
@@ -363,462 +318,103 @@ namespace data
 		return false;
 	}
 
-	const char CERTIFICATE_HEADER[] = "-----BEGIN CERTIFICATE-----";
-	const char CERTIFICATE_FOOTER[] = "-----END CERTIFICATE-----";
 	void Reseeder::LoadCertificate (const std::string& filename)
 	{
-		std::ifstream s(filename, std::ifstream::binary);
-		if (s.is_open ())	
-		{
-			s.seekg (0, std::ios::end);
-			size_t len = s.tellg ();
-			s.seekg (0, std::ios::beg);
-			char buf[2048];
-			s.read (buf, len);
-			std::string cert (buf, len);
-			// assume file in pem format
-			auto pos1 = cert.find (CERTIFICATE_HEADER);	
-			auto pos2 = cert.find (CERTIFICATE_FOOTER);	
-			if (pos1 == std::string::npos || pos2 == std::string::npos)
-			{
-				LogPrint (eLogError, "Malformed certificate file");
-				return;
+		SSL_CTX * ctx = SSL_CTX_new (TLSv1_method ());
+		int ret = SSL_CTX_use_certificate_file (ctx, filename.c_str (), SSL_FILETYPE_PEM); 
+		if (ret)
+		{	
+			SSL * ssl = SSL_new (ctx);
+			X509 * cert = SSL_get_certificate (ssl);
+			// verify
+			if (cert)
+			{	
+				// extract issuer name
+				char name[100];
+				X509_NAME_oneline (X509_get_issuer_name(cert), name, 100);
+				// extract RSA key (we need n only, e = 65537)
+				RSA * key = X509_get_pubkey (cert)->pkey.rsa;
+				PublicKey value;
+				i2p::crypto::bn2buf (key->n, value, 512);
+				m_SigningKeys[name] = value;
 			}	
-			pos1 += strlen (CERTIFICATE_HEADER);
-			pos2 -= pos1;
-			std::string base64 = cert.substr (pos1, pos2);
-
-			CryptoPP::ByteQueue queue;
-			CryptoPP::Base64Decoder decoder; // regular base64 rather than I2P 
-			decoder.Attach (new CryptoPP::Redirector (queue));
-			decoder.Put ((const uint8_t *)base64.data(), base64.length());
-			decoder.MessageEnd ();
-			
-			LoadCertificate (queue);
-		}
+			SSL_free (ssl);			
+		}	
 		else
-			LogPrint (eLogError, "Can't open certificate file ", filename);
+			LogPrint (eLogError, "Reseed: Can't open certificate file ", filename);
+		SSL_CTX_free (ctx);		
 	}
 
-	std::string Reseeder::LoadCertificate (CryptoPP::ByteQueue& queue)
-	{
-		// extract X.509
-		CryptoPP::BERSequenceDecoder x509Cert (queue);
-		CryptoPP::BERSequenceDecoder tbsCert (x509Cert);
-		// version
-		uint32_t ver;
-		CryptoPP::BERGeneralDecoder context (tbsCert, CryptoPP::CONTEXT_SPECIFIC | CryptoPP::CONSTRUCTED);
-		CryptoPP::BERDecodeUnsigned<uint32_t>(context, ver, CryptoPP::INTEGER);
-		// serial
-		CryptoPP::Integer serial;
-   		serial.BERDecode(tbsCert);	
-		// signature
-		CryptoPP::BERSequenceDecoder signature (tbsCert);
-   		signature.SkipAll();
-		
-		// issuer
-		std::string name;
-		CryptoPP::BERSequenceDecoder issuer (tbsCert);
-		{
-			CryptoPP::BERSetDecoder c (issuer);	c.SkipAll();
-			CryptoPP::BERSetDecoder st (issuer); st.SkipAll();
-			CryptoPP::BERSetDecoder l (issuer); l.SkipAll();
-			CryptoPP::BERSetDecoder o (issuer); o.SkipAll();
-			CryptoPP::BERSetDecoder ou (issuer); ou.SkipAll();
-			CryptoPP::BERSetDecoder cn (issuer);
-			{		
-				CryptoPP::BERSequenceDecoder attributes (cn);
-				{			
-					CryptoPP::BERGeneralDecoder ident(attributes, CryptoPP::OBJECT_IDENTIFIER);
-					ident.SkipAll ();
-					CryptoPP::BERDecodeTextString (attributes, name, CryptoPP::UTF8_STRING);
-				}	
-			}	
-		}	
-   		issuer.SkipAll();
-		// validity
-		CryptoPP::BERSequenceDecoder validity (tbsCert);
-   		validity.SkipAll();
-		// subject
-		CryptoPP::BERSequenceDecoder subject (tbsCert);
-   		subject.SkipAll();
-		// public key
-		CryptoPP::BERSequenceDecoder publicKey (tbsCert);
-		{			
-			CryptoPP::BERSequenceDecoder ident (publicKey);
-			ident.SkipAll ();
-			CryptoPP::BERGeneralDecoder key (publicKey, CryptoPP::BIT_STRING);
-			key.Skip (1); // FIXME: probably bug in crypto++
-			CryptoPP::BERSequenceDecoder keyPair (key);
-			CryptoPP::Integer n;
-   			n.BERDecode (keyPair);
-			if (name.length () > 0) 
-			{	
-				PublicKey value;
-				n.Encode (value, 512);
-				m_SigningKeys[name] = value;
-			}		
-			else
-				LogPrint (eLogWarning, "Unknown issuer. Skipped");
-		}	
-   		publicKey.SkipAll();
-		
-		tbsCert.SkipAll();
-		x509Cert.SkipAll();
-		return name;
-	}	
-	
 	void Reseeder::LoadCertificates ()
 	{
-		boost::filesystem::path reseedDir = i2p::util::filesystem::GetCertificatesDir() / "reseed";
-		
-		if (!boost::filesystem::exists (reseedDir))
-		{
-			LogPrint (eLogWarning, "Reseed certificates not loaded. ", reseedDir, " doesn't exist");
+		std::string certDir = i2p::fs::DataDirPath("certificates", "reseed");
+		std::vector<std::string> files;
+		int numCertificates = 0;
+
+		if (!i2p::fs::ReadDir(certDir, files)) {
+			LogPrint(eLogWarning, "Reseed: Can't load reseed certificates from ", certDir);
 			return;
 		}
 
-		int numCertificates = 0;
-		boost::filesystem::directory_iterator end; // empty
-		for (boost::filesystem::directory_iterator it (reseedDir); it != end; ++it)
-		{
-			if (boost::filesystem::is_regular_file (it->status()) && it->path ().extension () == ".crt")
-			{	
-				LoadCertificate (it->path ().string ());
-				numCertificates++;
-			}	
+		for (const std::string & file : files) {
+			if (file.compare(file.size() - 4, 4, ".crt") != 0) {
+				LogPrint(eLogWarning, "Reseed: ignoring file ", file);
+				continue;
+			}
+			LoadCertificate (file);
+			numCertificates++;
 		}	
-		LogPrint (eLogInfo, numCertificates, " certificates loaded");
+		LogPrint (eLogInfo, "Reseed: ", numCertificates, " certificates loaded");
 	}	
 
 	std::string Reseeder::HttpsRequest (const std::string& address)
 	{
 		i2p::util::http::url u(address);
-		TlsSession session (u.host_, 443);
-		
-		// send request		
-		std::stringstream ss;
-		ss << "GET " << u.path_ << " HTTP/1.1\r\nHost: " << u.host_
-		<< "\r\nAccept: */*\r\n" << "User-Agent: Wget/1.11.4\r\n" << "Connection: close\r\n\r\n";	
-		session.Send ((uint8_t *)ss.str ().c_str (), ss.str ().length ());
+		if (u.port_ == 80) u.port_ = 443; 
 
-		// read response
-		std::stringstream rs;
-		while (session.Receive (rs))
-			;
-		return i2p::util::http::GetHttpContent (rs);
-	}	
-
-	TlsSession::TlsSession (const std::string& host, int port):
-		m_Seqn (0)
-	{
-		m_Site.connect(host, boost::lexical_cast<std::string>(port));
-		if (m_Site.good ())
+		boost::asio::io_service service;
+		boost::system::error_code ecode;
+    	auto it = boost::asio::ip::tcp::resolver(service).resolve (
+			 boost::asio::ip::tcp::resolver::query (u.host_, std::to_string (u.port_)), ecode);
+		if (!ecode)
 		{
-			Handshake ();
+			boost::asio::ssl::context ctx(service, boost::asio::ssl::context::sslv23);
+			ctx.set_verify_mode(boost::asio::ssl::context::verify_none);
+			boost::asio::ssl::stream<boost::asio::ip::tcp::socket> s(service, ctx);
+			s.lowest_layer().connect (*it, ecode);
+			if (!ecode)
+			{
+				s.handshake (boost::asio::ssl::stream_base::client, ecode);
+				if (!ecode)
+				{
+					LogPrint (eLogInfo, "Reseed: Connected to ", u.host_, ":", u.port_);
+					// send request		
+					std::stringstream ss;
+					ss << "GET " << u.path_ << " HTTP/1.1\r\nHost: " << u.host_
+					<< "\r\nAccept: */*\r\n" << "User-Agent: Wget/1.11.4\r\n" << "Connection: close\r\n\r\n";	
+					s.write_some (boost::asio::buffer (ss.str ()));
+					// read response
+					std::stringstream rs;
+					char response[1024]; size_t l = 0;
+					do
+					{
+						l = s.read_some (boost::asio::buffer (response, 1024), ecode);
+						if (l) rs.write (response, l);
+					}
+					while (!ecode && l);
+					// process response
+					return i2p::util::http::GetHttpContent (rs);
+				}
+				else
+					LogPrint (eLogError, "Reseed: SSL handshake failed: ", ecode.message ());
+			}
+			else
+				LogPrint (eLogError, "Reseed: Couldn't connect to ", u.host_, ": ", ecode.message ());
 		}
 		else
-			LogPrint (eLogError, "Can't connect to ", host, ":", port);
+			LogPrint (eLogError, "Reseed: Couldn't resolve address ", u.host_, ": ", ecode.message ());
+		return "";
 	}	
-	
-	void TlsSession::Handshake ()
-	{
-		static uint8_t clientHello[] = 
-		{
-			0x16, // handshake
-			0x03, 0x03, // version (TLS 1.2)
-			0x00, 0x2F, // length of handshake
-			// handshake
-			0x01, // handshake type (client hello)
-			0x00, 0x00, 0x2B, // length of handshake payload 
-			// client hello
-			0x03, 0x03, // highest version supported (TLS 1.2)
-			0x45, 0xFA, 0x01, 0x19, 0x74, 0x55, 0x18, 0x36, 
-			0x42, 0x05, 0xC1, 0xDD, 0x4A, 0x21, 0x80, 0x80, 
-			0xEC, 0x37, 0x11, 0x93, 0x16, 0xF4, 0x66, 0x00, 
-			0x12, 0x67, 0xAB, 0xBA, 0xFF, 0x29, 0x13, 0x9E, // 32 random bytes
-			0x00, // session id length
-			0x00, 0x02, // chiper suites length
-			0x00, 0x3D, // RSA_WITH_AES_256_CBC_SHA256
-			0x01, // compression methods length
-			0x00,  // no compression
-			0x00, 0x00 // extensions length
-		};	
-
-		static uint8_t changeCipherSpecs[] =
-		{
-			0x14, // change cipher specs
-			0x03, 0x03, // version (TLS 1.2)
-			0x00, 0x01, // length
-			0x01 // type
-		};
-
-		static uint8_t finished[] =
-		{
-			0x16, // handshake
-			0x03, 0x03, // version (TLS 1.2)
-			0x00, 0x50, // length of handshake (80 bytes)
-			// handshake (encrypted)
-			// unencrypted context
-			//  0x14 handshake type (finished)
-			// 0x00, 0x00, 0x0C  length of handshake payload 
-			// 12 bytes of verified data
-		};
-	
-		// send ClientHello
-		m_Site.write ((char *)clientHello, sizeof (clientHello));
-		m_FinishedHash.Update (clientHello + 5, sizeof (clientHello) - 5);
-		// read ServerHello
-		uint8_t type;
-		m_Site.read ((char *)&type, 1); 
-		uint16_t version;
-		m_Site.read ((char *)&version, 2); 
-		uint16_t length;
-		m_Site.read ((char *)&length, 2); 
-		length = be16toh (length);
-		char * serverHello = new char[length];
-		m_Site.read (serverHello, length);
-		m_FinishedHash.Update ((uint8_t *)serverHello, length);
-		uint8_t serverRandom[32];
-		if (serverHello[0] == 0x02) // handshake type server hello
-			memcpy (serverRandom, serverHello + 6, 32);
-		else
-			LogPrint (eLogError, "Unexpected handshake type ", (int)serverHello[0]);
-		delete[] serverHello;
-		// read Certificate
-		m_Site.read ((char *)&type, 1); 
-		m_Site.read ((char *)&version, 2); 
-		m_Site.read ((char *)&length, 2); 
-		length = be16toh (length);
-		char * certificate = new char[length];
-		m_Site.read (certificate, length);
-		m_FinishedHash.Update ((uint8_t *)certificate, length);
-		CryptoPP::RSA::PublicKey publicKey;
-		// 0 - handshake type
-		// 1 - 3 - handshake payload length
-		// 4 - 6 - length of array of certificates
-		// 7 - 9 - length of certificate
-		if (certificate[0] == 0x0B) // handshake type certificate
-			publicKey = ExtractPublicKey ((uint8_t *)certificate + 10, length - 10);
-		else
-			LogPrint (eLogError, "Unexpected handshake type ", (int)certificate[0]);
-		delete[] certificate;
-		// read ServerHelloDone
-		m_Site.read ((char *)&type, 1); 
-		m_Site.read ((char *)&version, 2); 
-		m_Site.read ((char *)&length, 2); 
-		length = be16toh (length);
-		char * serverHelloDone = new char[length];
-		m_Site.read (serverHelloDone, length);
-		m_FinishedHash.Update ((uint8_t *)serverHelloDone, length);
-		if (serverHelloDone[0] != 0x0E) // handshake type hello done
-			LogPrint (eLogError, "Unexpected handshake type ", (int)serverHelloDone[0]);
-		delete[] serverHelloDone;
-		// our turn now
-		// generate secret key
-		uint8_t secret[48]; 
-		secret[0] = 3; secret[1] = 3; // version
-		m_Rnd.GenerateBlock (secret + 2, 46); // 46 random bytes
-		// encrypt RSA
- 		CryptoPP::RSAES_PKCS1v15_Encryptor encryptor(publicKey);
-		size_t encryptedLen = encryptor.CiphertextLength (48); // number of bytes for encrypted 48 bytes, usually 256 (2048 bits key)
-		uint8_t * encrypted = new uint8_t[encryptedLen + 2]; // + 2 bytes for length
-		htobe16buf (encrypted, encryptedLen); // first two bytes means length 
-		encryptor.Encrypt (m_Rnd, secret, 48, encrypted + 2);
-		// send ClientKeyExchange
-		// 0x10 - handshake type "client key exchange"
-		SendHandshakeMsg (0x10, encrypted, encryptedLen + 2);
-		delete[] encrypted;
-		// send ChangeCipherSpecs
-		m_Site.write ((char *)changeCipherSpecs, sizeof (changeCipherSpecs));
-		// calculate master secret
-		uint8_t masterSecret[48], random[64];
-		memcpy (random, clientHello + 11, 32);
-		memcpy (random + 32, serverRandom, 32);
-		PRF (secret, "master secret", random, 64, 48, masterSecret);
-		// expand master secret			
-		uint8_t keys[128]; // clientMACKey(32), serverMACKey(32), clientKey(32), serverKey(32)
-		memcpy (random, serverRandom, 32);
-		memcpy (random + 32, clientHello + 11, 32);
-		PRF (masterSecret, "key expansion", random, 64, 128, keys); 
-		memcpy (m_MacKey, keys, 32);
-		m_Encryption.SetKey (keys + 64);
-		m_Decryption.SetKey (keys + 96);
-
-		// send finished
-		uint8_t finishedHashDigest[32], finishedPayload[40], encryptedPayload[80];
-		finishedPayload[0] = 0x14; // handshake type (finished)
-		finishedPayload[1] = 0; finishedPayload[2] = 0; finishedPayload[3] = 0x0C; // 12 bytes
-		m_FinishedHash.Final (finishedHashDigest);
-		PRF (masterSecret, "client finished", finishedHashDigest, 32, 12, finishedPayload + 4);
-		uint8_t mac[32];
-		CalculateMAC (0x16, finishedPayload, 16, mac);
-		Encrypt (finishedPayload, 16, mac, encryptedPayload);
-		m_Site.write ((char *)finished, sizeof (finished));
-		m_Site.write ((char *)encryptedPayload, 80);
-		// read ChangeCipherSpecs
-		uint8_t changeCipherSpecs1[6];
-		m_Site.read ((char *)changeCipherSpecs1, 6);
-		// read finished
-		m_Site.read ((char *)&type, 1); 
-		m_Site.read ((char *)&version, 2); 
-		m_Site.read ((char *)&length, 2); 
-		length = be16toh (length);
-		char * finished1 = new char[length];
-		m_Site.read (finished1, length);
-		delete[] finished1;
-	}
-
-	void TlsSession::SendHandshakeMsg (uint8_t handshakeType, uint8_t * data, size_t len)
-	{
-		uint8_t handshakeHeader[9];
-		handshakeHeader[0] = 0x16; // handshake
- 		handshakeHeader[1] = 0x03; handshakeHeader[2] = 0x03; // version is always TLS 1.2 (3,3) 
-		htobe16buf (handshakeHeader + 3, len + 4); // length of payload
-		//payload starts
-		handshakeHeader[5] = handshakeType; // handshake type
-		handshakeHeader[6] = 0; // highest byte of payload length is always zero
-		htobe16buf (handshakeHeader + 7, len); // length of data
-		m_Site.write ((char *)handshakeHeader, 9);
-		m_FinishedHash.Update (handshakeHeader + 5, 4); // only payload counts
-		m_Site.write ((char *)data, len);
-		m_FinishedHash.Update (data, len);
-	}
-
-	void TlsSession::PRF (const uint8_t * secret, const char * label, const uint8_t * random, size_t randomLen,
-		size_t len, uint8_t * buf)
-	{
-		// secret is assumed 48 bytes	
-		// random is not more than 64 bytes
- 		CryptoPP::HMAC<CryptoPP::SHA256> hmac (secret, 48);	
-		uint8_t seed[96]; size_t seedLen;
-		seedLen = strlen (label);	
-		memcpy (seed, label, seedLen);
-		memcpy (seed + seedLen, random, randomLen);
-		seedLen += randomLen;
-
-		size_t offset = 0;
-		uint8_t a[128];
-		hmac.CalculateDigest (a, seed, seedLen);
-		while (offset < len)
-		{
-			memcpy (a + 32, seed, seedLen);
-			hmac.CalculateDigest (buf + offset, a, seedLen + 32);
-			offset += 32;
-			hmac.CalculateDigest (a, a, 32);
-		}
-	}
-
-	size_t TlsSession::Encrypt (const uint8_t * in, size_t len, const uint8_t * mac, uint8_t * out)
-	{
-		size_t size = 0;
-		m_Rnd.GenerateBlock (out, 16); // iv
-		size += 16;
-		m_Encryption.SetIV (out);
-		memcpy (out + size, in, len);
-		size += len;
-		memcpy (out + size, mac, 32);
-		size += 32;	
-		uint8_t paddingSize = len + 1;
-		paddingSize &= 0x0F;  // %16
-		if (paddingSize > 0) paddingSize = 16 - paddingSize;
-		memset (out + size, paddingSize, paddingSize + 1); // paddind and last byte are equal to padding size
-		size += paddingSize + 1;
-		m_Encryption.Encrypt (out + 16, size - 16, out + 16);
-		return size;	
-	}
-
-	size_t TlsSession::Decrypt (uint8_t * buf, size_t len)
-	{
-		m_Decryption.SetIV (buf);
-		m_Decryption.Decrypt (buf + 16, len - 16, buf + 16);
-		return len - 48 - buf[len -1] - 1; // IV(16), mac(32) and padding
-	}
-
-	void TlsSession::CalculateMAC (uint8_t type, const uint8_t * buf, size_t len, uint8_t * mac)
-	{
-		uint8_t header[13]; // seqn (8) + type (1) + version (2) + length (2)
-		htobe64buf (header, m_Seqn);
-		header[8] = type; header[9] = 3; header[10] = 3; // 3,3 means TLS 1.2 
-		htobe16buf (header + 11, len);
-		CryptoPP::HMAC<CryptoPP::SHA256> hmac (m_MacKey, 32);	
-		hmac.Update (header, 13);
-		hmac.Update (buf, len);
-		hmac.Final (mac);	
-		m_Seqn++;
-	}
-
-	CryptoPP::RSA::PublicKey TlsSession::ExtractPublicKey (const uint8_t * certificate, size_t len)
-	{
-		CryptoPP::ByteQueue queue;
-		queue.Put (certificate, len);	
-		queue.MessageEnd ();
-		// extract X.509
-		CryptoPP::BERSequenceDecoder x509Cert (queue);
-		CryptoPP::BERSequenceDecoder tbsCert (x509Cert);
-		// version
-		uint32_t ver;
-		CryptoPP::BERGeneralDecoder context (tbsCert, CryptoPP::CONTEXT_SPECIFIC | CryptoPP::CONSTRUCTED);
-		CryptoPP::BERDecodeUnsigned<uint32_t>(context, ver, CryptoPP::INTEGER);
-		// serial
-		CryptoPP::Integer serial;
-   		serial.BERDecode(tbsCert);	
-		// signature
-		CryptoPP::BERSequenceDecoder signature (tbsCert);
-   		signature.SkipAll();
-		// issuer
-		CryptoPP::BERSequenceDecoder issuer (tbsCert);
-   		issuer.SkipAll();
-		// validity
-		CryptoPP::BERSequenceDecoder validity (tbsCert);
-   		validity.SkipAll();
-		// subject
-		CryptoPP::BERSequenceDecoder subject (tbsCert);
-   		subject.SkipAll();
-		// public key
-		CryptoPP::BERSequenceDecoder publicKey (tbsCert);			
-		CryptoPP::BERSequenceDecoder ident (publicKey);
-		ident.SkipAll ();
-		CryptoPP::BERGeneralDecoder key (publicKey, CryptoPP::BIT_STRING);
-		key.Skip (1); // FIXME: probably bug in crypto++
-		CryptoPP::BERSequenceDecoder keyPair (key);
-		CryptoPP::Integer n, e;
-		n.BERDecode (keyPair);
-		e.BERDecode (keyPair);
-
-		CryptoPP::RSA::PublicKey ret; 
-		ret.Initialize (n, e);
-		return ret;
-	}		
-
-	void TlsSession::Send (const uint8_t * buf, size_t len)
-	{
-		uint8_t * out = new uint8_t[len + 64 + 5]; // 64 = 32 mac + 16 iv + upto 16 padding, 5 = header
-		out[0] = 0x17; // application data
-		out[1] = 0x03; out[2] = 0x03; // version
-		uint8_t mac[32];
-		CalculateMAC (0x17, buf, len, mac);
-		size_t encryptedLen = Encrypt (buf, len, mac, out + 5);
-		htobe16buf (out + 3, encryptedLen);
-		m_Site.write ((char *)out, encryptedLen + 5);
-		delete[] out;
-	}
-
-	bool TlsSession::Receive (std::ostream& rs)
-	{
-		if (m_Site.eof ()) return false;
-		uint8_t type; uint16_t version, length;
-		m_Site.read ((char *)&type, 1); 
-		m_Site.read ((char *)&version, 2); 
-		m_Site.read ((char *)&length, 2); 
-		length = be16toh (length);
-		uint8_t * buf = new uint8_t[length];
-		m_Site.read ((char *)buf, length);
-		size_t decryptedLen = Decrypt (buf, length);
-		rs.write ((char *)buf + 16, decryptedLen);
-		delete[] buf;
-		return true;
-	}
 }
 }
 

Reseed.h

@@ -5,11 +5,8 @@
 #include <string>
 #include <vector>
 #include <map>
-#include <cryptopp/osrng.h>
-#include <cryptopp/rsa.h>
-#include <boost/asio.hpp>
 #include "Identity.h"
-#include "aes.h"
+#include "Crypto.h"
 
 namespace i2p
 {
@@ -24,7 +21,6 @@ namespace data
 		
 			Reseeder();
 			~Reseeder();
-			bool reseedNow(); // depreacted
 			int ReseedNowSU3 ();
 
 			void LoadCertificates ();
@@ -32,9 +28,8 @@ namespace data
 		private:
 
 			void LoadCertificate (const std::string& filename);
-			std::string LoadCertificate (CryptoPP::ByteQueue& queue); // returns issuer's name
-			
-			int ReseedFromSU3 (const std::string& host, bool https = false);
+						
+			int ReseedFromSU3 (const std::string& host);
 			int ProcessSU3File (const char * filename);	
 			int ProcessSU3Stream (std::istream& s);	
 
@@ -46,36 +41,6 @@ namespace data
 
 			std::map<std::string, PublicKey> m_SigningKeys;
 	};
-
-	class TlsSession
-	{
-		public:
-
-			TlsSession (const std::string& host, int port);
-			void Send (const uint8_t * buf, size_t len);
-			bool Receive (std::ostream& rs);
-
-		private:
-
-			void Handshake ();
-			void SendHandshakeMsg (uint8_t handshakeType, uint8_t * data, size_t len);
-			CryptoPP::RSA::PublicKey ExtractPublicKey (const uint8_t * certificate, size_t len);
-			void PRF (const uint8_t * secret, const char * label, const uint8_t * random, size_t randomLen,
-				size_t len, uint8_t * buf);
-			void CalculateMAC (uint8_t type, const uint8_t * buf, size_t len, uint8_t * mac);
-			size_t Encrypt (const uint8_t * in, size_t len, const uint8_t * mac, uint8_t * out);
-			size_t Decrypt (uint8_t * buf, size_t len); // pyaload is buf + 16		
-
-		private:
-
-			uint64_t m_Seqn;
-			boost::asio::ip::tcp::iostream m_Site;
-			CryptoPP::SHA256 m_FinishedHash;
-			CryptoPP::AutoSeededRandomPool m_Rnd;
-			i2p::crypto::CBCEncryption m_Encryption;
-			i2p::crypto::CBCDecryption m_Decryption; 
-			uint8_t m_MacKey[32]; // client	
-	};
 }
 }
 

RouterContext.cpp

@@ -1,14 +1,16 @@
 #include <fstream>
-#include <cryptopp/dh.h>
-#include <cryptopp/dsa.h>
 #include <boost/lexical_cast.hpp>
-#include "CryptoConst.h"
-#include "RouterContext.h"
+#include "Config.h"
+#include "Crypto.h"
 #include "Timestamp.h"
 #include "I2NPProtocol.h"
 #include "NetDb.h"
+#include "FS.h"
 #include "util.h"
 #include "version.h"
+#include "Log.h"
+#include "Family.h"
+#include "RouterContext.h"
 
 namespace i2p
 {
@@ -22,6 +24,7 @@ namespace i2p
 
 	void RouterContext::Init ()
 	{
+		srand (i2p::util::GetMillisecondsSinceEpoch () % 1000);
 		m_StartupTime = i2p::util::GetSecondsSinceEpoch ();
 		if (!Load ())
 			CreateNewRouter ();
@@ -30,7 +33,11 @@ namespace i2p
 
 	void RouterContext::CreateNewRouter ()
 	{
-		m_Keys = i2p::data::CreateRandomKeys ();
+#if defined(__x86_64__) || defined(__i386__) || defined(_MSC_VER)			
+		m_Keys = i2p::data::PrivateKeys::CreateRandomKeys (i2p::data::SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519);
+#else
+		m_Keys = i2p::data::PrivateKeys::CreateRandomKeys (i2p::data::SIGNING_KEY_TYPE_DSA_SHA1);
+#endif		
 		SaveKeys ();
 		NewRouterInfo ();
 	}
@@ -39,36 +46,57 @@ namespace i2p
 	{
 		i2p::data::RouterInfo routerInfo;
 		routerInfo.SetRouterIdentity (GetIdentity ());
-		int port = i2p::util::config::GetArg("-port", 0);
+		uint16_t port; i2p::config::GetOption("port", port);
 		if (!port)
-			port = m_Rnd.GenerateWord32 (9111, 30777); // I2P network ports range
-		routerInfo.AddSSUAddress (i2p::util::config::GetCharArg("-host", "127.0.0.1"), port, routerInfo.GetIdentHash ());
-		routerInfo.AddNTCPAddress (i2p::util::config::GetCharArg("-host", "127.0.0.1"), port);
+			port = rand () % (30777 - 9111) + 9111; // I2P network ports range
+		std::string host; i2p::config::GetOption("host", host);
+		if (i2p::config::IsDefault("host"))
+			host = "127.0.0.1"; // replace default address with safe value
+		routerInfo.AddSSUAddress  (host.c_str(), port, routerInfo.GetIdentHash ());
+		routerInfo.AddNTCPAddress (host.c_str(), port);
 		routerInfo.SetCaps (i2p::data::RouterInfo::eReachable | 
 			i2p::data::RouterInfo::eSSUTesting | i2p::data::RouterInfo::eSSUIntroducer); // LR, BC
-		routerInfo.SetProperty ("coreVersion", I2P_VERSION);
-		routerInfo.SetProperty ("netId", "2");
+		routerInfo.SetProperty ("netId", std::to_string (I2PD_NET_ID));
 		routerInfo.SetProperty ("router.version", I2P_VERSION);
-		routerInfo.SetProperty ("stat_uptime", "90m");
 		routerInfo.CreateBuffer (m_Keys);
+		m_RouterInfo.SetRouterIdentity (GetIdentity ());
 		m_RouterInfo.Update (routerInfo.GetBuffer (), routerInfo.GetBufferLen ());
 	}
 
 	void RouterContext::UpdateRouterInfo ()
 	{
 		m_RouterInfo.CreateBuffer (m_Keys);
-		m_RouterInfo.SaveToFile (i2p::util::filesystem::GetFullPath (ROUTER_INFO));
+		m_RouterInfo.SaveToFile (i2p::fs::DataDirPath (ROUTER_INFO));
 		m_LastUpdateTime = i2p::util::GetSecondsSinceEpoch ();
 	}	
 
+	void RouterContext::SetStatus (RouterStatus status) 
+	{ 
+		if (status != m_Status)
+		{	
+			m_Status = status;
+			switch (m_Status)
+			{	
+				case eRouterStatusOK:
+					SetReachable ();
+				break;
+				case eRouterStatusFirewalled:
+					SetUnreachable ();
+				break;	
+				default:
+					;
+			}
+		}	
+	}
+		
 	void RouterContext::UpdatePort (int port)
 	{
 		bool updated = false;
-		for (auto& address : m_RouterInfo.GetAddresses ())
+		for (auto address : m_RouterInfo.GetAddresses ())
 		{
-			if (address.port != port)
+			if (address->port != port)
 			{	
-				address.port = port;
+				address->port = port;
 				updated = true;
 			}	
 		}	
@@ -79,11 +107,11 @@ namespace i2p
 	void RouterContext::UpdateAddress (const boost::asio::ip::address& host)
 	{
 		bool updated = false;
-		for (auto& address : m_RouterInfo.GetAddresses ())
+		for (auto address : m_RouterInfo.GetAddresses ())
 		{
-			if (address.host != host && address.IsCompatible (host))
+			if (address->host != host && address->IsCompatible (host))
 			{	
-				address.host = host;
+				address->host = host;
 				updated = true;
 			}	
 		}	
@@ -92,16 +120,11 @@ namespace i2p
 			UpdateRouterInfo ();
 	}
 
-	bool RouterContext::AddIntroducer (const i2p::data::RouterInfo& routerInfo, uint32_t tag)
+	bool RouterContext::AddIntroducer (const i2p::data::RouterInfo::Introducer& introducer)
 	{
-		bool ret = false;
-		auto address = routerInfo.GetSSUAddress ();
-		if (address)
-		{	
-			ret = m_RouterInfo.AddIntroducer (address, tag);
-			if (ret)
-				UpdateRouterInfo ();
-		}	
+		bool ret = m_RouterInfo.AddIntroducer (introducer);
+		if (ret)
+			UpdateRouterInfo ();	
 		return ret;
 	}	
 
@@ -120,28 +143,69 @@ namespace i2p
 		{
 			m_RouterInfo.SetCaps (m_RouterInfo.GetCaps () & ~i2p::data::RouterInfo::eFloodfill);
 			// we don't publish number of routers and leaseset for non-floodfill
-			m_RouterInfo.DeleteProperty (ROUTER_INFO_PROPERTY_LEASESETS);
-			m_RouterInfo.DeleteProperty (ROUTER_INFO_PROPERTY_ROUTERS);
+			m_RouterInfo.DeleteProperty (i2p::data::ROUTER_INFO_PROPERTY_LEASESETS);
+			m_RouterInfo.DeleteProperty (i2p::data::ROUTER_INFO_PROPERTY_ROUTERS);
 		}
 		UpdateRouterInfo ();
 	}
 
-	void RouterContext::SetHighBandwidth ()
+	void RouterContext::SetFamily (const std::string& family)
 	{
-		if (!m_RouterInfo.IsHighBandwidth ())
+		std::string signature;
+		if (family.length () > 0)
+			signature = i2p::data::CreateFamilySignature (family, GetIdentHash ());
+		if (signature.length () > 0)
 		{
-			m_RouterInfo.SetCaps (m_RouterInfo.GetCaps () | i2p::data::RouterInfo::eHighBandwidth);
-			UpdateRouterInfo ();
+			m_RouterInfo.SetProperty (i2p::data::ROUTER_INFO_PROPERTY_FAMILY, family);
+			m_RouterInfo.SetProperty (i2p::data::ROUTER_INFO_PROPERTY_FAMILY_SIG, signature);
+		}	
+		else
+		{
+			m_RouterInfo.DeleteProperty (i2p::data::ROUTER_INFO_PROPERTY_FAMILY);
+			m_RouterInfo.DeleteProperty (i2p::data::ROUTER_INFO_PROPERTY_FAMILY_SIG);
+		}	
+	}	
+
+	void RouterContext::SetBandwidth (char L) {
+		uint16_t limit = 0;
+		enum { low, high, extra } type = high;
+		/* detect parameters */
+		switch (L) 
+		{
+			case i2p::data::CAPS_FLAG_LOW_BANDWIDTH1   : limit =   12; type = low;   break;
+			case i2p::data::CAPS_FLAG_LOW_BANDWIDTH2   : limit =   48; type = low;   break;
+			case i2p::data::CAPS_FLAG_HIGH_BANDWIDTH1  : limit =   64; type = high;  break;
+			case i2p::data::CAPS_FLAG_HIGH_BANDWIDTH2  : limit =  128; type = high;  break;
+			case i2p::data::CAPS_FLAG_HIGH_BANDWIDTH3  : limit =  256; type = high;  break;
+			case i2p::data::CAPS_FLAG_EXTRA_BANDWIDTH1 : limit = 2048; type = extra; break;
+			case i2p::data::CAPS_FLAG_EXTRA_BANDWIDTH2 : limit = 9999; type = extra; break;
+			default:
+				 limit =  48; type = low;
 		}
+		/* update caps & flags in RI */
+		auto caps = m_RouterInfo.GetCaps ();
+		caps &= ~i2p::data::RouterInfo::eHighBandwidth;
+		caps &= ~i2p::data::RouterInfo::eExtraBandwidth;
+		switch (type) 
+		{
+			case low   : /* not set */; break;
+			case high  : caps |= i2p::data::RouterInfo::eHighBandwidth;  break;
+			case extra : caps |= i2p::data::RouterInfo::eExtraBandwidth; break;
+		}
+		m_RouterInfo.SetCaps (caps);
+		UpdateRouterInfo ();
+		m_BandwidthLimit = limit;
 	}
 
-	void RouterContext::SetLowBandwidth ()
+	void RouterContext::SetBandwidth (int limit) 
 	{
-		if (m_RouterInfo.IsHighBandwidth ())
-		{
-			m_RouterInfo.SetCaps (m_RouterInfo.GetCaps () & ~i2p::data::RouterInfo::eHighBandwidth);
-			UpdateRouterInfo ();
-		}
+		if      (limit > 2000) { SetBandwidth('X'); }
+		else if (limit >  256) { SetBandwidth('P'); }
+		else if (limit >  128) { SetBandwidth('O'); }
+		else if (limit >   64) { SetBandwidth('N'); }
+		else if (limit >   48) { SetBandwidth('M'); }
+		else if (limit >   12) { SetBandwidth('L'); }
+		else                   { SetBandwidth('K'); }
 	}
 
 	bool RouterContext::IsUnreachable () const
@@ -157,15 +221,15 @@ namespace i2p
 		auto& addresses = m_RouterInfo.GetAddresses ();
 		for (size_t i = 0; i < addresses.size (); i++)
 		{
-			if (addresses[i].transportStyle == i2p::data::RouterInfo::eTransportNTCP)
+			if (addresses[i]->transportStyle == i2p::data::RouterInfo::eTransportNTCP)
 			{
 				addresses.erase (addresses.begin () + i);
 				break;
 			}
 		}	
 		// delete previous introducers
-		for (auto& addr : addresses)
-			addr.introducers.clear ();
+		for (auto addr : addresses)
+			addr->introducers.clear ();
 	
 		// update
 		UpdateRouterInfo ();
@@ -186,16 +250,16 @@ namespace i2p
 		auto& addresses = m_RouterInfo.GetAddresses ();
 		for (size_t i = 0; i < addresses.size (); i++)
 		{
-			if (addresses[i].transportStyle == i2p::data::RouterInfo::eTransportSSU)
+			if (addresses[i]->transportStyle == i2p::data::RouterInfo::eTransportSSU)
 			{
-				// insert NTCP address with host/port form SSU
-				m_RouterInfo.AddNTCPAddress (addresses[i].host.to_string ().c_str (), addresses[i].port);
+				// insert NTCP address with host/port from SSU
+				m_RouterInfo.AddNTCPAddress (addresses[i]->host.to_string ().c_str (), addresses[i]->port);
 				break;
 			}
 		}		
 		// delete previous introducers
-		for (auto& addr : addresses)
-			addr.introducers.clear ();
+		for (auto addr : addresses)
+			addr->introducers.clear ();
 		
 		// update
 		UpdateRouterInfo ();
@@ -208,26 +272,36 @@ namespace i2p
 		else
 			m_RouterInfo.DisableV6 ();
 		UpdateRouterInfo ();
-	}	
+	}
+  	
+	void RouterContext::SetSupportsV4 (bool supportsV4)
+	{
+		if (supportsV4)
+			m_RouterInfo.EnableV4 ();
+		else
+			m_RouterInfo.DisableV4 ();
+		UpdateRouterInfo ();
+	}
+  
 
 	void RouterContext::UpdateNTCPV6Address (const boost::asio::ip::address& host)
 	{
 		bool updated = false, found = false;	
 		int port = 0;
 		auto& addresses = m_RouterInfo.GetAddresses ();
-		for (auto& addr : addresses)
+		for (auto addr: addresses)
 		{
-			if (addr.host.is_v6 () && addr.transportStyle == i2p::data::RouterInfo::eTransportNTCP)
+			if (addr->host.is_v6 () && addr->transportStyle == i2p::data::RouterInfo::eTransportNTCP)
 			{
-				if (addr.host != host)
+				if (addr->host != host)
 				{
-					addr.host = host;
+					addr->host = host;
 					updated = true;
 				}
 				found = true;	
 			}	
 			else
-				port = addr.port;	
+				port = addr->port;	
 		}	
 		if (!found)
 		{
@@ -236,8 +310,11 @@ namespace i2p
 			auto mtu = i2p::util::net::GetMTU (host);
 			if (mtu)
 			{	
-				LogPrint ("Our v6 MTU=", mtu);
-				if (mtu > 1472) mtu = 1472; 
+				LogPrint (eLogDebug, "Router: Our v6 MTU=", mtu);
+				if (mtu > 1472) { // TODO: magic constant
+					mtu = 1472;
+					LogPrint(eLogWarning, "Router: MTU dropped to upper limit of 1472 bytes");
+				}
 			}	
 			m_RouterInfo.AddSSUAddress (host.to_string ().c_str (), port, GetIdentHash (), mtu ? mtu : 1472); // TODO
 			updated = true;
@@ -251,26 +328,44 @@ namespace i2p
 		if (m_IsFloodfill)
 		{
 			// update routers and leasesets
-			m_RouterInfo.SetProperty (ROUTER_INFO_PROPERTY_LEASESETS, boost::lexical_cast<std::string>(i2p::data::netdb.GetNumLeaseSets ()));
-			m_RouterInfo.SetProperty (ROUTER_INFO_PROPERTY_ROUTERS, boost::lexical_cast<std::string>(i2p::data::netdb.GetNumRouters ()));
+			m_RouterInfo.SetProperty (i2p::data::ROUTER_INFO_PROPERTY_LEASESETS, boost::lexical_cast<std::string>(i2p::data::netdb.GetNumLeaseSets ()));
+			m_RouterInfo.SetProperty (i2p::data::ROUTER_INFO_PROPERTY_ROUTERS, boost::lexical_cast<std::string>(i2p::data::netdb.GetNumRouters ()));
 			UpdateRouterInfo (); 
 		}
 	}
 		
 	bool RouterContext::Load ()
 	{
-		std::ifstream fk (i2p::util::filesystem::GetFullPath (ROUTER_KEYS).c_str (), std::ifstream::binary | std::ofstream::in);
+		std::ifstream fk (i2p::fs::DataDirPath (ROUTER_KEYS), std::ifstream::in | std::ifstream::binary);
 		if (!fk.is_open ())	return false;
-		
-		i2p::data::Keys keys;	
-		fk.read ((char *)&keys, sizeof (keys));
-		m_Keys = keys;
+		fk.seekg (0, std::ios::end);
+		size_t len = fk.tellg();
+		fk.seekg (0, std::ios::beg);		
 
-		i2p::data::RouterInfo routerInfo(i2p::util::filesystem::GetFullPath (ROUTER_INFO)); // TODO
+		if (len == sizeof (i2p::data::Keys)) // old keys file format
+		{
+			i2p::data::Keys keys;	
+			fk.read ((char *)&keys, sizeof (keys));
+			m_Keys = keys;
+		}
+		else // new keys file format
+		{
+			uint8_t * buf = new uint8_t[len];
+			fk.read ((char *)buf, len);
+			m_Keys.FromBuffer (buf, len);
+			delete[] buf;
+		}
+
+		i2p::data::RouterInfo routerInfo(i2p::fs::DataDirPath (ROUTER_INFO)); // TODO
+		m_RouterInfo.SetRouterIdentity (GetIdentity ());
 		m_RouterInfo.Update (routerInfo.GetBuffer (), routerInfo.GetBufferLen ());
 		m_RouterInfo.SetProperty ("coreVersion", I2P_VERSION);
 		m_RouterInfo.SetProperty ("router.version", I2P_VERSION);
 
+		// Migration to 0.9.24. TODO: remove later
+		m_RouterInfo.DeleteProperty ("coreVersion");
+		m_RouterInfo.DeleteProperty ("stat_uptime");
+		
 		if (IsUnreachable ())
 			SetReachable (); // we assume reachable until we discover firewall through peer tests
 		
@@ -279,21 +374,37 @@ namespace i2p
 
 	void RouterContext::SaveKeys ()
 	{	
-		std::ofstream fk (i2p::util::filesystem::GetFullPath (ROUTER_KEYS).c_str (), std::ofstream::binary | std::ofstream::out);
-		i2p::data::Keys keys;
-		memcpy (keys.privateKey, m_Keys.GetPrivateKey (), sizeof (keys.privateKey));
-		memcpy (keys.signingPrivateKey, m_Keys.GetSigningPrivateKey (), sizeof (keys.signingPrivateKey));
-		auto& ident = GetIdentity ().GetStandardIdentity ();	
-		memcpy (keys.publicKey, ident.publicKey, sizeof (keys.publicKey));
-		memcpy (keys.signingKey, ident.signingKey, sizeof (keys.signingKey));
-		fk.write ((char *)&keys, sizeof (keys));	
+		// save in the same format as .dat files
+		std::ofstream fk (i2p::fs::DataDirPath (ROUTER_KEYS), std::ofstream::binary | std::ofstream::out);
+		size_t len = m_Keys.GetFullLen ();
+		uint8_t * buf = new uint8_t[len];
+		m_Keys.ToBuffer (buf, len);
+		fk.write ((char *)buf, len);
+		delete[] buf;
 	}
 
+	std::shared_ptr<i2p::tunnel::TunnelPool> RouterContext::GetTunnelPool () const
+	{
+		return i2p::tunnel::tunnels.GetExploratoryPool (); 
+	}	
+		
 	void RouterContext::HandleI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from)
 	{
 		i2p::HandleI2NPMessage (CreateI2NPMessage (buf, GetI2NPMessageLength (buf), from));
 	}
 
+	void RouterContext::ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg)
+	{
+		std::unique_lock<std::mutex> l(m_GarlicMutex);
+		i2p::garlic::GarlicDestination::ProcessGarlicMessage (msg);
+	}	
+			
+	void RouterContext::ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg)
+	{
+		std::unique_lock<std::mutex> l(m_GarlicMutex);
+		i2p::garlic::GarlicDestination::ProcessDeliveryStatusMessage (msg);
+	}	
+		
 	uint32_t RouterContext::GetUptime () const
 	{
 		return i2p::util::GetSecondsSinceEpoch () - m_StartupTime;

RouterContext.h

@@ -4,9 +4,8 @@
 #include <inttypes.h>
 #include <string>
 #include <memory>
+#include <mutex>
 #include <boost/asio.hpp>
-#include <cryptopp/dsa.h>
-#include <cryptopp/osrng.h>
 #include "Identity.h"
 #include "RouterInfo.h"
 #include "Garlic.h"
@@ -16,9 +15,6 @@ namespace i2p
 	const char ROUTER_INFO[] = "router.info";
 	const char ROUTER_KEYS[] = "router.keys";	
 	const int ROUTER_INFO_UPDATE_INTERVAL = 1800; // 30 minutes
-	
-	const char ROUTER_INFO_PROPERTY_LEASESETS[] = "netdb.knownLeaseSets";
-	const char ROUTER_INFO_PROPERTY_ROUTERS[] = "netdb.knownRouters";		
 
 	enum RouterStatus
 	{
@@ -40,40 +36,55 @@ namespace i2p
 				return std::shared_ptr<const i2p::data::RouterInfo> (&m_RouterInfo, 
 					[](const i2p::data::RouterInfo *) {});
 			}
-			CryptoPP::RandomNumberGenerator& GetRandomNumberGenerator () { return m_Rnd; };	
+			std::shared_ptr<i2p::garlic::GarlicDestination> GetSharedDestination () 
+			{
+				return std::shared_ptr<i2p::garlic::GarlicDestination> (this, 
+					[](i2p::garlic::GarlicDestination *) {});
+			}
+
 			uint32_t GetUptime () const;
 			uint32_t GetStartupTime () const { return m_StartupTime; };
 			uint64_t GetLastUpdateTime () const { return m_LastUpdateTime; };
+			uint64_t GetBandwidthLimit () const { return m_BandwidthLimit; };
 			RouterStatus GetStatus () const { return m_Status; };
-			void SetStatus (RouterStatus status) { m_Status = status; };
+			void SetStatus (RouterStatus status);
 
 			void UpdatePort (int port); // called from Daemon
 			void UpdateAddress (const boost::asio::ip::address& host);	// called from SSU or Daemon
-			bool AddIntroducer (const i2p::data::RouterInfo& routerInfo, uint32_t tag);
+			bool AddIntroducer (const i2p::data::RouterInfo::Introducer& introducer);
 			void RemoveIntroducer (const boost::asio::ip::udp::endpoint& e);
 			bool IsUnreachable () const;
 			void SetUnreachable ();		
 			void SetReachable ();
 			bool IsFloodfill () const { return m_IsFloodfill; };	
 			void SetFloodfill (bool floodfill);	
-			void SetHighBandwidth ();
-			void SetLowBandwidth ();
+			void SetFamily (const std::string& family);
+			void SetBandwidth (int limit); /* in kilobytes */
+			void SetBandwidth (char L); /* by letter */
 			bool AcceptsTunnels () const { return m_AcceptsTunnels; };
 			void SetAcceptsTunnels (bool acceptsTunnels) { m_AcceptsTunnels = acceptsTunnels; };
 			bool SupportsV6 () const { return m_RouterInfo.IsV6 (); };
+			bool SupportsV4 () const { return m_RouterInfo.IsV4 (); };
 			void SetSupportsV6 (bool supportsV6);
+			void SetSupportsV4 (bool supportsV4);
+
 			void UpdateNTCPV6Address (const boost::asio::ip::address& host); // called from NTCP session		
 			void UpdateStats ();		
 
 			// implements LocalDestination
 			const i2p::data::PrivateKeys& GetPrivateKeys () const { return m_Keys; };
 			const uint8_t * GetEncryptionPrivateKey () const { return m_Keys.GetPrivateKey (); };
-			const uint8_t * GetEncryptionPublicKey () const { return GetIdentity ().GetStandardIdentity ().publicKey; };
+			const uint8_t * GetEncryptionPublicKey () const { return GetIdentity ()->GetStandardIdentity ().publicKey; };
 			void SetLeaseSetUpdated () {};
 
 			// implements GarlicDestination
-			const i2p::data::LeaseSet * GetLeaseSet () { return nullptr; };
+			std::shared_ptr<const i2p::data::LeaseSet> GetLeaseSet () { return nullptr; };
+			std::shared_ptr<i2p::tunnel::TunnelPool> GetTunnelPool () const;
 			void HandleI2NPMessage (const uint8_t * buf, size_t len, std::shared_ptr<i2p::tunnel::InboundTunnel> from);
+
+			// override GarlicDestination
+			void ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg);
+			void ProcessDeliveryStatusMessage (std::shared_ptr<I2NPMessage> msg);	
 			
 		private:
 
@@ -87,11 +98,12 @@ namespace i2p
 
 			i2p::data::RouterInfo m_RouterInfo;
 			i2p::data::PrivateKeys m_Keys; 
-			CryptoPP::AutoSeededRandomPool m_Rnd;
 			uint64_t m_LastUpdateTime;
 			bool m_AcceptsTunnels, m_IsFloodfill;
 			uint64_t m_StartupTime; // in seconds since epoch
+			uint32_t m_BandwidthLimit; // allowed bandwidth
 			RouterStatus m_Status;
+			std::mutex m_GarlicMutex;
 	};
 
 	extern RouterContext context;

RouterInfo.cpp

@@ -3,15 +3,13 @@
 #include "I2PEndian.h"
 #include <fstream>
 #include <boost/lexical_cast.hpp>
-#include <cryptopp/sha.h>
-#include <cryptopp/dsa.h>
-#include "CryptoConst.h"
-#include "base64.h"
+#include "version.h"
+#include "Crypto.h"
+#include "Base.h"
 #include "Timestamp.h"
 #include "Log.h"
+#include "NetDb.h"
 #include "RouterInfo.h"
-#include "RouterContext.h"
-
 
 namespace i2p
 {
@@ -36,26 +34,42 @@ namespace data
 
 	RouterInfo::~RouterInfo ()
 	{
-		delete m_Buffer;
+		delete[] m_Buffer;
 	}	
 		
 	void RouterInfo::Update (const uint8_t * buf, int len)
 	{
-		if (!m_Buffer)	
-			m_Buffer = new uint8_t[MAX_RI_BUFFER_SIZE];
-		m_IsUpdated = true;
-		m_IsUnreachable = false;
-		m_SupportedTransports = 0;
-		m_Caps = 0;
-		m_Addresses.clear ();
-		m_Properties.clear ();
-		memcpy (m_Buffer, buf, len);
-		m_BufferLen = len;
-		ReadFromBuffer (true);
-		// don't delete buffer until save to file
+		// verify signature since we have indentity already
+		int l = len - m_RouterIdentity->GetSignatureLen ();
+		if (m_RouterIdentity->Verify (buf, l, buf + l))
+		{
+			// clean up
+			m_IsUpdated = true;
+			m_IsUnreachable = false;
+			m_SupportedTransports = 0;
+			m_Caps = 0;
+			m_Addresses.clear ();
+			m_Properties.clear ();
+			// copy buffer
+			if (!m_Buffer)	
+				m_Buffer = new uint8_t[MAX_RI_BUFFER_SIZE];
+			memcpy (m_Buffer, buf, len);
+			m_BufferLen = len;
+			// skip identity
+			size_t identityLen = m_RouterIdentity->GetFullLen ();
+			// read new RI	
+			std::stringstream str (std::string ((char *)m_Buffer + identityLen, m_BufferLen - identityLen));
+			ReadFromStream (str);
+			// don't delete buffer until saved to the file
+		}
+		else
+		{	
+			LogPrint (eLogError, "RouterInfo: signature verification failed");
+			m_IsUnreachable = true;
+		}
 	}	
 		
-	void RouterInfo::SetRouterIdentity (const IdentityEx& identity)
+	void RouterInfo::SetRouterIdentity (std::shared_ptr<const IdentityEx> identity)
 	{	
 		m_RouterIdentity = identity;
 		m_Timestamp = i2p::util::GetMillisecondsSinceEpoch ();
@@ -63,14 +77,14 @@ namespace data
 	
 	bool RouterInfo::LoadFile ()
 	{
-		std::ifstream s(m_FullPath.c_str (), std::ifstream::binary);
+		std::ifstream s(m_FullPath, std::ifstream::binary);
 		if (s.is_open ())	
 		{	
 			s.seekg (0,std::ios::end);
 			m_BufferLen = s.tellg ();
-			if (m_BufferLen < 40)
+			if (m_BufferLen < 40 || m_BufferLen > MAX_RI_BUFFER_SIZE)
 			{
-				LogPrint(eLogError, "File", m_FullPath, " is malformed");
+				LogPrint(eLogError, "RouterInfo: File", m_FullPath, " is malformed");
 				return false;
 			}
 			s.seekg(0, std::ios::beg);
@@ -80,7 +94,7 @@ namespace data
 		}	
 		else
 		{
-			LogPrint (eLogError, "Can't open file ", m_FullPath);
+			LogPrint (eLogError, "RouterInfo: Can't open file ", m_FullPath);
 			return false;		
 		}
 		return true;
@@ -94,19 +108,32 @@ namespace data
 
 	void RouterInfo::ReadFromBuffer (bool verifySignature)
 	{
-		size_t identityLen = m_RouterIdentity.FromBuffer (m_Buffer, m_BufferLen);
+		m_RouterIdentity = std::make_shared<IdentityEx>(m_Buffer, m_BufferLen);
+		size_t identityLen = m_RouterIdentity->GetFullLen ();
+		if (identityLen >= m_BufferLen)
+		{
+			LogPrint (eLogError, "RouterInfo: identity length ", identityLen, " exceeds buffer size ", m_BufferLen);
+			m_IsUnreachable = true;
+			return;
+		}
 		std::stringstream str (std::string ((char *)m_Buffer + identityLen, m_BufferLen - identityLen));
 		ReadFromStream (str);
+		if (!str)
+		{
+			LogPrint (eLogError, "RouterInfo: malformed message");
+			m_IsUnreachable = true;
+			return;
+		}
 		if (verifySignature)
 		{	
 			// verify signature
-			int l = m_BufferLen - m_RouterIdentity.GetSignatureLen ();
-			if (!m_RouterIdentity.Verify ((uint8_t *)m_Buffer, l, (uint8_t *)m_Buffer + l))
+			int l = m_BufferLen - m_RouterIdentity->GetSignatureLen ();	
+			if (l < 0 || !m_RouterIdentity->Verify ((uint8_t *)m_Buffer, l, (uint8_t *)m_Buffer + l))
 			{	
-				LogPrint (eLogError, "signature verification failed");	
+				LogPrint (eLogError, "RouterInfo: signature verification failed");
 				m_IsUnreachable = true;
 			}
-			m_RouterIdentity.DropVerifier ();
+			m_RouterIdentity->DropVerifier ();
 		}	
 	}	
 	
@@ -116,10 +143,11 @@ namespace data
 		m_Timestamp = be64toh (m_Timestamp);
 		// read addresses
 		uint8_t numAddresses;
-		s.read ((char *)&numAddresses, sizeof (numAddresses));
+		s.read ((char *)&numAddresses, sizeof (numAddresses)); if (!s) return;	
 		bool introducers = false;
 		for (int i = 0; i < numAddresses; i++)
 		{
+			uint8_t supportedTransports = 0;
 			bool isValidAddress = true;
 			Address address;
 			s.read ((char *)&address.cost, sizeof (address.cost));
@@ -135,7 +163,7 @@ namespace data
 			address.port = 0;
 			address.mtu = 0;
 			uint16_t size, r = 0;
-			s.read ((char *)&size, sizeof (size));
+			s.read ((char *)&size, sizeof (size)); if (!s) return;
 			size = be16toh (size);
 			while (r < size)
 			{
@@ -152,23 +180,22 @@ namespace data
 					{	
 						if (address.transportStyle == eTransportNTCP)
 						{
-							m_SupportedTransports |= eNTCPV4; // TODO:
+							supportedTransports |= eNTCPV4; // TODO:
 							address.addressString = value;
 						}
 						else
 						{	
-							// TODO: resolve address for SSU
-							LogPrint (eLogWarning, "Unexpected SSU address ", value);
-							isValidAddress = false;
+							supportedTransports |= eSSUV4; // TODO:
+							address.addressString = value;
 						}	
 					}	
 					else
 					{
 						// add supported protocol
 						if (address.host.is_v4 ())
-							m_SupportedTransports |= (address.transportStyle == eTransportNTCP) ? eNTCPV4 : eSSUV4;	
+							supportedTransports |= (address.transportStyle == eTransportNTCP) ? eNTCPV4 : eSSUV4;	
 						else
-							m_SupportedTransports |= (address.transportStyle == eTransportNTCP) ? eNTCPV6 : eSSUV6;
+							supportedTransports |= (address.transportStyle == eTransportNTCP) ? eNTCPV6 : eSSUV6;
  					}	
 				}	
 				else if (!strcmp (key, "port"))
@@ -201,17 +228,21 @@ namespace data
 					else if (!strcmp (key, "ikey"))
 						Base64ToByteStream (value, strlen (value), introducer.iKey, 32);
 				}
+				if (!s) return;
 			}	
 			if (isValidAddress)
-				m_Addresses.push_back(address);
+			{
+				m_Addresses.push_back(std::make_shared<Address>(address));
+				m_SupportedTransports |= supportedTransports;
+			}
 		}	
 		// read peers
 		uint8_t numPeers;
-		s.read ((char *)&numPeers, sizeof (numPeers));
+		s.read ((char *)&numPeers, sizeof (numPeers)); if (!s) return;
 		s.seekg (numPeers*32, std::ios_base::cur); // TODO: read peers
 		// read properties
 		uint16_t size, r = 0;
-		s.read ((char *)&size, sizeof (size));
+		s.read ((char *)&size, sizeof (size)); if (!s) return;
 		size = be16toh (size);
 		while (r < size)
 		{
@@ -231,6 +262,28 @@ namespace data
 			// extract caps	
 			if (!strcmp (key, "caps"))
 				ExtractCaps (value);
+			// check netId
+			else if (!strcmp (key, ROUTER_INFO_PROPERTY_NETID) && atoi (value) != I2PD_NET_ID)
+			{
+				LogPrint (eLogError, "Unexpected ", ROUTER_INFO_PROPERTY_NETID, "=", value);
+				m_IsUnreachable = true;		
+			}	
+			// family
+			else if (!strcmp (key, ROUTER_INFO_PROPERTY_FAMILY))
+			{
+				m_Family = value;
+				boost::to_lower (m_Family);
+			}
+			else if (!strcmp (key, ROUTER_INFO_PROPERTY_FAMILY_SIG))
+			{
+				if (!netdb.GetFamilies ().VerifyFamily (m_Family, GetIdentHash (), value))
+				{
+					LogPrint (eLogWarning, "RouterInfo: family signature verification failed");
+					m_Family.clear ();
+				}
+			}				
+
+			if (!s) return;
 		}		
 
 		if (!m_SupportedTransports || !m_Addresses.size() || (UsesIntroducer () && !introducers))
@@ -252,6 +305,10 @@ namespace data
 				case CAPS_FLAG_HIGH_BANDWIDTH3:
 					m_Caps |= Caps::eHighBandwidth;
 				break;
+				case CAPS_FLAG_EXTRA_BANDWIDTH1:
+				case CAPS_FLAG_EXTRA_BANDWIDTH2:
+					m_Caps |= Caps::eExtraBandwidth;
+				break;	
 				case CAPS_FLAG_HIDDEN:
 					m_Caps |= Caps::eHidden;
 				break;	
@@ -276,13 +333,20 @@ namespace data
 	void RouterInfo::UpdateCapsProperty ()
 	{	
 		std::string caps;
-		if (m_Caps & eFloodfill) 
-		{
-			caps += CAPS_FLAG_HIGH_BANDWIDTH3; // highest bandwidth
+		if (m_Caps & eFloodfill) {
 			caps += CAPS_FLAG_FLOODFILL; // floodfill  
+			caps += (m_Caps & eExtraBandwidth)
+				? CAPS_FLAG_EXTRA_BANDWIDTH1 // 'P'
+				: CAPS_FLAG_HIGH_BANDWIDTH3; // 'O'
+		} else {
+			if (m_Caps & eExtraBandwidth) {
+				caps += CAPS_FLAG_EXTRA_BANDWIDTH1; // 'P'
+			} else if (m_Caps & eHighBandwidth) {
+				caps += CAPS_FLAG_HIGH_BANDWIDTH3; // 'O'
+			} else {
+				caps += CAPS_FLAG_LOW_BANDWIDTH2; // 'L'
+			}
 		}	
-		else
-			caps += (m_Caps & eHighBandwidth) ? CAPS_FLAG_HIGH_BANDWIDTH3 : CAPS_FLAG_LOW_BANDWIDTH2; // bandwidth		
 		if (m_Caps & eHidden) caps += CAPS_FLAG_HIDDEN; // hidden
 		if (m_Caps & eReachable) caps += CAPS_FLAG_REACHABLE; // reachable
 		if (m_Caps & eUnreachable) caps += CAPS_FLAG_UNREACHABLE; // unreachable
@@ -298,8 +362,9 @@ namespace data
 		// addresses
 		uint8_t numAddresses = m_Addresses.size ();
 		s.write ((char *)&numAddresses, sizeof (numAddresses));
-		for (auto& address : m_Addresses)
+		for (auto addr : m_Addresses)
 		{
+			Address& address = *addr;
 			s.write ((char *)&address.cost, sizeof (address.cost));
 			s.write ((char *)&address.date, sizeof (address.date));
 			std::stringstream properties;
@@ -414,12 +479,20 @@ namespace data
 		s.write (properties.str ().c_str (), properties.str ().size ());
 	}	
 
+	bool RouterInfo::IsNewer (const uint8_t * buf, size_t len) const
+	{
+		if (!m_RouterIdentity) return false;
+		size_t size = m_RouterIdentity->GetFullLen ();
+		if (size + 8 > len) return false;
+		return bufbe64toh (buf + size) > m_Timestamp; 
+	}
+
 	const uint8_t * RouterInfo::LoadBuffer ()
 	{
 		if (!m_Buffer)
 		{
 			if (LoadFile ())
-				LogPrint ("Buffer for ", GetIdentHashAbbreviation (), " loaded from file");
+				LogPrint (eLogDebug, "RouterInfo: Buffer for ", GetIdentHashAbbreviation (GetIdentHash ()), " loaded from file");
 		} 
 		return m_Buffer; 
 	}
@@ -429,7 +502,7 @@ namespace data
 		m_Timestamp = i2p::util::GetMillisecondsSinceEpoch (); // refresh timstamp
 		std::stringstream s;
 		uint8_t ident[1024];
-		auto identLen = privateKeys.GetPublic ().ToBuffer (ident, 1024);
+		auto identLen = privateKeys.GetPublic ()->ToBuffer (ident, 1024);
 		s.write ((char *)ident, identLen);			
 		WriteToStream (s);
 		m_BufferLen = s.str ().size ();
@@ -438,7 +511,7 @@ namespace data
 		memcpy (m_Buffer, s.str ().c_str (), m_BufferLen);
 		// signature
 		privateKeys.Sign ((uint8_t *)m_Buffer, m_BufferLen, (uint8_t *)m_Buffer + m_BufferLen);
-		m_BufferLen += privateKeys.GetPublic ().GetSignatureLen ();
+		m_BufferLen += privateKeys.GetPublic ()->GetSignatureLen ();
 	}	
 
 	void RouterInfo::SaveToFile (const std::string& fullPath)
@@ -447,10 +520,13 @@ namespace data
 		if (m_Buffer)
 		{	
 			std::ofstream f (fullPath, std::ofstream::binary | std::ofstream::out);
-			f.write ((char *)m_Buffer, m_BufferLen);
-		}	
+			if (f.is_open ())
+				f.write ((char *)m_Buffer, m_BufferLen);
+			else
+				LogPrint(eLogError, "RouterInfo: Can't save to ", fullPath);
+		}
 		else
-			LogPrint (eLogError, "Can't save to file");
+			LogPrint (eLogError, "RouterInfo: Can't save, m_Buffer == NULL");
 	}
 	
 	size_t RouterInfo::ReadString (char * str, std::istream& s)
@@ -471,47 +547,46 @@ namespace data
 
 	void RouterInfo::AddNTCPAddress (const char * host, int port)
 	{
-		Address addr;
-		addr.host = boost::asio::ip::address::from_string (host);
-		addr.port = port;
-		addr.transportStyle = eTransportNTCP;
-		addr.cost = 2;
-		addr.date = 0;
-		addr.mtu = 0;
+		auto addr = std::make_shared<Address>();
+		addr->host = boost::asio::ip::address::from_string (host);
+		addr->port = port;
+		addr->transportStyle = eTransportNTCP;
+		addr->cost = 2;
+		addr->date = 0;
+		addr->mtu = 0;
+		for (auto it: m_Addresses) // don't insert same address twice
+			if (*it == *addr) return;
 		m_Addresses.push_back(addr);	
-		m_SupportedTransports |= addr.host.is_v6 () ? eNTCPV6 : eNTCPV4;
+		m_SupportedTransports |= addr->host.is_v6 () ? eNTCPV6 : eNTCPV4;
 	}	
 
 	void RouterInfo::AddSSUAddress (const char * host, int port, const uint8_t * key, int mtu)
 	{
-		Address addr;
-		addr.host = boost::asio::ip::address::from_string (host);
-		addr.port = port;
-		addr.transportStyle = eTransportSSU;
-		addr.cost = 10; // NTCP should have priority over SSU
-		addr.date = 0;
-		addr.mtu = mtu; 
-		memcpy (addr.key, key, 32);
+		auto addr = std::make_shared<Address>();
+		addr->host = boost::asio::ip::address::from_string (host);
+		addr->port = port;
+		addr->transportStyle = eTransportSSU;
+		addr->cost = 10; // NTCP should have priority over SSU
+		addr->date = 0;
+		addr->mtu = mtu; 
+		memcpy (addr->key, key, 32);
+		for (auto it: m_Addresses) // don't insert same address twice
+			if (*it == *addr) return;
 		m_Addresses.push_back(addr);	
-		m_SupportedTransports |= addr.host.is_v6 () ? eNTCPV6 : eSSUV4;
+		m_SupportedTransports |= addr->host.is_v6 () ? eSSUV6 : eSSUV4;
 		m_Caps |= eSSUTesting; 
 		m_Caps |= eSSUIntroducer; 
 	}	
 
-	bool RouterInfo::AddIntroducer (const Address * address, uint32_t tag)
+	bool RouterInfo::AddIntroducer (const Introducer& introducer)
 	{
-		for (auto& addr : m_Addresses)
+		for (auto addr : m_Addresses)
 		{
-			if (addr.transportStyle == eTransportSSU && addr.host.is_v4 ())
+			if (addr->transportStyle == eTransportSSU && addr->host.is_v4 ())
 			{	
-				for (auto intro: addr.introducers)
-					if (intro.iTag == tag) return false; // already presented
-				Introducer x;
-				x.iHost = address->host;
-				x.iPort = address->port;
-				x.iTag = tag;
-				memcpy (x.iKey, address->key, 32); // TODO: replace to Tag<32>
-				addr.introducers.push_back (x);
+				for (auto intro: addr->introducers)
+					if (intro.iTag == introducer.iTag) return false; // already presented
+				addr->introducers.push_back (introducer);
 				return true;
 			}	
 		}	
@@ -520,14 +595,14 @@ namespace data
 
 	bool RouterInfo::RemoveIntroducer (const boost::asio::ip::udp::endpoint& e)
 	{		
-		for (auto& addr : m_Addresses)
+		for (auto addr: m_Addresses)
 		{
-			if (addr.transportStyle == eTransportSSU && addr.host.is_v4 ())
+			if (addr->transportStyle == eTransportSSU && addr->host.is_v4 ())
 			{	
-				for (std::vector<Introducer>::iterator it = addr.introducers.begin (); it != addr.introducers.end (); it++)
+				for (std::vector<Introducer>::iterator it = addr->introducers.begin (); it != addr->introducers.end (); it++)
 					if ( boost::asio::ip::udp::endpoint (it->iHost, it->iPort) == e) 
 					{
-						addr.introducers.erase (it);
+						addr->introducers.erase (it);
 						return true;
 					}	
 			}	
@@ -558,11 +633,6 @@ namespace data
 		m_Properties.erase (key);
 	}
 
-	bool RouterInfo::IsFloodfill () const
-	{
-		return m_Caps & Caps::eFloodfill;
-	}	
-
 	bool RouterInfo::IsNTCP (bool v4only) const
 	{
 		if (v4only)
@@ -584,12 +654,24 @@ namespace data
 		return m_SupportedTransports & (eNTCPV6 | eSSUV6);
 	}
 
+	bool RouterInfo::IsV4 () const
+	{
+		return m_SupportedTransports & (eNTCPV4 | eSSUV4);
+	}
+	
 	void RouterInfo::EnableV6 ()
 	{
 		if (!IsV6 ())
 			m_SupportedTransports |= eNTCPV6 | eSSUV6;
 	}
-		
+
+  void RouterInfo::EnableV4 ()
+	{
+		if (!IsV4 ())
+			m_SupportedTransports |= eNTCPV4 | eSSUV4;
+	}
+	
+  
 	void RouterInfo::DisableV6 ()
 	{		
 		if (IsV6 ())
@@ -598,8 +680,8 @@ namespace data
 			m_SupportedTransports &= ~eNTCPV6; 
 			for (size_t i = 0; i < m_Addresses.size (); i++)
 			{
-				if (m_Addresses[i].transportStyle == i2p::data::RouterInfo::eTransportNTCP &&
-					m_Addresses[i].host.is_v6 ())
+				if (m_Addresses[i]->transportStyle == i2p::data::RouterInfo::eTransportNTCP &&
+					m_Addresses[i]->host.is_v6 ())
 				{
 					m_Addresses.erase (m_Addresses.begin () + i);
 					break;
@@ -610,8 +692,8 @@ namespace data
 			m_SupportedTransports &= ~eSSUV6; 
 			for (size_t i = 0; i < m_Addresses.size (); i++)
 			{
-				if (m_Addresses[i].transportStyle == i2p::data::RouterInfo::eTransportSSU &&
-					m_Addresses[i].host.is_v6 ())
+				if (m_Addresses[i]->transportStyle == i2p::data::RouterInfo::eTransportSSU &&
+					m_Addresses[i]->host.is_v6 ())
 				{
 					m_Addresses.erase (m_Addresses.begin () + i);
 					break;
@@ -619,35 +701,66 @@ namespace data
 			}	
 		}	
 	}
-		
+
+  void RouterInfo::DisableV4 ()
+	{		
+		if (IsV4 ())
+		{	
+			// NTCP
+			m_SupportedTransports &= ~eNTCPV4; 
+			for (size_t i = 0; i < m_Addresses.size (); i++)
+			{
+				if (m_Addresses[i]->transportStyle == i2p::data::RouterInfo::eTransportNTCP &&
+					m_Addresses[i]->host.is_v4 ())
+				{
+					m_Addresses.erase (m_Addresses.begin () + i);
+					break;
+				}
+			}	
+			
+			// SSU
+			m_SupportedTransports &= ~eSSUV4; 
+			for (size_t i = 0; i < m_Addresses.size (); i++)
+			{
+				if (m_Addresses[i]->transportStyle == i2p::data::RouterInfo::eTransportSSU &&
+					m_Addresses[i]->host.is_v4 ())
+				{
+					m_Addresses.erase (m_Addresses.begin () + i);
+					break;
+				}
+			}	
+		}	
+	}
+	
+  
 	bool RouterInfo::UsesIntroducer () const
 	{
 		return m_Caps & Caps::eUnreachable; // non-reachable
 	}		
 		
-	const RouterInfo::Address * RouterInfo::GetNTCPAddress (bool v4only) const
+	std::shared_ptr<const RouterInfo::Address> RouterInfo::GetNTCPAddress (bool v4only) const
 	{
 		return GetAddress (eTransportNTCP, v4only);
 	}	
 
-	const RouterInfo::Address * RouterInfo::GetSSUAddress (bool v4only) const 
+	std::shared_ptr<const RouterInfo::Address> RouterInfo::GetSSUAddress (bool v4only) const 
 	{
 		return GetAddress (eTransportSSU, v4only);
 	}	
 
-	const RouterInfo::Address * RouterInfo::GetSSUV6Address () const 
+	std::shared_ptr<const RouterInfo::Address> RouterInfo::GetSSUV6Address () const 
 	{
 		return GetAddress (eTransportSSU, false, true);
 	}	
 		
-	const RouterInfo::Address * RouterInfo::GetAddress (TransportStyle s, bool v4only, bool v6only) const
+	std::shared_ptr<const RouterInfo::Address> RouterInfo::GetAddress (TransportStyle s, bool v4only, bool v6only) const
 	{
-		for (auto& address : m_Addresses)
+		for (auto address : m_Addresses)
 		{
-			if (address.transportStyle == s)
+			if (address->transportStyle == s)
 			{	
-				if ((!v4only || address.host.is_v4 ()) && (!v6only || address.host.is_v6 ()))
-					return &address;
+				if ((!v4only || address->host.is_v4 ()) && (!v6only || address->host.is_v6 ()))
+					return address;
 			}	
 		}	
 		return nullptr;

RouterInfo.h

@@ -14,16 +14,25 @@ namespace i2p
 {
 namespace data
 {
+	const char ROUTER_INFO_PROPERTY_LEASESETS[] = "netdb.knownLeaseSets";
+	const char ROUTER_INFO_PROPERTY_ROUTERS[] = "netdb.knownRouters";	
+	const char ROUTER_INFO_PROPERTY_NETID[] = "netId";
+	const char ROUTER_INFO_PROPERTY_FAMILY[] = "family";	
+	const char ROUTER_INFO_PROPERTY_FAMILY_SIG[] = "family.sig";
+	
 	const char CAPS_FLAG_FLOODFILL = 'f';
 	const char CAPS_FLAG_HIDDEN = 'H';
 	const char CAPS_FLAG_REACHABLE = 'R';
 	const char CAPS_FLAG_UNREACHABLE = 'U';	
-	const char CAPS_FLAG_LOW_BANDWIDTH1 = 'K';		
-	const char CAPS_FLAG_LOW_BANDWIDTH2 = 'L';	
-	const char CAPS_FLAG_HIGH_BANDWIDTH1 = 'M';	
-	const char CAPS_FLAG_HIGH_BANDWIDTH2 = 'N';
-	const char CAPS_FLAG_HIGH_BANDWIDTH3 = 'O';
-
+	/* bandwidth flags */
+	const char CAPS_FLAG_LOW_BANDWIDTH1   = 'K'; /*   < 12 KBps */
+	const char CAPS_FLAG_LOW_BANDWIDTH2   = 'L'; /*  12-48 KBps */
+	const char CAPS_FLAG_HIGH_BANDWIDTH1  = 'M'; /*  48-64 KBps */
+	const char CAPS_FLAG_HIGH_BANDWIDTH2  = 'N'; /*  64-128 KBps */
+	const char CAPS_FLAG_HIGH_BANDWIDTH3  = 'O'; /* 128-256 KBps */
+	const char CAPS_FLAG_EXTRA_BANDWIDTH1 = 'P'; /* 256-2000 KBps */
+	const char CAPS_FLAG_EXTRA_BANDWIDTH2 = 'X'; /*   > 2000 KBps */
+	
 	const char CAPS_FLAG_SSU_TESTING = 'B';
 	const char CAPS_FLAG_SSU_INTRODUCER = 'C';
 
@@ -44,11 +53,12 @@ namespace data
 			{
 				eFloodfill = 0x01,
 				eHighBandwidth = 0x02,
-				eReachable = 0x04,
-				eSSUTesting = 0x08,
-				eSSUIntroducer = 0x10,
-				eHidden = 0x20,
-				eUnreachable = 0x40
+				eExtraBandwidth = 0x04,
+				eReachable = 0x08,
+				eSSUTesting = 0x10,
+				eSSUIntroducer = 0x20,
+				eHidden = 0x40,
+				eUnreachable = 0x80
 			};
 
 			enum TransportStyle
@@ -58,11 +68,12 @@ namespace data
 				eTransportSSU
 			};
 
+			typedef Tag<32> IntroKey; // should be castable to MacKey and AESKey
 			struct Introducer			
 			{
 				boost::asio::ip::address iHost;
 				int iPort;
-				Tag<32> iKey;
+				IntroKey iKey;
 				uint32_t iTag;
 			};
 
@@ -75,7 +86,7 @@ namespace data
 				uint64_t date;
 				uint8_t cost;
 				// SSU only
-				Tag<32> key; // intro key for SSU
+				IntroKey key; // intro key for SSU
 				std::vector<Introducer> introducers;
 
 				bool IsCompatible (const boost::asio::ip::address& other) const 
@@ -83,6 +94,16 @@ namespace data
 					return (host.is_v4 () && other.is_v4 ()) ||
 						(host.is_v6 () && other.is_v6 ());
 				}	
+
+				bool operator==(const Address& other) const
+				{
+					return transportStyle == other.transportStyle && host == other.host && port == other.port;
+				}	
+
+				bool operator!=(const Address& other) const
+				{
+					return !(*this == other);
+				}	
 			};
 			
 			RouterInfo (const std::string& fullPath);
@@ -92,36 +113,40 @@ namespace data
 			RouterInfo (const uint8_t * buf, int len);
 			~RouterInfo ();
 			
-			const IdentityEx& GetRouterIdentity () const { return m_RouterIdentity; };
-			void SetRouterIdentity (const IdentityEx& identity);
+			std::shared_ptr<const IdentityEx> GetRouterIdentity () const { return m_RouterIdentity; };
+			void SetRouterIdentity (std::shared_ptr<const IdentityEx> identity);
 			std::string GetIdentHashBase64 () const { return GetIdentHash ().ToBase64 (); };
-			std::string GetIdentHashAbbreviation () const { return GetIdentHash ().ToBase64 ().substr (0, 4); };
 			uint64_t GetTimestamp () const { return m_Timestamp; };
-			std::vector<Address>& GetAddresses () { return m_Addresses; };
-			const Address * GetNTCPAddress (bool v4only = true) const;
-			const Address * GetSSUAddress (bool v4only = true) const;
-			const Address * GetSSUV6Address () const;
+			std::vector<std::shared_ptr<Address> >& GetAddresses () { return m_Addresses; };
+			std::shared_ptr<const Address> GetNTCPAddress (bool v4only = true) const;
+			std::shared_ptr<const Address> GetSSUAddress (bool v4only = true) const;
+			std::shared_ptr<const Address> GetSSUV6Address () const;
 			
 			void AddNTCPAddress (const char * host, int port);
 			void AddSSUAddress (const char * host, int port, const uint8_t * key, int mtu = 0);
-			bool AddIntroducer (const Address * address, uint32_t tag);
+			bool AddIntroducer (const Introducer& introducer);
 			bool RemoveIntroducer (const boost::asio::ip::udp::endpoint& e);
 			void SetProperty (const std::string& key, const std::string& value); // called from RouterContext only
 			void DeleteProperty (const std::string& key); // called from RouterContext only
 			void ClearProperties () { m_Properties.clear (); };
-			bool IsFloodfill () const;
+			bool IsFloodfill () const { return m_Caps & Caps::eFloodfill; };
+			bool IsReachable () const { return m_Caps & Caps::eReachable; };
 			bool IsNTCP (bool v4only = true) const;
 			bool IsSSU (bool v4only = true) const;
 			bool IsV6 () const;
+			bool IsV4 () const;
 			void EnableV6 ();
 			void DisableV6 ();
+			void EnableV4 ();
+			void DisableV4 ();
 			bool IsCompatible (const RouterInfo& other) const { return m_SupportedTransports & other.m_SupportedTransports; };
 			bool UsesIntroducer () const;
 			bool IsIntroducer () const { return m_Caps & eSSUIntroducer; };
 			bool IsPeerTesting () const { return m_Caps & eSSUTesting; };
 			bool IsHidden () const { return m_Caps & eHidden; };
 			bool IsHighBandwidth () const { return m_Caps & RouterInfo::eHighBandwidth; };
-
+			bool IsExtraBandwidth () const { return m_Caps & RouterInfo::eExtraBandwidth; };	
+			
 			uint8_t GetCaps () const { return m_Caps; };	
 			void SetCaps (uint8_t caps);
 			void SetCaps (const char * caps);
@@ -142,14 +167,14 @@ namespace data
 			void SaveProfile () { if (m_Profile) m_Profile->Save (); };
 			
 			void Update (const uint8_t * buf, int len);
-			void DeleteBuffer () { delete m_Buffer; m_Buffer = nullptr; };
-			
+			void DeleteBuffer () { delete[] m_Buffer; m_Buffer = nullptr; };
+			bool IsNewer (const uint8_t * buf, size_t len) const;			
+
 			// implements RoutingDestination
-			const IdentHash& GetIdentHash () const { return m_RouterIdentity.GetIdentHash (); };
-			const uint8_t * GetEncryptionPublicKey () const { return m_RouterIdentity.GetStandardIdentity ().publicKey; };
+			const IdentHash& GetIdentHash () const { return m_RouterIdentity->GetIdentHash (); };
+			const uint8_t * GetEncryptionPublicKey () const { return m_RouterIdentity->GetStandardIdentity ().publicKey; };
 			bool IsDestination () const { return false; };
 
-			
 		private:
 
 			bool LoadFile ();
@@ -160,17 +185,17 @@ namespace data
 			size_t ReadString (char * str, std::istream& s);
 			void WriteString (const std::string& str, std::ostream& s);
 			void ExtractCaps (const char * value);
-			const Address * GetAddress (TransportStyle s, bool v4only, bool v6only = false) const;
+			std::shared_ptr<const Address> GetAddress (TransportStyle s, bool v4only, bool v6only = false) const;
 			void UpdateCapsProperty ();			
 
 		private:
 
-			std::string m_FullPath;
-			IdentityEx m_RouterIdentity;
+			std::string m_FullPath, m_Family;
+			std::shared_ptr<const IdentityEx> m_RouterIdentity;
 			uint8_t * m_Buffer;
-			int m_BufferLen;
+			size_t m_BufferLen;
 			uint64_t m_Timestamp;
-			std::vector<Address> m_Addresses;
+			std::vector<std::shared_ptr<Address> > m_Addresses;
 			std::map<std::string, std::string> m_Properties;
 			bool m_IsUpdated, m_IsUnreachable;
 			uint8_t m_SupportedTransports, m_Caps;

SAM.cpp

@@ -4,7 +4,7 @@
 #include <stdlib.h>
 #endif
 #include <boost/lexical_cast.hpp>
-#include "base64.h"
+#include "Base.h"
 #include "Identity.h"
 #include "Log.h"
 #include "Destination.h"
@@ -78,14 +78,17 @@ namespace client
 	{
 		if (ecode)
         {
-			LogPrint ("SAM handshake read error: ", ecode.message ());
+			LogPrint (eLogError, "SAM: handshake read error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
 		else
 		{	
 			m_Buffer[bytes_transferred] = 0;
-			LogPrint ("SAM handshake ", m_Buffer);
+			char * eol = (char *)memchr (m_Buffer, '\n', bytes_transferred);
+			if (eol)
+				*eol = 0;
+			LogPrint (eLogDebug, "SAM: handshake ", m_Buffer);
 			char * separator = strchr (m_Buffer, ' ');
 			if (separator)
 			{
@@ -124,7 +127,7 @@ namespace client
 			}
 			else
 			{
-				LogPrint ("SAM handshake mismatch");
+				LogPrint (eLogError, "SAM: handshake mismatch");
 				Terminate ();
 			}
 		}
@@ -134,7 +137,7 @@ namespace client
 	{
 		if (ecode)
         {
-			LogPrint ("SAM handshake reply send error: ", ecode.message ());
+			LogPrint (eLogError, "SAM: handshake reply send error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
@@ -165,7 +168,7 @@ namespace client
 	{
 		if (ecode)
         {
-			LogPrint ("SAM reply send error: ", ecode.message ());
+			LogPrint (eLogError, "SAM: reply send error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
@@ -182,10 +185,12 @@ namespace client
 	{
 		if (ecode)
         {
-			LogPrint ("SAM read error: ", ecode.message ());
+			LogPrint (eLogError, "SAM: read error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
+		else if (m_SocketType == eSAMSocketTypeStream)
+			HandleReceived (ecode, bytes_transferred);
 		else
 		{
 			bytes_transferred += m_BufferOffset;
@@ -235,19 +240,19 @@ namespace client
 					}
 					else		
 					{	
-						LogPrint (eLogError, "SAM unexpected message ", m_Buffer);		
+						LogPrint (eLogError, "SAM: unexpected message ", m_Buffer);
 						Terminate ();
 					}
 				}
 				else
 				{
-					LogPrint (eLogError, "SAM malformed message ", m_Buffer);
+					LogPrint (eLogError, "SAM: malformed message ", m_Buffer);
 					Terminate ();
 				}
 			}
 			else
 			{	
-				LogPrint (eLogWarning, "SAM incomplete message ", bytes_transferred);
+				LogPrint (eLogWarning, "SAM: incomplete message ", bytes_transferred);
 				m_BufferOffset = bytes_transferred;
 				// try to receive remaining message
 				Receive ();
@@ -257,7 +262,7 @@ namespace client
 
 	void SAMSocket::ProcessSessionCreate (char * buf, size_t len)
 	{
-		LogPrint ("SAM session create: ", buf);
+		LogPrint (eLogDebug, "SAM: session create: ", buf);
 		std::map<std::string, std::string> params;
 		ExtractParams (buf, params);
 		std::string& style = params[SAM_PARAM_STYLE]; 
@@ -328,7 +333,7 @@ namespace client
 
 	void SAMSocket::ProcessStreamConnect (char * buf, size_t len)
 	{
-		LogPrint (eLogDebug, "SAM stream connect: ", buf);
+		LogPrint (eLogDebug, "SAM: stream connect: ", buf);
 		std::map<std::string, std::string> params;
 		ExtractParams (buf, params);
 		std::string& id = params[SAM_PARAM_ID];
@@ -339,20 +344,25 @@ namespace client
 		m_Session = m_Owner.FindSession (id);
 		if (m_Session)
 		{
-			i2p::data::IdentityEx dest;
-			dest.FromBase64 (destination);
-			context.GetAddressBook ().InsertAddress (dest);
-			auto leaseSet = m_Session->localDestination->FindLeaseSet (dest.GetIdentHash ());
-			if (leaseSet)
-				Connect (leaseSet);
-			else
+			auto dest = std::make_shared<i2p::data::IdentityEx> ();
+			size_t len = dest->FromBase64(destination);
+			if (len > 0)
 			{
-				m_Session->localDestination->RequestDestination (dest.GetIdentHash (), 
-					std::bind (&SAMSocket::HandleConnectLeaseSetRequestComplete,
-					shared_from_this (), std::placeholders::_1, dest.GetIdentHash ()));	
+				context.GetAddressBook().InsertAddress(dest);
+				auto leaseSet = m_Session->localDestination->FindLeaseSet(dest->GetIdentHash());
+				if (leaseSet)
+					Connect(leaseSet);
+				else
+				{
+					m_Session->localDestination->RequestDestination(dest->GetIdentHash(),
+						std::bind(&SAMSocket::HandleConnectLeaseSetRequestComplete,
+						shared_from_this(), std::placeholders::_1));
+				}
 			}
+			else
+				SendMessageReply(SAM_SESSION_STATUS_INVALID_KEY, strlen(SAM_SESSION_STATUS_INVALID_KEY), true);
 		}
-		else	
+		else
 			SendMessageReply (SAM_STREAM_STATUS_INVALID_ID, strlen(SAM_STREAM_STATUS_INVALID_ID), true);		
 	}
 
@@ -366,23 +376,20 @@ namespace client
 		SendMessageReply (SAM_STREAM_STATUS_OK, strlen(SAM_STREAM_STATUS_OK), false);
 	}
 
-	void SAMSocket::HandleConnectLeaseSetRequestComplete (bool success, i2p::data::IdentHash ident)
+	void SAMSocket::HandleConnectLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet)
 	{
-		std::shared_ptr<const i2p::data::LeaseSet> leaseSet;
-		if (success) 
-			leaseSet = m_Session->localDestination->FindLeaseSet (ident);
 		if (leaseSet)
 			Connect (leaseSet);
 		else
 		{
-			LogPrint ("SAM destination to connect not found");
+			LogPrint (eLogError, "SAM: destination to connect not found");
 			SendMessageReply (SAM_STREAM_STATUS_CANT_REACH_PEER, strlen(SAM_STREAM_STATUS_CANT_REACH_PEER), true);
 		}
 	}
 
 	void SAMSocket::ProcessStreamAccept (char * buf, size_t len)
 	{
-		LogPrint (eLogDebug, "SAM stream accept: ", buf);
+		LogPrint (eLogDebug, "SAM: stream accept: ", buf);
 		std::map<std::string, std::string> params;
 		ExtractParams (buf, params);
 		std::string& id = params[SAM_PARAM_ID];
@@ -408,7 +415,7 @@ namespace client
 
 	size_t SAMSocket::ProcessDatagramSend (char * buf, size_t len, const char * data)
 	{
-		LogPrint (eLogDebug, "SAM datagram send: ", buf, " ", len);
+		LogPrint (eLogDebug, "SAM: datagram send: ", buf, " ", len);
 		std::map<std::string, std::string> params;
 		ExtractParams (buf, params);
 		size_t size = boost::lexical_cast<int>(params[SAM_PARAM_SIZE]), offset = data - buf;
@@ -424,14 +431,14 @@ namespace client
 					d->SendDatagramTo ((const uint8_t *)data, size, dest.GetIdentHash ());
 				}
 				else
-					LogPrint (eLogError, "SAM missing datagram destination");
+					LogPrint (eLogError, "SAM: missing datagram destination");
 			}
 			else
-				LogPrint (eLogError, "SAM session is not created from DATAGRAM SEND");
+				LogPrint (eLogError, "SAM: session is not created from DATAGRAM SEND");
 		}	
 		else
 		{
-			LogPrint (eLogWarning, "SAM sent datagram size ", size, " exceeds buffer ", len - offset);
+			LogPrint (eLogWarning, "SAM: sent datagram size ", size, " exceeds buffer ", len - offset);
 			return 0; // try to receive more
 		}	
 		return offset + size;
@@ -439,29 +446,29 @@ namespace client
 		
 	void SAMSocket::ProcessDestGenerate ()
 	{
-		LogPrint (eLogDebug, "SAM dest generate");
+		LogPrint (eLogDebug, "SAM: dest generate");
 		auto keys = i2p::data::PrivateKeys::CreateRandomKeys ();
 #ifdef _MSC_VER
 		size_t len = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_DEST_REPLY, 
-			keys.GetPublic ().ToBase64 ().c_str (), keys.ToBase64 ().c_str ());	
+			keys.GetPublic ()->ToBase64 ().c_str (), keys.ToBase64 ().c_str ());
 #else			                        
 		size_t len = snprintf (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_DEST_REPLY, 
-		    keys.GetPublic ().ToBase64 ().c_str (), keys.ToBase64 ().c_str ());
+		    keys.GetPublic ()->ToBase64 ().c_str (), keys.ToBase64 ().c_str ());
 #endif
 		SendMessageReply (m_Buffer, len, false);
 	}
 
 	void SAMSocket::ProcessNamingLookup (char * buf, size_t len)
 	{
-		LogPrint (eLogDebug, "SAM naming lookup: ", buf);
+		LogPrint (eLogDebug, "SAM: naming lookup: ", buf);
 		std::map<std::string, std::string> params;
 		ExtractParams (buf, params);
 		std::string& name = params[SAM_PARAM_NAME];
-		i2p::data::IdentityEx identity;
+		std::shared_ptr<const i2p::data::IdentityEx> identity;
 		i2p::data::IdentHash ident;
 		if (name == "ME")
 			SendNamingLookupReply (m_Session->localDestination->GetIdentity ());
-		else if (context.GetAddressBook ().GetAddress (name, identity))
+		else if ((identity = context.GetAddressBook ().GetAddress (name)) != nullptr)
 			SendNamingLookupReply (identity);
 		else if (m_Session && m_Session->localDestination &&
 			context.GetAddressBook ().GetIdentHash (name, ident))
@@ -476,7 +483,7 @@ namespace client
 		}	
 		else 
 		{
-			LogPrint ("SAM naming failed. Unknown address ", name);
+			LogPrint (eLogError, "SAM: naming failed, unknown address ", name);
 #ifdef _MSC_VER
 			size_t len = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY_INVALID_KEY, name.c_str());
 #else				
@@ -486,11 +493,8 @@ namespace client
 		}
 	}	
 
-	void  SAMSocket::HandleNamingLookupLeaseSetRequestComplete (bool success, i2p::data::IdentHash ident)
+	void  SAMSocket::HandleNamingLookupLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet, i2p::data::IdentHash ident)
 	{
-		std::shared_ptr<const i2p::data::LeaseSet> leaseSet;
-		if (success) 
-			leaseSet = m_Session->localDestination->FindLeaseSet (ident);
 		if (leaseSet)
 		{	
 			context.GetAddressBook ().InsertAddress (leaseSet->GetIdentity ());
@@ -498,7 +502,7 @@ namespace client
 		}	
 		else
 		{
-			LogPrint (eLogInfo, "SAM naming lookup failed. LeaseSet for ", ident.ToBase32 (), " not found");
+			LogPrint (eLogError, "SAM: naming lookup failed. LeaseSet for ", ident.ToBase32 (), " not found");
 #ifdef _MSC_VER
 			size_t len = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY_INVALID_KEY, 
 				context.GetAddressBook ().ToAddress (ident).c_str());
@@ -510,9 +514,9 @@ namespace client
 		}
 	}	
 		
-	void SAMSocket::SendNamingLookupReply (const i2p::data::IdentityEx& identity)
+	void SAMSocket::SendNamingLookupReply (std::shared_ptr<const i2p::data::IdentityEx> identity)
 	{
-		auto base64 = identity.ToBase64 ();
+		auto base64 = identity->ToBase64 ();
 #ifdef _MSC_VER
 		size_t l = sprintf_s (m_Buffer, SAM_SOCKET_BUFFER_SIZE, SAM_NAMING_REPLY, base64.c_str ()); 	
 #else			
@@ -544,7 +548,7 @@ namespace client
 	{
 		if (m_BufferOffset >= SAM_SOCKET_BUFFER_SIZE)
 		{
-			LogPrint (eLogError, "Buffer is full. Terminate");
+			LogPrint (eLogError, "SAM: Buffer is full, terminate");
 			Terminate ();
 			return;
 		}
@@ -557,15 +561,24 @@ namespace client
 	{
 		if (ecode)
         {
-			LogPrint ("SAM read error: ", ecode.message ());
+			LogPrint (eLogError, "SAM: read error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
 		else
 		{
 			if (m_Stream)
-				m_Stream->Send ((uint8_t *)m_Buffer, bytes_transferred);
-			Receive ();
+			{	
+				auto s = shared_from_this ();
+				m_Stream->AsyncSend ((uint8_t *)m_Buffer, bytes_transferred,
+					[s](const boost::system::error_code& ecode)
+				    {
+						if (!ecode)
+							s->Receive ();
+						else
+							s->Terminate ();
+					});
+			}	
 		}
 	}
 
@@ -582,7 +595,7 @@ namespace client
 	{
 		if (ecode)
 		{
-			LogPrint ("SAM stream read error: ", ecode.message ());
+			LogPrint (eLogError, "SAM: stream read error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
@@ -597,7 +610,7 @@ namespace client
 	{
 		if (ecode)
 		{
-			LogPrint ("SAM socket write error: ", ecode.message ());
+			LogPrint (eLogError, "SAM: socket write error: ", ecode.message ());
 			if (ecode != boost::asio::error::operation_aborted)
 				Terminate ();
 		}
@@ -609,7 +622,7 @@ namespace client
 	{
 		if (stream)
 		{
-			LogPrint ("SAM incoming I2P connection for session ", m_ID);
+			LogPrint (eLogDebug, "SAM: incoming I2P connection for session ", m_ID);
 			m_Stream = stream;
 			context.GetAddressBook ().InsertAddress (stream->GetRemoteIdentity ());
 			auto session = m_Owner.FindSession (m_ID);
@@ -618,10 +631,15 @@ namespace client
 			m_SocketType = eSAMSocketTypeStream;
 			if (!m_IsSilent)
 			{
-				// send remote peer address
-				uint8_t ident[1024];
-				size_t l = stream->GetRemoteIdentity ().ToBuffer (ident, 1024);
-				size_t l1 = i2p::data::ByteStreamToBase64 (ident, l, (char *)m_StreamBuffer, SAM_SOCKET_BUFFER_SIZE);
+				// get remote peer address
+				auto ident_ptr = stream->GetRemoteIdentity();
+				const size_t ident_len = ident_ptr->GetFullLen();
+				uint8_t* ident = new uint8_t[ident_len];
+
+				// send remote peer address as base64 
+				const size_t l = ident_ptr->ToBuffer (ident, ident_len);
+				const size_t l1 = i2p::data::ByteStreamToBase64 (ident, l, (char *)m_StreamBuffer, SAM_SOCKET_BUFFER_SIZE);
+				delete[] ident;
 				m_StreamBuffer[l1] = '\n';
 				HandleI2PReceive (boost::system::error_code (), l1 +1); // we send identity like it has been received from stream
 			}	
@@ -629,12 +647,12 @@ namespace client
 				I2PReceive ();
 		}
 		else
-			LogPrint (eLogInfo, "SAM I2P acceptor has been reset");
+			LogPrint (eLogWarning, "SAM: I2P acceptor has been reset");
 	}	
 
 	void SAMSocket::HandleI2PDatagramReceive (const i2p::data::IdentityEx& from, uint16_t fromPort, uint16_t toPort, const uint8_t * buf, size_t len)
 	{
-		LogPrint (eLogDebug, "SAM datagram received ", len);
+		LogPrint (eLogDebug, "SAM: datagram received ", len);
 		auto base64 = from.ToBase64 ();
 #ifdef _MSC_VER
 		size_t l = sprintf_s ((char *)m_StreamBuffer, SAM_SOCKET_BUFFER_SIZE, SAM_DATAGRAM_RECEIVED, base64.c_str (), len); 	
@@ -648,7 +666,7 @@ namespace client
         		std::bind (&SAMSocket::HandleWriteI2PData, shared_from_this (), std::placeholders::_1));
 		}
 		else
-			LogPrint (eLogWarning, "SAM received datagram size ", len," exceeds buffer");
+			LogPrint (eLogWarning, "SAM: received datagram size ", len," exceeds buffer");
 	}
 
 	SAMSession::SAMSession (std::shared_ptr<ClientDestination> dest):
@@ -673,10 +691,10 @@ namespace client
 		sockets.clear ();
 	}
 
-	SAMBridge::SAMBridge (int port):
+	SAMBridge::SAMBridge (const std::string& address, int port):
 		m_IsRunning (false), m_Thread (nullptr),
-		m_Acceptor (m_Service, boost::asio::ip::tcp::endpoint(boost::asio::ip::tcp::v4(), port)),
-		m_DatagramEndpoint (boost::asio::ip::udp::v4 (), port-1), m_DatagramSocket (m_Service, m_DatagramEndpoint)
+		m_Acceptor (m_Service, boost::asio::ip::tcp::endpoint(boost::asio::ip::address::from_string(address), port)),
+		m_DatagramEndpoint (boost::asio::ip::address::from_string(address), port-1), m_DatagramSocket (m_Service, m_DatagramEndpoint)
 	{
 	}
 
@@ -720,7 +738,7 @@ namespace client
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint ("SAM: ", ex.what ());
+				LogPrint (eLogError, "SAM: runtime exception: ", ex.what ());
 			}	
 		}	
 	}
@@ -740,14 +758,14 @@ namespace client
 			auto ep = socket->GetSocket ().remote_endpoint (ec);
 			if (!ec)
 			{	
-				LogPrint ("New SAM connection from ", ep);
+				LogPrint (eLogDebug, "SAM: new connection from ", ep);
 				socket->ReceiveHandshake ();
 			}
 			else
-				LogPrint (eLogError, "SAM connection from error ", ec.message ());
+				LogPrint (eLogError, "SAM: incoming connection error ", ec.message ());
 		}
 		else
-			LogPrint ("SAM accept error: ",  ecode.message ());
+			LogPrint (eLogError, "SAM: accept error: ", ecode.message ());
 
 		if (ecode != boost::asio::error::operation_aborted)
 			Accept ();
@@ -781,7 +799,7 @@ namespace client
 			std::unique_lock<std::mutex> l(m_SessionsMutex);
 			auto ret = m_Sessions.insert (std::pair<std::string, SAMSession *>(id, new SAMSession (localDestination)));
 			if (!ret.second)
-				LogPrint ("Session ", id, " already exists");
+				LogPrint (eLogWarning, "SAM: Session ", id, " already exists");
 			return ret.first->second;
 		}
 		return nullptr;
@@ -826,7 +844,7 @@ namespace client
 			char * eol = strchr ((char *)m_DatagramReceiveBuffer, '\n');
 			*eol = 0; eol++;
 			size_t payloadLen = bytes_transferred - ((uint8_t *)eol - m_DatagramReceiveBuffer); 
-			LogPrint ("SAM datagram received ", m_DatagramReceiveBuffer," size=", payloadLen);
+			LogPrint (eLogDebug, "SAM: datagram received ", m_DatagramReceiveBuffer," size=", payloadLen);
 			char * sessionID = strchr ((char *)m_DatagramReceiveBuffer, ' ');
 			if (sessionID)
 			{
@@ -844,17 +862,17 @@ namespace client
 							SendDatagramTo ((uint8_t *)eol, payloadLen, dest.GetIdentHash ());
 					}	
 					else
-						LogPrint ("Session ", sessionID, " not found");
+						LogPrint (eLogError, "SAM: Session ", sessionID, " not found");
 				}
 				else
-					LogPrint ("Missing destination key");
+					LogPrint (eLogError, "SAM: Missing destination key");
 			}
 			else
-				LogPrint ("Missing sessionID");
+				LogPrint (eLogError, "SAM: Missing sessionID");
 			ReceiveDatagram ();
 		}
 		else
-			LogPrint ("SAM datagram receive error: ", ecode.message ());
+			LogPrint (eLogError, "SAM: datagram receive error: ", ecode.message ());
 	}
 }
 }

SAM.h

@@ -28,6 +28,7 @@ namespace client
 	const char SAM_SESSION_CREATE_REPLY_OK[] = "SESSION STATUS RESULT=OK DESTINATION=%s\n";
 	const char SAM_SESSION_CREATE_DUPLICATED_ID[] = "SESSION STATUS RESULT=DUPLICATED_ID\n";
 	const char SAM_SESSION_CREATE_DUPLICATED_DEST[] = "SESSION STATUS RESULT=DUPLICATED_DEST\n";	
+	const char SAM_SESSION_STATUS_INVALID_KEY[] = "SESSION STATUS RESULT=INVALID_KEY\n";
 	const char SAM_STREAM_CONNECT[] = "STREAM CONNECT";
 	const char SAM_STREAM_STATUS_OK[] = "STREAM STATUS RESULT=OK\n";
 	const char SAM_STREAM_STATUS_INVALID_ID[] = "STREAM STATUS RESULT=INVALID_ID\n";
@@ -40,7 +41,7 @@ namespace client
 	const char SAM_DEST_REPLY_I2P_ERROR[] = "DEST REPLY RESULT=I2P_ERROR\n";
 	const char SAM_NAMING_LOOKUP[] = "NAMING LOOKUP";
 	const char SAM_NAMING_REPLY[] = "NAMING REPLY RESULT=OK NAME=ME VALUE=%s\n";
-	const char SAM_DATAGRAM_RECEIVED[] = "DATAGRAM RECEIVED DESTINATION=%s SIZE=%lu\n";	
+	const char SAM_DATAGRAM_RECEIVED[] = "DATAGRAM RECEIVED DESTINATION=%s SIZE=%lu\n";
 	const char SAM_NAMING_REPLY_INVALID_KEY[] = "NAMING REPLY RESULT=INVALID_KEY NAME=%s\n";
 	const char SAM_NAMING_REPLY_KEY_NOT_FOUND[] = "NAMING REPLY RESULT=INVALID_KEY_NOT_FOUND NAME=%s\n";
 	const char SAM_PARAM_MIN[] = "MIN";	
@@ -109,9 +110,9 @@ namespace client
 			void ExtractParams (char * buf, std::map<std::string, std::string>& params);
 
 			void Connect (std::shared_ptr<const i2p::data::LeaseSet> remote);
-			void HandleConnectLeaseSetRequestComplete (bool success, i2p::data::IdentHash ident);
-			void SendNamingLookupReply (const i2p::data::IdentityEx& identity);
-			void HandleNamingLookupLeaseSetRequestComplete (bool success, i2p::data::IdentHash ident);
+			void HandleConnectLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet);
+			void SendNamingLookupReply (std::shared_ptr<const i2p::data::IdentityEx> identity);
+			void HandleNamingLookupLeaseSetRequestComplete (std::shared_ptr<i2p::data::LeaseSet> leaseSet, i2p::data::IdentHash ident);
 			void HandleSessionReadinessCheckTimer (const boost::system::error_code& ecode);
 			void SendSessionCreateReplyOk ();
 
@@ -145,7 +146,7 @@ namespace client
 	{
 		public:
 
-			SAMBridge (int port);
+			SAMBridge (const std::string& address, int port);
 			~SAMBridge ();
 
 			void Start ();

SOCKS.cpp

@@ -9,6 +9,7 @@
 #include "ClientContext.h"
 #include "I2PEndian.h"
 #include "I2PTunnel.h"
+#include "I2PService.h"
 
 namespace i2p
 {
@@ -17,6 +18,10 @@ namespace proxy
 	static const size_t socks_buffer_size = 8192;
 	static const size_t max_socks_hostname_size = 255; // Limit for socks5 and bad idea to traverse
 
+	static const size_t SOCKS_FORWARDER_BUFFER_SIZE = 8192;
+
+	static const size_t SOCKS_UPSTREAM_SOCKS4A_REPLY_SIZE = 8;
+	
 	struct SOCKSDnsAddress 
 	{
 		uint8_t size;
@@ -51,7 +56,10 @@ namespace proxy
 				GET5_IPV6,
 				GET5_HOST_SIZE,
 				GET5_HOST,
-				DONE
+				READY,
+				UPSTREAM_RESOLVE,
+				UPSTREAM_CONNECT,
+				UPSTREAM_HANDSHAKE
 			};
 			enum authMethods 
 			{
@@ -109,6 +117,7 @@ namespace proxy
 			boost::asio::const_buffers_1 GenerateSOCKS5SelectAuth(authMethods method);
 			boost::asio::const_buffers_1 GenerateSOCKS4Response(errTypes error, uint32_t ip, uint16_t port);
 			boost::asio::const_buffers_1 GenerateSOCKS5Response(errTypes error, addrTypes type, const address &addr, uint16_t port);
+		boost::asio::const_buffers_1 GenerateUpstreamRequest();
 			bool Socks5ChooseAuth();
 			void SocksRequestFailed(errTypes error);
 			void SocksRequestSuccess();
@@ -116,12 +125,29 @@ namespace proxy
 			void SentSocksDone(const boost::system::error_code & ecode);
 			void SentSocksResponse(const boost::system::error_code & ecode);
 			void HandleStreamRequestComplete (std::shared_ptr<i2p::stream::Stream> stream);
+			void ForwardSOCKS();
 
-			uint8_t m_sock_buff[socks_buffer_size];
-			boost::asio::ip::tcp::socket * m_sock;
+		void SocksUpstreamSuccess();
+		void AsyncUpstreamSockRead();
+		void SendUpstreamRequest();
+			void HandleUpstreamData(uint8_t * buff, std::size_t len);
+		void HandleUpstreamSockSend(const boost::system::error_code & ecode, std::size_t bytes_transfered);
+		void HandleUpstreamSockRecv(const boost::system::error_code & ecode, std::size_t bytes_transfered);
+		void HandleUpstreamConnected(const boost::system::error_code & ecode,
+																 boost::asio::ip::tcp::resolver::iterator itr);
+		void HandleUpstreamResolved(const boost::system::error_code & ecode,
+																boost::asio::ip::tcp::resolver::iterator itr);
+		
+		boost::asio::ip::tcp::resolver m_proxy_resolver;
+		uint8_t m_sock_buff[socks_buffer_size];
+		std::shared_ptr<boost::asio::ip::tcp::socket> m_sock, m_upstreamSock;
 			std::shared_ptr<i2p::stream::Stream> m_stream;
 			uint8_t *m_remaining_data; //Data left to be sent
+			uint8_t *m_remaining_upstream_data; //upstream data left to be forwarded
 			uint8_t m_response[7+max_socks_hostname_size];
+		uint8_t m_upstream_response[SOCKS_UPSTREAM_SOCKS4A_REPLY_SIZE];
+		uint8_t m_upstream_request[14+max_socks_hostname_size];
+		std::size_t m_upstream_response_len;
 			address m_address; //Address
 			std::size_t m_remaining_data_len; //Size of the data left to be sent
 			uint32_t m_4aip; //Used in 4a requests
@@ -133,25 +159,35 @@ namespace proxy
 			socksVersions m_socksv; //Socks version
 			cmdTypes m_cmd; // Command requested
 			state m_state;
-
+			const bool m_UseUpstreamProxy; // do we want to use the upstream proxy for non i2p addresses?
+		const std::string m_UpstreamProxyAddress;
+		const uint16_t m_UpstreamProxyPort;
+		
 		public:
-			SOCKSHandler(SOCKSServer * parent, boost::asio::ip::tcp::socket * sock) :
-				I2PServiceHandler(parent), m_sock(sock), m_stream(nullptr),
-				m_authchosen(AUTH_UNACCEPTABLE), m_addrtype(ADDR_IPV4)
+		SOCKSHandler(SOCKSServer * parent, std::shared_ptr<boost::asio::ip::tcp::socket> sock, const std::string & upstreamAddr, const uint16_t upstreamPort, const bool useUpstream) :
+				I2PServiceHandler(parent),
+				m_proxy_resolver(parent->GetService()),
+				m_sock(sock), m_stream(nullptr),
+				m_authchosen(AUTH_UNACCEPTABLE), m_addrtype(ADDR_IPV4),
+				m_UseUpstreamProxy(useUpstream),
+				m_UpstreamProxyAddress(upstreamAddr),
+				m_UpstreamProxyPort(upstreamPort) 
 				{ m_address.ip = 0; EnterState(GET_SOCKSV); }
+				
 			~SOCKSHandler() { Terminate(); }
 			void Handle() { AsyncSockRead(); }
 	};
-
+	
 	void SOCKSHandler::AsyncSockRead()
 	{
-		LogPrint(eLogDebug,"--- SOCKS async sock read");
-		if(m_sock)
+		LogPrint(eLogDebug, "SOCKS: async sock read");
+		if (m_sock) {
 			m_sock->async_receive(boost::asio::buffer(m_sock_buff, socks_buffer_size),
 						std::bind(&SOCKSHandler::HandleSockRecv, shared_from_this(),
 								std::placeholders::_1, std::placeholders::_2));
-		else 
-			LogPrint(eLogError,"--- SOCKS no socket for read");
+		} else {
+			LogPrint(eLogError,"SOCKS: no socket for read");
+		}
 	}
 
 	void SOCKSHandler::Terminate() 
@@ -159,14 +195,19 @@ namespace proxy
 		if (Kill()) return;
 		if (m_sock) 
 		{
-			LogPrint(eLogDebug,"--- SOCKS close sock");
+			LogPrint(eLogDebug, "SOCKS: closing socket");
 			m_sock->close();
-			delete m_sock;
 			m_sock = nullptr;
 		}
+		if (m_upstreamSock)
+		{
+			LogPrint(eLogDebug, "SOCKS: closing upstream socket");
+			m_upstreamSock->close();
+			m_upstreamSock = nullptr;
+		}
 		if (m_stream) 
 		{
-			LogPrint(eLogDebug,"--- SOCKS close stream");
+			LogPrint(eLogDebug, "SOCKS: closing stream");
 			m_stream.reset ();
 		}
 		Done(shared_from_this());
@@ -210,6 +251,37 @@ namespace proxy
 		return boost::asio::const_buffers_1(m_response,size);
 	}
 
+	boost::asio::const_buffers_1 SOCKSHandler::GenerateUpstreamRequest()
+	{
+		size_t upstreamRequestSize = 0;
+		// TODO: negotiate with upstream
+		// SOCKS 4a
+		m_upstream_request[0] = '\x04'; //version
+		m_upstream_request[1] = m_cmd;
+		htobe16buf(m_upstream_request+2, m_port);
+		m_upstream_request[4] = 0;
+		m_upstream_request[5] = 0;
+		m_upstream_request[6] = 0;
+		m_upstream_request[7] = 1;
+		// user id
+		m_upstream_request[8] = 'i';
+		m_upstream_request[9] = '2';
+		m_upstream_request[10] = 'p';
+		m_upstream_request[11] = 'd';
+		m_upstream_request[12] = 0;
+		upstreamRequestSize +=	13;
+		if (m_address.dns.size <= max_socks_hostname_size - ( upstreamRequestSize + 1) ) {
+			// bounds check okay
+			memcpy(m_upstream_request + upstreamRequestSize, m_address.dns.value, m_address.dns.size);
+			upstreamRequestSize += m_address.dns.size;
+			// null terminate
+			m_upstream_request[++upstreamRequestSize] = 0;
+		} else {
+			LogPrint(eLogError, "SOCKS: BUG!!! m_addr.dns.sizs > max_socks_hostname - ( upstreamRequestSize + 1 ) )");
+		}
+		return boost::asio::const_buffers_1(m_upstream_request, upstreamRequestSize);
+	}
+
 	bool SOCKSHandler::Socks5ChooseAuth()
 	{
 		m_response[0] = '\x05'; //Version
@@ -217,16 +289,16 @@ namespace proxy
 		boost::asio::const_buffers_1 response(m_response,2);
 		if (m_authchosen == AUTH_UNACCEPTABLE) 
 		{
-			LogPrint(eLogWarning,"--- SOCKS5 authentication negotiation failed");
+			LogPrint(eLogWarning, "SOCKS: v5 authentication negotiation failed");
 			boost::asio::async_write(*m_sock, response, std::bind(&SOCKSHandler::SentSocksFailed,
-									      shared_from_this(), std::placeholders::_1));
+												shared_from_this(), std::placeholders::_1));
 			return false;
 		} 
 		else 
 		{
-			LogPrint(eLogDebug,"--- SOCKS5 choosing authentication method: ", m_authchosen);
+			LogPrint(eLogDebug, "SOCKS: v5 choosing authentication method: ", m_authchosen);
 			boost::asio::async_write(*m_sock, response, std::bind(&SOCKSHandler::SentSocksResponse,
-									      shared_from_this(), std::placeholders::_1));
+												shared_from_this(), std::placeholders::_1));
 			return true;
 		}
 	}
@@ -239,17 +311,17 @@ namespace proxy
 		switch (m_socksv) 
 		{
 			case SOCKS4:
-				LogPrint(eLogWarning,"--- SOCKS4 failed: ", error);
+				LogPrint(eLogWarning, "SOCKS: v4 request failed: ", error);
 				if (error < SOCKS4_OK) error = SOCKS4_FAIL; //Transparently map SOCKS5 errors
 				response = GenerateSOCKS4Response(error, m_4aip, m_port);
 			break;
 			case SOCKS5:
-				LogPrint(eLogWarning,"--- SOCKS5 failed: ", error);
+				LogPrint(eLogWarning, "SOCKS: v5 request failed: ", error);
 				response = GenerateSOCKS5Response(error, m_addrtype, m_address, m_port);
 			break;
 		}
 		boost::asio::async_write(*m_sock, response, std::bind(&SOCKSHandler::SentSocksFailed,
-								      shared_from_this(), std::placeholders::_1));
+											shared_from_this(), std::placeholders::_1));
 	}
 
 	void SOCKSHandler::SocksRequestSuccess()
@@ -259,11 +331,11 @@ namespace proxy
 		switch (m_socksv) 
 		{
 			case SOCKS4:
-				LogPrint(eLogInfo,"--- SOCKS4 connection success");
+				LogPrint(eLogInfo, "SOCKS: v4 connection success");
 				response = GenerateSOCKS4Response(SOCKS4_OK, m_4aip, m_port);
 			break;
 			case SOCKS5:
-				LogPrint(eLogInfo,"--- SOCKS5 connection success");
+				LogPrint(eLogInfo, "SOCKS: v5 connection success");
 				auto s = i2p::client::context.GetAddressBook().ToAddress(GetOwner()->GetLocalDestination()->GetIdentHash());
 				address ad; ad.dns.FromString(s);
 				//HACK only 16 bits passed in port as SOCKS5 doesn't allow for more
@@ -271,7 +343,7 @@ namespace proxy
 			break;
 		}
 		boost::asio::async_write(*m_sock, response, std::bind(&SOCKSHandler::SentSocksDone,
-								      shared_from_this(), std::placeholders::_1));
+											shared_from_this(), std::placeholders::_1));
 	}
 
 	void SOCKSHandler::EnterState(SOCKSHandler::state nstate, uint8_t parseleft) {
@@ -294,7 +366,7 @@ namespace proxy
 		if ( m_cmd != CMD_CONNECT ) 
 		{
 			//TODO: we need to support binds and other shit!
-			LogPrint(eLogError,"--- SOCKS unsupported command: ", m_cmd);
+			LogPrint(eLogError, "SOCKS: unsupported command: ", m_cmd);
 			SocksRequestFailed(SOCKS5_CMD_UNSUP);
 			return false;
 		}
@@ -304,22 +376,15 @@ namespace proxy
 			switch (m_socksv) 
 			{
 				case SOCKS5:
-					LogPrint(eLogError,"--- SOCKS5 unsupported address type: ", m_addrtype);
+					LogPrint(eLogError, "SOCKS: v5 unsupported address type: ", m_addrtype);
 				break;
 				case SOCKS4:
-					LogPrint(eLogError,"--- SOCKS4a rejected because it's actually SOCKS4");
+					LogPrint(eLogError, "SOCKS: request with v4a rejected because it's actually SOCKS4");
 				break;
 			}
 			SocksRequestFailed(SOCKS5_ADDR_UNSUP);
 			return false;
 		}
-		//TODO: we may want to support other domains
-		if(m_addrtype == ADDR_DNS && m_address.dns.ToString().find(".i2p") == std::string::npos) 
-		{
-			LogPrint(eLogError,"--- SOCKS invalid hostname: ", m_address.dns.ToString());
-			SocksRequestFailed(SOCKS5_ADDR_UNSUP);
-			return false;
-		}
 		return true;
 	}
 
@@ -341,7 +406,7 @@ namespace proxy
 							EnterState(GET5_AUTHNUM); //Initialize the parser at the right position
 						break;
 						default:
-							LogPrint(eLogError,"--- SOCKS rejected invalid version: ", ((int)*sock_buff));
+							LogPrint(eLogError, "SOCKS: rejected invalid version: ", ((int)*sock_buff));
 							Terminate();
 							return false;
 					}
@@ -368,7 +433,7 @@ namespace proxy
 						case CMD_UDP:
 							if (m_socksv == SOCKS5) break;
 						default:
-							LogPrint(eLogError,"--- SOCKS invalid command: ", ((int)*sock_buff));
+							LogPrint(eLogError, "SOCKS: invalid command: ", ((int)*sock_buff));
 							SocksRequestFailed(SOCKS5_GEN_FAIL);
 							return false;
 					}
@@ -386,7 +451,7 @@ namespace proxy
 					{
 						switch (m_socksv) 
 						{
-							case SOCKS5: EnterState(DONE); break;
+							case SOCKS5: EnterState(READY); break;
 							case SOCKS4: EnterState(GET_IPV4); break;
 						}
 					}
@@ -407,7 +472,7 @@ namespace proxy
 					if (!*sock_buff) 
 					{
 						if( m_4aip == 0 || m_4aip > 255 )
-							EnterState(DONE);
+							EnterState(READY);
 						else
 							EnterState(GET4A_HOST);
 					}
@@ -415,12 +480,12 @@ namespace proxy
 				case GET4A_HOST:
 					if (!*sock_buff) 
 					{
-						EnterState(DONE);
+						EnterState(READY);
 						break;
 					}
 					if (m_address.dns.size >= max_socks_hostname_size) 
 					{
-						LogPrint(eLogError,"--- SOCKS4a destination is too large");
+						LogPrint(eLogError, "SOCKS: v4a req failed: destination is too large");
 						SocksRequestFailed(SOCKS4_FAIL);
 						return false;
 					}
@@ -429,7 +494,7 @@ namespace proxy
 				case GET5_REQUESTV:
 					if (*sock_buff != SOCKS5) 
 					{
-						LogPrint(eLogError,"--- SOCKS5 rejected unknown request version: ", ((int)*sock_buff));
+						LogPrint(eLogError,"SOCKS: v5 rejected unknown request version: ", ((int)*sock_buff));
 						SocksRequestFailed(SOCKS5_GEN_FAIL);
 						return false;
 					}
@@ -438,7 +503,7 @@ namespace proxy
 				case GET5_GETRSV:
 					if ( *sock_buff != 0 ) 
 					{
-						LogPrint(eLogError,"--- SOCKS5 unknown reserved field: ", ((int)*sock_buff));
+						LogPrint(eLogError, "SOCKS: v5 unknown reserved field: ", ((int)*sock_buff));
 						SocksRequestFailed(SOCKS5_GEN_FAIL);
 						return false;
 					}
@@ -451,7 +516,7 @@ namespace proxy
 						case ADDR_IPV6: EnterState(GET5_IPV6); break;
 						case ADDR_DNS : EnterState(GET5_HOST_SIZE); break;
 						default:
-							LogPrint(eLogError,"--- SOCKS5 unknown address type: ", ((int)*sock_buff));
+							LogPrint(eLogError, "SOCKS: v5 unknown address type: ", ((int)*sock_buff));
 							SocksRequestFailed(SOCKS5_GEN_FAIL);
 							return false;
 					}
@@ -470,13 +535,13 @@ namespace proxy
 					if (m_parseleft == 0) EnterState(GET_PORT);
 				break;
 				default:
-					LogPrint(eLogError,"--- SOCKS parse state?? ", m_state);
+					LogPrint(eLogError, "SOCKS: parse state?? ", m_state);
 					Terminate();
 					return false;
 			}
 			sock_buff++;
 			len--;
-			if (m_state == DONE) 
+			if (m_state == READY) 
 			{
 				m_remaining_data_len = len;
 				m_remaining_data = sock_buff;
@@ -488,21 +553,33 @@ namespace proxy
 
 	void SOCKSHandler::HandleSockRecv(const boost::system::error_code & ecode, std::size_t len)
 	{
-		LogPrint(eLogDebug,"--- SOCKS sock recv: ", len);
+		LogPrint(eLogDebug, "SOCKS: recieved ", len, " bytes");
 		if(ecode) 
 		{
-			LogPrint(eLogWarning," --- SOCKS sock recv got error: ", ecode);
-            Terminate();
+			LogPrint(eLogWarning, "SOCKS: recv got error: ", ecode);
+			Terminate();
 			return;
 		}
 
 		if (HandleData(m_sock_buff, len)) 
 		{
-			if (m_state == DONE) 
+			if (m_state == READY) 
 			{
-				LogPrint(eLogInfo,"--- SOCKS requested ", m_address.dns.ToString(), ":" , m_port);
-				GetOwner()->CreateStream ( std::bind (&SOCKSHandler::HandleStreamRequestComplete,
-						shared_from_this(), std::placeholders::_1), m_address.dns.ToString(), m_port);
+				const std::string addr = m_address.dns.ToString();
+				LogPrint(eLogInfo, "SOCKS: requested ", addr, ":" , m_port);
+				const size_t addrlen = addr.size();
+				// does it end with .i2p?
+				if ( addr.rfind(".i2p") == addrlen - 4) {
+					// yes it does, make an i2p session
+					GetOwner()->CreateStream ( std::bind (&SOCKSHandler::HandleStreamRequestComplete,
+							shared_from_this(), std::placeholders::_1), m_address.dns.ToString(), m_port);
+				} else if (m_UseUpstreamProxy) {
+					// forward it to upstream proxy
+					ForwardSOCKS();
+				} else {
+					// no upstream proxy 
+					SocksRequestFailed(SOCKS5_ADDR_UNSUP);
+				}
 			} 
 			else
 				AsyncSockRead();
@@ -511,13 +588,9 @@ namespace proxy
 
 	void SOCKSHandler::SentSocksFailed(const boost::system::error_code & ecode)
 	{
-		if (!ecode) 
-			Terminate();
-		else 
-		{
-			LogPrint (eLogError,"--- SOCKS Closing socket after sending failure because: ", ecode.message ());
-			Terminate();
-		}
+		if (ecode)
+			LogPrint (eLogError, "SOCKS: closing socket after sending failure because: ", ecode.message ());
+		Terminate();
 	}
 
 	void SOCKSHandler::SentSocksDone(const boost::system::error_code & ecode)
@@ -525,7 +598,7 @@ namespace proxy
 		if (!ecode) 
 		{
 			if (Kill()) return;
-			LogPrint (eLogInfo,"--- SOCKS New I2PTunnel connection");
+			LogPrint (eLogInfo, "SOCKS: new I2PTunnel connection");
 			auto connection = std::make_shared<i2p::client::I2PTunnelConnection>(GetOwner(), m_sock, m_stream);
 			GetOwner()->AddHandler (connection);
 			connection->I2PConnect (m_remaining_data,m_remaining_data_len);
@@ -533,7 +606,7 @@ namespace proxy
 		}
 		else
 		{
-			LogPrint (eLogError,"--- SOCKS Closing socket after completion reply because: ", ecode.message ());
+			LogPrint (eLogError, "SOCKS: closing socket after completion reply because: ", ecode.message ());
 			Terminate();
 		}
 	}
@@ -542,7 +615,7 @@ namespace proxy
 	{
 		if (ecode) 
 		{
-			LogPrint (eLogError,"--- SOCKS Closing socket after sending reply because: ", ecode.message ());
+			LogPrint (eLogError, "SOCKS: closing socket after sending reply because: ", ecode.message ());
 			Terminate();
 		}
 	}
@@ -556,20 +629,163 @@ namespace proxy
 		} 
 		else 
 		{
-			LogPrint (eLogError,"--- SOCKS Issue when creating the stream, check the previous warnings for more info.");
+			LogPrint (eLogError, "SOCKS: error when creating the stream, check the previous warnings for more info");
 			SocksRequestFailed(SOCKS5_HOST_UNREACH);
 		}
 	}
-
-	SOCKSServer::SOCKSServer(int port, std::shared_ptr<i2p::client::ClientDestination> localDestination) : 
-		TCPIPAcceptor (port, localDestination ? localDestination : i2p::client::context.GetSharedLocalDestination ()) 
+	
+	void SOCKSHandler::ForwardSOCKS()
 	{
+		LogPrint(eLogInfo, "SOCKS: forwarding to upstream");
+		EnterState(UPSTREAM_RESOLVE);
+		boost::asio::ip::tcp::resolver::query q(m_UpstreamProxyAddress,boost::lexical_cast<std::string>(m_UpstreamProxyPort) );
+		m_proxy_resolver.async_resolve(q, std::bind(&SOCKSHandler::HandleUpstreamResolved, shared_from_this(),
+			std::placeholders::_1, std::placeholders::_2));
+	}
+
+	void SOCKSHandler::AsyncUpstreamSockRead()
+	{
+		LogPrint(eLogDebug, "SOCKS: async upstream sock read");
+		if (m_upstreamSock) {
+			m_upstreamSock->async_read_some(boost::asio::buffer(m_upstream_response, SOCKS_UPSTREAM_SOCKS4A_REPLY_SIZE),
+																		std::bind(&SOCKSHandler::HandleUpstreamSockRecv, shared_from_this(),
+																							std::placeholders::_1, std::placeholders::_2));
+		} else {
+			LogPrint(eLogError, "SOCKS: no upstream socket for read");
+			SocksRequestFailed(SOCKS5_GEN_FAIL);
+		}
 	}
 	
-	std::shared_ptr<i2p::client::I2PServiceHandler> SOCKSServer::CreateHandler(boost::asio::ip::tcp::socket * socket)
+	void SOCKSHandler::HandleUpstreamSockRecv(const boost::system::error_code & ecode, std::size_t bytes_transfered)
 	{
-		return std::make_shared<SOCKSHandler> (this, socket);
+		if (ecode) {
+			if (m_state == UPSTREAM_HANDSHAKE ) {
+				// we are trying to handshake but it failed
+				SocksRequestFailed(SOCKS5_NET_UNREACH);
+			} else {
+				LogPrint(eLogError, "SOCKS: bad state when reading from upstream: ", (int) m_state);
+			}
+			return;
+		}
+		HandleUpstreamData(m_upstream_response, bytes_transfered);
 	}
 
+	void SOCKSHandler::SocksUpstreamSuccess()
+	{
+		LogPrint(eLogInfo, "SOCKS: upstream success");
+		boost::asio::const_buffers_1 response(nullptr, 0);
+		switch (m_socksv) 
+		{
+			case SOCKS4:
+				LogPrint(eLogInfo, "SOCKS: v4 connection success");
+				response = GenerateSOCKS4Response(SOCKS4_OK, m_4aip, m_port);
+			break;
+			case SOCKS5:
+				LogPrint(eLogInfo, "SOCKS: v5 connection success");
+				//HACK only 16 bits passed in port as SOCKS5 doesn't allow for more
+				response = GenerateSOCKS5Response(SOCKS5_OK, ADDR_DNS, m_address, m_port);
+			break;
+		}
+		m_sock->send(response);
+		auto forwarder = std::make_shared<i2p::client::TCPIPPipe>(GetOwner(), m_sock, m_upstreamSock);
+		m_upstreamSock = nullptr;
+		m_sock = nullptr;
+		GetOwner()->AddHandler(forwarder);
+		forwarder->Start();
+		Terminate();
+				
+	}
+	
+	void SOCKSHandler::HandleUpstreamData(uint8_t * dataptr, std::size_t len)
+	{
+		if (m_state == UPSTREAM_HANDSHAKE) {
+			m_upstream_response_len += len;
+			// handle handshake data
+			if (m_upstream_response_len < SOCKS_UPSTREAM_SOCKS4A_REPLY_SIZE) {
+				// too small, continue reading
+				AsyncUpstreamSockRead();
+			} else if (len == SOCKS_UPSTREAM_SOCKS4A_REPLY_SIZE) {
+				// just right
+				uint8_t resp = m_upstream_response[1];
+				if (resp == SOCKS4_OK) {
+					// we have connected !
+					SocksUpstreamSuccess();
+				} else {
+					// upstream failure
+					LogPrint(eLogError, "SOCKS: upstream proxy failure: ", (int) resp);
+					// TODO: runtime error?
+					SocksRequestFailed(SOCKS5_GEN_FAIL);
+				}
+			} else {
+				// too big
+				SocksRequestFailed(SOCKS5_GEN_FAIL);
+			}
+		} else {
+			// invalid state
+			LogPrint(eLogError, "SOCKS: invalid state reading from upstream: ", (int) m_state);
+		}
+	}
+	
+	void SOCKSHandler::SendUpstreamRequest()
+	{
+		LogPrint(eLogInfo, "SOCKS: negotiating with upstream proxy");
+		EnterState(UPSTREAM_HANDSHAKE);
+		if (m_upstreamSock) {
+			boost::asio::write(*m_upstreamSock,
+												 GenerateUpstreamRequest());
+			AsyncUpstreamSockRead();
+		} else {
+			LogPrint(eLogError, "SOCKS: no upstream socket to send handshake to");
+		}
+	}
+	
+	void SOCKSHandler::HandleUpstreamConnected(const boost::system::error_code & ecode, boost::asio::ip::tcp::resolver::iterator itr)
+	{
+		if (ecode) {
+			LogPrint(eLogWarning, "SOCKS: could not connect to upstream proxy: ", ecode.message());
+			SocksRequestFailed(SOCKS5_NET_UNREACH);
+			return;
+		}
+		LogPrint(eLogInfo, "SOCKS: connected to upstream proxy");
+		SendUpstreamRequest();
+	}
+	
+	void SOCKSHandler::HandleUpstreamResolved(const boost::system::error_code & ecode, boost::asio::ip::tcp::resolver::iterator itr)
+	{
+		if (ecode) {
+			// error resolving
+			LogPrint(eLogWarning, "SOCKS: upstream proxy", m_UpstreamProxyAddress, " not resolved: ", ecode.message());
+			SocksRequestFailed(SOCKS5_NET_UNREACH);
+			return;
+		}
+		LogPrint(eLogInfo, "SOCKS: upstream proxy resolved");
+		EnterState(UPSTREAM_CONNECT);
+		auto & service = GetOwner()->GetService();
+		m_upstreamSock = std::make_shared<boost::asio::ip::tcp::socket>(service);
+		boost::asio::async_connect(*m_upstreamSock, itr,
+			std::bind(&SOCKSHandler::HandleUpstreamConnected,
+								shared_from_this(), std::placeholders::_1, std::placeholders::_2));
+	}
+	
+	SOCKSServer::SOCKSServer(const std::string& address, int port, const std::string& outAddress, uint16_t outPort,
+			std::shared_ptr<i2p::client::ClientDestination> localDestination) : 
+		TCPIPAcceptor (address, port, localDestination ? localDestination : i2p::client::context.GetSharedLocalDestination ()) 
+	{
+		m_UseUpstreamProxy = false;
+		if (outAddress.length() > 0)
+			SetUpstreamProxy(outAddress, outPort);
+	}
+	
+	std::shared_ptr<i2p::client::I2PServiceHandler> SOCKSServer::CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket)
+	{
+		return std::make_shared<SOCKSHandler> (this, socket, m_UpstreamProxyAddress, m_UpstreamProxyPort, m_UseUpstreamProxy);
+	}
+
+	void SOCKSServer::SetUpstreamProxy(const std::string & addr, const uint16_t port)
+	{
+		m_UpstreamProxyAddress = addr;
+		m_UpstreamProxyPort = port;
+		m_UseUpstreamProxy = true;
+	}
 }
 }

SOCKS.h

@@ -15,13 +15,21 @@ namespace proxy
 	{
 		public:
 
-			SOCKSServer(int port, std::shared_ptr<i2p::client::ClientDestination> localDestination = nullptr);
+			SOCKSServer(const std::string& address, int port, const std::string& outAddress, uint16_t outPort,
+				std::shared_ptr<i2p::client::ClientDestination> localDestination = nullptr);
 			~SOCKSServer() {};
 
+			void SetUpstreamProxy(const std::string & addr, const uint16_t port);
+		
 		protected:
 			// Implements TCPIPAcceptor
-			std::shared_ptr<i2p::client::I2PServiceHandler> CreateHandler(boost::asio::ip::tcp::socket * socket);
+			std::shared_ptr<i2p::client::I2PServiceHandler> CreateHandler(std::shared_ptr<boost::asio::ip::tcp::socket> socket);
 			const char* GetName() { return "SOCKS"; }
+
+	private:
+		std::string m_UpstreamProxyAddress;
+		uint16_t m_UpstreamProxyPort;
+		bool m_UseUpstreamProxy;
 	};
 
 	typedef SOCKSServer SOCKSProxy;

SSU.cpp

@@ -86,7 +86,7 @@ namespace transport
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint (eLogError, "SSU server: ", ex.what ());
+				LogPrint (eLogError, "SSU: server runtime exception: ", ex.what ());
 			}	
 		}	
 	}
@@ -101,7 +101,7 @@ namespace transport
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint (eLogError, "SSU V6 server: ", ex.what ());
+				LogPrint (eLogError, "SSU: v6 server runtime exception: ", ex.what ());
 			}	
 		}	
 	}	
@@ -116,7 +116,7 @@ namespace transport
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint (eLogError, "SSU receivers: ", ex.what ());
+				LogPrint (eLogError, "SSU: receivers runtime exception: ", ex.what ());
 			}	
 		}	
 	}	
@@ -174,12 +174,12 @@ namespace transport
 				moreBytes = m_Socket.available();
 			}
 
-			m_Service.post (std::bind (&SSUServer::HandleReceivedPackets, this, packets));
+			m_Service.post (std::bind (&SSUServer::HandleReceivedPackets, this, packets, &m_Sessions));
 			Receive ();
 		}
 		else
 		{	
-			LogPrint ("SSU receive error: ", ecode.message ());
+			LogPrint (eLogError, "SSU: receive error: ", ecode.message ());
 			delete packet;
 		}	
 	}
@@ -201,40 +201,47 @@ namespace transport
 				moreBytes = m_SocketV6.available();
 			}
 
-			m_ServiceV6.post (std::bind (&SSUServer::HandleReceivedPackets, this, packets));
+			m_ServiceV6.post (std::bind (&SSUServer::HandleReceivedPackets, this, packets, &m_SessionsV6));
 			ReceiveV6 ();
 		}
 		else
 		{	
-			LogPrint ("SSU V6 receive error: ", ecode.message ());
+			LogPrint (eLogError, "SSU: v6 receive error: ", ecode.message ());
 			delete packet;
 		}	
 	}
 
-	void SSUServer::HandleReceivedPackets (std::vector<SSUPacket *> packets)
+	void SSUServer::HandleReceivedPackets (std::vector<SSUPacket *> packets, 
+		std::map<boost::asio::ip::udp::endpoint, std::shared_ptr<SSUSession> > * sessions)
 	{
 		std::shared_ptr<SSUSession> session;	
 		for (auto it1: packets)
 		{
 			auto packet = it1;
-			if (!session || session->GetRemoteEndpoint () != packet->from) // we received packet for other session than previous
-			{
-				if (session) session->FlushData ();
-				auto it = m_Sessions.find (packet->from);
-				if (it != m_Sessions.end ())
-					session = it->second;
-				if (!session)
+			try
+			{	
+				if (!session || session->GetRemoteEndpoint () != packet->from) // we received packet for other session than previous
 				{
-					session = std::make_shared<SSUSession> (*this, packet->from);
-					session->WaitForConnect ();
+					if (session) session->FlushData ();
+					auto it = sessions->find (packet->from);
+					if (it != sessions->end ())
+						session = it->second;
+					if (!session)
 					{
-						std::unique_lock<std::mutex> l(m_SessionsMutex);
-						m_Sessions[packet->from] = session;
-					}	
-					LogPrint ("New SSU session from ", packet->from.address ().to_string (), ":", packet->from.port (), " created");
+						session = std::make_shared<SSUSession> (*this, packet->from);
+						session->WaitForConnect ();
+						(*sessions)[packet->from] = session;
+						LogPrint (eLogInfo, "SSU: new session from ", packet->from.address ().to_string (), ":", packet->from.port (), " created");
+					}
 				}
-			}
-			session->ProcessNextMessage (packet->buf, packet->len, packet->from);
+				session->ProcessNextMessage (packet->buf, packet->len, packet->from);
+			}	
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "SSU: HandleReceivedPackets ", ex.what ());
+				if (session) session->FlushData ();
+				session = nullptr;
+			}	
 			delete packet;
 		}
 		if (session) session->FlushData ();
@@ -256,96 +263,135 @@ namespace transport
 
 	std::shared_ptr<SSUSession> SSUServer::FindSession (const boost::asio::ip::udp::endpoint& e) const
 	{
-		auto it = m_Sessions.find (e);
-		if (it != m_Sessions.end ())
+		auto& sessions = e.address ().is_v6 () ?  m_SessionsV6 : m_Sessions; 
+		auto it = sessions.find (e);
+		if (it != sessions.end ())
 			return it->second;
 		else
 			return nullptr;
 	}
-		
-	std::shared_ptr<SSUSession> SSUServer::GetSession (std::shared_ptr<const i2p::data::RouterInfo> router, bool peerTest)
+	
+	void SSUServer::CreateSession (std::shared_ptr<const i2p::data::RouterInfo> router, bool peerTest)
+	{
+		auto address = router->GetSSUAddress (!context.SupportsV6 ());
+		if (address)
+			CreateSession (router, address->host, address->port, peerTest);
+		else
+			LogPrint (eLogWarning, "SSU: Router ", i2p::data::GetIdentHashAbbreviation (router->GetIdentHash ()), " doesn't have SSU address");
+	}
+	
+	void SSUServer::CreateSession (std::shared_ptr<const i2p::data::RouterInfo> router,
+		const boost::asio::ip::address& addr, int port, bool peerTest)
 	{
-		std::shared_ptr<SSUSession> session;
 		if (router)
 		{
-			auto address = router->GetSSUAddress (!context.SupportsV6 ());
+			if (router->UsesIntroducer ())
+				m_Service.post (std::bind (&SSUServer::CreateSessionThroughIntroducer, this, router, peerTest)); // always V4 thread
+			else
+			{
+				boost::asio::ip::udp::endpoint remoteEndpoint (addr, port);
+				auto& s = addr.is_v6 () ? m_ServiceV6 : m_Service;
+				s.post (std::bind (&SSUServer::CreateDirectSession, this, router, remoteEndpoint, peerTest));
+			}
+		}
+	}
+
+	void SSUServer::CreateDirectSession (std::shared_ptr<const i2p::data::RouterInfo> router, boost::asio::ip::udp::endpoint remoteEndpoint, bool peerTest)
+	{	
+		auto& sessions = remoteEndpoint.address ().is_v6 () ? m_SessionsV6 : m_Sessions;	
+		auto it = sessions.find (remoteEndpoint);
+		if (it != sessions.end ())
+		{	
+			auto session = it->second;
+			if (peerTest && session->GetState () == eSessionStateEstablished)
+				session->SendPeerTest ();
+		}	
+		else
+		{
+			// otherwise create new session					
+			auto session = std::make_shared<SSUSession> (*this, remoteEndpoint, router, peerTest);
+			sessions[remoteEndpoint] = session;
+			// connect 					
+			LogPrint (eLogInfo, "SSU: Creating new session to [", i2p::data::GetIdentHashAbbreviation (router->GetIdentHash ()), "] ",
+				remoteEndpoint.address ().to_string (), ":", remoteEndpoint.port ());
+			session->Connect ();
+		}
+	}
+	
+	void SSUServer::CreateSessionThroughIntroducer (std::shared_ptr<const i2p::data::RouterInfo> router, bool peerTest)
+	{
+		if (router && router->UsesIntroducer ())
+		{
+			auto address = router->GetSSUAddress (true); // v4 only for now
 			if (address)
 			{
 				boost::asio::ip::udp::endpoint remoteEndpoint (address->host, address->port);
 				auto it = m_Sessions.find (remoteEndpoint);
+				// check if session if presented alredy
 				if (it != m_Sessions.end ())
-					session = it->second;
-				else
+				{	
+					auto session = it->second;
+					if (peerTest && session->GetState () == eSessionStateEstablished)
+						session->SendPeerTest ();
+					return; 
+				}		
+				// create new session					
+				int numIntroducers = address->introducers.size ();
+				if (numIntroducers > 0)
 				{
-					// otherwise create new session					
-					session = std::make_shared<SSUSession> (*this, remoteEndpoint, router, peerTest);
+					std::shared_ptr<SSUSession> introducerSession;
+					const i2p::data::RouterInfo::Introducer * introducer = nullptr;
+					// we might have a session to introducer already
+					for (int i = 0; i < numIntroducers; i++)
 					{
-						std::unique_lock<std::mutex> l(m_SessionsMutex);
-						m_Sessions[remoteEndpoint] = session;
-					}
-					if (!router->UsesIntroducer ())
-					{
-						// connect directly						
-						LogPrint ("Creating new SSU session to [", router->GetIdentHashAbbreviation (), "] ",
-							remoteEndpoint.address ().to_string (), ":", remoteEndpoint.port ());
-						session->Connect ();
-					}
-					else
-					{
-						// connect through introducer
-						int numIntroducers = address->introducers.size ();
-						if (numIntroducers > 0)
-						{
-							std::shared_ptr<SSUSession> introducerSession;
-							const i2p::data::RouterInfo::Introducer * introducer = nullptr;
-							// we might have a session to introducer already
-							for (int i = 0; i < numIntroducers; i++)
-							{
-								introducer = &(address->introducers[i]);
-								it = m_Sessions.find (boost::asio::ip::udp::endpoint (introducer->iHost, introducer->iPort));
-								if (it != m_Sessions.end ())
-								{
-									introducerSession = it->second;
-									break; 
-								}	
-							}
-
-							if (introducerSession) // session found 
-								LogPrint ("Session to introducer already exists");
-							else // create new
-							{
-								LogPrint ("Creating new session to introducer");
-								introducer = &(address->introducers[0]); // TODO:
-								boost::asio::ip::udp::endpoint introducerEndpoint (introducer->iHost, introducer->iPort);
-								introducerSession = std::make_shared<SSUSession> (*this, introducerEndpoint, router);
-								std::unique_lock<std::mutex> l(m_SessionsMutex);
-								m_Sessions[introducerEndpoint] = introducerSession;													
-							}	
-							// introduce
-							LogPrint ("Introduce new SSU session to [", router->GetIdentHashAbbreviation (), 
-									"] through introducer ", introducer->iHost, ":", introducer->iPort);
-							session->WaitForIntroduction ();	
-							if (i2p::context.GetRouterInfo ().UsesIntroducer ()) // if we are unreachable
-							{
-								uint8_t buf[1];
-								Send (buf, 0, remoteEndpoint); // send HolePunch
-							}	
-							introducerSession->Introduce (introducer->iTag, introducer->iKey);
-						}
-						else
+						auto intr = &(address->introducers[i]);
+						boost::asio::ip::udp::endpoint ep (intr->iHost, intr->iPort);
+						if (ep.address ().is_v4 ()) // ipv4 only
 						{	
-							LogPrint (eLogWarning, "Can't connect to unreachable router. No introducers presented");
-							std::unique_lock<std::mutex> l(m_SessionsMutex);
-							m_Sessions.erase (remoteEndpoint);
-							session.reset ();
-						}	
+							if (!introducer) introducer = intr; // we pick first one for now
+							it = m_Sessions.find (ep); 
+							if (it != m_Sessions.end ())
+							{
+								introducerSession = it->second;
+								break; 
+							}	
+						}
 					}
+					if (!introducer)
+					{
+						LogPrint (eLogWarning, "SSU: Can't connect to unreachable router and no ipv4 introducers present");
+						return;
+					}				
+
+					if (introducerSession) // session found 
+						LogPrint (eLogInfo, "SSU: Session to introducer already exists");
+					else // create new
+					{
+						LogPrint (eLogInfo, "SSU: Creating new session to introducer");
+						boost::asio::ip::udp::endpoint introducerEndpoint (introducer->iHost, introducer->iPort);
+						introducerSession = std::make_shared<SSUSession> (*this, introducerEndpoint, router);
+						m_Sessions[introducerEndpoint] = introducerSession;													
+					}
+					// create session	
+					auto session = std::make_shared<SSUSession> (*this, remoteEndpoint, router, peerTest);
+					m_Sessions[remoteEndpoint] = session;
+					// introduce
+					LogPrint (eLogInfo, "SSU: Introduce new session to [", i2p::data::GetIdentHashAbbreviation (router->GetIdentHash ()),
+							"] through introducer ", introducer->iHost, ":", introducer->iPort);
+					session->WaitForIntroduction ();	
+					if (i2p::context.GetRouterInfo ().UsesIntroducer ()) // if we are unreachable
+					{
+						uint8_t buf[1];
+						Send (buf, 0, remoteEndpoint); // send HolePunch
+					}	
+					introducerSession->Introduce (*introducer, router);
 				}
+				else	
+					LogPrint (eLogWarning, "SSU: Can't connect to unreachable router and no introducers present");
 			}
 			else
-				LogPrint (eLogWarning, "Router ", router->GetIdentHashAbbreviation (), " doesn't have SSU address");
+				LogPrint (eLogWarning, "SSU: Router ", i2p::data::GetIdentHashAbbreviation (router->GetIdentHash ()), " doesn't have SSU address");
 		}
-		return session;
 	}
 
 	void SSUServer::DeleteSession (std::shared_ptr<SSUSession> session)
@@ -353,36 +399,42 @@ namespace transport
 		if (session)
 		{
 			session->Close ();
-			std::unique_lock<std::mutex> l(m_SessionsMutex);	
-			m_Sessions.erase (session->GetRemoteEndpoint ());
+			auto& ep = session->GetRemoteEndpoint ();
+			if (ep.address ().is_v6 ())
+				m_SessionsV6.erase (ep);
+			else
+				m_Sessions.erase (ep);
 		}	
 	}	
 
 	void SSUServer::DeleteAllSessions ()
 	{
-		std::unique_lock<std::mutex> l(m_SessionsMutex);
 		for (auto it: m_Sessions)
 			it.second->Close ();
 		m_Sessions.clear ();
+
+		for (auto it: m_SessionsV6)
+			it.second->Close ();
+		m_SessionsV6.clear ();
 	}
 
 	template<typename Filter>
-	std::shared_ptr<SSUSession> SSUServer::GetRandomSession (Filter filter)
+	std::shared_ptr<SSUSession> SSUServer::GetRandomV4Session (Filter filter) // v4 only
 	{
 		std::vector<std::shared_ptr<SSUSession> > filteredSessions;
 		for (auto s :m_Sessions)
 			if (filter (s.second)) filteredSessions.push_back (s.second);
 		if (filteredSessions.size () > 0)
 		{
-			auto ind = i2p::context.GetRandomNumberGenerator ().GenerateWord32 (0, filteredSessions.size ()-1);
+			auto ind = rand () % filteredSessions.size ();
 			return filteredSessions[ind];
 		}
 		return nullptr;	
 	}
 
-	std::shared_ptr<SSUSession> SSUServer::GetRandomEstablishedSession (std::shared_ptr<const SSUSession> excluded)
+	std::shared_ptr<SSUSession> SSUServer::GetRandomEstablishedV4Session (std::shared_ptr<const SSUSession> excluded) // v4 only
 	{
-		return GetRandomSession (
+		return GetRandomV4Session (
 			[excluded](std::shared_ptr<SSUSession> session)->bool 
 			{ 
 				return session->GetState () == eSessionStateEstablished && !session->IsV6 () && 
@@ -397,7 +449,7 @@ namespace transport
 		std::set<SSUSession *> ret;
 		for (int i = 0; i < maxNumIntroducers; i++)
 		{
-			auto session = GetRandomSession (
+			auto session = GetRandomV4Session (
 				[&ret, ts](std::shared_ptr<SSUSession> session)->bool 
 				{ 
 					return session->GetRelayTag () && !ret.count (session.get ()) &&
@@ -459,21 +511,26 @@ namespace transport
 				{
 					for (auto it1: introducers)
 					{
-						auto router = it1->GetRemoteRouter ();
-						if (router && i2p::context.AddIntroducer (*router, it1->GetRelayTag ()))
+						auto& ep = it1->GetRemoteEndpoint ();
+						i2p::data::RouterInfo::Introducer introducer;
+						introducer.iHost = ep.address ();
+						introducer.iPort = ep.port ();
+						introducer.iTag = it1->GetRelayTag ();
+						introducer.iKey = it1->GetIntroKey ();
+						if (i2p::context.AddIntroducer (introducer))
 						{	
-							newList.push_back (it1->GetRemoteEndpoint ());
+							newList.push_back (ep);
 							if (newList.size () >= SSU_MAX_NUM_INTRODUCERS) break;
 						}	
 					}	
 				}	
 			}	
 			m_Introducers = newList;
-			if (m_Introducers.empty ())
+			if (m_Introducers.size () < SSU_MAX_NUM_INTRODUCERS)
 			{
 				auto introducer = i2p::data::netdb.GetRandomIntroducer ();
 				if (introducer)
-					GetSession (introducer);
+					CreateSession (introducer);
 			}	
 			ScheduleIntroducersUpdateTimer ();
 		}	
@@ -538,7 +595,7 @@ namespace transport
 					it++;	 
 			}
 			if (numDeleted > 0)
-				LogPrint (eLogInfo, numDeleted, " peer tests have been expired");
+				LogPrint (eLogDebug, "SSU: ", numDeleted, " peer tests have been expired");
 			SchedulePeerTestsCleanupTimer ();
 		}
 	}

SSU.h

@@ -9,7 +9,7 @@
 #include <thread>
 #include <mutex>
 #include <boost/asio.hpp>
-#include "aes.h"
+#include "Crypto.h"
 #include "I2PEndian.h"
 #include "Identity.h"
 #include "RouterInfo.h"
@@ -40,10 +40,13 @@ namespace transport
 			~SSUServer ();
 			void Start ();
 			void Stop ();
-			std::shared_ptr<SSUSession> GetSession (std::shared_ptr<const i2p::data::RouterInfo> router, bool peerTest = false);
+			void CreateSession (std::shared_ptr<const i2p::data::RouterInfo> router, bool peerTest = false);
+			void CreateSession (std::shared_ptr<const i2p::data::RouterInfo> router, 
+				const boost::asio::ip::address& addr, int port, bool peerTest = false);
+			void CreateDirectSession (std::shared_ptr<const i2p::data::RouterInfo> router, boost::asio::ip::udp::endpoint remoteEndpoint, bool peerTest);
 			std::shared_ptr<SSUSession> FindSession (std::shared_ptr<const i2p::data::RouterInfo> router) const;
 			std::shared_ptr<SSUSession> FindSession (const boost::asio::ip::udp::endpoint& e) const;
-			std::shared_ptr<SSUSession> GetRandomEstablishedSession (std::shared_ptr<const SSUSession> excluded);
+			std::shared_ptr<SSUSession> GetRandomEstablishedV4Session (std::shared_ptr<const SSUSession> excluded);
 			void DeleteSession (std::shared_ptr<SSUSession> session);
 			void DeleteAllSessions ();			
 
@@ -69,10 +72,12 @@ namespace transport
 			void ReceiveV6 ();
 			void HandleReceivedFrom (const boost::system::error_code& ecode, std::size_t bytes_transferred, SSUPacket * packet);
 			void HandleReceivedFromV6 (const boost::system::error_code& ecode, std::size_t bytes_transferred, SSUPacket * packet);
-			void HandleReceivedPackets (std::vector<SSUPacket *> packets);
+			void HandleReceivedPackets (std::vector<SSUPacket *> packets,
+				std::map<boost::asio::ip::udp::endpoint, std::shared_ptr<SSUSession> >* sessions);
 
+			void CreateSessionThroughIntroducer (std::shared_ptr<const i2p::data::RouterInfo> router, bool peerTest = false);			
 			template<typename Filter>
-			std::shared_ptr<SSUSession> GetRandomSession (Filter filter);
+			std::shared_ptr<SSUSession> GetRandomV4Session (Filter filter);
 			
 			std::set<SSUSession *> FindIntroducers (int maxNumIntroducers);	
 			void ScheduleIntroducersUpdateTimer ();
@@ -98,14 +103,14 @@ namespace transport
 			boost::asio::ip::udp::socket m_Socket, m_SocketV6;
 			boost::asio::deadline_timer m_IntroducersUpdateTimer, m_PeerTestsCleanupTimer;
 			std::list<boost::asio::ip::udp::endpoint> m_Introducers; // introducers we are connected to
-			mutable std::mutex m_SessionsMutex;
-			std::map<boost::asio::ip::udp::endpoint, std::shared_ptr<SSUSession> > m_Sessions;
+			std::map<boost::asio::ip::udp::endpoint, std::shared_ptr<SSUSession> > m_Sessions, m_SessionsV6;
 			std::map<uint32_t, boost::asio::ip::udp::endpoint> m_Relays; // we are introducer
 			std::map<uint32_t, PeerTest> m_PeerTests; // nonce -> creation time in milliseconds
 
 		public:
 			// for HTTP only
 			const decltype(m_Sessions)& GetSessions () const { return m_Sessions; };
+			const decltype(m_SessionsV6)& GetSessionsV6 () const { return m_SessionsV6; };
 	};
 }
 }

SSUData.cpp

@@ -14,26 +14,22 @@ namespace transport
 	{
 		if (msg->len + fragmentSize > msg->maxLen)
 		{
-			LogPrint (eLogInfo, "SSU I2NP message size ", msg->maxLen, " is not enough");
-			I2NPMessage * newMsg = NewI2NPMessage ();
+			LogPrint (eLogWarning, "SSU: I2NP message size ", msg->maxLen, " is not enough");
+			auto newMsg = NewI2NPMessage ();
 			*newMsg = *msg;
-			DeleteI2NPMessage (msg);
 			msg = newMsg;
 		}
-		memcpy (msg->buf + msg->len, fragment, fragmentSize);
-		msg->len += fragmentSize;
+		if (msg->Concat (fragment, fragmentSize) < fragmentSize)
+			LogPrint (eLogError, "SSU: I2NP buffer overflow ", msg->maxLen);
 		nextFragmentNum++;
 	}
 
 	SSUData::SSUData (SSUSession& session):
 		m_Session (session), m_ResendTimer (session.GetService ()), m_DecayTimer (session.GetService ()),
-		m_IncompleteMessagesCleanupTimer (session.GetService ())
+		m_IncompleteMessagesCleanupTimer (session.GetService ()), 
+		m_MaxPacketSize (session.IsV6 () ? SSU_V6_MAX_PACKET_SIZE : SSU_V4_MAX_PACKET_SIZE), 
+		m_PacketSize (m_MaxPacketSize)
 	{
-		m_MaxPacketSize = session.IsV6 () ? SSU_V6_MAX_PACKET_SIZE : SSU_V4_MAX_PACKET_SIZE;
-		m_PacketSize = m_MaxPacketSize;
-		auto remoteRouter = session.GetRemoteRouter ();
-		if (remoteRouter)
-			AdjustPacketSize (*remoteRouter);
 	}
 
 	SSUData::~SSUData ()
@@ -52,9 +48,10 @@ namespace transport
 		m_IncompleteMessagesCleanupTimer.cancel ();
 	}	
 		
-	void SSUData::AdjustPacketSize (const i2p::data::RouterInfo& remoteRouter)
+	void SSUData::AdjustPacketSize (std::shared_ptr<const i2p::data::RouterInfo> remoteRouter)
 	{
-		auto ssuAddress = remoteRouter.GetSSUAddress ();
+		if (remoteRouter) return;
+		auto ssuAddress = remoteRouter->GetSSUAddress ();
 		if (ssuAddress && ssuAddress->mtu)
 		{
 			if (m_Session.IsV6 ())
@@ -67,11 +64,11 @@ namespace transport
 				m_PacketSize >>= 4;
 				m_PacketSize <<= 4;
 				if (m_PacketSize > m_MaxPacketSize) m_PacketSize = m_MaxPacketSize;
-				LogPrint ("MTU=", ssuAddress->mtu, " packet size=", m_PacketSize); 
+				LogPrint (eLogDebug, "SSU: MTU=", ssuAddress->mtu, " packet size=", m_PacketSize);
 			}
 			else
 			{	
-				LogPrint (eLogWarning, "Unexpected MTU ", ssuAddress->mtu);
+				LogPrint (eLogWarning, "SSU: Unexpected MTU ", ssuAddress->mtu);
 				m_PacketSize = m_MaxPacketSize;
 			}	
 		}		
@@ -81,7 +78,7 @@ namespace transport
 	{
  		auto routerInfo = i2p::data::netdb.FindRouter (remoteIdent);
 		if (routerInfo)
-			AdjustPacketSize (*routerInfo);
+			AdjustPacketSize (routerInfo);
 	}
 
 	void SSUData::ProcessSentMessageAck (uint32_t msgID)
@@ -160,12 +157,12 @@ namespace transport
 			memcpy (frag + 1, buf, 3);
 			buf += 3;
 			uint32_t fragmentInfo = bufbe32toh (frag); // fragment info
-			uint16_t fragmentSize = fragmentInfo & 0x1FFF; // bits 0 - 13
+			uint16_t fragmentSize = fragmentInfo & 0x3FFF; // bits 0 - 13
 			bool isLast = fragmentInfo & 0x010000; // bit 16	
 			uint8_t fragmentNum = fragmentInfo >> 17; // bits 23 - 17 		
 			if (fragmentSize >= SSU_V4_MAX_PACKET_SIZE)
 			{
-				LogPrint (eLogError, "Fragment size ", fragmentSize, "exceeds max SSU packet size");
+				LogPrint (eLogError, "SSU: Fragment size ", fragmentSize, " exceeds max SSU packet size");
 				return;
 			}
 
@@ -202,23 +199,23 @@ namespace transport
 							break;
 					}
 					if (isLast)
-						LogPrint (eLogDebug, "Message ", msgID, " complete");
+						LogPrint (eLogDebug, "SSU: Message ", msgID, " complete");
 				}	
 			}	
 			else
 			{	
 				if (fragmentNum < incompleteMessage->nextFragmentNum)
 					// duplicate fragment
-					LogPrint (eLogWarning, "Duplicate fragment ", (int)fragmentNum, " of message ", msgID, ". Ignored");	
+					LogPrint (eLogWarning, "SSU: Duplicate fragment ", (int)fragmentNum, " of message ", msgID, ", ignored");
 				else
 				{
 					// missing fragment
-					LogPrint (eLogWarning, "Missing fragments from ", (int)incompleteMessage->nextFragmentNum, " to ", fragmentNum - 1, " of message ", msgID);	
+					LogPrint (eLogWarning, "SSU: Missing fragments from ", (int)incompleteMessage->nextFragmentNum, " to ", fragmentNum - 1, " of message ", msgID);
 					auto savedFragment = new Fragment (fragmentNum, buf, fragmentSize, isLast);
 					if (incompleteMessage->savedFragments.insert (std::unique_ptr<Fragment>(savedFragment)).second)
 						incompleteMessage->lastFragmentInsertTime = i2p::util::GetSecondsSinceEpoch ();
 					else	
-						LogPrint (eLogWarning, "Fragment ", (int)fragmentNum, " of message ", msgID, " already saved");
+						LogPrint (eLogWarning, "SSU: Fragment ", (int)fragmentNum, " of message ", msgID, " already saved");
 				}
 				isLast = false;
 			}	
@@ -241,25 +238,24 @@ namespace transport
 						else
 							ScheduleDecay ();
 						m_ReceivedMessages.insert (msgID);
-						m_Handler.PutNextMessage (msg);
+						if (!msg->IsExpired ())
+							m_Handler.PutNextMessage (msg);
+						else
+							LogPrint (eLogInfo, "SSU: message expired");
 					}	
 					else
-					{
-						LogPrint (eLogWarning, "SSU message ", msgID, " already received");						
-						i2p::DeleteI2NPMessage (msg);
-					}	
+						LogPrint (eLogWarning, "SSU: Message ", msgID, " already received");
 				}	
 				else
 				{
 					// we expect DeliveryStatus
 					if (msg->GetTypeID () == eI2NPDeliveryStatus)
 					{
-						LogPrint ("SSU session established");
+						LogPrint (eLogDebug, "SSU: session established");
 						m_Session.Established ();
 					}	
 					else
-						LogPrint (eLogError, "SSU unexpected message ", (int)msg->GetTypeID ());
-					DeleteI2NPMessage (msg);
+						LogPrint (eLogError, "SSU: unexpected message ", (int)msg->GetTypeID ());
 				}	
 			}	
 			else
@@ -278,7 +274,7 @@ namespace transport
 		//uint8_t * start = buf;
 		uint8_t flag = *buf;
 		buf++;
-		LogPrint (eLogDebug, "Process SSU data flags=", (int)flag, " len=", len);
+		LogPrint (eLogDebug, "SSU: Process data, flags=", (int)flag, ", len=", len);
 		// process acks if presented
 		if (flag & (DATA_FLAG_ACK_BITFIELDS_INCLUDED | DATA_FLAG_EXPLICIT_ACKS_INCLUDED))
 			ProcessAcks (buf, flag);
@@ -287,20 +283,19 @@ namespace transport
 		{
 			uint8_t extendedDataSize = *buf;
 			buf++; // size
-			LogPrint (eLogDebug, "SSU extended data of ", extendedDataSize, " bytes presented");
+			LogPrint (eLogDebug, "SSU: extended data of ", extendedDataSize, " bytes present");
 			buf += extendedDataSize;
 		}
 		// process data
 		ProcessFragments (buf);
 	}
 
-	void SSUData::Send (i2p::I2NPMessage * msg)
+	void SSUData::Send (std::shared_ptr<i2p::I2NPMessage> msg)
 	{
 		uint32_t msgID = msg->ToSSU ();
 		if (m_SentMessages.count (msgID) > 0)
 		{
-			LogPrint (eLogWarning, "SSU message ", msgID, " already sent");
-			DeleteI2NPMessage (msg);
+			LogPrint (eLogWarning, "SSU: message ", msgID, " already sent");
 			return;
 		}	
 		if (m_SentMessages.empty ()) // schedule resend at first message only
@@ -357,7 +352,7 @@ namespace transport
 			}
 			catch (boost::system::system_error& ec)
 			{
-				LogPrint (eLogError, "Can't send SSU fragment ", ec.what ());
+				LogPrint (eLogWarning, "SSU: Can't send data fragment ", ec.what ());
 			}	
 			if (!isLast)
 			{	
@@ -368,7 +363,6 @@ namespace transport
 				len = 0;
 			fragmentNum++;
 		}	
-		DeleteI2NPMessage (msg);
 	}		
 
 	void SSUData::SendMsgAck (uint32_t msgID)
@@ -379,7 +373,7 @@ namespace transport
 		payload++;
 		*payload = 1; // number of ACKs
 		payload++;
-		*(uint32_t *)(payload) = htobe32 (msgID); // msgID	
+		htobe32buf (payload, msgID); // msgID
 		payload += 4;
 		*payload = 0; // number of fragments
 
@@ -392,7 +386,7 @@ namespace transport
 	{
 		if (fragmentNum > 64)
 		{
-			LogPrint (eLogWarning, "Fragment number ", fragmentNum, " exceeds 64");
+			LogPrint (eLogWarning, "SSU: Fragment number ", fragmentNum, " exceeds 64");
 			return;
 		}
 		uint8_t buf[64 + 18];
@@ -446,7 +440,7 @@ namespace transport
 								}
 								catch (boost::system::system_error& ec)
 								{
-									LogPrint (eLogError, "Can't resend SSU fragment ", ec.what ());
+									LogPrint (eLogWarning, "SSU: Can't resend data fragment ", ec.what ());
 								}
 							}	
 
@@ -456,7 +450,7 @@ namespace transport
 					}	
 					else
 					{
-						LogPrint (eLogError, "SSU message has not been ACKed after ", MAX_NUM_RESENDS, " attempts. Deleted");
+						LogPrint (eLogInfo, "SSU: message has not been ACKed after ", MAX_NUM_RESENDS, " attempts, deleted");
 						it = m_SentMessages.erase (it);
 					}	
 				}	
@@ -500,7 +494,7 @@ namespace transport
 			{
 				if (ts > it->second->lastFragmentInsertTime + INCOMPLETE_MESSAGES_CLEANUP_TIMEOUT)
 				{
-					LogPrint (eLogError, "SSU message ", it->first, " was not completed  in ", INCOMPLETE_MESSAGES_CLEANUP_TIMEOUT, " seconds. Deleted");
+					LogPrint (eLogWarning, "SSU: message ", it->first, " was not completed  in ", INCOMPLETE_MESSAGES_CLEANUP_TIMEOUT, " seconds, deleted");
 					it = m_IncompleteMessages.erase (it);
 				}	
 				else

SSUData.h

@@ -27,8 +27,8 @@ namespace transport
 	const int RESEND_INTERVAL = 3; // in seconds
 	const int MAX_NUM_RESENDS = 5;
 	const int DECAY_INTERVAL = 20; // in seconds
-	const int MAX_NUM_RECEIVED_MESSAGES = 1000; // how many msgID we store for duplicates check
 	const int INCOMPLETE_MESSAGES_CLEANUP_TIMEOUT = 30; // in seconds
+	const unsigned int MAX_NUM_RECEIVED_MESSAGES = 1000; // how many msgID we store for duplicates check
 	// data flags
 	const uint8_t DATA_FLAG_EXTENDED_DATA_INCLUDED = 0x02;
 	const uint8_t DATA_FLAG_WANT_REPLY = 0x04;
@@ -59,13 +59,12 @@ namespace transport
 	
 	struct IncompleteMessage
 	{
-		I2NPMessage * msg;
+		std::shared_ptr<I2NPMessage> msg;
 		int nextFragmentNum;	
 		uint32_t lastFragmentInsertTime; // in seconds
 		std::set<std::unique_ptr<Fragment>, FragmentCmp> savedFragments;
 		
-		IncompleteMessage (I2NPMessage * m): msg (m), nextFragmentNum (0), lastFragmentInsertTime (0) {};
-		~IncompleteMessage () { if (msg) DeleteI2NPMessage (msg); };
+		IncompleteMessage (std::shared_ptr<I2NPMessage> m): msg (m), nextFragmentNum (0), lastFragmentInsertTime (0) {};
 		void AttachNextFragment (const uint8_t * fragment, size_t fragmentSize);	
 	};
 
@@ -81,7 +80,7 @@ namespace transport
 	{
 		public:
 
-			SSUData (SSUSession& session);
+			SSUData (SSUSession& session); 
 			~SSUData ();
 
 			void Start ();
@@ -89,8 +88,9 @@ namespace transport
 			
 			void ProcessMessage (uint8_t * buf, size_t len);
 			void FlushReceivedMessage ();
-			void Send (i2p::I2NPMessage * msg);
+			void Send (std::shared_ptr<i2p::I2NPMessage> msg);
 
+			void AdjustPacketSize (std::shared_ptr<const i2p::data::RouterInfo> remoteRouter);	
 			void UpdatePacketSize (const i2p::data::IdentHash& remoteIdent);
 
 		private:
@@ -110,7 +110,6 @@ namespace transport
 			void ScheduleIncompleteMessagesCleanup ();
 			void HandleIncompleteMessagesCleanupTimer (const boost::system::error_code& ecode);	
 			
-			void AdjustPacketSize (const i2p::data::RouterInfo& remoteRouter);	
 			
 		private:	
 

SSUSession.cpp

@@ -1,7 +1,7 @@
 #include <boost/bind.hpp>
-#include <cryptopp/dh.h>
-#include <cryptopp/sha.h>
-#include "CryptoConst.h"
+#include <openssl/dh.h>
+#include <openssl/sha.h>
+#include <openssl/rand.h>
 #include "Log.h"
 #include "Timestamp.h"
 #include "RouterContext.h"
@@ -16,9 +16,22 @@ namespace transport
 	SSUSession::SSUSession (SSUServer& server, boost::asio::ip::udp::endpoint& remoteEndpoint,
 		std::shared_ptr<const i2p::data::RouterInfo> router, bool peerTest ): TransportSession (router), 
 		m_Server (server), m_RemoteEndpoint (remoteEndpoint), m_Timer (GetService ()), 
-		m_PeerTest (peerTest),m_State (eSessionStateUnknown), m_IsSessionKey (false), 
+		m_IsPeerTest (peerTest),m_State (eSessionStateUnknown), m_IsSessionKey (false), 
 		m_RelayTag (0),m_Data (*this), m_IsDataReceived (false)
-	{
+	{	
+		if (router)
+		{
+			// we are client
+			auto address = router->GetSSUAddress ();
+			if (address) m_IntroKey = address->key;
+			m_Data.AdjustPacketSize (router); // mtu
+		}
+		else
+		{
+			// we are server
+			auto address = i2p::context.GetRouterInfo ().GetSSUAddress ();
+			if (address) m_IntroKey = address->key;
+		}
 		m_CreationTime = i2p::util::GetSecondsSinceEpoch ();
 	}
 
@@ -33,13 +46,8 @@ namespace transport
 	
 	void SSUSession::CreateAESandMacKey (const uint8_t * pubKey)
 	{
-		CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
 		uint8_t sharedKey[256];
-		if (!dh.Agree (sharedKey, m_DHKeysPair->privateKey, pubKey))
-		{    
-		    LogPrint (eLogError, "Couldn't create shared key");
-			return;
-		};
+		m_DHKeysPair->Agree (pubKey, sharedKey);
 
 		uint8_t * sessionKey = m_SessionKey, * macKey = m_MacKey;
 		if (sharedKey[0] & 0x80)
@@ -62,13 +70,13 @@ namespace transport
 				nonZero++;
 				if (nonZero - sharedKey > 32)
 				{
-					LogPrint ("First 32 bytes of shared key is all zeros. Ignored");
+					LogPrint (eLogWarning, "SSU: first 32 bytes of shared key is all zeros. Ignored");
 					return;
 				}	
 			}
 			
 			memcpy (sessionKey, nonZero, 32);
-			CryptoPP::SHA256().CalculateDigest(macKey, nonZero, 64 - (nonZero - sharedKey));
+			SHA256(nonZero, 64 - (nonZero - sharedKey), macKey);
 		}
 		m_IsSessionKey = true;
 		m_SessionKeyEncryption.SetKey (m_SessionKey);
@@ -82,7 +90,7 @@ namespace transport
 		if (m_State == eSessionStateIntroduced)
 		{
 			// HolePunch received
-			LogPrint ("SSU HolePunch of ", len, " bytes received");
+			LogPrint (eLogDebug, "SSU: HolePunch of ", len, " bytes received");
 			m_State = eSessionStateUnknown;
 			Connect ();
 		}
@@ -97,23 +105,22 @@ namespace transport
 			else 
 			{
 				// try intro key depending on side
-				auto introKey = GetIntroKey ();
-				if (introKey && Validate (buf, len, introKey))
-					Decrypt (buf, len, introKey);
+				if (Validate (buf, len, m_IntroKey))
+					Decrypt (buf, len, m_IntroKey);
 				else
 				{    
 					// try own intro key
 					auto address = i2p::context.GetRouterInfo ().GetSSUAddress ();
 					if (!address)
 					{
-						LogPrint (eLogError, "SSU is not supported");
+						LogPrint (eLogInfo, "SSU is not supported");
 						return;
 					}	
 					if (Validate (buf, len, address->key))
 						Decrypt (buf, len, address->key);
 					else
 					{
-						LogPrint (eLogError, "MAC verification failed ", len, " bytes from ", senderEndpoint);
+						LogPrint (eLogWarning, "SSU: MAC verification failed ", len, " bytes from ", senderEndpoint);
 						m_Server.DeleteSession (shared_from_this ()); 
 						return;
 					}	
@@ -124,79 +131,117 @@ namespace transport
 		}	
 	}
 
+	size_t SSUSession::GetSSUHeaderSize (const uint8_t * buf) const
+	{
+		size_t s = sizeof (SSUHeader);
+		if (((const SSUHeader *)buf)->IsExtendedOptions ())
+			s += buf[s] + 1; // byte right after header is extended options length
+		return s;
+	}
+
 	void SSUSession::ProcessMessage (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint)
 	{
 		len -= (len & 0x0F); // %16, delete extra padding
 		if (len <= sizeof (SSUHeader)) return; // drop empty message
 		//TODO: since we are accessing a uint8_t this is unlikely to crash due to alignment but should be improved
+		auto headerSize = GetSSUHeaderSize (buf);
+		if (headerSize >= len)
+		{
+			LogPrint (eLogError, "SSU header size ", headerSize, " exceeds packet length ", len);
+			return;
+		}
 		SSUHeader * header = (SSUHeader *)buf;
 		switch (header->GetPayloadType ())
 		{
 			case PAYLOAD_TYPE_DATA:
-				ProcessData (buf + sizeof (SSUHeader), len - sizeof (SSUHeader));
+				ProcessData (buf + headerSize, len - headerSize);
 			break;
 			case PAYLOAD_TYPE_SESSION_REQUEST:
-				ProcessSessionRequest (buf, len, senderEndpoint);				
+				ProcessSessionRequest (buf, len, senderEndpoint); // buf with header				
 			break;
 			case PAYLOAD_TYPE_SESSION_CREATED:
-				ProcessSessionCreated (buf, len);
+				ProcessSessionCreated (buf, len); // buf with header
 			break;
 			case PAYLOAD_TYPE_SESSION_CONFIRMED:
-				ProcessSessionConfirmed (buf, len);
+				ProcessSessionConfirmed (buf, len); // buf with header
 			break;	
 			case PAYLOAD_TYPE_PEER_TEST:
-				LogPrint (eLogDebug, "SSU peer test received");
-				ProcessPeerTest (buf + sizeof (SSUHeader), len - sizeof (SSUHeader), senderEndpoint);
+				LogPrint (eLogDebug, "SSU: peer test received");
+				ProcessPeerTest (buf + headerSize, len - headerSize, senderEndpoint);
 			break;
 			case PAYLOAD_TYPE_SESSION_DESTROYED:
 			{
-				LogPrint (eLogDebug, "SSU session destroy received");
+				LogPrint (eLogDebug, "SSU: session destroy received");
 				m_Server.DeleteSession (shared_from_this ()); 
 				break;
 			}	
 			case PAYLOAD_TYPE_RELAY_RESPONSE:
-				ProcessRelayResponse (buf, len);
+				ProcessRelayResponse (buf + headerSize, len - headerSize);
 				if (m_State != eSessionStateEstablished)
 					m_Server.DeleteSession (shared_from_this ());
 			break;
 			case PAYLOAD_TYPE_RELAY_REQUEST:
-				LogPrint (eLogDebug, "SSU relay request received");
-				ProcessRelayRequest (buf + sizeof (SSUHeader), len - sizeof (SSUHeader), senderEndpoint);
+				LogPrint (eLogDebug, "SSU: relay request received");
+				ProcessRelayRequest (buf + headerSize, len - headerSize, senderEndpoint);
 			break;
 			case PAYLOAD_TYPE_RELAY_INTRO:
-				LogPrint (eLogDebug, "SSU relay intro received");
-				ProcessRelayIntro (buf + sizeof (SSUHeader), len - sizeof (SSUHeader));
+				LogPrint (eLogDebug, "SSU: relay intro received");
+				ProcessRelayIntro (buf + headerSize, len - headerSize);
 			break;
 			default:
-				LogPrint (eLogWarning, "Unexpected SSU payload type ", (int)header->GetPayloadType ());
+				LogPrint (eLogWarning, "SSU: Unexpected payload type ", (int)header->GetPayloadType ());
 		}
 	}
 
-	void SSUSession::ProcessSessionRequest (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint)
+	void SSUSession::ProcessSessionRequest (const uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint)
 	{
-		LogPrint (eLogDebug, "Session request received");	
+		LogPrint (eLogDebug, "SSU message: session request");
+		bool sendRelayTag = true; 
+		auto headerSize = sizeof (SSUHeader);
+		if (((SSUHeader *)buf)->IsExtendedOptions ())
+		{
+			uint8_t extendedOptionsLen = buf[headerSize];
+			headerSize++;
+			if (extendedOptionsLen >= 3) // options are presented
+			{
+				uint16_t flags = bufbe16toh (buf + headerSize);
+				sendRelayTag = flags & EXTENDED_OPTIONS_FLAG_REQUEST_RELAY_TAG; 
+			}
+			headerSize += extendedOptionsLen;
+		}			
+		if (headerSize >= len)
+		{
+			LogPrint (eLogError, "Session reaquest header size ", headerSize, " exceeds packet length ", len);
+			return;	
+		}
 		m_RemoteEndpoint = senderEndpoint;
 		if (!m_DHKeysPair)
 			m_DHKeysPair = transports.GetNextDHKeysPair ();
-		CreateAESandMacKey (buf + sizeof (SSUHeader));
-		SendSessionCreated (buf + sizeof (SSUHeader));
+		CreateAESandMacKey (buf + headerSize);
+		SendSessionCreated (buf + headerSize, sendRelayTag);
 	}
 
 	void SSUSession::ProcessSessionCreated (uint8_t * buf, size_t len)
 	{
-		if (!m_RemoteRouter || !m_DHKeysPair)
+		if (!IsOutgoing () || !m_DHKeysPair)
 		{
-			LogPrint (eLogWarning, "Unsolicited session created message");
+			LogPrint (eLogWarning, "SSU: Unsolicited session created message");
 			return;
 		}
 
-		LogPrint (eLogDebug, "Session created received");	
+		LogPrint (eLogDebug, "SSU message: session created");
 		m_Timer.cancel (); // connect timer
 		SignedData s; // x,y, our IP, our port, remote IP, remote port, relayTag, signed on time 
-		uint8_t * payload = buf + sizeof (SSUHeader);	
+		auto headerSize = GetSSUHeaderSize (buf);	
+		if (headerSize >= len)
+		{
+			LogPrint (eLogError, "Session created header size ", headerSize, " exceeds packet length ", len);
+			return;	
+		}	
+		uint8_t * payload = buf + headerSize; 
 		uint8_t * y = payload;
 		CreateAESandMacKey (y);
-		s.Insert (m_DHKeysPair->publicKey, 256); // x
+		s.Insert (m_DHKeysPair->GetPublicKey (), 256); // x
 		s.Insert (y, 256); // y
 		payload += 256;
 		uint8_t addressSize = *payload;
@@ -220,7 +265,7 @@ namespace transport
 		uint16_t ourPort = bufbe16toh (payload);
 		s.Insert (payload, 2); // our port
 		payload += 2; // port
-		LogPrint ("Our external address is ", ourIP.to_string (), ":", ourPort);
+		LogPrint (eLogInfo, "SSU: Our external address is ", ourIP.to_string (), ":", ourPort);
 		i2p::context.UpdateAddress (ourIP);
 		if (m_RemoteEndpoint.address ().is_v4 ())
 			s.Insert (m_RemoteEndpoint.address ().to_v4 ().to_bytes ().data (), 4); // remote IP v4
@@ -232,52 +277,66 @@ namespace transport
 		payload += 4; // relayTag
 		payload += 4; // signed on time
 		// decrypt signature
-		size_t signatureLen = m_RemoteIdentity.GetSignatureLen ();
+		size_t signatureLen = m_RemoteIdentity->GetSignatureLen ();
 		size_t paddingSize = signatureLen & 0x0F; // %16
 		if (paddingSize > 0) signatureLen += (16 - paddingSize);
 		//TODO: since we are accessing a uint8_t this is unlikely to crash due to alignment but should be improved
 		m_SessionKeyDecryption.SetIV (((SSUHeader *)buf)->iv);
-		m_SessionKeyDecryption.Decrypt (payload, signatureLen, payload);
+		m_SessionKeyDecryption.Decrypt (payload, signatureLen, payload); // TODO: non-const payload
 		// verify
 		if (!s.Verify (m_RemoteIdentity, payload))
-			LogPrint (eLogError, "SSU signature verification failed");
-		m_RemoteIdentity.DropVerifier ();	
+			LogPrint (eLogError, "SSU: message 'created' signature verification failed");
 		
 		SendSessionConfirmed (y, ourAddress, addressSize + 2);
 	}	
 
-	void SSUSession::ProcessSessionConfirmed (uint8_t * buf, size_t len)
+	void SSUSession::ProcessSessionConfirmed (const uint8_t * buf, size_t len)
 	{
-		LogPrint (eLogDebug, "Session confirmed received");	
-		uint8_t * payload = buf + sizeof (SSUHeader);
+		LogPrint (eLogDebug, "SSU: Session confirmed received");	
+		auto headerSize = GetSSUHeaderSize (buf);	
+		if (headerSize >= len)
+		{
+			LogPrint (eLogError, "SSU: Session confirmed header size ", len, " exceeds packet length ", len);
+			return;	
+		}	
+		const uint8_t * payload = buf + headerSize;
 		payload++; // identity fragment info
 		uint16_t identitySize = bufbe16toh (payload);	
 		payload += 2; // size of identity fragment
-		m_RemoteIdentity.FromBuffer (payload, identitySize);
-		m_Data.UpdatePacketSize (m_RemoteIdentity.GetIdentHash ());
+		SetRemoteIdentity (std::make_shared<i2p::data::IdentityEx> (payload, identitySize));
+		m_Data.UpdatePacketSize (m_RemoteIdentity->GetIdentHash ());
 		payload += identitySize; // identity	
+		if (m_SignedData)
+			m_SignedData->Insert (payload, 4); // insert Alice's signed on time
 		payload += 4; // signed-on time
-		size_t paddingSize = (payload - buf) + m_RemoteIdentity.GetSignatureLen ();
+		size_t paddingSize = (payload - buf) + m_RemoteIdentity->GetSignatureLen ();
 		paddingSize &= 0x0F;  // %16
 		if (paddingSize > 0) paddingSize = 16 - paddingSize;
 		payload += paddingSize;
-		// TODO: verify signature (need data from session request), payload points to signature
+		// verify
+		if (m_SignedData && !m_SignedData->Verify (m_RemoteIdentity, payload))
+			LogPrint (eLogError, "SSU message 'confirmed' signature verification failed");
 		m_Data.Send (CreateDeliveryStatusMsg (0));
 		Established ();
 	}
 
 	void SSUSession::SendSessionRequest ()
-	{
-		auto introKey = GetIntroKey ();
-		if (!introKey)
-		{
-			LogPrint (eLogError, "SSU is not supported");
-			return;
-		}
-	
+	{	
 		uint8_t buf[320 + 18]; // 304 bytes for ipv4, 320 for ipv6
 		uint8_t * payload = buf + sizeof (SSUHeader);
-		memcpy (payload, m_DHKeysPair->publicKey, 256); // x
+		uint8_t flag = 0;
+		// fill extended options, 3 bytes extended options don't change message size
+		if (i2p::context.GetStatus () == eRouterStatusOK) // we don't need relays
+		{	
+			// tell out peer to now assign relay tag
+			flag = SSU_HEADER_EXTENDED_OPTIONS_INCLUDED;
+			*payload = 2; payload++; //  1 byte length
+			uint16_t flags = 0; // clear EXTENDED_OPTIONS_FLAG_REQUEST_RELAY_TAG
+			htobe16buf (payload, flags); 
+			payload += 2;
+		}	
+		// fill payload
+		memcpy (payload, m_DHKeysPair->GetPublicKey (), 256); // x
 		bool isV4 = m_RemoteEndpoint.address ().is_v4 ();
 		if (isV4)
 		{
@@ -289,26 +348,25 @@ namespace transport
 			payload[256] = 16; 
 			memcpy (payload + 257, m_RemoteEndpoint.address ().to_v6 ().to_bytes ().data(), 16); 
 		}	
-		
+		// encrypt and send
 		uint8_t iv[16];
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-		rnd.GenerateBlock (iv, 16); // random iv
-		FillHeaderAndEncrypt (PAYLOAD_TYPE_SESSION_REQUEST, buf, isV4 ? 304 : 320, introKey, iv, introKey);
+		RAND_bytes (iv, 16); // random iv
+		FillHeaderAndEncrypt (PAYLOAD_TYPE_SESSION_REQUEST, buf, isV4 ? 304 : 320, m_IntroKey, iv, m_IntroKey, flag);
 		m_Server.Send (buf, isV4 ? 304 : 320, m_RemoteEndpoint);
 	}
 
-	void SSUSession::SendRelayRequest (uint32_t iTag, const uint8_t * iKey)
+	void SSUSession::SendRelayRequest (const i2p::data::RouterInfo::Introducer& introducer, uint32_t nonce)
 	{
 		auto address = i2p::context.GetRouterInfo ().GetSSUAddress ();
 		if (!address)
 		{
-			LogPrint (eLogError, "SSU is not supported");
+			LogPrint (eLogInfo, "SSU is not supported");
 			return;
 		}
 	
 		uint8_t buf[96 + 18]; 
 		uint8_t * payload = buf + sizeof (SSUHeader);
-		htobe32buf (payload, iTag);
+		htobe32buf (payload, introducer.iTag);
 		payload += 4;
 		*payload = 0; // no address
 		payload++;
@@ -318,35 +376,32 @@ namespace transport
 		payload++;	
 		memcpy (payload, (const uint8_t *)address->key, 32);
 		payload += 32;
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-		htobe32buf (payload, rnd.GenerateWord32 ()); // nonce	
+		htobe32buf (payload, nonce); // nonce	
 
 		uint8_t iv[16];
-		rnd.GenerateBlock (iv, 16); // random iv
+		RAND_bytes (iv, 16); // random iv
 		if (m_State == eSessionStateEstablished)
 			FillHeaderAndEncrypt (PAYLOAD_TYPE_RELAY_REQUEST, buf, 96, m_SessionKey, iv, m_MacKey);
 		else
-			FillHeaderAndEncrypt (PAYLOAD_TYPE_RELAY_REQUEST, buf, 96, iKey, iv, iKey);			
+			FillHeaderAndEncrypt (PAYLOAD_TYPE_RELAY_REQUEST, buf, 96, introducer.iKey, iv, introducer.iKey);			
 		m_Server.Send (buf, 96, m_RemoteEndpoint);
 	}
 
-	void SSUSession::SendSessionCreated (const uint8_t * x)
+	void SSUSession::SendSessionCreated (const uint8_t * x, bool sendRelayTag)
 	{
-		auto introKey = GetIntroKey ();
 		auto address = IsV6 () ? i2p::context.GetRouterInfo ().GetSSUV6Address () :
 			i2p::context.GetRouterInfo ().GetSSUAddress (true); //v4 only
-		if (!introKey || !address)
+		if (!address)
 		{
-			LogPrint (eLogError, "SSU is not supported");
+			LogPrint (eLogInfo, "SSU is not supported");
 			return;
 		}
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
 		SignedData s; // x,y, remote IP, remote port, our IP, our port, relayTag, signed on time 
 		s.Insert (x, 256); // x
 
 		uint8_t buf[384 + 18];	
 		uint8_t * payload = buf + sizeof (SSUHeader);
-		memcpy (payload, m_DHKeysPair->publicKey, 256);
+		memcpy (payload, m_DHKeysPair->GetPublicKey (), 256);
 		s.Insert (payload, 256); // y
 		payload += 256;
 		if (m_RemoteEndpoint.address ().is_v4 ())
@@ -376,9 +431,9 @@ namespace transport
 			s.Insert (address->host.to_v6 ().to_bytes ().data (), 16); // our IP V6
 		s.Insert<uint16_t> (htobe16 (address->port)); // our port
 		uint32_t relayTag = 0;
-		if (i2p::context.GetRouterInfo ().IsIntroducer ())
+		if (sendRelayTag && i2p::context.GetRouterInfo ().IsIntroducer () && !IsV6 ())
 		{
-			relayTag = rnd.GenerateWord32 ();
+			RAND_bytes((uint8_t *)&relayTag, 4);
 			if (!relayTag) relayTag = 1;
 			m_Server.AddRelay (relayTag, m_RemoteEndpoint);
 		}
@@ -386,14 +441,18 @@ namespace transport
 		payload += 4; // relay tag 
 		htobe32buf (payload, i2p::util::GetSecondsSinceEpoch ()); // signed on time
 		payload += 4;
-		s.Insert (payload - 8, 8); // relayTag and signed on time 
+		s.Insert (payload - 8, 4); // relayTag	
+		// we have to store this signed data for session confirmed
+		// same data but signed on time, it will Alice's there	
+		m_SignedData = std::unique_ptr<SignedData>(new SignedData (s)); 	
+		s.Insert (payload - 4, 4); // BOB's signed on time 
 		s.Sign (i2p::context.GetPrivateKeys (), payload); // DSA signature
 		// TODO: fill padding with random data	
 
 		uint8_t iv[16];
-		rnd.GenerateBlock (iv, 16); // random iv
+		RAND_bytes (iv, 16); // random iv
 		// encrypt signature and padding with newly created session key	
-		size_t signatureLen = i2p::context.GetIdentity ().GetSignatureLen ();
+		size_t signatureLen = i2p::context.GetIdentity ()->GetSignatureLen ();
 		size_t paddingSize = signatureLen & 0x0F; // %16
 		if (paddingSize > 0) signatureLen += (16 - paddingSize);
 		m_SessionKeyEncryption.SetIV (iv);
@@ -402,7 +461,7 @@ namespace transport
 		size_t msgLen = payload - buf;
 		
 		// encrypt message with intro key
-		FillHeaderAndEncrypt (PAYLOAD_TYPE_SESSION_CREATED, buf, msgLen, introKey, iv, introKey);	
+		FillHeaderAndEncrypt (PAYLOAD_TYPE_SESSION_CREATED, buf, msgLen, m_IntroKey, iv, m_IntroKey);	
 		Send (buf, msgLen);
 	}
 
@@ -412,15 +471,15 @@ namespace transport
 		uint8_t * payload = buf + sizeof (SSUHeader);
 		*payload = 1; // 1 fragment
 		payload++; // info
-		size_t identLen = i2p::context.GetIdentity ().GetFullLen (); // 387+ bytes
+		size_t identLen = i2p::context.GetIdentity ()->GetFullLen (); // 387+ bytes
 		htobe16buf (payload, identLen);
 		payload += 2; // cursize
-		i2p::context.GetIdentity ().ToBuffer (payload, identLen);
+		i2p::context.GetIdentity ()->ToBuffer (payload, identLen);
 		payload += identLen;
 		uint32_t signedOnTime = i2p::util::GetSecondsSinceEpoch ();
 		htobe32buf (payload, signedOnTime); // signed on time
 		payload += 4;
-		auto signatureLen = i2p::context.GetIdentity ().GetSignatureLen ();
+		auto signatureLen = i2p::context.GetIdentity ()->GetSignatureLen ();
 		size_t paddingSize = ((payload - buf) + signatureLen)%16;
 		if (paddingSize > 0) paddingSize = 16 - paddingSize;
 		// TODO: fill padding	
@@ -428,7 +487,7 @@ namespace transport
 
 		// signature		
 		SignedData s; // x,y, our IP, our port, remote IP, remote port, relayTag, our signed on time 
-		s.Insert (m_DHKeysPair->publicKey, 256); // x
+		s.Insert (m_DHKeysPair->GetPublicKey (), 256); // x
 		s.Insert (y, 256); // y
 		s.Insert (ourAddress, ourAddressLen); // our address/port as seem by party
 		if (m_RemoteEndpoint.address ().is_v4 ())
@@ -443,14 +502,13 @@ namespace transport
 		
 		size_t msgLen = payload - buf;
 		uint8_t iv[16];
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-		rnd.GenerateBlock (iv, 16); // random iv
+		RAND_bytes (iv, 16); // random iv
 		// encrypt message with session key
 		FillHeaderAndEncrypt (PAYLOAD_TYPE_SESSION_CONFIRMED, buf, msgLen, m_SessionKey, iv, m_MacKey);
 		Send (buf, msgLen);
 	}
 
-	void SSUSession::ProcessRelayRequest (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& from)
+	void SSUSession::ProcessRelayRequest (const uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& from)
 	{
 		uint32_t relayTag = bufbe32toh (buf);
 		auto session = m_Server.FindRelaySession (relayTag);
@@ -464,11 +522,11 @@ namespace transport
 			uint8_t challengeSize = *buf;
 			buf++; // challenge size
 			buf += challengeSize;
-			uint8_t * introKey = buf;
+			const uint8_t * introKey = buf;
 			buf += 32; // introkey
 			uint32_t nonce = bufbe32toh (buf);
 			SendRelayResponse (nonce, from, introKey, session->m_RemoteEndpoint);
-			SendRelayIntro (session.get (), from);
+			SendRelayIntro (session, from);
 		}	
 	}
 
@@ -480,7 +538,7 @@ namespace transport
 		// Charlie's address always v4
 		if (!to.address ().is_v4 ())
 		{
-			LogPrint (eLogError, "Charlie's IP must be v4");
+			LogPrint (eLogWarning, "SSU: Charlie's IP must be v4");
 			return;
 		}
 		*payload = 4;
@@ -519,21 +577,20 @@ namespace transport
 		{
 			// ecrypt with Alice's intro key
 			uint8_t iv[16];
-			CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-			rnd.GenerateBlock (iv, 16); // random iv
+			RAND_bytes (iv, 16); // random iv
 			FillHeaderAndEncrypt (PAYLOAD_TYPE_RELAY_RESPONSE, buf, isV4 ? 64 : 80, introKey, iv, introKey);
 			m_Server.Send (buf, isV4 ? 64 : 80, from);
 		}	
-		LogPrint (eLogDebug, "SSU relay response sent");
+		LogPrint (eLogDebug, "SSU: relay response sent");
 	}	
 
-	void SSUSession::SendRelayIntro (SSUSession * session, const boost::asio::ip::udp::endpoint& from)
+	void SSUSession::SendRelayIntro (std::shared_ptr<SSUSession> session, const boost::asio::ip::udp::endpoint& from)
 	{
 		if (!session) return;	
 		// Alice's address always v4
 		if (!from.address ().is_v4 ())
 		{
-			LogPrint (eLogError, "Alice's IP must be v4");
+			LogPrint (eLogWarning, "SSU: Alice's IP must be v4");
 			return;
 		}	
 		uint8_t buf[48 + 18];
@@ -546,46 +603,65 @@ namespace transport
 		payload += 2; // port
 		*payload = 0; // challenge size	
 		uint8_t iv[16];
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-		rnd.GenerateBlock (iv, 16); // random iv
+		RAND_bytes (iv, 16); // random iv
 		FillHeaderAndEncrypt (PAYLOAD_TYPE_RELAY_INTRO, buf, 48, session->m_SessionKey, iv, session->m_MacKey);
 		m_Server.Send (buf, 48, session->m_RemoteEndpoint);
-		LogPrint (eLogDebug, "SSU relay intro sent");
+		LogPrint (eLogDebug, "SSU: relay intro sent");
 	}
 	
-	void SSUSession::ProcessRelayResponse (uint8_t * buf, size_t len)
+	void SSUSession::ProcessRelayResponse (const uint8_t * buf, size_t len)
 	{
-		LogPrint (eLogDebug, "Relay response received");		
-		uint8_t * payload = buf + sizeof (SSUHeader);
-		uint8_t remoteSize = *payload; 
-		payload++; // remote size
-		//boost::asio::ip::address_v4 remoteIP (bufbe32toh (payload));
-		payload += remoteSize; // remote address
-		//uint16_t remotePort = bufbe16toh (payload);
-		payload += 2; // remote port
-		uint8_t ourSize = *payload; 
-		payload++; // our size
+		LogPrint (eLogDebug, "SSU message: Relay response received");		
+		uint8_t remoteSize = *buf; 
+		buf++; // remote size
+		boost::asio::ip::address_v4 remoteIP (bufbe32toh (buf));
+		buf += remoteSize; // remote address
+		uint16_t remotePort = bufbe16toh (buf);
+		buf += 2; // remote port
+		uint8_t ourSize = *buf; 
+		buf++; // our size
 		boost::asio::ip::address ourIP;
 		if (ourSize == 4)
 		{
 			boost::asio::ip::address_v4::bytes_type bytes;
-			memcpy (bytes.data (), payload, 4);
+			memcpy (bytes.data (), buf, 4);
 			ourIP = boost::asio::ip::address_v4 (bytes);
 		}
 		else
 		{
 			boost::asio::ip::address_v6::bytes_type bytes;
-			memcpy (bytes.data (), payload, 16);
+			memcpy (bytes.data (), buf, 16);
 			ourIP = boost::asio::ip::address_v6 (bytes);
 		}
-		payload += ourSize; // our address
-		uint16_t ourPort = bufbe16toh (payload);
-		payload += 2; // our port
-		LogPrint ("Our external address is ", ourIP.to_string (), ":", ourPort);
+		buf += ourSize; // our address
+		uint16_t ourPort = bufbe16toh (buf);
+		buf += 2; // our port
+		LogPrint (eLogInfo, "SSU: Our external address is ", ourIP.to_string (), ":", ourPort);
 		i2p::context.UpdateAddress (ourIP);
+		uint32_t nonce = bufbe32toh (buf);
+		buf += 4; // nonce
+		auto it = m_RelayRequests.find (nonce);
+		if (it != m_RelayRequests.end ())
+		{	
+			// check if we are waiting for introduction
+			boost::asio::ip::udp::endpoint remoteEndpoint (remoteIP, remotePort);
+			if (!m_Server.FindSession (remoteEndpoint))
+			{
+				// we didn't have correct endpoint when sent relay request
+				// now we do
+				LogPrint (eLogInfo, "SSU: RelayReponse connecting to endpoint ", remoteEndpoint);
+				if (i2p::context.GetRouterInfo ().UsesIntroducer ()) // if we are unreachable
+					m_Server.Send (buf, 0, remoteEndpoint); // send HolePunch
+				m_Server.CreateDirectSession (it->second, remoteEndpoint, false);
+			}	
+			// delete request
+			m_RelayRequests.erase (it);
+		}	
+		else
+			LogPrint (eLogError, "SSU: Unsolicited RelayResponse, nonce=", nonce);
 	}
 
-	void SSUSession::ProcessRelayIntro (uint8_t * buf, size_t len)
+	void SSUSession::ProcessRelayIntro (const uint8_t * buf, size_t len)
 	{
 		uint8_t size = *buf;
 		if (size == 4)
@@ -594,26 +670,25 @@ namespace transport
 			boost::asio::ip::address_v4 address (bufbe32toh (buf));
 			buf += 4; // address
 			uint16_t port = bufbe16toh (buf);
-			// send hole punch of 1 byte
+			// send hole punch of 0 bytes
 			m_Server.Send (buf, 0, boost::asio::ip::udp::endpoint (address, port));
 		}
 		else
-			LogPrint (eLogWarning, "Address size ", size, " is not supported"); 	
+			LogPrint (eLogWarning, "SSU: Address size ", size, " is not supported");
 	}		
 
 	void SSUSession::FillHeaderAndEncrypt (uint8_t payloadType, uint8_t * buf, size_t len, 
-		const uint8_t * aesKey, const uint8_t * iv, const uint8_t * macKey)
+		const i2p::crypto::AESKey& aesKey, const uint8_t * iv, const i2p::crypto::MACKey& macKey, uint8_t flag)
 	{	
 		if (len < sizeof (SSUHeader))
 		{
-			LogPrint (eLogError, "Unexpected SSU packet length ", len);
+			LogPrint (eLogError, "SSU: Unexpected packet length ", len);
 			return;
 		}
-		//TODO: we are using a dirty solution here but should work for now
 		SSUHeader * header = (SSUHeader *)buf;
 		memcpy (header->iv, iv, 16);
-		header->flag = payloadType << 4; // MSB is 0
-		htobe32buf (&(header->time), i2p::util::GetSecondsSinceEpoch ());
+		header->flag = flag | (payloadType << 4); // MSB is 0
+		htobe32buf (header->time, i2p::util::GetSecondsSinceEpoch ());
 		uint8_t * encrypted = &header->flag;
 		uint16_t encryptedLen = len - (encrypted - buf);
 		i2p::crypto::CBCEncryption encryption;
@@ -630,15 +705,14 @@ namespace transport
 	{
 		if (len < sizeof (SSUHeader))
 		{
-			LogPrint (eLogError, "Unexpected SSU packet length ", len);
+			LogPrint (eLogError, "SSU: Unexpected packet length ", len);
 			return;
 		}
-		//TODO: we are using a dirty solution here but should work for now
 		SSUHeader * header = (SSUHeader *)buf;
-		i2p::context.GetRandomNumberGenerator ().GenerateBlock (header->iv, 16); // random iv
+		RAND_bytes (header->iv, 16); // random iv
 		m_SessionKeyEncryption.SetIV (header->iv);
 		header->flag = payloadType << 4; // MSB is 0
-		htobe32buf (&(header->time), i2p::util::GetSecondsSinceEpoch ());
+		htobe32buf (header->time, i2p::util::GetSecondsSinceEpoch ());
 		uint8_t * encrypted = &header->flag;
 		uint16_t encryptedLen = len - (encrypted - buf);
 		m_SessionKeyEncryption.Encrypt (encrypted, encryptedLen, encrypted);
@@ -648,14 +722,13 @@ namespace transport
 		i2p::crypto::HMACMD5Digest (encrypted, encryptedLen + 18, m_MacKey, header->mac);
 	}	
 		
-	void SSUSession::Decrypt (uint8_t * buf, size_t len, const uint8_t * aesKey)
+	void SSUSession::Decrypt (uint8_t * buf, size_t len, const i2p::crypto::AESKey& aesKey)
 	{
 		if (len < sizeof (SSUHeader))
 		{
-			LogPrint (eLogError, "Unexpected SSU packet length ", len);
+			LogPrint (eLogError, "SSU: Unexpected packet length ", len);
 			return;
-		}
-		//TODO: since we are accessing a uint8_t this is unlikely to crash due to alignment but should be improved
+		}		
 		SSUHeader * header = (SSUHeader *)buf;
 		uint8_t * encrypted = &header->flag;
 		uint16_t encryptedLen = len - (encrypted - buf);	
@@ -669,10 +742,9 @@ namespace transport
 	{
 		if (len < sizeof (SSUHeader))
 		{
-			LogPrint (eLogError, "Unexpected SSU packet length ", len);
+			LogPrint (eLogError, "SSU: Unexpected packet length ", len);
 			return;
-		}
-		//TODO: since we are accessing a uint8_t this is unlikely to crash due to alignment but should be improved
+		}		
 		SSUHeader * header = (SSUHeader *)buf;
 		uint8_t * encrypted = &header->flag;
 		uint16_t encryptedLen = len - (encrypted - buf);	
@@ -683,14 +755,13 @@ namespace transport
 		}	
 	}	
 		
-	bool SSUSession::Validate (uint8_t * buf, size_t len, const uint8_t * macKey)
+	bool SSUSession::Validate (uint8_t * buf, size_t len, const i2p::crypto::MACKey& macKey)
 	{
 		if (len < sizeof (SSUHeader))
 		{
-			LogPrint (eLogError, "Unexpected SSU packet length ", len);
+			LogPrint (eLogError, "SSU: Unexpected packet length ", len);
 			return false;
-		}
-		//TODO: since we are accessing a uint8_t this is unlikely to crash due to alignment but should be improved
+		}		
 		SSUHeader * header = (SSUHeader *)buf;
 		uint8_t * encrypted = &header->flag;
 		uint16_t encryptedLen = len - (encrypted - buf);
@@ -715,10 +786,10 @@ namespace transport
 
 	void SSUSession::WaitForConnect ()
 	{
-		if (!m_RemoteRouter) // incoming session
+		if (!IsOutgoing ()) // incoming session
 			ScheduleConnectTimer ();
 		else
-			LogPrint (eLogError, "SSU wait for connect for outgoing session");	
+			LogPrint (eLogError, "SSU: wait for connect for outgoing session");
 	}
 
 	void SSUSession::ScheduleConnectTimer ()
@@ -734,12 +805,13 @@ namespace transport
 		if (!ecode)
 		{
 			// timeout expired
-			LogPrint ("SSU session was not established after ", SSU_CONNECT_TIMEOUT, " second");
+			LogPrint (eLogWarning, "SSU: session was not established after ", SSU_CONNECT_TIMEOUT, " seconds");
 			Failed ();
 		}	
 	}	
 	
-	void SSUSession::Introduce (uint32_t iTag, const uint8_t * iKey)
+	void SSUSession::Introduce (const i2p::data::RouterInfo::Introducer& introducer,
+		std::shared_ptr<const i2p::data::RouterInfo> to)
 	{
 		if (m_State == eSessionStateUnknown)
 		{	
@@ -747,8 +819,11 @@ namespace transport
 			m_Timer.expires_from_now (boost::posix_time::seconds(SSU_CONNECT_TIMEOUT));
 			m_Timer.async_wait (std::bind (&SSUSession::HandleConnectTimer,
 				shared_from_this (), std::placeholders::_1));
-		}	
-		SendRelayRequest (iTag, iKey);
+		}
+		uint32_t nonce;
+		RAND_bytes ((uint8_t *)&nonce, 4);
+		m_RelayRequests[nonce] = to;
+		SendRelayRequest (introducer, nonce);
 	}
 
 	void SSUSession::WaitForIntroduction ()
@@ -777,15 +852,11 @@ namespace transport
 	void SSUSession::Established ()
 	{
 		m_State = eSessionStateEstablished;
-		if (m_DHKeysPair)
-		{
-			delete m_DHKeysPair;
-			m_DHKeysPair = nullptr;
-		}
+		m_DHKeysPair = nullptr;
+		m_SignedData = nullptr;
 		m_Data.Start ();
-		m_Data.Send (CreateDatabaseStoreMsg ());
 		transports.PeerConnected (shared_from_this ());
-		if (m_PeerTest && (m_RemoteRouter && m_RemoteRouter->IsPeerTesting ()))
+		if (m_IsPeerTest)
 			SendPeerTest ();
 		ScheduleTermination ();
 	}	
@@ -811,60 +882,24 @@ namespace transport
 	{
 		if (ecode != boost::asio::error::operation_aborted)
 		{	
-			LogPrint ("SSU no activity fo ", SSU_TERMINATION_TIMEOUT, " seconds");
+			LogPrint (eLogWarning, "SSU: no activity for ", SSU_TERMINATION_TIMEOUT, " seconds");
 			Failed ();
 		}	
 	}	
 	
-	const uint8_t * SSUSession::GetIntroKey () const
-	{
-		if (m_RemoteRouter)
-		{
-			// we are client
-			auto address = m_RemoteRouter->GetSSUAddress ();
-			return address ? (const uint8_t *)address->key : nullptr;
-		}
-		else
-		{
-			// we are server
-			auto address = i2p::context.GetRouterInfo ().GetSSUAddress ();
-			return address ? (const uint8_t *)address->key : nullptr;
-		}
-	}	
 
-	void SSUSession::SendI2NPMessage (I2NPMessage * msg)
-	{
-		GetService ().post (std::bind (&SSUSession::PostI2NPMessage, shared_from_this (), msg)); 
-	}	
-
-	void SSUSession::PostI2NPMessage (I2NPMessage * msg)
-	{
-		if (msg)
-		{
-			if (m_State == eSessionStateEstablished)
-				m_Data.Send (msg);
-			else
-				DeleteI2NPMessage (msg);   
-		}
-	}		
-
-	void SSUSession::SendI2NPMessages (const std::vector<I2NPMessage *>& msgs)
+	void SSUSession::SendI2NPMessages (const std::vector<std::shared_ptr<I2NPMessage> >& msgs)
 	{
 		GetService ().post (std::bind (&SSUSession::PostI2NPMessages, shared_from_this (), msgs));    
 	}
 
-	void SSUSession::PostI2NPMessages (std::vector<I2NPMessage *> msgs)
+	void SSUSession::PostI2NPMessages (std::vector<std::shared_ptr<I2NPMessage> > msgs)
 	{
 		if (m_State == eSessionStateEstablished)
 		{
 			for (auto it: msgs)
 				if (it) m_Data.Send (it);
 		}
-		else
-		{
-			for (auto it: msgs)
-				DeleteI2NPMessage (it);
-		}
 	}	
 
 	void SSUSession::ProcessData (uint8_t * buf, size_t len)
@@ -891,7 +926,7 @@ namespace transport
 		const uint8_t * introKey = buf + size + 7;
 		if (port && !address)
 		{
-			LogPrint (eLogWarning, "Address of ", size, " bytes not supported");	
+			LogPrint (eLogWarning, "SSU: Address of ", size, " bytes not supported");
 			return;
 		}	
 		switch (m_Server.GetPeerTestParticipant (nonce))
@@ -901,13 +936,13 @@ namespace transport
 			{			
 				if (m_State == eSessionStateEstablished)
 				{
-					LogPrint (eLogDebug, "SSU peer test from Bob. We are Alice");
+					LogPrint (eLogDebug, "SSU: peer test from Bob. We are Alice");
 					if (i2p::context.GetStatus () == eRouterStatusTesting) // still not OK
 						i2p::context.SetStatus (eRouterStatusFirewalled);
 				}
 				else
 				{
-					LogPrint (eLogDebug, "SSU first peer test from Charlie. We are Alice");
+					LogPrint (eLogDebug, "SSU: first peer test from Charlie. We are Alice");
 					i2p::context.SetStatus (eRouterStatusOK);
 					m_Server.UpdatePeerTest (nonce, ePeerTestParticipantAlice2);
 					SendPeerTest (nonce, senderEndpoint.address ().to_v4 ().to_ulong (), 
@@ -918,11 +953,11 @@ namespace transport
 			case ePeerTestParticipantAlice2:
 			{
 				if (m_State == eSessionStateEstablished)
-					LogPrint (eLogDebug, "SSU peer test from Bob. We are Alice");
+					LogPrint (eLogDebug, "SSU: peer test from Bob. We are Alice");
 				else
 				{
 					// peer test successive
-					LogPrint (eLogDebug, "SSU second peer test from Charlie. We are Alice");
+					LogPrint (eLogDebug, "SSU: second peer test from Charlie. We are Alice");
 					i2p::context.SetStatus (eRouterStatusOK);
 					m_Server.RemovePeerTest (nonce);
 				}
@@ -930,7 +965,7 @@ namespace transport
 			}	
 			case ePeerTestParticipantBob: 
 			{
-				LogPrint (eLogDebug, "SSU peer test from Charlie. We are Bob");
+				LogPrint (eLogDebug, "SSU: peer test from Charlie. We are Bob");
 				auto session = m_Server.GetPeerTestSession (nonce); // session with Alice from PeerTest
 				if (session && session->m_State == eSessionStateEstablished)
 					session->Send (PAYLOAD_TYPE_PEER_TEST, buf, len); // back to Alice
@@ -939,7 +974,7 @@ namespace transport
 			}
 			case ePeerTestParticipantCharlie:
 			{	
-				LogPrint (eLogDebug, "SSU peer test from Alice. We are Charlie");
+				LogPrint (eLogDebug, "SSU: peer test from Alice. We are Charlie");
 				SendPeerTest (nonce, senderEndpoint.address ().to_v4 ().to_ulong (),
 					senderEndpoint.port (), introKey); // to Alice with her actual address
 				m_Server.RemovePeerTest (nonce); // nonce has been used
@@ -953,15 +988,15 @@ namespace transport
 					// new test
 					if (port)
 					{
-						LogPrint (eLogDebug, "SSU peer test from Bob. We are Charlie");
+						LogPrint (eLogDebug, "SSU: peer test from Bob. We are Charlie");
 						m_Server.NewPeerTest (nonce, ePeerTestParticipantCharlie);
 						Send (PAYLOAD_TYPE_PEER_TEST, buf, len); // back to Bob
 						SendPeerTest (nonce, be32toh (address), be16toh (port), introKey); // to Alice with her address received from Bob
 					}
 					else
 					{
-						LogPrint (eLogDebug, "SSU peer test from Alice. We are Bob");
-						auto session = m_Server.GetRandomEstablishedSession (shared_from_this ()); // Charlie
+						LogPrint (eLogDebug, "SSU: peer test from Alice. We are Bob");
+						auto session = m_Server.GetRandomEstablishedV4Session (shared_from_this ()); // Charlie, TODO: implement v6 support
 						if (session)
 						{
 							m_Server.NewPeerTest (nonce, ePeerTestParticipantBob, shared_from_this ());
@@ -971,7 +1006,7 @@ namespace transport
 					}
 				}
 				else
-					LogPrint (eLogError, "SSU unexpected peer test");	
+					LogPrint (eLogError, "SSU: unexpected peer test");
 			}
 		}	
 	}
@@ -1009,14 +1044,13 @@ namespace transport
 			if (addr)
 				memcpy (payload, addr->key, 32); // intro key
 			else
-				LogPrint (eLogError, "SSU is not supported. Can't send peer test");	
+				LogPrint (eLogInfo, "SSU is not supported. Can't send peer test");	
 		}	
 		else	
 			memcpy (payload, introKey, 32); // intro key
 
 		// send	
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-		rnd.GenerateBlock (iv, 16); // random iv
+		RAND_bytes (iv, 16); // random iv
 		if (toAddress)
 		{	
 			// encrypt message with specified intro key
@@ -1035,16 +1069,17 @@ namespace transport
 	void SSUSession::SendPeerTest ()
 	{
 		// we are Alice
-		LogPrint (eLogDebug, "SSU sending peer test");
+		LogPrint (eLogDebug, "SSU: sending peer test");
 		auto address = i2p::context.GetRouterInfo ().GetSSUAddress ();
 		if (!address)
 		{
-			LogPrint (eLogError, "SSU is not supported. Can't send peer test");
+			LogPrint (eLogInfo, "SSU is not supported. Can't send peer test");
 			return;
 		}
-		uint32_t nonce = i2p::context.GetRandomNumberGenerator ().GenerateWord32 ();
+		uint32_t nonce;
+		RAND_bytes ((uint8_t *)&nonce, 4);
 		if (!nonce) nonce = 1;
-		m_PeerTest = false;
+		m_IsPeerTest = false;
 		m_Server.NewPeerTest (nonce, ePeerTestParticipantAlice1);
 		SendPeerTest (nonce, 0, 0, address->key, false, false); // address and port always zero for Alice
 	}	
@@ -1061,7 +1096,7 @@ namespace transport
 			// encrypt message with session key
 			FillHeaderAndEncrypt (PAYLOAD_TYPE_DATA, buf, 48);
 			Send (buf, 48);
-			LogPrint (eLogDebug, "SSU keep-alive sent");
+			LogPrint (eLogDebug, "SSU: keep-alive sent");
 			ScheduleTermination ();
 		}	
 	}
@@ -1079,9 +1114,9 @@ namespace transport
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint (eLogError, "SSU send session destoriyed exception ", ex.what ()); 
+				LogPrint (eLogWarning, "SSU: exception while sending session destoroyed: ", ex.what ());
 			}
-			LogPrint (eLogDebug, "SSU session destroyed sent");
+			LogPrint (eLogDebug, "SSU: session destroyed sent");
 		}
 	}	
 
@@ -1093,7 +1128,7 @@ namespace transport
 		if (paddingSize > 0) msgSize += (16 - paddingSize);
 		if (msgSize > SSU_MTU_V4)
 		{
-			LogPrint (eLogWarning, "SSU payload size ", msgSize, " exceeds MTU");
+			LogPrint (eLogWarning, "SSU: payload size ", msgSize, " exceeds MTU");
 			return;
 		} 
 		memcpy (buf + sizeof (SSUHeader), payload, len);

SSUSession.h

@@ -4,8 +4,7 @@
 #include <inttypes.h>
 #include <set>
 #include <memory>
-#include "aes.h"
-#include "hmac.h"
+#include "Crypto.h"
 #include "I2NPProtocol.h"
 #include "TransportSession.h"
 #include "SSUData.h"
@@ -14,17 +13,17 @@ namespace i2p
 {
 namespace transport
 {
-#pragma pack(1)
+	const uint8_t SSU_HEADER_EXTENDED_OPTIONS_INCLUDED = 0x04;
 	struct SSUHeader
 	{
 		uint8_t mac[16];
 		uint8_t iv[16];
 		uint8_t flag;
-		uint32_t time;	
+		uint8_t time[4];	
 
 		uint8_t GetPayloadType () const { return flag >> 4; };
+		bool IsExtendedOptions () const { return flag & SSU_HEADER_EXTENDED_OPTIONS_INCLUDED; };	
 	};
-#pragma pack()
 
 	const int SSU_CONNECT_TIMEOUT = 5; // 5 seconds
 	const int SSU_TERMINATION_TIMEOUT = 330; // 5.5 minutes
@@ -40,6 +39,9 @@ namespace transport
 	const uint8_t PAYLOAD_TYPE_PEER_TEST = 7;
 	const uint8_t PAYLOAD_TYPE_SESSION_DESTROYED = 8;
 
+	// extended options
+	const uint16_t EXTENDED_OPTIONS_FLAG_REQUEST_RELAY_TAG = 0x0001;
+
 	enum SessionState
 	{
 		eSessionStateUnknown,	
@@ -70,14 +72,14 @@ namespace transport
 			
 			void Connect ();
 			void WaitForConnect ();
-			void Introduce (uint32_t iTag, const uint8_t * iKey);
+			void Introduce (const i2p::data::RouterInfo::Introducer& introducer, 
+				std::shared_ptr<const i2p::data::RouterInfo> to); // Alice to Charlie
 			void WaitForIntroduction ();
 			void Close ();
 			void Done ();
 			boost::asio::ip::udp::endpoint& GetRemoteEndpoint () { return m_RemoteEndpoint; };
 			bool IsV6 () const { return m_RemoteEndpoint.address ().is_v6 (); };
-			void SendI2NPMessage (I2NPMessage * msg);
-			void SendI2NPMessages (const std::vector<I2NPMessage *>& msgs);
+			void SendI2NPMessages (const std::vector<std::shared_ptr<I2NPMessage> >& msgs);
 			void SendPeerTest (); // Alice			
 
 			SessionState GetState () const  { return m_State; };
@@ -86,6 +88,7 @@ namespace transport
 			
 			void SendKeepAlive ();	
 			uint32_t GetRelayTag () const { return m_RelayTag; };	
+			const i2p::data::RouterInfo::IntroKey& GetIntroKey () const { return m_IntroKey; };
 			uint32_t GetCreationTime () const { return m_CreationTime; };
 
 			void FlushData ();
@@ -94,23 +97,22 @@ namespace transport
 
 			boost::asio::io_service& GetService ();
 			void CreateAESandMacKey (const uint8_t * pubKey); 
-
-			void PostI2NPMessage (I2NPMessage * msg);
-			void PostI2NPMessages (std::vector<I2NPMessage *> msgs);
+			size_t GetSSUHeaderSize (const uint8_t * buf) const;
+			void PostI2NPMessages (std::vector<std::shared_ptr<I2NPMessage> > msgs);
 			void ProcessMessage (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint); // call for established session
-			void ProcessSessionRequest (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint);
+			void ProcessSessionRequest (const uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& senderEndpoint);
 			void SendSessionRequest ();
-			void SendRelayRequest (uint32_t iTag, const uint8_t * iKey);
+			void SendRelayRequest (const i2p::data::RouterInfo::Introducer& introducer, uint32_t nonce);
 			void ProcessSessionCreated (uint8_t * buf, size_t len);
-			void SendSessionCreated (const uint8_t * x);
-			void ProcessSessionConfirmed (uint8_t * buf, size_t len);
+			void SendSessionCreated (const uint8_t * x, bool sendRelayTag = true);
+			void ProcessSessionConfirmed (const uint8_t * buf, size_t len);
 			void SendSessionConfirmed (const uint8_t * y, const uint8_t * ourAddress, size_t ourAddressLen);
-			void ProcessRelayRequest (uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& from);
+			void ProcessRelayRequest (const uint8_t * buf, size_t len, const boost::asio::ip::udp::endpoint& from);
 			void SendRelayResponse (uint32_t nonce, const boost::asio::ip::udp::endpoint& from,
 				const uint8_t * introKey, const boost::asio::ip::udp::endpoint& to);
-			void SendRelayIntro (SSUSession * session, const boost::asio::ip::udp::endpoint& from);
-			void ProcessRelayResponse (uint8_t * buf, size_t len);
-			void ProcessRelayIntro (uint8_t * buf, size_t len);
+			void SendRelayIntro (std::shared_ptr<SSUSession> session, const boost::asio::ip::udp::endpoint& from);
+			void ProcessRelayResponse (const uint8_t * buf, size_t len);
+			void ProcessRelayIntro (const uint8_t * buf, size_t len);
 			void Established ();
 			void Failed ();
 			void ScheduleConnectTimer ();
@@ -122,12 +124,12 @@ namespace transport
 			void Send (uint8_t type, const uint8_t * payload, size_t len); // with session key
 			void Send (const uint8_t * buf, size_t size); 
 			
-			void FillHeaderAndEncrypt (uint8_t payloadType, uint8_t * buf, size_t len, const uint8_t * aesKey, const uint8_t * iv, const uint8_t * macKey);
+			void FillHeaderAndEncrypt (uint8_t payloadType, uint8_t * buf, size_t len, const i2p::crypto::AESKey& aesKey, 
+				const uint8_t * iv, const i2p::crypto::MACKey& macKey, uint8_t flag = 0);
 			void FillHeaderAndEncrypt (uint8_t payloadType, uint8_t * buf, size_t len); // with session key 
-			void Decrypt (uint8_t * buf, size_t len, const uint8_t * aesKey);
+			void Decrypt (uint8_t * buf, size_t len, const i2p::crypto::AESKey& aesKey);
 			void DecryptSessionKey (uint8_t * buf, size_t len);
-			bool Validate (uint8_t * buf, size_t len, const uint8_t * macKey);			
-			const uint8_t * GetIntroKey () const; 
+			bool Validate (uint8_t * buf, size_t len, const i2p::crypto::MACKey& macKey);			
 
 			void ScheduleTermination ();
 			void HandleTerminationTimer (const boost::system::error_code& ecode);
@@ -138,7 +140,7 @@ namespace transport
 			SSUServer& m_Server;
 			boost::asio::ip::udp::endpoint m_RemoteEndpoint;
 			boost::asio::deadline_timer m_Timer;
-			bool m_PeerTest;
+			bool m_IsPeerTest;
 			SessionState m_State;
 			bool m_IsSessionKey;
 			uint32_t m_RelayTag;	
@@ -146,9 +148,12 @@ namespace transport
 			i2p::crypto::CBCDecryption m_SessionKeyDecryption;
 			i2p::crypto::AESKey m_SessionKey;
 			i2p::crypto::MACKey m_MacKey;
+			i2p::data::RouterInfo::IntroKey m_IntroKey;
 			uint32_t m_CreationTime; // seconds since epoch
 			SSUData m_Data;
 			bool m_IsDataReceived;
+			std::unique_ptr<SignedData> m_SignedData; // we need it for SessionConfirmed only
+			std::map<uint32_t, std::shared_ptr<const i2p::data::RouterInfo> > m_RelayRequests; // nonce->Charlie
 	};
 
 

Signature.cpp

@@ -0,0 +1,486 @@
+#include <memory>
+#include "Log.h"
+#include "Signature.h"
+
+namespace i2p
+{
+namespace crypto
+{
+	class Ed25519
+	{
+		public:
+
+			Ed25519 ()
+			{
+				BN_CTX * ctx = BN_CTX_new ();
+				BIGNUM * tmp = BN_new ();
+
+				q = BN_new ();
+				// 2^255-19				
+				BN_set_bit (q, 255); // 2^255 
+				BN_sub_word (q, 19);
+				
+				l = BN_new ();
+				// 2^252 + 27742317777372353535851937790883648493
+				BN_set_bit (l, 252);
+				two_252_2 = BN_dup (l);
+				BN_dec2bn (&tmp, "27742317777372353535851937790883648493");
+				BN_add (l, l, tmp);		
+				BN_sub_word (two_252_2, 2); // 2^252 - 2		
+
+				 // -121665*inv(121666)
+				d = BN_new ();
+				BN_set_word (tmp, 121666);
+				BN_mod_inverse (tmp, tmp, q, ctx);	
+				BN_set_word (d, 121665);
+				BN_set_negative (d, 1);							
+				BN_mul (d, d, tmp, ctx);
+
+				// 2^((q-1)/4)
+				I = BN_new ();
+				BN_free (tmp);
+				tmp = BN_dup (q);
+				BN_sub_word (tmp, 1);
+				BN_div_word (tmp, 4);	
+				BN_set_word (I, 2);
+				BN_mod_exp (I, I, tmp, q, ctx);
+				BN_free (tmp);	
+				
+				// 4*inv(5)	
+				BIGNUM * By = BN_new ();		
+				BN_set_word (By, 5);
+				BN_mod_inverse (By, By, q, ctx);	
+				BN_mul_word (By, 4);
+				BIGNUM * Bx = RecoverX (By, ctx);	
+				BN_mod (Bx, Bx, q, ctx); // % q
+				BN_mod (By, By, q, ctx); // % q										
+			
+				// precalculate Bi256 table
+				Bi256Carry = { Bx, By };  // B
+				for (int i = 0; i < 32; i++)
+				{
+					Bi256[i][0] = Bi256Carry; // first point
+					for (int j = 1; j < 128; j++)
+						Bi256[i][j] = Sum (Bi256[i][j-1], Bi256[i][0], ctx); // (256+j+1)^i*B
+					Bi256Carry = Bi256[i][127];
+					for (int j = 0; j < 128; j++) // add first point 128 more times
+						Bi256Carry = Sum (Bi256Carry, Bi256[i][0], ctx);
+				}
+
+				BN_CTX_free (ctx);
+			}
+
+			Ed25519 (const Ed25519& other): q (BN_dup (other.q)), l (BN_dup (other.l)), 
+				d (BN_dup (other.d)), I (BN_dup (other.I)), two_252_2 (BN_dup (other.two_252_2)),
+				Bi256Carry (other.Bi256Carry)
+			{
+				for (int i = 0; i < 32; i++)
+					for (int j = 0; j < 128; j++)
+						Bi256[i][j] = other.Bi256[i][j];
+			}
+
+			~Ed25519 ()
+			{
+				BN_free (q);
+				BN_free (l);
+				BN_free (d);
+				BN_free (I);
+				BN_free (two_252_2);
+			}
+
+
+			EDDSAPoint GeneratePublicKey (const uint8_t * expandedPrivateKey, BN_CTX * ctx) const
+			{
+				return MulB (expandedPrivateKey, ctx); // left half of expanded key, considered as Little Endian
+			}
+
+			EDDSAPoint DecodePublicKey (const uint8_t * buf, BN_CTX * ctx) const
+			{
+				return DecodePoint (buf, ctx);
+			}
+
+			void EncodePublicKey (const EDDSAPoint& publicKey, uint8_t * buf, BN_CTX * ctx) const
+			{
+				EncodePoint (Normalize (publicKey, ctx), buf);
+			}
+
+			bool Verify (const EDDSAPoint& publicKey, const uint8_t * digest, const uint8_t * signature) const
+			{
+				BN_CTX * ctx = BN_CTX_new ();	
+				BIGNUM * h = DecodeBN<64> (digest);
+				// signature 0..31 - R, 32..63 - S 
+				// B*S = R + PK*h => R = B*S - PK*h
+				// we don't decode R, but encode (B*S - PK*h)
+				auto Bs = MulB (signature + EDDSA25519_SIGNATURE_LENGTH/2, ctx); // B*S;
+				BN_mod (h, h, l, ctx); // public key is multiple of B, but B%l = 0
+				auto PKh = Mul (publicKey, h, ctx); // PK*h
+				uint8_t diff[32];
+				EncodePoint (Normalize (Sum (Bs, -PKh, ctx), ctx), diff); // Bs - PKh encoded
+				bool passed = !memcmp (signature, diff, 32); // R
+				BN_free (h); 
+				BN_CTX_free (ctx);
+				if (!passed)
+					LogPrint (eLogError, "25519 signature verification failed");
+				return passed; 
+			}
+
+			void Sign (const uint8_t * expandedPrivateKey, const uint8_t * publicKeyEncoded, const uint8_t * buf, size_t len, 
+				uint8_t * signature) const
+			{
+				BN_CTX * bnCtx = BN_CTX_new ();
+				// calculate r
+				SHA512_CTX ctx;
+				SHA512_Init (&ctx);
+				SHA512_Update (&ctx, expandedPrivateKey + EDDSA25519_PRIVATE_KEY_LENGTH, EDDSA25519_PRIVATE_KEY_LENGTH); // right half of expanded key
+				SHA512_Update (&ctx, buf, len); // data
+				uint8_t digest[64];
+				SHA512_Final (digest, &ctx);
+				BIGNUM * r = DecodeBN<32> (digest); // DecodeBN<64> (digest); // for test vectors
+				// calculate R
+				uint8_t R[EDDSA25519_SIGNATURE_LENGTH/2]; // we must use separate buffer because signature might be inside buf
+				EncodePoint (Normalize (MulB (digest, bnCtx), bnCtx), R); // EncodePoint (Mul (B, r, bnCtx), R); // for test vectors 
+				// calculate S
+				SHA512_Init (&ctx);
+				SHA512_Update (&ctx, R, EDDSA25519_SIGNATURE_LENGTH/2); // R
+				SHA512_Update (&ctx, publicKeyEncoded, EDDSA25519_PUBLIC_KEY_LENGTH); // public key
+				SHA512_Update (&ctx, buf, len); // data
+				SHA512_Final (digest, &ctx);
+				BIGNUM * h = DecodeBN<64> (digest);			
+				// S = (r + h*a) % l
+				BIGNUM * a = DecodeBN<EDDSA25519_PRIVATE_KEY_LENGTH> (expandedPrivateKey); // left half of expanded key
+				BN_mod_mul (h, h, a, l, bnCtx); // %l
+				BN_mod_add (h, h, r, l, bnCtx); // %l
+				memcpy (signature, R, EDDSA25519_SIGNATURE_LENGTH/2);
+				EncodeBN (h, signature + EDDSA25519_SIGNATURE_LENGTH/2, EDDSA25519_SIGNATURE_LENGTH/2); // S
+				BN_free (r); BN_free (h); BN_free (a);
+				BN_CTX_free (bnCtx);
+			}
+
+		private:		
+
+			EDDSAPoint Sum (const EDDSAPoint& p1, const EDDSAPoint& p2, BN_CTX * ctx) const
+			{
+				// x3 = (x1*y2+y1*x2)*(z1*z2-d*t1*t2)
+				// y3 = (y1*y2+x1*x2)*(z1*z2+d*t1*t2)
+				// z3 = (z1*z2-d*t1*t2)*(z1*z2+d*t1*t2)
+				// t3 = (y1*y2+x1*x2)*(x1*y2+y1*x2)
+				BIGNUM * x3 = BN_new (), * y3 = BN_new (), * z3 = BN_new (), * t3 = BN_new ();
+				
+				BN_mul (x3, p1.x, p2.x, ctx); // A = x1*x2		
+				BN_mul (y3, p1.y, p2.y, ctx); // B = y1*y2	
+				
+				BIGNUM * t1 = p1.t, * t2 = p2.t;
+				if (!t1) { t1 = BN_new (); BN_mul (t1, p1.x, p1.y, ctx); }
+				if (!t2) { t2 = BN_new (); BN_mul (t2, p2.x, p2.y, ctx); }
+				BN_mul (t3, t1, t2, ctx);
+				BN_mul (t3, t3, d, ctx);  // C = d*t1*t2
+				if (!p1.t) BN_free (t1);
+				if (!p2.t) BN_free (t2);
+
+				if (p1.z)
+				{
+					if (p2.z)
+						BN_mul (z3, p1.z, p2.z, ctx); // D = z1*z2
+					else
+						BN_copy (z3, p1.z); // D = z1
+				}
+				else
+				{
+					if (p2.z)
+						BN_copy (z3, p2.z); // D = z2
+					else
+						BN_one (z3); // D = 1
+				}	
+
+				BIGNUM * E = BN_new (), * F = BN_new (), * G = BN_new (), * H = BN_new ();
+				BN_add (E, p1.x, p1.y);				
+				BN_add (F, p2.x, p2.y);
+				BN_mul (E, E, F, ctx); // (x1 + y1)*(x2 + y2)
+				BN_sub (E, E, x3);
+				BN_sub (E, E, y3); // E = (x1 + y1)*(x2 + y2) - A - B
+				BN_sub (F, z3, t3); // F = D - C
+				BN_add (G, z3, t3); // G = D + C
+				BN_add (H, y3, x3); // H = B + A
+
+				BN_mod_mul (x3, E, F, q, ctx); // x3 = E*F
+				BN_mod_mul (y3, G, H, q, ctx); // y3 = G*H	
+				BN_mod_mul (z3, F, G, q, ctx); // z3 = F*G	
+				BN_mod_mul (t3, E, H, q, ctx); // t3 = E*H	
+
+				BN_free (E); BN_free (F); BN_free (G); BN_free (H);
+
+				return EDDSAPoint {x3, y3, z3, t3};
+			}
+
+			EDDSAPoint Double (const EDDSAPoint& p, BN_CTX * ctx) const
+			{
+				BIGNUM * x2 = BN_new (), * y2 = BN_new (), * z2 = BN_new (), * t2 = BN_new ();
+				
+				BN_sqr (x2, p.x, ctx); // x2 = A = x^2		
+				BN_sqr (y2, p.y, ctx); // y2 = B = y^2	
+				if (p.t)
+					BN_sqr (t2, p.t, ctx); // t2 = t^2
+				else
+				{
+					BN_mul (t2, p.x, p.y, ctx); // t = x*y
+					BN_sqr (t2, t2, ctx);  // t2 = t^2
+				}	
+				BN_mul (t2, t2, d, ctx);  // t2 = C = d*t^2 	
+				if (p.z)
+					BN_sqr (z2, p.z, ctx); // z2 = D = z^2 		
+				else
+					BN_one (z2); // z2 = 1
+
+				BIGNUM * E = BN_new (), * F = BN_new (), * G = BN_new (), * H = BN_new ();
+				// E = (x+y)*(x+y)-A-B = x^2+y^2+2xy-A-B = 2xy
+				BN_mul (E, p.x, p.y, ctx);
+				BN_lshift1 (E, E);	// E =2*x*y							
+				BN_sub (F, z2, t2); // F = D - C
+				BN_add (G, z2, t2); // G = D + C 
+				BN_add (H, y2, x2); // H = B + A
+
+				BN_mod_mul (x2, E, F, q, ctx); // x2 = E*F
+				BN_mod_mul (y2, G, H, q, ctx); // y2 = G*H	
+				BN_mod_mul (z2, F, G, q, ctx); // z2 = F*G	
+				BN_mod_mul (t2, E, H, q, ctx); // t2 = E*H	
+
+				BN_free (E); BN_free (F); BN_free (G); BN_free (H);
+
+				return EDDSAPoint {x2, y2, z2, t2};
+			}
+			
+			EDDSAPoint Mul (const EDDSAPoint& p, const BIGNUM * e, BN_CTX * ctx) const
+			{
+				BIGNUM * zero = BN_new (), * one = BN_new ();
+				BN_zero (zero); BN_one (one);
+				EDDSAPoint res {zero, one};
+				if (!BN_is_zero (e))
+				{
+					int bitCount = BN_num_bits (e);
+					for (int i = bitCount - 1; i >= 0; i--)
+					{
+						res = Double (res, ctx);
+						if (BN_is_bit_set (e, i)) res = Sum (res, p, ctx);
+					}
+				}	
+				return res;
+			} 
+			
+			EDDSAPoint MulB (const uint8_t * e, BN_CTX * ctx) const // B*e, e is 32 bytes Little Endian
+			{
+				BIGNUM * zero = BN_new (), * one = BN_new ();
+				BN_zero (zero); BN_one (one);
+				EDDSAPoint res {zero, one};
+				bool carry = false;
+				for (int i = 0; i < 32; i++)
+				{
+					uint8_t x = e[i];
+					if (carry) 
+					{ 
+						if (x < 255) 
+						{ 
+							x++; 
+							carry = false;
+						} 
+						else 
+							x = 0; 
+					}
+					if (x > 0)
+					{
+						if (x <= 128)
+							res = Sum (res, Bi256[i][x-1], ctx);
+						else
+						{
+							res = Sum (res, -Bi256[i][255-x], ctx); // -Bi[256-x]
+							carry = true;
+						}		
+					}
+				}
+				if (carry) res = Sum (res, Bi256Carry, ctx);
+				return res;
+			}
+
+			EDDSAPoint Normalize (const EDDSAPoint& p, BN_CTX * ctx) const
+			{
+				if (p.z)
+				{
+					BIGNUM * x = BN_new (), * y = BN_new ();
+					BN_mod_inverse (y, p.z, q, ctx);
+					BN_mod_mul (x, p.x, y, q, ctx); // x = x/z
+					BN_mod_mul (y, p.y, y, q, ctx); // y = y/z
+					return  EDDSAPoint{x, y};
+				}
+				else
+					return EDDSAPoint{BN_dup (p.x), BN_dup (p.y)};
+			}
+
+			bool IsOnCurve (const EDDSAPoint& p, BN_CTX * ctx) const
+			{
+				BIGNUM * x2 = BN_new ();
+				BN_sqr (x2, p.x, ctx); // x^2
+				BIGNUM * y2 = BN_new ();
+				BN_sqr (y2, p.y, ctx); // y^2
+				// y^2 - x^2 - 1 - d*x^2*y^2 
+				BIGNUM * tmp = BN_new ();				
+				BN_mul (tmp, d, x2, ctx);
+				BN_mul (tmp, tmp, y2, ctx);	
+				BN_sub (tmp, y2, tmp);
+				BN_sub (tmp, tmp, x2);
+				BN_sub_word (tmp, 1);
+				BN_mod (tmp, tmp, q, ctx); // % q
+				bool ret = BN_is_zero (tmp);
+				BN_free (x2);
+				BN_free (y2);
+				BN_free (tmp);
+				return ret;
+			}	
+
+			BIGNUM * RecoverX (const BIGNUM * y, BN_CTX * ctx) const
+			{
+				BIGNUM * y2 = BN_new ();
+				BN_sqr (y2, y, ctx); // y^2
+				// xx = (y^2 -1)*inv(d*y^2 +1) 
+				BIGNUM * xx = BN_new ();
+				BN_mul (xx, d, y2, ctx);
+				BN_add_word (xx, 1);
+				BN_mod_inverse (xx, xx, q, ctx);
+				BN_sub_word (y2, 1);
+				BN_mul (xx, y2, xx, ctx);
+				// x = srqt(xx) = xx^(2^252-2)		
+				BIGNUM * x = BN_new ();
+				BN_mod_exp (x, xx, two_252_2, q, ctx);
+				// check (x^2 -xx) % q	
+				BN_sqr (y2, x, ctx);
+				BN_mod_sub (y2, y2, xx, q, ctx); 
+				if (!BN_is_zero (y2))
+					BN_mod_mul (x, x, I, q, ctx);
+				if (BN_is_odd (x))
+					BN_sub (x, q, x);
+				BN_free (y2);
+				BN_free (xx);
+				return x;
+			}
+
+			EDDSAPoint DecodePoint (const uint8_t * buf, BN_CTX * ctx) const
+			{
+				// buf is 32 bytes Little Endian, convert it to Big Endian
+				uint8_t buf1[EDDSA25519_PUBLIC_KEY_LENGTH];
+				for (size_t i = 0; i < EDDSA25519_PUBLIC_KEY_LENGTH/2; i++) // invert bytes
+				{
+					buf1[i] = buf[EDDSA25519_PUBLIC_KEY_LENGTH -1 - i];
+					buf1[EDDSA25519_PUBLIC_KEY_LENGTH -1 - i] = buf[i];
+				}
+				bool isHighestBitSet = buf1[0] & 0x80;
+				if (isHighestBitSet)
+					buf1[0] &= 0x7f; // clear highest bit
+				BIGNUM * y = BN_new ();
+				BN_bin2bn (buf1, EDDSA25519_PUBLIC_KEY_LENGTH, y);
+				auto x = RecoverX (y, ctx);
+				if (BN_is_bit_set (x, 0) != isHighestBitSet)
+					BN_sub (x, q, x); // x = q - x 
+				BIGNUM * z = BN_new (), * t = BN_new (); 
+				BN_one (z); BN_mod_mul (t, x, y, q, ctx); // pre-calculate t
+				EDDSAPoint p {x, y, z, t};
+				if (!IsOnCurve (p, ctx)) 
+					LogPrint (eLogError, "Decoded point is not on 25519");
+				return p;
+			}
+			
+			void EncodePoint (const EDDSAPoint& p, uint8_t * buf) const
+			{
+				EncodeBN (p.y, buf,EDDSA25519_PUBLIC_KEY_LENGTH); 
+				if (BN_is_bit_set (p.x, 0)) // highest bit
+					buf[EDDSA25519_PUBLIC_KEY_LENGTH - 1] |= 0x80; // set highest bit
+			}
+
+			template<int len>
+			BIGNUM * DecodeBN (const uint8_t * buf) const
+			{
+				// buf is Little Endian convert it to Big Endian
+				uint8_t buf1[len];
+				for (size_t i = 0; i < len/2; i++) // invert bytes
+				{
+					buf1[i] = buf[len -1 - i];
+					buf1[len -1 - i] = buf[i];
+				}
+				BIGNUM * res = BN_new ();
+				BN_bin2bn (buf1, len, res);
+				return res;
+			}
+
+			void EncodeBN (const BIGNUM * bn, uint8_t * buf, size_t len) const
+			{
+				bn2buf (bn, buf, len);
+				// To Little Endian
+				for (size_t i = 0; i < len/2; i++) // invert bytes
+				{
+					uint8_t tmp = buf[i];
+					buf[i] = buf[len -1 - i];
+					buf[len -1 - i] = tmp;
+				}	
+			}
+
+		private:
+			
+			BIGNUM * q, * l, * d, * I; 
+			// transient values
+			BIGNUM * two_252_2; // 2^252-2
+			EDDSAPoint Bi256[32][128]; // per byte, Bi256[i][j] = (256+j+1)^i*B, we don't store zeroes
+			// if j > 128 we use 256 - j and carry 1 to next byte
+			// Bi256[0][0] = B, base point
+			EDDSAPoint Bi256Carry; // Bi256[32][0]
+	};
+
+	static std::unique_ptr<Ed25519> g_Ed25519;
+	std::unique_ptr<Ed25519>& GetEd25519 ()
+	{
+		if (!g_Ed25519)
+			g_Ed25519.reset (new Ed25519());
+			
+		return g_Ed25519; 
+	}	
+	
+
+	EDDSA25519Verifier::EDDSA25519Verifier (const uint8_t * signingKey)
+	{
+		memcpy (m_PublicKeyEncoded, signingKey, EDDSA25519_PUBLIC_KEY_LENGTH); 
+		BN_CTX * ctx = BN_CTX_new ();
+		m_PublicKey = GetEd25519 ()->DecodePublicKey (m_PublicKeyEncoded, ctx);
+		BN_CTX_free (ctx);
+	}
+
+	bool EDDSA25519Verifier::Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const
+	{
+		uint8_t digest[64];
+		SHA512_CTX ctx;
+		SHA512_Init (&ctx);
+		SHA512_Update (&ctx, signature, EDDSA25519_SIGNATURE_LENGTH/2); // R
+		SHA512_Update (&ctx, m_PublicKeyEncoded, EDDSA25519_PUBLIC_KEY_LENGTH); // public key
+		SHA512_Update (&ctx, buf, len); // data	
+		SHA512_Final (digest, &ctx);
+		
+		return GetEd25519 ()->Verify (m_PublicKey, digest, signature);
+	}
+
+	EDDSA25519Signer::EDDSA25519Signer (const uint8_t * signingPrivateKey)
+	{ 
+		// expand key
+		SHA512 (signingPrivateKey, EDDSA25519_PRIVATE_KEY_LENGTH, m_ExpandedPrivateKey);
+		m_ExpandedPrivateKey[0] &= 0xF8; // drop last 3 bits 
+		m_ExpandedPrivateKey[EDDSA25519_PRIVATE_KEY_LENGTH - 1] &= 0x1F; // drop first 3 bits
+		m_ExpandedPrivateKey[EDDSA25519_PRIVATE_KEY_LENGTH - 1] |= 0x40; // set second bit
+		// generate and encode public key
+		BN_CTX * ctx = BN_CTX_new ();	
+		auto publicKey = GetEd25519 ()->GeneratePublicKey (m_ExpandedPrivateKey, ctx);
+		GetEd25519 ()->EncodePublicKey (publicKey, m_PublicKeyEncoded, ctx);	
+		BN_CTX_free (ctx);
+	} 
+		
+	void EDDSA25519Signer::Sign (const uint8_t * buf, int len, uint8_t * signature) const
+	{
+		GetEd25519 ()->Sign (m_ExpandedPrivateKey, m_PublicKeyEncoded, buf, len, signature);
+	}	
+}
+}
+
+

Signature.h

@@ -2,13 +2,15 @@
 #define SIGNATURE_H__
 
 #include <inttypes.h>
-#include <cryptopp/dsa.h>
-#include <cryptopp/rsa.h>
-#include <cryptopp/asn.h>
-#include <cryptopp/oids.h>
-#include <cryptopp/osrng.h>
-#include <cryptopp/eccrypto.h>
-#include "CryptoConst.h"
+#include <string.h>
+#include <openssl/sha.h>
+#include <openssl/dsa.h>
+#include <openssl/ec.h>
+#include <openssl/ecdsa.h>
+#include <openssl/rsa.h>
+#include <openssl/rand.h>
+#include <openssl/evp.h>
+#include "Crypto.h"
 
 namespace i2p
 {
@@ -30,7 +32,7 @@ namespace crypto
 		public:
 
 			virtual ~Signer () {};		
-			virtual void Sign (CryptoPP::RandomNumberGenerator& rnd, const uint8_t * buf, int len, uint8_t * signature) const = 0; 
+			virtual void Sign (const uint8_t * buf, int len, uint8_t * signature) const = 0; 
 	};
 
 	const size_t DSA_PUBLIC_KEY_LENGTH = 128;
@@ -42,13 +44,28 @@ namespace crypto
 
 			DSAVerifier (const uint8_t * signingKey)
 			{
-				m_PublicKey.Initialize (dsap, dsaq, dsag, CryptoPP::Integer (signingKey, DSA_PUBLIC_KEY_LENGTH));
+				m_PublicKey = CreateDSA ();
+				m_PublicKey->pub_key = BN_bin2bn (signingKey, DSA_PUBLIC_KEY_LENGTH, NULL);
 			}
-	
+
+			~DSAVerifier ()
+			{
+				DSA_free (m_PublicKey);
+			}
+			
 			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const
 			{
-				CryptoPP::DSA::Verifier verifier (m_PublicKey);
-				return verifier.VerifyMessage (buf, len, signature, DSA_SIGNATURE_LENGTH);
+				// calculate SHA1 digest
+				uint8_t digest[20];
+				SHA1 (buf, len, digest);
+				// signature
+				DSA_SIG * sig = DSA_SIG_new();
+				sig->r = BN_bin2bn (signature, DSA_SIGNATURE_LENGTH/2, NULL);
+				sig->s = BN_bin2bn (signature + DSA_SIGNATURE_LENGTH/2, DSA_SIGNATURE_LENGTH/2, NULL);
+				// DSA verification
+				int ret = DSA_do_verify (digest, 20, sig, m_PublicKey);
+				DSA_SIG_free(sig);
+				return ret;
 			}	
 
 			size_t GetPublicKeyLen () const { return DSA_PUBLIC_KEY_LENGTH; };
@@ -56,7 +73,7 @@ namespace crypto
 			
 		private:
 
-			CryptoPP::DSA::PublicKey m_PublicKey;
+			DSA * m_PublicKey;
 	};
 
 	class DSASigner: public Signer
@@ -65,189 +82,210 @@ namespace crypto
 
 			DSASigner (const uint8_t * signingPrivateKey)
 			{
-				m_PrivateKey.Initialize (dsap, dsaq, dsag, CryptoPP::Integer (signingPrivateKey, DSA_PRIVATE_KEY_LENGTH));
+				m_PrivateKey = CreateDSA ();
+				m_PrivateKey->priv_key = BN_bin2bn (signingPrivateKey, DSA_PRIVATE_KEY_LENGTH, NULL);
 			}
 
-			void Sign (CryptoPP::RandomNumberGenerator& rnd, const uint8_t * buf, int len, uint8_t * signature) const
+			~DSASigner ()
 			{
-				CryptoPP::DSA::Signer signer (m_PrivateKey);
-				signer.SignMessage (rnd, buf, len, signature);
+				DSA_free (m_PrivateKey);
+			}
+			
+			void Sign (const uint8_t * buf, int len, uint8_t * signature) const
+			{
+				uint8_t digest[20];
+				SHA1 (buf, len, digest);
+				DSA_SIG * sig = DSA_do_sign (digest, 20, m_PrivateKey);
+				bn2buf (sig->r, signature, DSA_SIGNATURE_LENGTH/2);
+				bn2buf (sig->s, signature + DSA_SIGNATURE_LENGTH/2, DSA_SIGNATURE_LENGTH/2);
+				DSA_SIG_free(sig);
 			}
 
 		private:
 
-			CryptoPP::DSA::PrivateKey m_PrivateKey;
+			DSA * m_PrivateKey;
 	};
 
-	inline void CreateDSARandomKeys (CryptoPP::RandomNumberGenerator& rnd, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
+	inline void CreateDSARandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
 	{
-		CryptoPP::DSA::PrivateKey privateKey;
-		CryptoPP::DSA::PublicKey publicKey;
-		privateKey.Initialize (rnd, dsap, dsaq, dsag);
-		privateKey.MakePublicKey (publicKey);
-		privateKey.GetPrivateExponent ().Encode (signingPrivateKey, DSA_PRIVATE_KEY_LENGTH);	
-		publicKey.GetPublicElement ().Encode (signingPublicKey, DSA_PUBLIC_KEY_LENGTH);
+		DSA * dsa = CreateDSA ();
+		DSA_generate_key (dsa);
+		bn2buf (dsa->priv_key, signingPrivateKey, DSA_PRIVATE_KEY_LENGTH);
+		bn2buf (dsa->pub_key, signingPublicKey, DSA_PUBLIC_KEY_LENGTH);
+		DSA_free (dsa);
+		
 	}	
 
-	template<typename Hash, size_t keyLen>
+	struct SHA256Hash
+	{	
+		static void CalculateHash (const uint8_t * buf, size_t len, uint8_t * digest)
+		{
+			SHA256 (buf, len, digest);
+		}
+
+		enum { hashLen = 32 };
+	};	
+
+	struct SHA384Hash
+	{	
+		static void CalculateHash (const uint8_t * buf, size_t len, uint8_t * digest)
+		{
+			SHA384 (buf, len, digest);
+		}
+
+		enum { hashLen = 48 };
+	};
+
+	struct SHA512Hash
+	{	
+		static void CalculateHash (const uint8_t * buf, size_t len, uint8_t * digest)
+		{
+			SHA512 (buf, len, digest);
+		}
+
+		enum { hashLen = 64 };
+	};
+	
+	template<typename Hash, int curve, size_t keyLen>
 	class ECDSAVerifier: public Verifier
 	{		
 		public:
 
-			template<typename Curve>
-			ECDSAVerifier (Curve curve, const uint8_t * signingKey)
+			ECDSAVerifier (const uint8_t * signingKey)
 			{
-				m_PublicKey.Initialize (curve, 
-					CryptoPP::ECP::Point (CryptoPP::Integer (signingKey, keyLen/2), 
-					CryptoPP::Integer (signingKey + keyLen/2, keyLen/2)));
+				m_PublicKey = EC_KEY_new_by_curve_name (curve);
+				EC_KEY_set_public_key_affine_coordinates (m_PublicKey, 
+					BN_bin2bn (signingKey, keyLen/2, NULL),
+					BN_bin2bn (signingKey + keyLen/2, keyLen/2, NULL));  
 			}
 
+			~ECDSAVerifier ()
+			{
+				EC_KEY_free (m_PublicKey);
+			}
+			
 			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const
 			{
-				typename CryptoPP::ECDSA<CryptoPP::ECP, Hash>::Verifier verifier (m_PublicKey);
-				return verifier.VerifyMessage (buf, len, signature, keyLen); // signature length
+				uint8_t digest[Hash::hashLen];
+				Hash::CalculateHash (buf, len, digest);
+				ECDSA_SIG * sig = ECDSA_SIG_new();
+				sig->r = BN_bin2bn (signature, GetSignatureLen ()/2, NULL);
+				sig->s = BN_bin2bn (signature + GetSignatureLen ()/2, GetSignatureLen ()/2, NULL);
+				// ECDSA verification
+				int ret = ECDSA_do_verify (digest, Hash::hashLen, sig, m_PublicKey);
+				ECDSA_SIG_free(sig);
+				return ret;
 			}	
-
+			
 			size_t GetPublicKeyLen () const { return keyLen; };
 			size_t GetSignatureLen () const { return keyLen; }; // signature length = key length
+
 			
 		private:
 
-			typename CryptoPP::ECDSA<CryptoPP::ECP, Hash>::PublicKey m_PublicKey;
+			EC_KEY * m_PublicKey;
 	};
 
-	template<typename Hash>
+	template<typename Hash, int curve, size_t keyLen>
 	class ECDSASigner: public Signer
 	{
 		public:
 
-			template<typename Curve>
-			ECDSASigner (Curve curve, const uint8_t * signingPrivateKey, size_t keyLen)
+			ECDSASigner (const uint8_t * signingPrivateKey)
 			{
-				m_PrivateKey.Initialize (curve, CryptoPP::Integer (signingPrivateKey, keyLen/2)); // private key length
+				m_PrivateKey = EC_KEY_new_by_curve_name (curve);
+				EC_KEY_set_private_key (m_PrivateKey, BN_bin2bn (signingPrivateKey, keyLen/2, NULL));			
 			}
 
-			void Sign (CryptoPP::RandomNumberGenerator& rnd, const uint8_t * buf, int len, uint8_t * signature) const
+			~ECDSASigner ()
 			{
-				typename CryptoPP::ECDSA<CryptoPP::ECP, Hash>::Signer signer (m_PrivateKey);
-				signer.SignMessage (rnd, buf, len, signature);
+				EC_KEY_free (m_PrivateKey);
+			}
+			
+			void Sign (const uint8_t * buf, int len, uint8_t * signature) const
+			{
+				uint8_t digest[Hash::hashLen];
+				Hash::CalculateHash (buf, len, digest);
+				ECDSA_SIG * sig = ECDSA_do_sign (digest, Hash::hashLen, m_PrivateKey);
+				// signatureLen = keyLen
+				bn2buf (sig->r, signature, keyLen/2);
+				bn2buf (sig->s, signature + keyLen/2, keyLen/2);
+				ECDSA_SIG_free(sig);
 			}
 
 		private:
 
-			typename CryptoPP::ECDSA<CryptoPP::ECP, Hash>::PrivateKey m_PrivateKey;
+			EC_KEY * m_PrivateKey;
 	};
 
-	template<typename Hash, typename Curve>
-	inline void CreateECDSARandomKeys (CryptoPP::RandomNumberGenerator& rnd, Curve curve, 
-		size_t keyLen, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
+	inline void CreateECDSARandomKeys (int curve, size_t keyLen, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
 	{
-		typename CryptoPP::ECDSA<CryptoPP::ECP, Hash>::PrivateKey privateKey;
-		typename CryptoPP::ECDSA<CryptoPP::ECP, Hash>::PublicKey publicKey;
-		privateKey.Initialize (rnd, curve);
-		privateKey.MakePublicKey (publicKey);
-		privateKey.GetPrivateExponent ().Encode (signingPrivateKey, keyLen/2);	
-		auto q = publicKey.GetPublicElement ();
-		q.x.Encode (signingPublicKey, keyLen/2);
-		q.y.Encode (signingPublicKey + keyLen/2, keyLen/2);
-	}	
+		EC_KEY * signingKey = EC_KEY_new_by_curve_name (curve);
+		EC_KEY_generate_key (signingKey);
+		bn2buf (EC_KEY_get0_private_key (signingKey), signingPrivateKey, keyLen/2);
+		BIGNUM * x = BN_new(), * y = BN_new();
+		EC_POINT_get_affine_coordinates_GFp (EC_KEY_get0_group(signingKey),
+			EC_KEY_get0_public_key (signingKey), x, y, NULL);
+		bn2buf (x, signingPublicKey, keyLen/2);
+		bn2buf (y, signingPublicKey + keyLen/2, keyLen/2);
+		BN_free (x); BN_free (y);
+		EC_KEY_free (signingKey);		
+	}
 
 // ECDSA_SHA256_P256
 	const size_t ECDSAP256_KEY_LENGTH = 64;	
-	class ECDSAP256Verifier: public ECDSAVerifier<CryptoPP::SHA256, ECDSAP256_KEY_LENGTH>
+	typedef ECDSAVerifier<SHA256Hash, NID_X9_62_prime256v1, ECDSAP256_KEY_LENGTH> ECDSAP256Verifier;
+	typedef ECDSASigner<SHA256Hash, NID_X9_62_prime256v1, ECDSAP256_KEY_LENGTH> ECDSAP256Signer;
+
+	inline void CreateECDSAP256RandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
 	{
-		public:
-
-			ECDSAP256Verifier (const uint8_t * signingKey): 
-				ECDSAVerifier (CryptoPP::ASN1::secp256r1(), signingKey)
-			{
-			}			
-	};	
-
-	class ECDSAP256Signer: public ECDSASigner<CryptoPP::SHA256>
-	{
-		public:
-
-			ECDSAP256Signer (const uint8_t * signingPrivateKey):
-				ECDSASigner (CryptoPP::ASN1::secp256r1(), signingPrivateKey, ECDSAP256_KEY_LENGTH)
-			{
-			}
-	};
-
-	inline void CreateECDSAP256RandomKeys (CryptoPP::RandomNumberGenerator& rnd, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
-	{
-		CreateECDSARandomKeys<CryptoPP::SHA256> (rnd, CryptoPP::ASN1::secp256r1(), ECDSAP256_KEY_LENGTH, signingPrivateKey, signingPublicKey);
+		CreateECDSARandomKeys (NID_X9_62_prime256v1, ECDSAP256_KEY_LENGTH, signingPrivateKey, signingPublicKey);
 	}	
 
 // ECDSA_SHA384_P384
 	const size_t ECDSAP384_KEY_LENGTH = 96;
-	class ECDSAP384Verifier: public ECDSAVerifier<CryptoPP::SHA384, ECDSAP384_KEY_LENGTH>
+	typedef ECDSAVerifier<SHA384Hash, NID_secp384r1, ECDSAP384_KEY_LENGTH> ECDSAP384Verifier;
+	typedef ECDSASigner<SHA384Hash, NID_secp384r1, ECDSAP384_KEY_LENGTH> ECDSAP384Signer;
+
+	inline void CreateECDSAP384RandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
 	{
-		public:
-
-			ECDSAP384Verifier (const uint8_t * signingKey): 
-				ECDSAVerifier (CryptoPP::ASN1::secp384r1(), signingKey)
-			{
-			}			
-	};	
-
-	class ECDSAP384Signer: public ECDSASigner<CryptoPP::SHA384>
-	{
-		public:
-
-			ECDSAP384Signer (const uint8_t * signingPrivateKey):
-				ECDSASigner (CryptoPP::ASN1::secp384r1(), signingPrivateKey, ECDSAP384_KEY_LENGTH)
-			{
-			}
-	};
-
-	inline void CreateECDSAP384RandomKeys (CryptoPP::RandomNumberGenerator& rnd, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
-	{
-		CreateECDSARandomKeys<CryptoPP::SHA384> (rnd, CryptoPP::ASN1::secp384r1(), ECDSAP384_KEY_LENGTH, signingPrivateKey, signingPublicKey);
+		CreateECDSARandomKeys (NID_secp384r1, ECDSAP384_KEY_LENGTH, signingPrivateKey, signingPublicKey);
 	}	
 
 // ECDSA_SHA512_P521
 	const size_t ECDSAP521_KEY_LENGTH = 132;
-	class ECDSAP521Verifier: public ECDSAVerifier<CryptoPP::SHA512, ECDSAP521_KEY_LENGTH>
+	typedef ECDSAVerifier<SHA512Hash, NID_secp521r1, ECDSAP521_KEY_LENGTH> ECDSAP521Verifier;
+	typedef ECDSASigner<SHA512Hash, NID_secp521r1, ECDSAP521_KEY_LENGTH> ECDSAP521Signer;
+
+	inline void CreateECDSAP521RandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
 	{
-		public:
-
-			ECDSAP521Verifier (const uint8_t * signingKey): 
-				ECDSAVerifier (CryptoPP::ASN1::secp521r1(), signingKey)
-			{
-			}			
-	};	
-
-	class ECDSAP521Signer: public ECDSASigner<CryptoPP::SHA512>
-	{
-		public:
-
-			ECDSAP521Signer (const uint8_t * signingPrivateKey):
-				ECDSASigner (CryptoPP::ASN1::secp521r1(), signingPrivateKey, ECDSAP521_KEY_LENGTH)
-			{
-			}
-	};
-
-	inline void CreateECDSAP521RandomKeys (CryptoPP::RandomNumberGenerator& rnd, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
-	{
-		CreateECDSARandomKeys<CryptoPP::SHA512> (rnd, CryptoPP::ASN1::secp521r1(), ECDSAP521_KEY_LENGTH, signingPrivateKey, signingPublicKey);
+		CreateECDSARandomKeys (NID_secp521r1, ECDSAP521_KEY_LENGTH, signingPrivateKey, signingPublicKey);
 	}
 
 // RSA
-	template<typename Hash, size_t keyLen>	
+	template<typename Hash, int type, size_t keyLen>	
 	class RSAVerifier: public Verifier
 	{
 		public:
 
 			RSAVerifier (const uint8_t * signingKey)
 			{
-				m_PublicKey.Initialize (CryptoPP::Integer (signingKey, keyLen), CryptoPP::Integer (rsae));
+				m_PublicKey = RSA_new ();
+				memset (m_PublicKey, 0, sizeof (RSA));
+				m_PublicKey->e = BN_dup (GetRSAE ());
+				m_PublicKey->n = BN_bin2bn (signingKey, keyLen, NULL);
 			}
 
+			~RSAVerifier ()
+			{
+				RSA_free (m_PublicKey);
+			}
+			
 			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const 
 			{
-				typename CryptoPP::RSASS<CryptoPP::PKCS1v15, Hash>::Verifier verifier (m_PublicKey);
-				return verifier.VerifyMessage (buf, len, signature, keyLen); // signature length
+				uint8_t digest[Hash::hashLen];
+				Hash::CalculateHash (buf, len, digest);
+				return RSA_verify (type, digest, Hash::hashLen, signature, GetSignatureLen (), m_PublicKey);
 			}
 			size_t GetPublicKeyLen () const { return keyLen; }
 			size_t GetSignatureLen () const { return keyLen; }	
@@ -255,161 +293,150 @@ namespace crypto
 
 		private:
 			
-			CryptoPP::RSA::PublicKey m_PublicKey;			
+			RSA * m_PublicKey;			
 	};	
 
 	
-	template<typename Hash>
+	template<typename Hash, int type, size_t keyLen>
 	class RSASigner: public Signer
 	{
 		public:
 
-			RSASigner (const uint8_t * signingPrivateKey, size_t keyLen)
+			RSASigner (const uint8_t * signingPrivateKey)
 			{
-				m_PrivateKey.Initialize (CryptoPP::Integer (signingPrivateKey, keyLen/2),
-				    rsae,                 			
-					CryptoPP::Integer (signingPrivateKey + keyLen/2, keyLen/2));
+				m_PrivateKey = RSA_new ();
+				memset (m_PrivateKey, 0, sizeof (RSA));
+				m_PrivateKey->e = BN_dup (GetRSAE ());
+				m_PrivateKey->n = BN_bin2bn (signingPrivateKey, keyLen, NULL);
+				m_PrivateKey->d = BN_bin2bn (signingPrivateKey + keyLen, keyLen, NULL);
 			}
 
-			void Sign (CryptoPP::RandomNumberGenerator& rnd, const uint8_t * buf, int len, uint8_t * signature) const
+			~RSASigner ()
 			{
-				typename CryptoPP::RSASS<CryptoPP::PKCS1v15, Hash>::Signer signer (m_PrivateKey);
-				signer.SignMessage (rnd, buf, len, signature);
+				RSA_free (m_PrivateKey);
+			}
+			
+			void Sign (const uint8_t * buf, int len, uint8_t * signature) const
+			{
+				uint8_t digest[Hash::hashLen];
+				Hash::CalculateHash (buf, len, digest);
+				unsigned int signatureLen = keyLen;
+				RSA_sign (type, digest, Hash::hashLen, signature, &signatureLen, m_PrivateKey);
 			}
 			
 		private:
 
-			CryptoPP::RSA::PrivateKey m_PrivateKey;
+			RSA * m_PrivateKey;
 	};		
 
-	inline void CreateRSARandomKeys (CryptoPP::RandomNumberGenerator& rnd, 
-		size_t publicKeyLen, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
+	inline void CreateRSARandomKeys (size_t publicKeyLen, uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
 	{
-		CryptoPP::RSA::PrivateKey privateKey;
-		privateKey.Initialize (rnd, publicKeyLen*8, rsae);
-		privateKey.GetModulus ().Encode (signingPrivateKey, publicKeyLen);	
-		privateKey.GetPrivateExponent ().Encode (signingPrivateKey + publicKeyLen, publicKeyLen);	
-		privateKey.GetModulus ().Encode (signingPublicKey, publicKeyLen);
+		RSA * rsa = RSA_new ();
+		BIGNUM * e = BN_dup (GetRSAE ()); // make it non-const
+		RSA_generate_key_ex (rsa, publicKeyLen*8, e, NULL);
+		bn2buf (rsa->n, signingPrivateKey, publicKeyLen);
+		bn2buf (rsa->d, signingPrivateKey + publicKeyLen, publicKeyLen);
+		bn2buf (rsa->n, signingPublicKey, publicKeyLen);
+		BN_free (e); // this e is not assigned to rsa->e
+		RSA_free (rsa);
 	}	
-
 	
 //  RSA_SHA256_2048
 	const size_t RSASHA2562048_KEY_LENGTH = 256;
-	class RSASHA2562048Verifier: public RSAVerifier<CryptoPP::SHA256, RSASHA2562048_KEY_LENGTH> 
-	{
-		public:
-
-			RSASHA2562048Verifier (const uint8_t * signingKey): RSAVerifier (signingKey) 
-			{
-			}
-	};
-
-	class RSASHA2562048Signer: public RSASigner<CryptoPP::SHA256> 
-	{
-		public:
-
-			RSASHA2562048Signer (const uint8_t * signingPrivateKey): 
-				RSASigner (signingPrivateKey, RSASHA2562048_KEY_LENGTH*2) 
-			{
-			}
-	};
+	typedef RSAVerifier<SHA256Hash, NID_sha256, RSASHA2562048_KEY_LENGTH> RSASHA2562048Verifier;
+	typedef RSASigner<SHA256Hash, NID_sha256, RSASHA2562048_KEY_LENGTH> RSASHA2562048Signer;
 
 //  RSA_SHA384_3072
 	const size_t RSASHA3843072_KEY_LENGTH = 384;
-	class RSASHA3843072Verifier: public RSAVerifier<CryptoPP::SHA384, RSASHA3843072_KEY_LENGTH> 
-	{
-		public:
-
-			RSASHA3843072Verifier (const uint8_t * signingKey): RSAVerifier (signingKey) 
-			{
-			}
-	};
-
-	class RSASHA3843072Signer: public RSASigner<CryptoPP::SHA384> 
-	{
-		public:
-
-			RSASHA3843072Signer (const uint8_t * signingPrivateKey): 
-				RSASigner (signingPrivateKey, RSASHA3843072_KEY_LENGTH*2) 
-			{
-			}
-	};
+	typedef RSAVerifier<SHA384Hash, NID_sha384, RSASHA3843072_KEY_LENGTH> RSASHA3843072Verifier;
+	typedef RSASigner<SHA384Hash, NID_sha384, RSASHA3843072_KEY_LENGTH> RSASHA3843072Signer;	
 
 //  RSA_SHA512_4096
 	const size_t RSASHA5124096_KEY_LENGTH = 512;
-	class RSASHA5124096Verifier: public RSAVerifier<CryptoPP::SHA512, RSASHA5124096_KEY_LENGTH> 
+	typedef RSAVerifier<SHA512Hash, NID_sha512, RSASHA5124096_KEY_LENGTH> RSASHA5124096Verifier;
+	typedef RSASigner<SHA512Hash, NID_sha512, RSASHA5124096_KEY_LENGTH> RSASHA5124096Signer;
+
+	// EdDSA
+	struct EDDSAPoint
+	{
+		BIGNUM * x, * y;
+		BIGNUM * z, * t; // projective coordinates
+		EDDSAPoint (): x(nullptr), y(nullptr), z(nullptr), t(nullptr) {};
+		EDDSAPoint (const EDDSAPoint& other): x(nullptr), y(nullptr), z(nullptr), t(nullptr) 
+		{ *this = other; };	
+		EDDSAPoint (EDDSAPoint&& other): x(nullptr), y(nullptr), z(nullptr), t(nullptr)  
+		{ *this = std::move (other); };	
+		EDDSAPoint (BIGNUM * x1, BIGNUM * y1, BIGNUM * z1 = nullptr, BIGNUM * t1 = nullptr): x(x1), y(y1), z(z1), t(t1) {};	
+		~EDDSAPoint () { BN_free (x); BN_free (y); BN_free(z); BN_free(t); };
+
+		EDDSAPoint& operator=(EDDSAPoint&& other) 
+		{
+			if (x) BN_free (x); x = other.x; other.x = nullptr;
+			if (y) BN_free (y); y = other.y; other.y = nullptr;
+			if (z) BN_free (z); z = other.z; other.z = nullptr;
+			if (t) BN_free (t); t = other.t; other.t = nullptr;
+			return *this;
+		} 	
+
+		EDDSAPoint& operator=(const EDDSAPoint& other) 
+		{
+			if (x) BN_free (x); x = other.x ? BN_dup (other.x) : nullptr;
+			if (y) BN_free (y); y = other.y ? BN_dup (other.y) : nullptr;
+			if (z) BN_free (z); z = other.z ? BN_dup (other.z) : nullptr;
+			if (t) BN_free (t); t = other.t ? BN_dup (other.t) : nullptr;
+			return *this;
+		}
+
+		EDDSAPoint operator-() const
+		{
+			BIGNUM * x1 = NULL, * y1 = NULL, * z1 = NULL, * t1 = NULL;
+			if (x) { x1 = BN_dup (x); BN_set_negative (x1, !BN_is_negative (x)); };
+			if (y) y1 = BN_dup (y);
+			if (z) z1 = BN_dup (z);
+			if (t) { t1 = BN_dup (t); BN_set_negative (t1, !BN_is_negative (t)); };
+			return EDDSAPoint {x1, y1, z1, t1};
+		}
+	};	
+
+	const size_t EDDSA25519_PUBLIC_KEY_LENGTH = 32;
+	const size_t EDDSA25519_SIGNATURE_LENGTH = 64;
+	const size_t EDDSA25519_PRIVATE_KEY_LENGTH = 32;		
+	class EDDSA25519Verifier: public Verifier
 	{
 		public:
 
-			RSASHA5124096Verifier (const uint8_t * signingKey): RSAVerifier (signingKey) 
-			{
-			}
-	};
+			EDDSA25519Verifier (const uint8_t * signingKey);
+			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const;
 
-	class RSASHA5124096Signer: public RSASigner<CryptoPP::SHA512> 
-	{
-		public:
-
-			RSASHA5124096Signer (const uint8_t * signingPrivateKey): 
-				RSASigner (signingPrivateKey, RSASHA5124096_KEY_LENGTH*2) 
-			{
-			}
-	};
-
-// Raw verifiers	
-	class RawVerifier
-	{
-		public:
-			
-			virtual ~RawVerifier () {};
-			virtual void Update (const uint8_t * buf, size_t len) = 0;
-			virtual bool Verify (const uint8_t * signature) = 0;
-	};		
-
-	template<typename Hash, size_t keyLen>
-	class RSARawVerifier: public RawVerifier
-	{
-		public:
-
-			RSARawVerifier (const uint8_t * signingKey):
-				n (signingKey, keyLen)
-			{
-			}
-
-			void Update (const uint8_t * buf, size_t len)
-			{
-				m_Hash.Update (buf, len);
-			}
-			
-			bool Verify (const uint8_t * signature)
-			{
-				// RSA encryption first
-				CryptoPP::Integer enSig (a_exp_b_mod_c (CryptoPP::Integer (signature, keyLen), 
-					CryptoPP::Integer (i2p::crypto::rsae), n)); // s^e mod n 
-				uint8_t enSigBuf[keyLen];
-				enSig.Encode (enSigBuf, keyLen);
-
-				uint8_t digest[Hash::DIGESTSIZE];
-				m_Hash.Final (digest);
-				if ((int)keyLen < Hash::DIGESTSIZE) return false; // can't verify digest longer than key
-				// we assume digest is right aligned, at least for PKCS#1 v1.5 padding 
-				return !memcmp (enSigBuf + (keyLen - Hash::DIGESTSIZE), digest, Hash::DIGESTSIZE); 				
-			}
+			size_t GetPublicKeyLen () const { return EDDSA25519_PUBLIC_KEY_LENGTH; };
+			size_t GetSignatureLen () const { return EDDSA25519_SIGNATURE_LENGTH; };
 
 		private:
 
-			CryptoPP::Integer n; // RSA modulus	
-			Hash m_Hash;
-	};	
+			EDDSAPoint m_PublicKey;	
+			uint8_t m_PublicKeyEncoded[EDDSA25519_PUBLIC_KEY_LENGTH];
+	};
 
-	class RSASHA5124096RawVerifier: public RSARawVerifier<CryptoPP::SHA512, RSASHA5124096_KEY_LENGTH> 
+	class EDDSA25519Signer: public Signer
 	{
 		public:
 
-			RSASHA5124096RawVerifier (const uint8_t * signingKey): RSARawVerifier (signingKey) 
-			{
-			}
+			EDDSA25519Signer (const uint8_t * signingPrivateKey); 
+			void Sign (const uint8_t * buf, int len, uint8_t * signature) const; 
+			const uint8_t * GetPublicKey () const { return m_PublicKeyEncoded; };
+			
+		private:
+
+			uint8_t m_ExpandedPrivateKey[64]; 
+			uint8_t m_PublicKeyEncoded[EDDSA25519_PUBLIC_KEY_LENGTH];
 	};
+
+	inline void CreateEDDSA25519RandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
+	{
+		RAND_bytes (signingPrivateKey, EDDSA25519_PRIVATE_KEY_LENGTH);
+		EDDSA25519Signer signer (signingPrivateKey);
+		memcpy (signingPublicKey, signer.GetPublicKey (), EDDSA25519_PUBLIC_KEY_LENGTH);
+	}
 }
 }
 

Streaming.cpp

@@ -1,4 +1,4 @@
-#include <cryptopp/gzip.h>
+#include <openssl/rand.h>
 #include "Log.h"
 #include "RouterInfo.h"
 #include "RouterContext.h"
@@ -20,9 +20,8 @@ namespace stream
 		m_WindowSize (MIN_WINDOW_SIZE), m_RTT (INITIAL_RTT), m_RTO (INITIAL_RTO),
 		m_LastWindowSizeIncreaseTime (0), m_NumResendAttempts (0)
 	{
-		m_RecvStreamID = i2p::context.GetRandomNumberGenerator ().GenerateWord32 ();
+		RAND_bytes ((uint8_t *)&m_RecvStreamID, 4);
 		m_RemoteIdentity = remote->GetIdentity ();
-		UpdateCurrentRemoteLease ();
 	}	
 
 	Stream::Stream (boost::asio::io_service& service, StreamingDestination& local):
@@ -32,7 +31,7 @@ namespace stream
 		m_NumSentBytes (0), m_NumReceivedBytes (0), m_Port (0),  m_WindowSize (MIN_WINDOW_SIZE), 
 		m_RTT (INITIAL_RTT), m_RTO (INITIAL_RTO), m_LastWindowSizeIncreaseTime (0), m_NumResendAttempts (0)
 	{
-		m_RecvStreamID = i2p::context.GetRandomNumberGenerator ().GenerateWord32 ();
+		RAND_bytes ((uint8_t *)&m_RecvStreamID, 4);
 	}
 
 	Stream::~Stream ()
@@ -53,7 +52,7 @@ namespace stream
 			delete it;
 		m_SavedPackets.clear ();
 			
-		LogPrint (eLogDebug, "Stream deleted");
+		LogPrint (eLogDebug, "Streaming: Stream deleted");
 	}	
 
 	void Stream::Terminate ()
@@ -61,6 +60,12 @@ namespace stream
 		m_AckSendTimer.cancel ();
 		m_ReceiveTimer.cancel ();
 		m_ResendTimer.cancel ();
+		if (m_SendHandler) 
+		{
+			auto handler = m_SendHandler;
+			m_SendHandler = nullptr;
+			handler (boost::asio::error::make_error_code (boost::asio::error::operation_aborted));
+		}
 	}	
 		
 	void Stream::HandleNextPacket (Packet * packet)
@@ -77,13 +82,13 @@ namespace stream
 		if (!receivedSeqn && !isSyn)
 		{
 			// plain ack
-			LogPrint (eLogDebug, "Plain ACK received");
+			LogPrint (eLogDebug, "Streaming: Plain ACK received");
 			delete packet;
 			return;
 		}
 
-		LogPrint (eLogDebug, "Received seqn=", receivedSeqn); 
-		if (isSyn || receivedSeqn == m_LastReceivedSequenceNumber + 1)
+		LogPrint (eLogDebug, "Streaming: Received seqn=", receivedSeqn);
+		if (receivedSeqn == m_LastReceivedSequenceNumber + 1)
 		{			
 			// we have received next in sequence message
 			ProcessPacket (packet);
@@ -108,7 +113,9 @@ namespace stream
 				if (!m_IsAckSendScheduled)
 				{
 					m_IsAckSendScheduled = true;
-					m_AckSendTimer.expires_from_now (boost::posix_time::milliseconds(ACK_SEND_TIMEOUT));
+					auto ackTimeout = m_RTT/10;
+					if (ackTimeout > ACK_SEND_TIMEOUT) ackTimeout = ACK_SEND_TIMEOUT;
+					m_AckSendTimer.expires_from_now (boost::posix_time::milliseconds(ackTimeout));
 					m_AckSendTimer.async_wait (std::bind (&Stream::HandleAckSendTimer,
 						shared_from_this (), std::placeholders::_1));
 				}
@@ -122,13 +129,13 @@ namespace stream
 			if (receivedSeqn <= m_LastReceivedSequenceNumber)
 			{
 				// we have received duplicate
-				LogPrint (eLogWarning, "Duplicate message ", receivedSeqn, " received");
+				LogPrint (eLogWarning, "Streaming: Duplicate message ", receivedSeqn, " received");
 				SendQuickAck (); // resend ack for previous message again
 				delete packet; // packet dropped
 			}	
 			else
 			{
-				LogPrint (eLogWarning, "Missing messages from ", m_LastReceivedSequenceNumber + 1, " to ", receivedSeqn - 1);
+				LogPrint (eLogWarning, "Streaming: Missing messages from ", m_LastReceivedSequenceNumber + 1, " to ", receivedSeqn - 1);
 				// save message and wait for missing message again
 				SavePacket (packet);
 				if (m_LastReceivedSequenceNumber >= 0)
@@ -155,7 +162,8 @@ namespace stream
 
 	void Stream::SavePacket (Packet * packet)
 	{
-		m_SavedPackets.insert (packet);
+		if (!m_SavedPackets.insert (packet).second)
+			delete packet;
 	}	
 
 	void Stream::ProcessPacket (Packet * packet)
@@ -163,43 +171,38 @@ namespace stream
 		// process flags
 		uint32_t receivedSeqn = packet->GetSeqn ();
 		uint16_t flags = packet->GetFlags ();
-		LogPrint (eLogDebug, "Process seqn=", receivedSeqn, ", flags=", flags);
+		LogPrint (eLogDebug, "Streaming: Process seqn=", receivedSeqn, ", flags=", flags);
 		
 		const uint8_t * optionData = packet->GetOptionData ();
-		if (flags & PACKET_FLAG_SYNCHRONIZE)
-			LogPrint (eLogDebug, "Synchronize");
 
 		if (flags & PACKET_FLAG_DELAY_REQUESTED)
-		{
 			optionData += 2;
-		}	
 		
 		if (flags & PACKET_FLAG_FROM_INCLUDED)
 		{
-			optionData += m_RemoteIdentity.FromBuffer (optionData, packet->GetOptionSize ());
-			LogPrint (eLogInfo, "From identity ", m_RemoteIdentity.GetIdentHash ().ToBase64 ());		
+			m_RemoteIdentity = std::make_shared<i2p::data::IdentityEx>(optionData, packet->GetOptionSize ());
+			optionData += m_RemoteIdentity->GetFullLen ();
 			if (!m_RemoteLeaseSet)
-				LogPrint (eLogDebug, "Incoming stream from ", m_RemoteIdentity.GetIdentHash ().ToBase64 ());
+				LogPrint (eLogDebug, "Streaming: Incoming stream from ", m_RemoteIdentity->GetIdentHash ().ToBase64 ());
 		}	
 
 		if (flags & PACKET_FLAG_MAX_PACKET_SIZE_INCLUDED)
 		{
 			uint16_t maxPacketSize = bufbe16toh (optionData);
-			LogPrint (eLogDebug, "Max packet size ", maxPacketSize);
+			LogPrint (eLogDebug, "Streaming: Max packet size ", maxPacketSize);
 			optionData += 2;
 		}	
 		
 		if (flags & PACKET_FLAG_SIGNATURE_INCLUDED)
 		{
-			LogPrint (eLogDebug, "Signature");
 			uint8_t signature[256]; 
-			auto signatureLen = m_RemoteIdentity.GetSignatureLen ();
+			auto signatureLen = m_RemoteIdentity->GetSignatureLen ();
 			memcpy (signature, optionData, signatureLen);
 			memset (const_cast<uint8_t *>(optionData), 0, signatureLen);
-			if (!m_RemoteIdentity.Verify (packet->GetBuffer (), packet->GetLength (), signature))
+			if (!m_RemoteIdentity->Verify (packet->GetBuffer (), packet->GetLength (), signature))
 			{  
-				LogPrint (eLogError, "Signature verification failed");
-			    Close ();
+				LogPrint (eLogError, "Streaming: Signature verification failed");
+				Close ();
 				flags |= PACKET_FLAG_CLOSE;
 			}	
 			memcpy (const_cast<uint8_t *>(optionData), signature, signatureLen);
@@ -217,9 +220,8 @@ namespace stream
 		
 		m_LastReceivedSequenceNumber = receivedSeqn;
 
-		if (flags & PACKET_FLAG_CLOSE)
+		if (flags & (PACKET_FLAG_CLOSE | PACKET_FLAG_RESET))
 		{
-			LogPrint (eLogInfo, "Closed");
 			m_Status = eStreamStatusReset;
 			Close ();
 		}
@@ -247,7 +249,7 @@ namespace stream
 						}
 					if (nacked)
 					{
-						LogPrint (eLogDebug, "Packet ", seqn, " NACK");
+						LogPrint (eLogDebug, "Streaming: Packet ", seqn, " NACK");
 						it++;
 						continue;
 					}	
@@ -272,6 +274,10 @@ namespace stream
 						m_LastWindowSizeIncreaseTime = ts;
 					}
 				}
+				if (!seqn && m_RoutingSession) // first message confirmed
+					m_RoutingSession->SetSharedRoutingPath (
+						std::make_shared<i2p::garlic::GarlicRoutingPath> (
+							i2p::garlic::GarlicRoutingPath{m_CurrentOutboundTunnel, m_CurrentRemoteLease, m_RTT, 0, 0}));
 			}
 			else
 				break;
@@ -299,6 +305,15 @@ namespace stream
 		return len;
 	}	
 
+	void Stream::AsyncSend (const uint8_t * buf, size_t len, SendHandler handler)
+	{
+		if (m_SendHandler) 
+			handler (boost::asio::error::make_error_code (boost::asio::error::in_progress));
+		else
+			m_SendHandler = handler;
+		Send (buf, len);
+	}
+
 	void Stream::SendBuffer ()
 	{	
 		int numMsgs = m_WindowSize - m_SentPackets.size ();
@@ -338,11 +353,11 @@ namespace stream
 					if (isNoAck) flags |= PACKET_FLAG_NO_ACK;
 					htobe16buf (packet + size, flags);
 					size += 2; // flags
-					size_t identityLen = m_LocalDestination.GetOwner ().GetIdentity ().GetFullLen ();
-					size_t signatureLen = m_LocalDestination.GetOwner ().GetIdentity ().GetSignatureLen ();
+					size_t identityLen = m_LocalDestination.GetOwner ()->GetIdentity ()->GetFullLen ();
+					size_t signatureLen = m_LocalDestination.GetOwner ()->GetIdentity ()->GetSignatureLen ();
 					htobe16buf (packet + size, identityLen + signatureLen + 2); // identity + signature + packet size
 					size += 2; // options size
-					m_LocalDestination.GetOwner ().GetIdentity ().ToBuffer (packet + size, identityLen); 
+					m_LocalDestination.GetOwner ()->GetIdentity ()->ToBuffer (packet + size, identityLen); 
 					size += identityLen; // from
 					htobe16buf (packet + size, STREAMING_MTU);
 					size += 2; // max packet size
@@ -351,7 +366,7 @@ namespace stream
 					size += signatureLen; // signature
 					m_SendBuffer.read ((char *)(packet + size), STREAMING_MTU - size);
 					size += m_SendBuffer.gcount (); // payload
-					m_LocalDestination.GetOwner ().Sign (packet, size, signature);
+					m_LocalDestination.GetOwner ()->Sign (packet, size, signature);
 				}	
 				else
 				{
@@ -367,6 +382,11 @@ namespace stream
 				packets.push_back (p);
 				numMsgs--;
 			}
+			if (m_SendBuffer.eof () && m_SendHandler)
+			{
+				m_SendHandler (boost::system::error_code ());
+				m_SendHandler = nullptr;
+			}
 		}	
 		if (packets.size () > 0)
 		{
@@ -397,7 +417,7 @@ namespace stream
 		}	
 		if (lastReceivedSeqn < 0) 
 		{	
-			LogPrint (eLogError, "No packets have been received yet");
+			LogPrint (eLogError, "Streaming: No packets have been received yet");
 			return;
 		}
 		
@@ -453,7 +473,7 @@ namespace stream
 		p.len = size;		
 
 		SendPackets (std::vector<Packet *> { &p });
-		LogPrint ("Quick Ack sent. ", (int)numNacks, " NACKs");
+		LogPrint (eLogDebug, "Streaming: Quick Ack sent. ", (int)numNacks, " NACKs");
 	}	
 
 	void Stream::Close ()
@@ -464,10 +484,10 @@ namespace stream
 				m_Status = eStreamStatusClosing;
 				Close (); // recursion
 				if (m_Status == eStreamStatusClosing) //still closing
-					LogPrint (eLogInfo, "Trying to send stream data before closing");
+					LogPrint (eLogInfo, "Streaming: Trying to send stream data before closing");
 			break;
 			case eStreamStatusReset:
-				SendClose ();
+				SendClose (); 
 				Terminate ();
 				m_LocalDestination.DeleteStream (shared_from_this ());	
 			break;
@@ -486,7 +506,7 @@ namespace stream
 				m_LocalDestination.DeleteStream (shared_from_this ());		
 			break;				
 			default:
-				LogPrint (eLogWarning, "Unexpected stream status ", (int)m_Status);
+				LogPrint (eLogWarning, "Streaming: Unexpected stream status ", (int)m_Status);
 		};			
 	}
 
@@ -508,17 +528,17 @@ namespace stream
 		size++; // resend delay
 		htobe16buf (packet + size, PACKET_FLAG_CLOSE | PACKET_FLAG_SIGNATURE_INCLUDED);
 		size += 2; // flags
-		size_t signatureLen = m_LocalDestination.GetOwner ().GetIdentity ().GetSignatureLen ();
+		size_t signatureLen = m_LocalDestination.GetOwner ()->GetIdentity ()->GetSignatureLen ();
 		htobe16buf (packet + size, signatureLen); // signature only
 		size += 2; // options size
 		uint8_t * signature = packet + size;
 		memset (packet + size, 0, signatureLen);
 		size += signatureLen; // signature
-		m_LocalDestination.GetOwner ().Sign (packet, size, signature);
+		m_LocalDestination.GetOwner ()->Sign (packet, size, signature);
 		
 		p->len = size;
 		m_Service.post (std::bind (&Stream::SendPacket, shared_from_this (), p));
-		LogPrint ("FIN sent");
+		LogPrint (eLogDebug, "Streaming: FIN sent");
 	}	
 		
 	size_t Stream::ConcatenatePackets (uint8_t * buf, size_t len)
@@ -572,31 +592,48 @@ namespace stream
 			UpdateCurrentRemoteLease ();	
 			if (!m_RemoteLeaseSet)
 			{
-				LogPrint (eLogError, "Can't send packets. Missing remote LeaseSet");
+				LogPrint (eLogError, "Streaming: Can't send packets, missing remote LeaseSet");
 				return;
 			}
 		}
+		if (!m_CurrentOutboundTunnel) // first message to send
+		{
+			// try to get shared path first
+			if (!m_RoutingSession)
+				m_RoutingSession = m_LocalDestination.GetOwner ()->GetRoutingSession (m_RemoteLeaseSet, true);
+			if (m_RoutingSession)
+			{	
+				auto routingPath = m_RoutingSession->GetSharedRoutingPath ();
+				if (routingPath)
+				{
+					m_CurrentOutboundTunnel = routingPath->outboundTunnel;
+					m_CurrentRemoteLease = routingPath->remoteLease;
+					m_RTT = routingPath->rtt;
+					m_RTO = m_RTT*1.5; // TODO: implement it better
+				}
+			}	
+		}	
 		if (!m_CurrentOutboundTunnel || !m_CurrentOutboundTunnel->IsEstablished ())
-			m_CurrentOutboundTunnel = m_LocalDestination.GetOwner ().GetTunnelPool ()->GetNextOutboundTunnel ();
+			m_CurrentOutboundTunnel = m_LocalDestination.GetOwner ()->GetTunnelPool ()->GetNewOutboundTunnel (m_CurrentOutboundTunnel);
 		if (!m_CurrentOutboundTunnel)
 		{
-			LogPrint (eLogError, "No outbound tunnels in the pool");
+			LogPrint (eLogError, "Streaming: No outbound tunnels in the pool");
 			return;
 		}
 
-		auto ts = i2p::util::GetMillisecondsSinceEpoch ();
-		if (ts >= m_CurrentRemoteLease.endDate - i2p::tunnel::TUNNEL_EXPIRATION_THRESHOLD*1000)
-			UpdateCurrentRemoteLease ();
-		if (ts < m_CurrentRemoteLease.endDate)
+		auto ts = i2p::util::GetMillisecondsSinceEpoch ();		
+		if (!m_CurrentRemoteLease || ts >= m_CurrentRemoteLease->endDate - i2p::data::LEASE_ENDDATE_THRESHOLD)
+			UpdateCurrentRemoteLease (true);
+		if (m_CurrentRemoteLease && ts < m_CurrentRemoteLease->endDate + i2p::data::LEASE_ENDDATE_THRESHOLD)
 		{	
 			std::vector<i2p::tunnel::TunnelMessageBlock> msgs;
 			for (auto it: packets)
 			{ 
-				auto msg = m_RoutingSession->WrapSingleMessage (CreateDataMessage (it->GetBuffer (), it->GetLength ()));
+				auto msg = m_RoutingSession->WrapSingleMessage (m_LocalDestination.CreateDataMessage (it->GetBuffer (), it->GetLength (), m_Port));
 				msgs.push_back (i2p::tunnel::TunnelMessageBlock 
 					{ 
 						i2p::tunnel::eDeliveryTypeTunnel,
-						m_CurrentRemoteLease.tunnelGateway, m_CurrentRemoteLease.tunnelID,
+						m_CurrentRemoteLease->tunnelGateway, m_CurrentRemoteLease->tunnelID,
 						msg
 					});	
 				m_NumSentBytes += it->GetLength ();
@@ -604,7 +641,7 @@ namespace stream
 			m_CurrentOutboundTunnel->SendTunnelDataMsg (msgs);
 		}	
 		else
-			LogPrint (eLogWarning, "All leases are expired");
+			LogPrint (eLogWarning, "Streaming: All leases are expired");
 	}
 
 		
@@ -623,7 +660,7 @@ namespace stream
 			// check for resend attempts
 			if (m_NumResendAttempts >= MAX_NUM_RESEND_ATTEMPTS)
 			{
-				LogPrint (eLogWarning, "Stream packet was not ACKed after ", MAX_NUM_RESEND_ATTEMPTS,  " attempts. Terminate");
+				LogPrint (eLogWarning, "Streaming: packet was not ACKed after ", MAX_NUM_RESEND_ATTEMPTS,  " attempts, terminate");
 				m_Status = eStreamStatusReset;
 				Close ();
 				return;
@@ -645,6 +682,7 @@ namespace stream
 			if (packets.size () > 0)
 			{
 				m_NumResendAttempts++;
+				m_RTO *= 2;
 				switch (m_NumResendAttempts)
 				{	
 					case 1: // congesion avoidance
@@ -652,15 +690,18 @@ namespace stream
 						if (m_WindowSize < MIN_WINDOW_SIZE) m_WindowSize = MIN_WINDOW_SIZE;
 					break;
 					case 2:
-					case 4:	
+						m_RTO = INITIAL_RTO; // drop RTO to initial upon tunnels pair change first time
+						// no break here
+					case 4:
+						if (m_RoutingSession) m_RoutingSession->SetSharedRoutingPath (nullptr);
 						UpdateCurrentRemoteLease (); // pick another lease
-						m_RTO = INITIAL_RTO; // drop RTO to initial upon tunnels pair change
-						LogPrint (eLogWarning, "Another remote lease has been selected for stream");
+						LogPrint (eLogWarning, "Streaming: Another remote lease has been selected for stream");
 					break;	
 					case 3:
 						// pick another outbound tunnel 
-						m_CurrentOutboundTunnel = m_LocalDestination.GetOwner ().GetTunnelPool ()->GetNextOutboundTunnel (m_CurrentOutboundTunnel); 
-						LogPrint (eLogWarning, "Another outbound tunnel has been selected for stream");
+						if (m_RoutingSession) m_RoutingSession->SetSharedRoutingPath (nullptr);
+						m_CurrentOutboundTunnel = m_LocalDestination.GetOwner ()->GetTunnelPool ()->GetNextOutboundTunnel (m_CurrentOutboundTunnel); 
+						LogPrint (eLogWarning, "Streaming: Another outbound tunnel has been selected for stream");
 					break;
 					default: ;	
 				}	
@@ -676,7 +717,7 @@ namespace stream
 		{
 			if (m_LastReceivedSequenceNumber < 0)
 			{
-				LogPrint (eLogWarning, "SYN has not been recived after ", ACK_SEND_TIMEOUT, " milliseconds after follow on. Terminate");
+				LogPrint (eLogWarning, "Streaming: SYN has not been recived after ", ACK_SEND_TIMEOUT, " milliseconds after follow on, terminate");
 				m_Status = eStreamStatusReset;
 				Close ();
 				return;
@@ -687,67 +728,74 @@ namespace stream
 		}	
 	}
 
-	void Stream::UpdateCurrentRemoteLease ()
+	void Stream::UpdateCurrentRemoteLease (bool expired)
 	{
-		if (!m_RemoteLeaseSet)
+		if (!m_RemoteLeaseSet || m_RemoteLeaseSet->IsExpired ()) 
 		{
-			m_RemoteLeaseSet = m_LocalDestination.GetOwner ().FindLeaseSet (m_RemoteIdentity.GetIdentHash ());
-			if (!m_RemoteLeaseSet)		
-				LogPrint ("LeaseSet ", m_RemoteIdentity.GetIdentHash ().ToBase64 (), " not found");
+			m_RemoteLeaseSet = m_LocalDestination.GetOwner ()->FindLeaseSet (m_RemoteIdentity->GetIdentHash ());
+			if (!m_RemoteLeaseSet)	
+				LogPrint (eLogWarning, "Streaming: LeaseSet ", m_RemoteIdentity->GetIdentHash ().ToBase64 (), " not found");
 		}
 		if (m_RemoteLeaseSet)
 		{
 			if (!m_RoutingSession)
-				m_RoutingSession = m_LocalDestination.GetOwner ().GetRoutingSession (m_RemoteLeaseSet, 32);
+				m_RoutingSession = m_LocalDestination.GetOwner ()->GetRoutingSession (m_RemoteLeaseSet, true);
 			auto leases = m_RemoteLeaseSet->GetNonExpiredLeases (false); // try without threshold first
 			if (leases.empty ())
 			{
-				m_LocalDestination.GetOwner ().RequestDestination (m_RemoteIdentity.GetIdentHash ()); // time to re-request
-				leases = m_RemoteLeaseSet->GetNonExpiredLeases (true); // then with threshold
+				expired = false;
+				m_LocalDestination.GetOwner ()->RequestDestination (m_RemoteIdentity->GetIdentHash ()); // time to request
+				leases = m_RemoteLeaseSet->GetNonExpiredLeases (true); // then with threshold	
 			}
 			if (!leases.empty ())
 			{	
-				uint32_t i = i2p::context.GetRandomNumberGenerator ().GenerateWord32 (0, leases.size () - 1);
-				if (m_CurrentRemoteLease.endDate && leases[i].tunnelID == m_CurrentRemoteLease.tunnelID)
-					// make sure we don't select previous 	
-					i = (i + 1) % leases.size (); // if so, pick next
-				m_CurrentRemoteLease = leases[i];		
+				bool updated = false;	
+				if (expired && m_CurrentRemoteLease)
+				{
+					for (auto it: leases)
+						if ((it->tunnelGateway == m_CurrentRemoteLease->tunnelGateway) && (it->tunnelID != m_CurrentRemoteLease->tunnelID))
+						{
+							m_CurrentRemoteLease = it;
+							updated = true;
+							break;
+						} 
+				}
+				if (!updated)
+				{
+					uint32_t i = rand () % leases.size ();
+					if (m_CurrentRemoteLease && leases[i]->tunnelID == m_CurrentRemoteLease->tunnelID)
+						// make sure we don't select previous 	
+						i = (i + 1) % leases.size (); // if so, pick next
+					m_CurrentRemoteLease = leases[i];		
+				}
 			}	
 			else
 			{	
 				m_RemoteLeaseSet = nullptr;
-				m_CurrentRemoteLease.endDate = 0;
-				// re-request expired
+				m_CurrentRemoteLease = nullptr;
+				// we have requested expired before, no need to do it twice
 			}	
 		}
 		else
-			m_CurrentRemoteLease.endDate = 0;
+			m_CurrentRemoteLease = nullptr;
 	}	
 
-	I2NPMessage * Stream::CreateDataMessage (const uint8_t * payload, size_t len)
+	StreamingDestination::StreamingDestination (std::shared_ptr<i2p::client::ClientDestination> owner, uint16_t localPort, bool gzip): 
+		m_Owner (owner), m_LocalPort (localPort), m_Gzip (gzip), 
+		m_PendingIncomingTimer (m_Owner->GetService ())
 	{
-		I2NPMessage * msg = NewI2NPShortMessage ();
-		CryptoPP::Gzip compressor;
-		if (len <= i2p::stream::COMPRESSION_THRESHOLD_SIZE)
-			compressor.SetDeflateLevel (CryptoPP::Gzip::MIN_DEFLATE_LEVEL);
-		else
-			compressor.SetDeflateLevel (CryptoPP::Gzip::DEFAULT_DEFLATE_LEVEL);
-		compressor.Put (payload, len);
-		compressor.MessageEnd();
-		int size = compressor.MaxRetrievable ();
-		uint8_t * buf = msg->GetPayload ();
-		htobe32buf (buf, size); // length
-		buf += 4;
-		compressor.Get (buf, size);
-		htobe16buf (buf + 4, m_LocalDestination.GetLocalPort ()); // source port
-		htobe16buf (buf + 6, m_Port); // destination port 
-		buf[9] = i2p::client::PROTOCOL_TYPE_STREAMING; // streaming protocol
-		msg->len += size + 4; 
-		FillI2NPMessageHeader (msg, eI2NPData);
-		
-		return msg;
-	}	
+	}
 		
+	StreamingDestination::~StreamingDestination ()
+	{
+		for (auto it: m_SavedPackets)
+		{
+			for (auto it1: it.second) delete it1;
+			it.second.clear ();	
+		}
+		m_SavedPackets.clear ();
+	}
+
 	void StreamingDestination::Start ()
 	{	
 	}
@@ -755,6 +803,7 @@ namespace stream
 	void StreamingDestination::Stop ()
 	{	
 		ResetAcceptor ();
+		m_PendingIncomingTimer.cancel ();
 		{
 			std::unique_lock<std::mutex> l(m_StreamsMutex);
 			m_Streams.clear ();
@@ -771,7 +820,7 @@ namespace stream
 				it->second->HandleNextPacket (packet);
 			else
 			{	
-				LogPrint ("Unknown stream sendStreamID=", sendStreamID);
+				LogPrint (eLogError, "Streaming: Unknown stream sendStreamID=", sendStreamID);
 				delete packet;
 			}
 		}	
@@ -780,13 +829,39 @@ namespace stream
 			if (packet->IsSYN () && !packet->GetSeqn ()) // new incoming stream
 			{	
 				auto incomingStream = CreateNewIncomingStream ();
-				incomingStream->HandleNextPacket (packet);
+				uint32_t receiveStreamID = packet->GetReceiveStreamID ();
+				incomingStream->HandleNextPacket (packet); // SYN
+				// handle saved packets if any
+				{
+					auto it = m_SavedPackets.find (receiveStreamID);
+					if (it != m_SavedPackets.end ())
+					{
+						LogPrint (eLogDebug, "Streaming: Processing ", it->second.size (), " saved packets for receiveStreamID=", 	receiveStreamID);
+						for (auto it1: it->second)
+							incomingStream->HandleNextPacket (it1);
+						m_SavedPackets.erase (it);
+					}			
+				}	
+				// accept
 				if (m_Acceptor != nullptr)
 					m_Acceptor (incomingStream);
 				else
 				{
-					LogPrint ("Acceptor for incoming stream is not set");
-					DeleteStream (incomingStream);
+					LogPrint (eLogWarning, "Streaming: Acceptor for incoming stream is not set");
+					if (m_PendingIncomingStreams.size () < MAX_PENDING_INCOMING_BACKLOG)
+					{
+						m_PendingIncomingStreams.push_back (incomingStream);
+						m_PendingIncomingTimer.cancel ();
+						m_PendingIncomingTimer.expires_from_now (boost::posix_time::seconds(PENDING_INCOMING_TIMEOUT));
+						m_PendingIncomingTimer.async_wait (std::bind (&StreamingDestination::HandlePendingIncomingTimer, 
+							shared_from_this (), std::placeholders::_1));
+						LogPrint (eLogDebug, "Streaming: Pending incoming stream added");
+					}
+					else
+					{	
+						LogPrint (eLogWarning, "Streaming: Pending incoming streams backlog exceeds ", MAX_PENDING_INCOMING_BACKLOG);
+						incomingStream->Close ();
+					}	
 				}	
 			}	
 			else // follow on packet without SYN
@@ -799,16 +874,37 @@ namespace stream
 						it.second->HandleNextPacket (packet);
 						return;
 					}
-				// TODO: should queue it up
-				LogPrint ("Unknown stream receiveStreamID=", receiveStreamID);
-				delete packet;
+				// save follow on packet
+				auto it = m_SavedPackets.find (receiveStreamID);
+				if (it != m_SavedPackets.end ())
+					it->second.push_back (packet);
+				else
+				{
+					m_SavedPackets[receiveStreamID] = std::list<Packet *>{ packet };
+					auto timer = std::make_shared<boost::asio::deadline_timer> (m_Owner->GetService ());
+					timer->expires_from_now (boost::posix_time::seconds(PENDING_INCOMING_TIMEOUT));
+					auto s = shared_from_this ();
+					timer->async_wait ([s,timer,receiveStreamID](const boost::system::error_code& ecode)
+					{
+						if (ecode != boost::asio::error::operation_aborted)
+						{
+							auto it = s->m_SavedPackets.find (receiveStreamID);
+							if (it != s->m_SavedPackets.end ())
+							{
+								for (auto it1: it->second) delete it1;
+								it->second.clear ();
+								s->m_SavedPackets.erase (it);
+							}
+						}
+					});
+				}
 			}	
 		}	
 	}	
-
+		
 	std::shared_ptr<Stream> StreamingDestination::CreateNewOutgoingStream (std::shared_ptr<const i2p::data::LeaseSet> remote, int port)
 	{
-		auto s = std::make_shared<Stream> (m_Owner.GetService (), *this, remote, port);
+		auto s = std::make_shared<Stream> (m_Owner->GetService (), *this, remote, port);
 		std::unique_lock<std::mutex> l(m_StreamsMutex);
 		m_Streams[s->GetRecvStreamID ()] = s;
 		return s;
@@ -816,7 +912,7 @@ namespace stream
 
 	std::shared_ptr<Stream> StreamingDestination::CreateNewIncomingStream ()
 	{
-		auto s = std::make_shared<Stream> (m_Owner.GetService (), *this);
+		auto s = std::make_shared<Stream> (m_Owner->GetService (), *this);
 		std::unique_lock<std::mutex> l(m_StreamsMutex);
 		m_Streams[s->GetRecvStreamID ()] = s;
 		return s;
@@ -833,25 +929,71 @@ namespace stream
 		}	
 	}		
 
+	void StreamingDestination::SetAcceptor (const Acceptor& acceptor) 
+	{ 
+		m_Owner->GetService ().post([acceptor, this](void)
+			{                            
+				m_Acceptor = acceptor;
+				for (auto it: m_PendingIncomingStreams)
+					if (it->GetStatus () == eStreamStatusOpen) // still open?
+						m_Acceptor (it);
+				m_PendingIncomingStreams.clear ();
+				m_PendingIncomingTimer.cancel ();
+			});	
+	}
+
+	void StreamingDestination::ResetAcceptor () 
+	{                
+		if (m_Acceptor) m_Acceptor (nullptr); 
+		m_Acceptor = nullptr; 
+	}
+
+	void StreamingDestination::HandlePendingIncomingTimer (const boost::system::error_code& ecode)
+	{
+		if (ecode != boost::asio::error::operation_aborted)
+		{
+			LogPrint (eLogWarning, "Streaming: Pending incoming timeout expired");
+			for (auto it: m_PendingIncomingStreams)
+				it->Close ();
+			m_PendingIncomingStreams.clear ();
+		}	
+	}	
+		
 	void StreamingDestination::HandleDataMessagePayload (const uint8_t * buf, size_t len)
 	{
 		// unzip it
-		CryptoPP::Gunzip decompressor;
-		decompressor.Put (buf, len);
-		decompressor.MessageEnd();
 		Packet * uncompressed = new Packet;
 		uncompressed->offset = 0;
-		uncompressed->len = decompressor.MaxRetrievable ();
-		if (uncompressed->len <= MAX_PACKET_SIZE)
-		{
-			decompressor.Get (uncompressed->buf, uncompressed->len);
+		uncompressed->len = m_Inflator.Inflate (buf, len, uncompressed->buf, MAX_PACKET_SIZE);
+		if (uncompressed->len)
 			HandleNextPacket (uncompressed); 
-		}
 		else
-		{
-			LogPrint ("Received packet size ", uncompressed->len,  " exceeds max packet size. Skipped");
 			delete uncompressed;
-		}	
 	}
+
+	std::shared_ptr<I2NPMessage> StreamingDestination::CreateDataMessage (const uint8_t * payload, size_t len, uint16_t toPort)
+	{
+		auto msg = NewI2NPShortMessage ();
+		if (!m_Gzip || len <= i2p::stream::COMPRESSION_THRESHOLD_SIZE)
+			m_Deflator.SetCompressionLevel (Z_NO_COMPRESSION);
+		else
+			m_Deflator.SetCompressionLevel (Z_DEFAULT_COMPRESSION);
+		uint8_t * buf = msg->GetPayload ();
+		buf += 4; // reserve for lengthlength
+		msg->len += 4;
+		size_t size = m_Deflator.Deflate (payload, len, buf, msg->maxLen - msg->len);
+		if (size)
+		{
+			htobe32buf (msg->GetPayload (), size); // length
+			htobe16buf (buf + 4, m_LocalPort); // source port
+			htobe16buf (buf + 6, toPort); // destination port 
+			buf[9] = i2p::client::PROTOCOL_TYPE_STREAMING; // streaming protocol
+			msg->len += size; 
+			msg->FillI2NPMessageHeader (eI2NPData);
+		}	
+		else
+			msg = nullptr;
+		return msg;
+	}	
 }		
 }	

Streaming.h

@@ -11,6 +11,7 @@
 #include <memory>
 #include <mutex>
 #include <boost/asio.hpp>
+#include "Base.h"
 #include "I2PEndian.h"
 #include "Identity.h"
 #include "LeaseSet.h"
@@ -48,6 +49,8 @@ namespace stream
 	const int MAX_WINDOW_SIZE = 128;		
 	const int INITIAL_RTT = 8000; // in milliseconds
 	const int INITIAL_RTO = 9000; // in milliseconds
+	const size_t MAX_PENDING_INCOMING_BACKLOG = 128;
+	const int PENDING_INCOMING_TIMEOUT = 10; // in seconds
 	
 	struct Packet
 	{
@@ -85,7 +88,7 @@ namespace stream
 
 	enum StreamStatus
 	{
-		eStreamStatusNew,
+		eStreamStatusNew = 0,
 		eStreamStatusOpen,
 		eStreamStatusReset,
 		eStreamStatusClosing,
@@ -97,6 +100,8 @@ namespace stream
 	{	
 		public:
 
+			typedef std::function<void (const boost::system::error_code& ecode)> SendHandler;
+
 			Stream (boost::asio::io_service& service, StreamingDestination& local, 
 				std::shared_ptr<const i2p::data::LeaseSet> remote, int port = 0); // outgoing
 			Stream (boost::asio::io_service& service, StreamingDestination& local); // incoming			
@@ -105,13 +110,15 @@ namespace stream
 			uint32_t GetSendStreamID () const { return m_SendStreamID; };
 			uint32_t GetRecvStreamID () const { return m_RecvStreamID; };
 			std::shared_ptr<const i2p::data::LeaseSet> GetRemoteLeaseSet () const { return m_RemoteLeaseSet; };
-			const i2p::data::IdentityEx& GetRemoteIdentity () const { return m_RemoteIdentity; };
-			bool IsOpen () const { return m_Status ==  eStreamStatusOpen; };
+			std::shared_ptr<const i2p::data::IdentityEx> GetRemoteIdentity () const { return m_RemoteIdentity; };
+			bool IsOpen () const { return m_Status == eStreamStatusOpen; };
 			bool IsEstablished () const { return m_SendStreamID; };
+			StreamStatus GetStatus () const { return m_Status; };
 			StreamingDestination& GetLocalDestination () { return m_LocalDestination; };
 			
 			void HandleNextPacket (Packet * packet);
 			size_t Send (const uint8_t * buf, size_t len);
+			void AsyncSend (const uint8_t * buf, size_t len, SendHandler handler);
 			
 			template<typename Buffer, typename ReceiveHandler>
 			void AsyncReceive (const Buffer& buffer, ReceiveHandler handler, int timeout = 0);
@@ -143,7 +150,7 @@ namespace stream
 			void ProcessAck (Packet * packet);
 			size_t ConcatenatePackets (uint8_t * buf, size_t len);
 
-			void UpdateCurrentRemoteLease ();
+			void UpdateCurrentRemoteLease (bool expired = false);
 			
 			template<typename Buffer, typename ReceiveHandler>
 			void HandleReceiveTimer (const boost::system::error_code& ecode, const Buffer& buffer, ReceiveHandler handler);
@@ -151,8 +158,6 @@ namespace stream
 			void ScheduleResend ();
 			void HandleResendTimer (const boost::system::error_code& ecode);
 			void HandleAckSendTimer (const boost::system::error_code& ecode);
-
-			I2NPMessage * CreateDataMessage (const uint8_t * payload, size_t len);
 			
 		private:
 
@@ -162,10 +167,10 @@ namespace stream
 			StreamStatus m_Status;
 			bool m_IsAckSendScheduled;
 			StreamingDestination& m_LocalDestination;
-			i2p::data::IdentityEx m_RemoteIdentity;
+			std::shared_ptr<const i2p::data::IdentityEx> m_RemoteIdentity;
 			std::shared_ptr<const i2p::data::LeaseSet> m_RemoteLeaseSet;
 			std::shared_ptr<i2p::garlic::GarlicRoutingSession> m_RoutingSession;
-			i2p::data::Lease m_CurrentRemoteLease;
+			std::shared_ptr<const i2p::data::Lease> m_CurrentRemoteLease;
 			std::shared_ptr<i2p::tunnel::OutboundTunnel> m_CurrentOutboundTunnel;
 			std::queue<Packet *> m_ReceiveQueue;
 			std::set<Packet *, PacketCmp> m_SavedPackets;
@@ -179,46 +184,55 @@ namespace stream
 			int m_WindowSize, m_RTT, m_RTO;
 			uint64_t m_LastWindowSizeIncreaseTime;
 			int m_NumResendAttempts;
+			SendHandler m_SendHandler;
 	};
 
-	class StreamingDestination
+	class StreamingDestination: public std::enable_shared_from_this<StreamingDestination>
 	{
 		public:
 
 			typedef std::function<void (std::shared_ptr<Stream>)> Acceptor;
 
-			StreamingDestination (i2p::client::ClientDestination& owner, uint16_t localPort = 0): 
-				m_Owner (owner), m_LocalPort (localPort) {};
-			~StreamingDestination () {};	
+			StreamingDestination (std::shared_ptr<i2p::client::ClientDestination> owner, uint16_t localPort = 0, bool gzip = true);
+			~StreamingDestination ();	
 
 			void Start ();
 			void Stop ();
 
 			std::shared_ptr<Stream> CreateNewOutgoingStream (std::shared_ptr<const i2p::data::LeaseSet> remote, int port = 0);
 			void DeleteStream (std::shared_ptr<Stream> stream);			
-			void SetAcceptor (const Acceptor& acceptor) { m_Acceptor = acceptor; };
-			void ResetAcceptor () { if (m_Acceptor) m_Acceptor (nullptr); m_Acceptor = nullptr; };
+			void SetAcceptor (const Acceptor& acceptor);
+			void ResetAcceptor ();
 			bool IsAcceptorSet () const { return m_Acceptor != nullptr; };	
-			i2p::client::ClientDestination& GetOwner () { return m_Owner; };
+			std::shared_ptr<i2p::client::ClientDestination> GetOwner () const { return m_Owner; };
 			uint16_t GetLocalPort () const { return m_LocalPort; };
 
 			void HandleDataMessagePayload (const uint8_t * buf, size_t len);
+			std::shared_ptr<I2NPMessage> CreateDataMessage (const uint8_t * payload, size_t len, uint16_t toPort);
 
 		private:		
 	
 			void HandleNextPacket (Packet * packet);
 			std::shared_ptr<Stream> CreateNewIncomingStream ();
+			void HandlePendingIncomingTimer (const boost::system::error_code& ecode);
 
 		private:
 
-			i2p::client::ClientDestination& m_Owner;
+			std::shared_ptr<i2p::client::ClientDestination> m_Owner;
 			uint16_t m_LocalPort;
+			bool m_Gzip; // gzip compression of data messages
 			std::mutex m_StreamsMutex;
-			std::map<uint32_t, std::shared_ptr<Stream> > m_Streams;
+			std::map<uint32_t, std::shared_ptr<Stream> > m_Streams; // sendStreamID->stream
 			Acceptor m_Acceptor;
+			std::list<std::shared_ptr<Stream> > m_PendingIncomingStreams;
+			boost::asio::deadline_timer m_PendingIncomingTimer;
+			std::map<uint32_t, std::list<Packet *> > m_SavedPackets; // receiveStreamID->packets, arrived before SYN
 			
 		public:
 
+			i2p::data::GzipInflator m_Inflator;
+			i2p::data::GzipDeflator m_Deflator;
+			
 			// for HTTP only
 			const decltype(m_Streams)& GetStreams () const { return m_Streams; };
 	};		
@@ -228,20 +242,18 @@ namespace stream
 	template<typename Buffer, typename ReceiveHandler>
 	void Stream::AsyncReceive (const Buffer& buffer, ReceiveHandler handler, int timeout)
 	{
-		if (!m_ReceiveQueue.empty ())
+		auto s = shared_from_this();
+		m_Service.post ([=](void)
 		{
-			auto s = shared_from_this();
-			m_Service.post ([=](void) { s->HandleReceiveTimer (
-				boost::asio::error::make_error_code (boost::asio::error::operation_aborted),
-				buffer, handler); });
-		}
-		else
-		{
-			m_ReceiveTimer.expires_from_now (boost::posix_time::seconds(timeout));
-			auto s = shared_from_this();
-			m_ReceiveTimer.async_wait ([=](const boost::system::error_code& ecode)
-				{ s->HandleReceiveTimer (ecode, buffer, handler); });
-		}
+			if (!m_ReceiveQueue.empty () || m_Status == eStreamStatusReset)
+				s->HandleReceiveTimer (boost::asio::error::make_error_code (boost::asio::error::operation_aborted), buffer, handler);
+			else
+			{
+				s->m_ReceiveTimer.expires_from_now (boost::posix_time::seconds(timeout));
+				s->m_ReceiveTimer.async_wait ([=](const boost::system::error_code& ecode)
+					{ s->HandleReceiveTimer (ecode, buffer, handler); });
+			}
+		});	
 	}
 
 	template<typename Buffer, typename ReceiveHandler>

TransitTunnel.cpp

@@ -14,56 +14,54 @@ namespace tunnel
 	TransitTunnel::TransitTunnel (uint32_t receiveTunnelID, 
 	    const uint8_t * nextIdent, uint32_t nextTunnelID, 
 		const uint8_t * layerKey,const uint8_t * ivKey): 
-			m_TunnelID (receiveTunnelID),  m_NextTunnelID (nextTunnelID), 
-			m_NextIdent (nextIdent)
+			TunnelBase (receiveTunnelID, nextTunnelID, nextIdent)
 	{	
 		m_Encryption.SetKeys (layerKey, ivKey);
 	}	
 
-	void TransitTunnel::EncryptTunnelMsg (I2NPMessage * tunnelMsg)
+	void TransitTunnel::EncryptTunnelMsg (std::shared_ptr<const I2NPMessage> in, std::shared_ptr<I2NPMessage> out)
 	{		
-		m_Encryption.Encrypt (tunnelMsg->GetPayload () + 4); 
+		m_Encryption.Encrypt (in->GetPayload () + 4, out->GetPayload () + 4); 
 	}	
 
 	TransitTunnelParticipant::~TransitTunnelParticipant ()
 	{
-		for (auto it: m_TunnelDataMsgs)
-			i2p::DeleteI2NPMessage (it);
 	}	
 		
-	void TransitTunnelParticipant::HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg)
+	void TransitTunnelParticipant::HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg)
 	{
-		EncryptTunnelMsg (tunnelMsg);
+		auto newMsg = CreateEmptyTunnelDataMsg ();
+		EncryptTunnelMsg (tunnelMsg, newMsg);
 		
 		m_NumTransmittedBytes += tunnelMsg->GetLength ();
-		htobe32buf (tunnelMsg->GetPayload (), GetNextTunnelID ());
-		FillI2NPMessageHeader (tunnelMsg, eI2NPTunnelData);
-		m_TunnelDataMsgs.push_back (tunnelMsg);
+		htobe32buf (newMsg->GetPayload (), GetNextTunnelID ());
+		newMsg->FillI2NPMessageHeader (eI2NPTunnelData); 
+		m_TunnelDataMsgs.push_back (newMsg);
 	}
 
 	void TransitTunnelParticipant::FlushTunnelDataMsgs ()
 	{
 		if (!m_TunnelDataMsgs.empty ())
 		{	
-			LogPrint (eLogDebug, "TransitTunnel: ",GetTunnelID (),"->", GetNextTunnelID (), " ", m_TunnelDataMsgs.size ());
+			auto num = m_TunnelDataMsgs.size ();
+			if (num > 1)
+				LogPrint (eLogDebug, "TransitTunnel: ", GetTunnelID (), "->", GetNextTunnelID (), " ", num);
 			i2p::transport::transports.SendMessages (GetNextIdentHash (), m_TunnelDataMsgs);
 			m_TunnelDataMsgs.clear ();
 		}	
 	}	
 		
-	void TransitTunnel::SendTunnelDataMsg (i2p::I2NPMessage * msg)
+	void TransitTunnel::SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg)
 	{	
-		LogPrint (eLogError, "We are not a gateway for transit tunnel ", m_TunnelID);
-		i2p::DeleteI2NPMessage (msg);	
+		LogPrint (eLogError, "TransitTunnel: We are not a gateway for ", GetTunnelID ());
 	}		
 
-	void TransitTunnel::HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg)
+	void TransitTunnel::HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg)
 	{
-		LogPrint (eLogError, "Incoming tunnel message is not supported  ", m_TunnelID);
-		DeleteI2NPMessage (tunnelMsg);	
+		LogPrint (eLogError, "TransitTunnel: Incoming tunnel message is not supported ", GetTunnelID ());
 	}	
 		
-	void TransitTunnelGateway::SendTunnelDataMsg (i2p::I2NPMessage * msg)
+	void TransitTunnelGateway::SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg)
 	{
 		TunnelMessageBlock block;
 		block.deliveryType = eDeliveryTypeLocal;
@@ -78,33 +76,34 @@ namespace tunnel
 		m_Gateway.SendBuffer ();
 	}	
 		
-	void TransitTunnelEndpoint::HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg)
+	void TransitTunnelEndpoint::HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg)
 	{
-		EncryptTunnelMsg (tunnelMsg);
+		auto newMsg = CreateEmptyTunnelDataMsg ();
+		EncryptTunnelMsg (tunnelMsg, newMsg);
 		
-		LogPrint (eLogDebug, "TransitTunnel endpoint for ", GetTunnelID ());
-		m_Endpoint.HandleDecryptedTunnelDataMsg (tunnelMsg); 
+		LogPrint (eLogDebug, "TransitTunnel: handle msg for endpoint ", GetTunnelID ());
+		m_Endpoint.HandleDecryptedTunnelDataMsg (newMsg); 
 	}
 		
-	TransitTunnel * CreateTransitTunnel (uint32_t receiveTunnelID,
+	std::shared_ptr<TransitTunnel> CreateTransitTunnel (uint32_t receiveTunnelID,
 		const uint8_t * nextIdent, uint32_t nextTunnelID, 
 	    const uint8_t * layerKey,const uint8_t * ivKey, 
 		bool isGateway, bool isEndpoint)
 	{
 		if (isEndpoint)
 		{	
-			LogPrint (eLogInfo, "TransitTunnel endpoint: ", receiveTunnelID, " created");
-			return new TransitTunnelEndpoint (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey);
+			LogPrint (eLogInfo, "TransitTunnel: endpoint ", receiveTunnelID, " created");
+			return std::make_shared<TransitTunnelEndpoint> (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey);
 		}	
 		else if (isGateway)
 		{	
-			LogPrint (eLogInfo, "TransitTunnel gateway: ", receiveTunnelID, " created");
-			return new TransitTunnelGateway (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey);
+			LogPrint (eLogInfo, "TransitTunnel: gateway ", receiveTunnelID, " created");
+			return std::make_shared<TransitTunnelGateway> (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey);
 		}	
 		else	
 		{	
 			LogPrint (eLogInfo, "TransitTunnel: ", receiveTunnelID, "->", nextTunnelID, " created");
-			return new TransitTunnelParticipant (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey);
+			return std::make_shared<TransitTunnelParticipant> (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey);
 		}	
 	}		
 }

TransitTunnel.h

@@ -4,7 +4,8 @@
 #include <inttypes.h>
 #include <vector>
 #include <mutex>
-#include "aes.h"
+#include <memory>
+#include "Crypto.h"
 #include "I2NPProtocol.h"
 #include "TunnelEndpoint.h"
 #include "TunnelGateway.h"
@@ -23,20 +24,12 @@ namespace tunnel
 	    		const uint8_t * layerKey,const uint8_t * ivKey); 
 			
 			virtual size_t GetNumTransmittedBytes () const { return 0; };
-			
-			uint32_t GetTunnelID () const { return m_TunnelID; };
 
 			// implements TunnelBase
-			void SendTunnelDataMsg (i2p::I2NPMessage * msg);
-			void HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg);
-			void EncryptTunnelMsg (I2NPMessage * tunnelMsg); 
-			uint32_t GetNextTunnelID () const { return m_NextTunnelID; };
-			const i2p::data::IdentHash& GetNextIdentHash () const { return m_NextIdent; };
-			
+			void SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg);
+			void HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg);
+			void EncryptTunnelMsg (std::shared_ptr<const I2NPMessage> in, std::shared_ptr<I2NPMessage> out); 			
 		private:
-
-			uint32_t m_TunnelID, m_NextTunnelID;
-			i2p::data::IdentHash m_NextIdent;
 			
 			i2p::crypto::TunnelEncryption m_Encryption;
 	};	
@@ -53,13 +46,13 @@ namespace tunnel
 			~TransitTunnelParticipant ();
 
 			size_t GetNumTransmittedBytes () const { return m_NumTransmittedBytes; };
-			void HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg);
+			void HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg);
 			void FlushTunnelDataMsgs ();
 
 		private:
 
 			size_t m_NumTransmittedBytes;
-			std::vector<i2p::I2NPMessage *> m_TunnelDataMsgs;
+			std::vector<std::shared_ptr<i2p::I2NPMessage> > m_TunnelDataMsgs;
 	};	
 	
 	class TransitTunnelGateway: public TransitTunnel
@@ -72,7 +65,7 @@ namespace tunnel
 				TransitTunnel (receiveTunnelID, nextIdent, nextTunnelID, 
 				layerKey, ivKey), m_Gateway(this) {};
 
-			void SendTunnelDataMsg (i2p::I2NPMessage * msg);
+			void SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg);
 			void FlushTunnelDataMsgs ();
 			size_t GetNumTransmittedBytes () const { return m_Gateway.GetNumSentBytes (); };
 			
@@ -92,7 +85,7 @@ namespace tunnel
 				TransitTunnel (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey),
 				m_Endpoint (false) {}; // transit endpoint is always outbound
 
-			void HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg);
+			void HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg);
 			size_t GetNumTransmittedBytes () const { return m_Endpoint.GetNumReceivedBytes (); }
 			
 		private:
@@ -100,7 +93,7 @@ namespace tunnel
 			TunnelEndpoint m_Endpoint;
 	};
 	
-	TransitTunnel * CreateTransitTunnel (uint32_t receiveTunnelID,
+	std::shared_ptr<TransitTunnel> CreateTransitTunnel (uint32_t receiveTunnelID,
 		const uint8_t * nextIdent, uint32_t nextTunnelID, 
 	    const uint8_t * layerKey,const uint8_t * ivKey, 
 		bool isGateway, bool isEndpoint);

TransportSession.h

@@ -6,6 +6,7 @@
 #include <memory>
 #include <vector>
 #include "Identity.h"
+#include "Crypto.h"
 #include "RouterInfo.h"
 #include "I2NPProtocol.h"
 
@@ -13,17 +14,15 @@ namespace i2p
 {
 namespace transport
 {
-	struct DHKeysPair // transient keys for transport sessions
-	{
-		uint8_t publicKey[256];
-		uint8_t privateKey[256];
-	};	
-
 	class SignedData
 	{
 		public:
 
-			SignedData () {};
+			SignedData () {}
+			SignedData (const SignedData& other) 
+			{
+				m_Stream << other.m_Stream.rdbuf ();
+			}	
 			void Insert (const uint8_t * buf, size_t len) 
 			{ 
 				m_Stream.write ((char *)buf, len); 
@@ -35,9 +34,9 @@ namespace transport
 				m_Stream.write ((char *)&t, sizeof (T)); 
 			}
 
-			bool Verify (const i2p::data::IdentityEx& ident, const uint8_t * signature) const
+			bool Verify (std::shared_ptr<const i2p::data::IdentityEx> ident, const uint8_t * signature) const
 			{
-				return ident.Verify ((const uint8_t *)m_Stream.str ().c_str (), m_Stream.str ().size (), signature); 
+				return ident->Verify ((const uint8_t *)m_Stream.str ().c_str (), m_Stream.str ().size (), signature); 
 			}
 
 			void Sign (const i2p::data::PrivateKeys& keys, uint8_t * signature) const
@@ -54,32 +53,31 @@ namespace transport
 	{
 		public:
 
-			TransportSession (std::shared_ptr<const i2p::data::RouterInfo> in_RemoteRouter): 
-				m_RemoteRouter (in_RemoteRouter), m_DHKeysPair (nullptr), 
-				m_NumSentBytes (0), m_NumReceivedBytes (0)
+			TransportSession (std::shared_ptr<const i2p::data::RouterInfo> router): 
+				m_DHKeysPair (nullptr), m_NumSentBytes (0), m_NumReceivedBytes (0), m_IsOutgoing (router)
 			{
-				if (m_RemoteRouter)
-					m_RemoteIdentity = m_RemoteRouter->GetRouterIdentity ();
+				if (router)
+					m_RemoteIdentity = router->GetRouterIdentity ();
 			}
 
-			virtual ~TransportSession () { delete m_DHKeysPair; };
+			virtual ~TransportSession () {};
 			virtual void Done () = 0;
 			
-			std::shared_ptr<const i2p::data::RouterInfo> GetRemoteRouter () { return m_RemoteRouter; };
-			const i2p::data::IdentityEx& GetRemoteIdentity () { return m_RemoteIdentity; };
-
+			std::shared_ptr<const i2p::data::IdentityEx> GetRemoteIdentity () { return m_RemoteIdentity; };
+			void SetRemoteIdentity (std::shared_ptr<const i2p::data::IdentityEx> ident) { m_RemoteIdentity = ident; };
+			
 			size_t GetNumSentBytes () const { return m_NumSentBytes; };
 			size_t GetNumReceivedBytes () const { return m_NumReceivedBytes; };
+			bool IsOutgoing () const { return m_IsOutgoing; };
 			
-			virtual void SendI2NPMessage (I2NPMessage * msg) = 0;
-			virtual void SendI2NPMessages (const std::vector<I2NPMessage *>& msgs) = 0;
+			virtual void SendI2NPMessages (const std::vector<std::shared_ptr<I2NPMessage> >& msgs) = 0;
 			
 		protected:
 
-			std::shared_ptr<const i2p::data::RouterInfo> m_RemoteRouter;
-			i2p::data::IdentityEx m_RemoteIdentity; 
-			DHKeysPair * m_DHKeysPair; // X - for client and Y - for server
+			std::shared_ptr<const i2p::data::IdentityEx> m_RemoteIdentity; 
+			std::shared_ptr<i2p::crypto::DHKeys> m_DHKeysPair; // X - for client and Y - for server
 			size_t m_NumSentBytes, m_NumReceivedBytes;
+			bool m_IsOutgoing;
 	};	
 }
 }

Transports.cpp

@@ -1,6 +1,6 @@
-#include <cryptopp/dh.h>
+#include <openssl/dh.h>
 #include "Log.h"
-#include "CryptoConst.h"
+#include "Crypto.h"
 #include "RouterContext.h"
 #include "I2NPProtocol.h"
 #include "NetDb.h"
@@ -56,37 +56,36 @@ namespace transport
 	{
 		if (num > 0)
 		{
-			CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
+			i2p::crypto::DHKeys dh;
 			for (int i = 0; i < num; i++)
 			{
-				i2p::transport::DHKeysPair * pair = new i2p::transport::DHKeysPair ();
-				dh.GenerateKeyPair(m_Rnd, pair->privateKey, pair->publicKey);
+				auto pair = std::make_shared<i2p::crypto::DHKeys> ();
+				pair->GenerateKeys ();
 				std::unique_lock<std::mutex>  l(m_AcquiredMutex);
 				m_Queue.push (pair);
 			}
 		}
 	}
 
-	DHKeysPair * DHKeysPairSupplier::Acquire ()
+	std::shared_ptr<i2p::crypto::DHKeys> DHKeysPairSupplier::Acquire ()
 	{
-		if (!m_Queue.empty ())
 		{
 			std::unique_lock<std::mutex>  l(m_AcquiredMutex);
-			auto pair = m_Queue.front ();
-			m_Queue.pop ();
-			m_Acquired.notify_one ();
-			return pair;
+			if (!m_Queue.empty ())
+			{
+				auto pair = m_Queue.front ();
+				m_Queue.pop ();
+				m_Acquired.notify_one ();
+				return pair;
+			}	
 		}	
-		else // queue is empty, create new
-		{
-			DHKeysPair * pair = new DHKeysPair ();
-			CryptoPP::DH dh (i2p::crypto::elgp, i2p::crypto::elgg);
-			dh.GenerateKeyPair(m_Rnd, pair->privateKey, pair->publicKey);
-			return pair;
-		}
+		// queue is empty, create new
+		auto pair = std::make_shared<i2p::crypto::DHKeys> ();
+		pair->GenerateKeys ();
+		return pair;
 	}
 
-	void DHKeysPairSupplier::Return (DHKeysPair * pair)
+	void DHKeysPairSupplier::Return (std::shared_ptr<i2p::crypto::DHKeys> pair)
 	{
 		std::unique_lock<std::mutex>  l(m_AcquiredMutex);
 		m_Queue.push (pair);
@@ -113,26 +112,26 @@ namespace transport
 		m_IsRunning = true;
 		m_Thread = new std::thread (std::bind (&Transports::Run, this));
 		// create acceptors
-		auto addresses = context.GetRouterInfo ().GetAddresses ();
-		for (auto& address : addresses)
+		auto& addresses = context.GetRouterInfo ().GetAddresses ();
+		for (auto address : addresses)
 		{
 			if (!m_NTCPServer)
 			{	
-				m_NTCPServer = new NTCPServer (address.port);
+				m_NTCPServer = new NTCPServer ();
 				m_NTCPServer->Start ();
 			}	
 			
-			if (address.transportStyle == RouterInfo::eTransportSSU && address.host.is_v4 ())
+			if (address->transportStyle == RouterInfo::eTransportSSU && address->host.is_v4 ())
 			{
 				if (!m_SSUServer)
 				{	
-					m_SSUServer = new SSUServer (address.port);
-					LogPrint ("Start listening UDP port ", address.port);
+					m_SSUServer = new SSUServer (address->port);
+					LogPrint (eLogInfo, "Transports: Start listening UDP port ", address->port);
 					m_SSUServer->Start ();	
 					DetectExternalIP ();
 				}
 				else
-					LogPrint ("SSU server already exists");
+					LogPrint (eLogError, "Transports: SSU server already exists");
 			}
 		}	
 		m_PeerCleanupTimer.expires_from_now (boost::posix_time::seconds(5*SESSION_CREATION_TIMEOUT));
@@ -177,7 +176,7 @@ namespace transport
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint ("Transports: ", ex.what ());
+				LogPrint (eLogError, "Transports: runtime exception: ", ex.what ());
 			}	
 		}	
 	}
@@ -201,48 +200,22 @@ namespace transport
 
 	bool Transports::IsBandwidthExceeded () const
 	{
-		if (i2p::context.GetRouterInfo ().IsHighBandwidth ()) return false;
-		return std::max (m_InBandwidth, m_OutBandwidth) > LOW_BANDWIDTH_LIMIT;
+		auto limit = i2p::context.GetBandwidthLimit() * 1024; // convert to bytes
+		auto bw = std::max (m_InBandwidth, m_OutBandwidth);
+		return bw > limit;
 	}
 
-	void Transports::SendMessage (const i2p::data::IdentHash& ident, i2p::I2NPMessage * msg)
+	void Transports::SendMessage (const i2p::data::IdentHash& ident, std::shared_ptr<i2p::I2NPMessage> msg)
 	{
-		m_Service.post (std::bind (&Transports::PostMessage, this, ident, msg));                             
+		SendMessages (ident, std::vector<std::shared_ptr<i2p::I2NPMessage> > {msg });                             
 	}	
 
-	void Transports::SendMessages (const i2p::data::IdentHash& ident, const std::vector<i2p::I2NPMessage *>& msgs)
+	void Transports::SendMessages (const i2p::data::IdentHash& ident, const std::vector<std::shared_ptr<i2p::I2NPMessage> >& msgs)
 	{
 		m_Service.post (std::bind (&Transports::PostMessages, this, ident, msgs));
 	}	
-		
-	void Transports::PostMessage (i2p::data::IdentHash ident, i2p::I2NPMessage * msg)
-	{
-		if (ident == i2p::context.GetRouterInfo ().GetIdentHash ())
-		{	
-			// we send it to ourself
-			i2p::HandleI2NPMessage (msg);
-			return;
-		}	
 
-		auto it = m_Peers.find (ident);
-		if (it == m_Peers.end ())
-		{
-			auto r = netdb.FindRouter (ident);
-			it = m_Peers.insert (std::pair<i2p::data::IdentHash, Peer>(ident, { 0, r, nullptr,
-				i2p::util::GetSecondsSinceEpoch () })).first;
-			if (!ConnectToPeer (ident, it->second))
-			{
-				DeleteI2NPMessage (msg);
-				return;
-			}	
-		}	
-		if (it->second.session)
-			it->second.session->SendI2NPMessage (msg);
-		else
-			it->second.delayedMessages.push_back (msg);
-	}	
-
-	void Transports::PostMessages (i2p::data::IdentHash ident, std::vector<i2p::I2NPMessage *> msgs)
+	void Transports::PostMessages (i2p::data::IdentHash ident, std::vector<std::shared_ptr<i2p::I2NPMessage> > msgs)
 	{
 		if (ident == i2p::context.GetRouterInfo ().GetIdentHash ())
 		{	
@@ -254,18 +227,25 @@ namespace transport
 		auto it = m_Peers.find (ident);
 		if (it == m_Peers.end ())
 		{
-			auto r = netdb.FindRouter (ident);
-			it = m_Peers.insert (std::pair<i2p::data::IdentHash, Peer>(ident, { 0, r, nullptr,
-				i2p::util::GetSecondsSinceEpoch () })).first;
-			if (!ConnectToPeer (ident, it->second))
+			bool connected = false; 
+			try
 			{
-				for (auto it1: msgs)
-					DeleteI2NPMessage (it1);
-				return;
-			}	
+				auto r = netdb.FindRouter (ident);
+				{
+					std::unique_lock<std::mutex>  l(m_PeersMutex);	
+					it = m_Peers.insert (std::pair<i2p::data::IdentHash, Peer>(ident, { 0, r, {},
+						i2p::util::GetSecondsSinceEpoch (), {} })).first;
+				}
+				connected = ConnectToPeer (ident, it->second);
+			}
+			catch (std::exception& ex)
+			{
+				LogPrint (eLogError, "Transports: PostMessages exception:", ex.what ());
+			}
+			if (!connected) return;
 		}	
-		if (it->second.session)
-			it->second.session->SendI2NPMessages (msgs);
+		if (!it->second.sessions.empty ())
+			it->second.sessions.front ()->SendI2NPMessages (msgs);
 		else
 		{	
 			for (auto it1: msgs)
@@ -281,7 +261,7 @@ namespace transport
 			{
 				peer.numAttempts++;
 				auto address = peer.router->GetNTCPAddress (!context.SupportsV6 ());
-				if (address)
+				if (address && m_NTCPServer)
 				{
 #if BOOST_VERSION >= 104900
 					if (!address->host.is_unspecified ()) // we have address now
@@ -302,30 +282,52 @@ namespace transport
 					{
 						if (address->addressString.length () > 0) // trying to resolve
 						{
-							LogPrint (eLogInfo, "Resolving ", address->addressString);
+							LogPrint (eLogDebug, "Transports: Resolving NTCP ", address->addressString);
 							NTCPResolve (address->addressString, ident);
 							return true;
 						}
 					}
 				}	
+				else
+					LogPrint (eLogWarning, "Transports: NTCP address is not present for ", i2p::data::GetIdentHashAbbreviation (ident), ", trying SSU");
 			}
-			else  if (peer.numAttempts == 1)// SSU
+			if (peer.numAttempts == 1)// SSU
 			{
 				peer.numAttempts++;
-				if (m_SSUServer)
-				{	
-					if (m_SSUServer->GetSession (peer.router))
+				if (m_SSUServer && peer.router->IsSSU (!context.SupportsV6 ()))
+				{
+					auto address = peer.router->GetSSUAddress (!context.SupportsV6 ());
+#if BOOST_VERSION >= 104900
+					if (!address->host.is_unspecified ()) // we have address now
+#else
+					boost::system::error_code ecode;
+					address->host.to_string (ecode);
+					if (!ecode)
+#endif
+					{
+						m_SSUServer->CreateSession (peer.router, address->host, address->port);
 						return true;
+					}
+					else // we don't have address
+					{
+						if (address->addressString.length () > 0) // trying to resolve
+						{
+							LogPrint (eLogDebug, "Transports: Resolving SSU ", address->addressString);
+							SSUResolve (address->addressString, ident);
+							return true;
+						}
+					}
 				}
 			}	
-			LogPrint (eLogError, "No NTCP and SSU addresses available");
-			if (peer.session) peer.session->Done ();
+			LogPrint (eLogError, "Transports: No NTCP or SSU addresses available");
+			peer.Done ();
+			std::unique_lock<std::mutex>  l(m_PeersMutex);	
 			m_Peers.erase (ident);
 			return false;
 		}	
 		else // otherwise request RI
 		{
-			LogPrint ("Router not found. Requested");
+			LogPrint (eLogInfo, "Transports: RouterInfo for ", ident.ToBase64 (), " not found, requested");
 			i2p::data::netdb.RequestDestination (ident, std::bind (
 				&Transports::RequestComplete, this, std::placeholders::_1, ident));
 		}	
@@ -337,20 +339,21 @@ namespace transport
 		m_Service.post (std::bind (&Transports::HandleRequestComplete, this, r, ident));
 	}		
 	
-	void Transports::HandleRequestComplete (std::shared_ptr<const i2p::data::RouterInfo> r, const i2p::data::IdentHash& ident)
+	void Transports::HandleRequestComplete (std::shared_ptr<const i2p::data::RouterInfo> r, i2p::data::IdentHash ident)
 	{
 		auto it = m_Peers.find (ident);
 		if (it != m_Peers.end ())
 		{	
 			if (r)
 			{
-				LogPrint ("Router found. Trying to connect");
+				LogPrint (eLogDebug, "Transports: RouterInfo for ", ident.ToBase64 (), " found, Trying to connect");
 				it->second.router = r;
 				ConnectToPeer (ident, it->second);
 			}	
 			else
 			{
-				LogPrint ("Router not found. Failed to send messages");
+				LogPrint (eLogError, "Transports: RouterInfo not found, Failed to send messages");
+				std::unique_lock<std::mutex>  l(m_PeersMutex);	
 				m_Peers.erase (it);
 			}	
 		}	
@@ -373,17 +376,70 @@ namespace transport
 			auto& peer = it1->second;
 			if (!ecode && peer.router)
 			{
-				auto address = (*it).endpoint ().address ();
-				LogPrint (eLogInfo, (*it).host_name (), " has been resolved to ", address);
-				auto addr = peer.router->GetNTCPAddress ();
-				if (addr)
-				{
-					auto s = std::make_shared<NTCPSession> (*m_NTCPServer, peer.router);
-					m_NTCPServer->Connect (address, addr->port, s);
-					return;
+				while (it != boost::asio::ip::tcp::resolver::iterator())
+				{	
+					auto address = (*it).endpoint ().address ();
+					LogPrint (eLogDebug, "Transports: ", (*it).host_name (), " has been resolved to ", address);
+					if (address.is_v4 () || context.SupportsV6 ())
+					{
+						auto addr = peer.router->GetNTCPAddress (); // TODO: take one we requested
+						if (addr)
+						{
+							auto s = std::make_shared<NTCPSession> (*m_NTCPServer, peer.router);
+							m_NTCPServer->Connect (address, addr->port, s);
+							return;
+						}
+						break;
+					}	
+					else
+						LogPrint (eLogInfo, "Transports: NTCP ", address, " is not supported");
+					it++;
 				}	
 			}
-			LogPrint (eLogError, "Unable to resolve NTCP address: ", ecode.message ());
+			LogPrint (eLogError, "Transports: Unable to resolve NTCP address: ", ecode.message ());
+			std::unique_lock<std::mutex>  l(m_PeersMutex);		
+			m_Peers.erase (it1);
+		}
+	}
+
+	void Transports::SSUResolve (const std::string& addr, const i2p::data::IdentHash& ident)
+	{
+		auto resolver = std::make_shared<boost::asio::ip::tcp::resolver>(m_Service);
+		resolver->async_resolve (boost::asio::ip::tcp::resolver::query (addr, ""), 
+			std::bind (&Transports::HandleSSUResolve, this, 
+				std::placeholders::_1, std::placeholders::_2, ident, resolver));
+	}
+
+	void Transports::HandleSSUResolve (const boost::system::error_code& ecode, boost::asio::ip::tcp::resolver::iterator it, 
+		i2p::data::IdentHash ident, std::shared_ptr<boost::asio::ip::tcp::resolver> resolver)
+	{
+		auto it1 = m_Peers.find (ident);
+		if (it1 != m_Peers.end ())
+		{
+			auto& peer = it1->second;
+			if (!ecode && peer.router)
+			{
+				while (it != boost::asio::ip::tcp::resolver::iterator())
+				{	
+					auto address = (*it).endpoint ().address ();
+					LogPrint (eLogDebug, "Transports: ", (*it).host_name (), " has been resolved to ", address);
+					if (address.is_v4 () || context.SupportsV6 ())
+					{
+						auto addr = peer.router->GetSSUAddress (); // TODO: take one we requested
+						if (addr)
+						{
+							m_SSUServer->CreateSession (peer.router, address, addr->port);
+							return;
+						}
+						break;
+					}
+					else
+						LogPrint (eLogInfo, "Transports: SSU ", address, " is not supported");
+					it++;
+				}	
+			}
+			LogPrint (eLogError, "Transports: Unable to resolve SSU address: ", ecode.message ());
+			std::unique_lock<std::mutex>  l(m_PeersMutex);	
 			m_Peers.erase (it1);
 		}
 	}
@@ -400,7 +456,7 @@ namespace transport
 		if (ssuSession) // try SSU first
 		{	
 			m_SSUServer->DeleteSession (ssuSession);
-			LogPrint ("SSU session closed");	
+			LogPrint (eLogDebug, "Transports: SSU session closed");
 		}	
 		// TODO: delete NTCP
 	}	
@@ -413,27 +469,48 @@ namespace transport
 			for (int i = 0; i < 5; i++)
 			{
 				auto router = i2p::data::netdb.GetRandomPeerTestRouter ();
-				if (router  && router->IsSSU ())
-					m_SSUServer->GetSession (router, true);  // peer test	
+				if (router  && router->IsSSU (!context.SupportsV6 ()))
+					m_SSUServer->CreateSession (router, true);  // peer test	
 				else
 				{
 					// if not peer test capable routers found pick any
 					router = i2p::data::netdb.GetRandomRouter ();
 					if (router && router->IsSSU ())
-						m_SSUServer->GetSession (router);  	// no peer test
+						m_SSUServer->CreateSession (router);  	// no peer test
 				}
 			}	
 		}
 		else
-			LogPrint (eLogError, "Can't detect external IP. SSU is not available");
+			LogPrint (eLogError, "Transports: Can't detect external IP. SSU is not available");
 	}
-			
-	DHKeysPair * Transports::GetNextDHKeysPair ()
+
+	void Transports::PeerTest ()
+	{
+		if (m_SSUServer)
+		{
+			bool statusChanged = false;
+			for (int i = 0; i < 5; i++)
+			{
+				auto router = i2p::data::netdb.GetRandomPeerTestRouter ();
+				if (router && router->IsSSU (!context.SupportsV6 ()))
+				{	
+					if (!statusChanged)
+					{	
+						statusChanged = true;
+						i2p::context.SetStatus (eRouterStatusTesting); // first time only
+					}	
+					m_SSUServer->CreateSession (router, true);  // peer test	
+				}	
+			}	
+		}
+	}	
+		
+	std::shared_ptr<i2p::crypto::DHKeys> Transports::GetNextDHKeysPair ()
 	{
 		return m_DHKeysPairSupplier.Acquire ();
 	}
 
-	void Transports::ReuseDHKeysPair (DHKeysPair * pair)
+	void Transports::ReuseDHKeysPair (std::shared_ptr<i2p::crypto::DHKeys> pair)
 	{
 		m_DHKeysPairSupplier.Return (pair);
 	}
@@ -442,24 +519,33 @@ namespace transport
 	{
 		m_Service.post([session, this]()
 		{   
-			auto ident = session->GetRemoteIdentity ().GetIdentHash ();
+			auto remoteIdentity = session->GetRemoteIdentity (); 
+			if (!remoteIdentity) return;
+			auto ident = remoteIdentity->GetIdentHash ();
 			auto it = m_Peers.find (ident);
 			if (it != m_Peers.end ())
 			{
-				if (!it->second.session)
+				bool sendDatabaseStore = true;
+				if (it->second.delayedMessages.size () > 0)
 				{
-					it->second.session = session;
-					session->SendI2NPMessages (it->second.delayedMessages);
-					it->second.delayedMessages.clear ();
-				}
-				else
-				{
-					LogPrint (eLogError, "Session for ", ident.ToBase64 ().substr (0, 4), " already exists");
-					session->Done ();
-				}
+					// check if first message is our DatabaseStore (publishing)
+					auto firstMsg = it->second.delayedMessages[0];
+					if (firstMsg && firstMsg->GetTypeID () == eI2NPDatabaseStore &&
+					    i2p::data::IdentHash(firstMsg->GetPayload () + DATABASE_STORE_KEY_OFFSET) == i2p::context.GetIdentHash ())
+						sendDatabaseStore = false; // we have it in the list already
+				}	
+				if (sendDatabaseStore)
+					session->SendI2NPMessages ({ CreateDatabaseStoreMsg () });
+				it->second.sessions.push_back (session);
+				session->SendI2NPMessages (it->second.delayedMessages);
+				it->second.delayedMessages.clear ();
 			}
 			else // incoming connection
-				m_Peers.insert (std::make_pair (ident, Peer{ 0, nullptr, session, i2p::util::GetSecondsSinceEpoch () }));
+			{
+				session->SendI2NPMessages ({ CreateDatabaseStoreMsg () }); // send DatabaseStore
+				std::unique_lock<std::mutex>  l(m_PeersMutex);	
+				m_Peers.insert (std::make_pair (ident, Peer{ 0, nullptr, { session }, i2p::util::GetSecondsSinceEpoch (), {} }));
+			}
 		});			
 	}
 		
@@ -467,20 +553,30 @@ namespace transport
 	{
 		m_Service.post([session, this]()
 		{  
-			auto ident = session->GetRemoteIdentity ().GetIdentHash ();
+			auto remoteIdentity = session->GetRemoteIdentity (); 
+			if (!remoteIdentity) return;
+			auto ident = remoteIdentity->GetIdentHash ();
 			auto it = m_Peers.find (ident);
-			if (it != m_Peers.end () && (!it->second.session || it->second.session == session))
+			if (it != m_Peers.end ())
 			{
-				if (it->second.delayedMessages.size () > 0)
-					ConnectToPeer (ident, it->second);
-				else
-					m_Peers.erase (it);
+				it->second.sessions.remove (session);
+				if (it->second.sessions.empty ()) // TODO: why?
+				{	
+					if (it->second.delayedMessages.size () > 0)
+						ConnectToPeer (ident, it->second);
+					else
+					{
+						std::unique_lock<std::mutex>  l(m_PeersMutex);	
+						m_Peers.erase (it);
+					}
+				}
 			}
 		});	
 	}	
 
 	bool Transports::IsConnected (const i2p::data::IdentHash& ident) const
-	{
+	{	
+		std::unique_lock<std::mutex> l(m_PeersMutex);		
 		auto it = m_Peers.find (ident);
 		return it != m_Peers.end ();
 	}	
@@ -492,9 +588,10 @@ namespace transport
 			auto ts = i2p::util::GetSecondsSinceEpoch ();
 			for (auto it = m_Peers.begin (); it != m_Peers.end (); )
 			{
-				if (!it->second.session && ts > it->second.creationTime + SESSION_CREATION_TIMEOUT)
+				if (it->second.sessions.empty () && ts > it->second.creationTime + SESSION_CREATION_TIMEOUT)
 				{
-					LogPrint (eLogError, "Session to peer ", it->first.ToBase64 (), " has not been created in ", SESSION_CREATION_TIMEOUT, " seconds");
+					LogPrint (eLogWarning, "Transports: Session to peer ", it->first.ToBase64 (), " has not been created in ", SESSION_CREATION_TIMEOUT, " seconds");
+					std::unique_lock<std::mutex>  l(m_PeersMutex);	
 					it = m_Peers.erase (it);
 				}
 				else
@@ -507,6 +604,15 @@ namespace transport
 			m_PeerCleanupTimer.async_wait (std::bind (&Transports::HandlePeerCleanupTimer, this, std::placeholders::_1));
 		}	
 	}
+
+	std::shared_ptr<const i2p::data::RouterInfo> Transports::GetRandomPeer () const
+	{
+		if (!m_Peers.size ()) return nullptr;
+		std::unique_lock<std::mutex> l(m_PeersMutex);	
+		auto it = m_Peers.begin ();
+		std::advance (it, rand () % m_Peers.size ());	
+		return it != m_Peers.end () ? it->second.router : nullptr;
+	}
 }
 }
 

Transports.h

@@ -11,7 +11,6 @@
 #include <string>
 #include <memory>
 #include <atomic>
-#include <cryptopp/osrng.h>
 #include <boost/asio.hpp>
 #include "TransportSession.h"
 #include "NTCPSession.h"
@@ -32,8 +31,8 @@ namespace transport
 			~DHKeysPairSupplier ();
 			void Start ();
 			void Stop ();
-			DHKeysPair * Acquire ();
-			void Return (DHKeysPair * pair);
+			std::shared_ptr<i2p::crypto::DHKeys> Acquire ();
+			void Return (std::shared_ptr<i2p::crypto::DHKeys> pair);
 
 		private:
 
@@ -43,32 +42,30 @@ namespace transport
 		private:
 
 			const int m_QueueSize;
-			std::queue<DHKeysPair *> m_Queue;
+			std::queue<std::shared_ptr<i2p::crypto::DHKeys> > m_Queue;
 
 			bool m_IsRunning;
 			std::thread * m_Thread;	
 			std::condition_variable m_Acquired;
 			std::mutex m_AcquiredMutex;
-			CryptoPP::AutoSeededRandomPool m_Rnd;
 	};
 
 	struct Peer
 	{
 		int numAttempts;
 		std::shared_ptr<const i2p::data::RouterInfo> router;
-		std::shared_ptr<TransportSession> session;
+		std::list<std::shared_ptr<TransportSession> > sessions;
 		uint64_t creationTime;
-		std::vector<i2p::I2NPMessage *> delayedMessages;
+		std::vector<std::shared_ptr<i2p::I2NPMessage> > delayedMessages;
 
-		~Peer ()
+		void Done ()
 		{
-			for (auto it :delayedMessages)
-				i2p::DeleteI2NPMessage (it);			
+			for (auto it: sessions)
+				it->Done ();
 		}	
 	};	
 	
 	const size_t SESSION_CREATION_TIMEOUT = 10; // in seconds
-	const uint32_t LOW_BANDWIDTH_LIMIT = 32*1024; // 32KBs
 	class Transports
 	{
 		public:
@@ -80,11 +77,11 @@ namespace transport
 			void Stop ();
 			
 			boost::asio::io_service& GetService () { return m_Service; };
-			i2p::transport::DHKeysPair * GetNextDHKeysPair ();	
-			void ReuseDHKeysPair (DHKeysPair * pair);
+			std::shared_ptr<i2p::crypto::DHKeys> GetNextDHKeysPair ();	
+			void ReuseDHKeysPair (std::shared_ptr<i2p::crypto::DHKeys> pair);
 
-			void SendMessage (const i2p::data::IdentHash& ident, i2p::I2NPMessage * msg);
-			void SendMessages (const i2p::data::IdentHash& ident, const std::vector<i2p::I2NPMessage *>& msgs);
+			void SendMessage (const i2p::data::IdentHash& ident, std::shared_ptr<i2p::I2NPMessage> msg);
+			void SendMessages (const i2p::data::IdentHash& ident, const std::vector<std::shared_ptr<i2p::I2NPMessage> >& msgs);
 			void CloseSession (std::shared_ptr<const i2p::data::RouterInfo> router);
 
 			void PeerConnected (std::shared_ptr<TransportSession> session);
@@ -95,17 +92,20 @@ namespace transport
 			void UpdateReceivedBytes (uint64_t numBytes) { m_TotalReceivedBytes += numBytes; };
 			uint64_t GetTotalSentBytes () const { return m_TotalSentBytes; };
 			uint64_t GetTotalReceivedBytes () const { return m_TotalReceivedBytes; };		
-			uint32_t GetInBandwidth () const { return m_InBandwidth; }; // bytes per second
-			uint32_t GetOutBandwidth () const { return m_OutBandwidth; }; // bytes per second
+			uint32_t GetInBandwidth  () const { return m_InBandwidth; };
+			uint32_t GetOutBandwidth () const { return m_OutBandwidth; };
 			bool IsBandwidthExceeded () const;
+			size_t GetNumPeers () const { return m_Peers.size (); };
+			std::shared_ptr<const i2p::data::RouterInfo> GetRandomPeer () const;
 
+			void PeerTest ();
+			
 		private:
 
 			void Run ();
 			void RequestComplete (std::shared_ptr<const i2p::data::RouterInfo> r, const i2p::data::IdentHash& ident);
-			void HandleRequestComplete (std::shared_ptr<const i2p::data::RouterInfo> r, const i2p::data::IdentHash& ident);
-			void PostMessage (i2p::data::IdentHash ident, i2p::I2NPMessage * msg);
-			void PostMessages (i2p::data::IdentHash ident, std::vector<i2p::I2NPMessage *> msgs);
+			void HandleRequestComplete (std::shared_ptr<const i2p::data::RouterInfo> r, i2p::data::IdentHash ident);
+			void PostMessages (i2p::data::IdentHash ident, std::vector<std::shared_ptr<i2p::I2NPMessage> > msgs);
 			void PostCloseSession (std::shared_ptr<const i2p::data::RouterInfo> router);
 			bool ConnectToPeer (const i2p::data::IdentHash& ident, Peer& peer);
 			void HandlePeerCleanupTimer (const boost::system::error_code& ecode);			
@@ -113,6 +113,9 @@ namespace transport
 			void NTCPResolve (const std::string& addr, const i2p::data::IdentHash& ident);
 			void HandleNTCPResolve (const boost::system::error_code& ecode, boost::asio::ip::tcp::resolver::iterator it,
  				i2p::data::IdentHash ident, std::shared_ptr<boost::asio::ip::tcp::resolver> resolver);
+			void SSUResolve (const std::string& addr, const i2p::data::IdentHash& ident);
+			void HandleSSUResolve (const boost::system::error_code& ecode, boost::asio::ip::tcp::resolver::iterator it,
+ 				i2p::data::IdentHash ident, std::shared_ptr<boost::asio::ip::tcp::resolver> resolver);
 
 			void UpdateBandwidth ();
 			void DetectExternalIP ();
@@ -127,12 +130,13 @@ namespace transport
 
 			NTCPServer * m_NTCPServer;
 			SSUServer * m_SSUServer;
+			mutable std::mutex m_PeersMutex;
 			std::map<i2p::data::IdentHash, Peer> m_Peers;
 			
 			DHKeysPairSupplier m_DHKeysPairSupplier;
 
 			std::atomic<uint64_t> m_TotalSentBytes, m_TotalReceivedBytes;
-			uint32_t m_InBandwidth, m_OutBandwidth;
+			uint32_t m_InBandwidth, m_OutBandwidth; // bytes per second
 			uint64_t m_LastInBandwidthUpdateBytes, m_LastOutBandwidthUpdateBytes;	
 			uint64_t m_LastBandwidthUpdateTime;		
 

Tunnel.cpp

@@ -3,7 +3,7 @@
 #include <thread>
 #include <algorithm>
 #include <vector> 
-#include <cryptopp/sha.h>
+#include <openssl/rand.h>
 #include "RouterContext.h"
 #include "Log.h"
 #include "Timestamp.h"
@@ -17,22 +17,21 @@ namespace i2p
 namespace tunnel
 {		
 	
-	Tunnel::Tunnel (TunnelConfig * config): 
-		m_Config (config), m_Pool (nullptr), m_State (eTunnelStatePending)
+	Tunnel::Tunnel (std::shared_ptr<const TunnelConfig> config): 
+		TunnelBase (config->GetTunnelID (), config->GetNextTunnelID (), config->GetNextIdentHash ()),
+		m_Config (config), m_Pool (nullptr), m_State (eTunnelStatePending), m_IsRecreated (false)
 	{
 	}	
 
 	Tunnel::~Tunnel ()
 	{
-		delete m_Config;
 	}	
 
 	void Tunnel::Build (uint32_t replyMsgID, std::shared_ptr<OutboundTunnel> outboundTunnel)
 	{
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
 		auto numHops = m_Config->GetNumHops ();
 		int numRecords = numHops <= STANDARD_NUM_RECORDS ? STANDARD_NUM_RECORDS : numHops; 
-		I2NPMessage * msg = NewI2NPShortMessage ();
+		auto msg = NewI2NPShortMessage ();
 		*msg->GetPayload () = numRecords;
 		msg->len += numRecords*TUNNEL_BUILD_RECORD_SIZE + 1;		
 
@@ -47,9 +46,13 @@ namespace tunnel
 		int i = 0;
 		while (hop)
 		{
+			uint32_t msgID;
+			if (hop->next) // we set replyMsgID for last hop only 
+				RAND_bytes ((uint8_t *)&msgID, 4);
+			else
+				msgID = replyMsgID;
 			int idx = recordIndicies[i];
-			hop->CreateBuildRequestRecord (records + idx*TUNNEL_BUILD_RECORD_SIZE, 
-				hop->next ? rnd.GenerateWord32 () : replyMsgID); // we set replyMsgID for last hop only 
+			hop->CreateBuildRequestRecord (records + idx*TUNNEL_BUILD_RECORD_SIZE, msgID); 
 			hop->recordIndex = idx; 
 			i++;
 			hop = hop->next;
@@ -58,7 +61,7 @@ namespace tunnel
 		for (int i = numHops; i < numRecords; i++)
 		{
 			int idx = recordIndicies[i];
-			rnd.GenerateBlock (records + idx*TUNNEL_BUILD_RECORD_SIZE, TUNNEL_BUILD_RECORD_SIZE); 
+			RAND_bytes (records + idx*TUNNEL_BUILD_RECORD_SIZE, TUNNEL_BUILD_RECORD_SIZE); 
 		}	
 
 		// decrypt real records
@@ -78,7 +81,7 @@ namespace tunnel
 			}	
 			hop = hop->prev;
 		}	
-		FillI2NPMessageHeader (msg, eI2NPVariableTunnelBuild);
+		msg->FillI2NPMessageHeader (eI2NPVariableTunnelBuild);
 
 		// send message
 		if (outboundTunnel)
@@ -89,7 +92,7 @@ namespace tunnel
 		
 	bool Tunnel::HandleTunnelBuildResponse (uint8_t * msg, size_t len)
 	{
-		LogPrint ("TunnelBuildResponse ", (int)msg[0], " records.");
+		LogPrint (eLogDebug, "Tunnel: TunnelBuildResponse ", (int)msg[0], " records.");
 		
 		i2p::crypto::CBCDecryption decryption;
 		TunnelHopConfig * hop = m_Config->GetLastHop (); 
@@ -108,7 +111,7 @@ namespace tunnel
 					decryption.Decrypt(record, TUNNEL_BUILD_RECORD_SIZE, record);
 				}	
 				else
-					LogPrint ("Tunnel hop index ", idx, " is out of range");
+					LogPrint (eLogWarning, "Tunnel: hop index ", idx, " is out of range");
 				hop1 = hop1->prev;
 			}	
 			hop = hop->prev;
@@ -120,8 +123,10 @@ namespace tunnel
 		{			
 			const uint8_t * record = msg + 1 + hop->recordIndex*TUNNEL_BUILD_RECORD_SIZE;
 			uint8_t ret = record[BUILD_RESPONSE_RECORD_RET_OFFSET];
-			LogPrint ("Ret code=", (int)ret);
-			hop->router->GetProfile ()->TunnelBuildResponse (ret);
+			LogPrint (eLogDebug, "Tunnel: Build response ret code=", (int)ret);
+			auto profile = i2p::data::netdb.FindRouterProfile (hop->ident->GetIdentHash ());
+			if (profile)
+				profile->TunnelBuildResponse (ret);
 			if (ret) 
 				// if any of participants declined the tunnel is not established
 				established = false; 
@@ -129,44 +134,99 @@ namespace tunnel
 		}
 		if (established) 
 		{
-			// change reply keys to layer keys
-			hop = m_Config->GetFirstHop ();
+			// create tunnel decryptions from layer and iv keys in reverse order
+			hop = m_Config->GetLastHop ();
 			while (hop)
 			{
-				hop->decryption.SetKeys (hop->layerKey, hop->ivKey);
-				hop = hop->next;
+				auto tunnelHop = new TunnelHop;
+				tunnelHop->ident = hop->ident;
+				tunnelHop->decryption.SetKeys (hop->layerKey, hop->ivKey);
+				m_Hops.push_back (std::unique_ptr<TunnelHop>(tunnelHop));
+				hop = hop->prev;
 			}	
+			m_Config = nullptr;
 		}	
 		if (established) m_State = eTunnelStateEstablished;
 		return established;
 	}	
 
-	void Tunnel::EncryptTunnelMsg (I2NPMessage * tunnelMsg)
+	void Tunnel::EncryptTunnelMsg (std::shared_ptr<const I2NPMessage> in, std::shared_ptr<I2NPMessage> out)
 	{
-		uint8_t * payload = tunnelMsg->GetPayload () + 4;
-		TunnelHopConfig * hop = m_Config->GetLastHop (); 
-		while (hop)
+		const uint8_t * inPayload = in->GetPayload () + 4;
+		uint8_t * outPayload = out->GetPayload () + 4;
+		for (auto& it: m_Hops)
+		{
+			it->decryption.Decrypt (inPayload, outPayload);
+			inPayload = outPayload;	
+		}	
+	}	
+
+	void Tunnel::SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg)
+	{
+		LogPrint (eLogWarning, "Tunnel: Can't send I2NP messages without delivery instructions");
+	}	
+
+	std::vector<std::shared_ptr<const i2p::data::IdentityEx> > Tunnel::GetPeers () const
+	{
+		auto peers = GetInvertedPeers ();
+		std::reverse (peers.begin (), peers.end ());	
+		return peers;
+	}	
+
+	std::vector<std::shared_ptr<const i2p::data::IdentityEx> > Tunnel::GetInvertedPeers () const
+	{
+		// hops are in inverted order
+		std::vector<std::shared_ptr<const i2p::data::IdentityEx> > ret;
+		for (auto& it: m_Hops)
+			ret.push_back (it->ident);
+		return ret;	
+	}	
+
+	void Tunnel::PrintHops (std::stringstream& s) const
+	{
+		for (auto& it: m_Hops)
 		{	
-			hop->decryption.Decrypt (payload);
-			hop = hop->prev;
-		}
+			s << " ⇒ ";
+			s << i2p::data::GetIdentHashAbbreviation (it->ident->GetIdentHash ());
+		}	
 	}	
-
-	void Tunnel::SendTunnelDataMsg (i2p::I2NPMessage * msg)
+		
+	void InboundTunnel::HandleTunnelDataMsg (std::shared_ptr<const I2NPMessage> msg)
 	{
-		LogPrint (eLogInfo, "Can't send I2NP messages without delivery instructions");	
-		DeleteI2NPMessage (msg);
+		if (IsFailed ()) SetState (eTunnelStateEstablished); // incoming messages means a tunnel is alive	
+		auto newMsg = CreateEmptyTunnelDataMsg ();
+		EncryptTunnelMsg (msg, newMsg);
+		newMsg->from = shared_from_this ();
+		m_Endpoint.HandleDecryptedTunnelDataMsg (newMsg);	
 	}	
 
-	void InboundTunnel::HandleTunnelDataMsg (I2NPMessage * msg)
+	void InboundTunnel::Print (std::stringstream& s) const
 	{
-		if (IsFailed ()) SetState (eTunnelStateEstablished); // incoming messages means a tunnel is alive			
-		msg->from = shared_from_this ();
-		EncryptTunnelMsg (msg);
-		m_Endpoint.HandleDecryptedTunnelDataMsg (msg);	
+		PrintHops (s);
+		s << " ⇒ " << GetTunnelID () << ":me";
 	}	
 
-	void OutboundTunnel::SendTunnelDataMsg (const uint8_t * gwHash, uint32_t gwTunnel, i2p::I2NPMessage * msg)
+	ZeroHopsInboundTunnel::ZeroHopsInboundTunnel ():
+		InboundTunnel (std::make_shared<ZeroHopsTunnelConfig> ()),
+		m_NumReceivedBytes (0)
+	{
+	}	
+		
+	void ZeroHopsInboundTunnel::SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg)
+	{
+		if (msg)
+		{	
+			m_NumReceivedBytes += msg->GetLength ();
+			HandleI2NPMessage (msg);
+		}	
+	}	
+
+	void ZeroHopsInboundTunnel::Print (std::stringstream& s) const
+	{
+		s << " ⇒ " << GetTunnelID () << ":me";
+	}	
+		
+	void OutboundTunnel::SendTunnelDataMsg (const uint8_t * gwHash, uint32_t gwTunnel, std::shared_ptr<i2p::I2NPMessage> msg)
 	{
 		TunnelMessageBlock block;
 		if (gwHash)
@@ -184,8 +244,7 @@ namespace tunnel
 			block.deliveryType = eDeliveryTypeLocal;
 		block.data = msg;
 		
-		std::unique_lock<std::mutex> l(m_SendMutex);
-		m_Gateway.SendTunnelDataMsg (block);
+		SendTunnelDataMsg ({block});
 	}
 		
 	void OutboundTunnel::SendTunnelDataMsg (const std::vector<TunnelMessageBlock>& msgs)
@@ -196,10 +255,48 @@ namespace tunnel
 		m_Gateway.SendBuffer ();
 	}	
 	
-	void OutboundTunnel::HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg)
+	void OutboundTunnel::HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg)
 	{
-		LogPrint (eLogError, "Incoming message for outbound tunnel ", GetTunnelID ());
-		DeleteI2NPMessage (tunnelMsg);	
+		LogPrint (eLogError, "Tunnel: incoming message for outbound tunnel ", GetTunnelID ());
+	}
+
+	void OutboundTunnel::Print (std::stringstream& s) const
+	{
+		s << GetTunnelID () << ":me";
+		PrintHops (s);
+		s << " ⇒ ";
+	}	
+		
+	ZeroHopsOutboundTunnel::ZeroHopsOutboundTunnel ():
+		OutboundTunnel (std::make_shared<ZeroHopsTunnelConfig> ()),
+		m_NumSentBytes (0)
+	{
+	}
+
+	void ZeroHopsOutboundTunnel::SendTunnelDataMsg (const std::vector<TunnelMessageBlock>& msgs)
+	{
+		for (auto& msg : msgs)
+		{
+			switch (msg.deliveryType)
+			{
+				case eDeliveryTypeLocal:
+					i2p::HandleI2NPMessage (msg.data);
+				break;
+				case eDeliveryTypeTunnel:
+					i2p::transport::transports.SendMessage (msg.hash, i2p::CreateTunnelGatewayMsg (msg.tunnelID, msg.data));
+				break;
+				case eDeliveryTypeRouter:				
+					i2p::transport::transports.SendMessage (msg.hash, msg.data);
+				break;
+				default:
+					LogPrint (eLogError, "Tunnel: Unknown delivery type ", (int)msg.deliveryType);
+			}	
+		}
+	}
+
+	void ZeroHopsOutboundTunnel::Print (std::stringstream& s) const
+	{
+		s << GetTunnelID () << ":me ⇒ ";
 	}
 
 	Tunnels tunnels;
@@ -211,27 +308,16 @@ namespace tunnel
 	
 	Tunnels::~Tunnels ()	
 	{
-		for (auto& it : m_TransitTunnels)
-			delete it.second;
-		m_TransitTunnels.clear ();
 	}	
-	
-	std::shared_ptr<InboundTunnel> Tunnels::GetInboundTunnel (uint32_t tunnelID)
+
+	std::shared_ptr<TunnelBase> Tunnels::GetTunnel (uint32_t tunnelID)
 	{
-		auto it = m_InboundTunnels.find(tunnelID);
-		if (it != m_InboundTunnels.end ())
+		auto it = m_Tunnels.find(tunnelID);
+		if (it != m_Tunnels.end ())
 			return it->second;
 		return nullptr;
 	}	
-	
-	TransitTunnel * Tunnels::GetTransitTunnel (uint32_t tunnelID)
-	{
-		auto it = m_TransitTunnels.find(tunnelID);
-		if (it != m_TransitTunnels.end ())
-			return it->second;
-		return nullptr;
-	}	
-	
+		
 	std::shared_ptr<InboundTunnel> Tunnels::GetPendingInboundTunnel (uint32_t replyMsgID)
 	{
 		return GetPendingTunnel (replyMsgID, m_PendingInboundTunnels);	
@@ -260,11 +346,11 @@ namespace tunnel
 		size_t minReceived = 0;
 		for (auto it : m_InboundTunnels)
 		{
-			if (!it.second->IsEstablished ()) continue;
-			if (!tunnel || it.second->GetNumReceivedBytes () < minReceived)
+			if (!it->IsEstablished ()) continue;
+			if (!tunnel || it->GetNumReceivedBytes () < minReceived)
 			{
-				tunnel = it.second;
-				minReceived = it.second->GetNumReceivedBytes ();
+				tunnel = it;
+				minReceived = it->GetNumReceivedBytes ();
 			}
 		}			
 		return tunnel;
@@ -272,8 +358,8 @@ namespace tunnel
 	
 	std::shared_ptr<OutboundTunnel> Tunnels::GetNextOutboundTunnel ()
 	{
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-		uint32_t ind = rnd.GenerateWord32 (0, m_OutboundTunnels.size () - 1), i = 0;
+		if (!m_OutboundTunnels.size ()) return nullptr;
+		uint32_t ind = rand () % m_OutboundTunnels.size (), i = 0;
 		std::shared_ptr<OutboundTunnel> tunnel;
 		for (auto it: m_OutboundTunnels)
 		{	
@@ -287,9 +373,10 @@ namespace tunnel
 		return tunnel;
 	}	
 
-	std::shared_ptr<TunnelPool> Tunnels::CreateTunnelPool (i2p::garlic::GarlicDestination * localDestination, int numInboundHops, int numOutboundHops)
+	std::shared_ptr<TunnelPool> Tunnels::CreateTunnelPool (int numInboundHops, 
+		int numOutboundHops, int numInboundTunnels, int numOutboundTunnels)
 	{
-		auto pool = std::make_shared<TunnelPool> (localDestination, numInboundHops, numOutboundHops);
+		auto pool = std::make_shared<TunnelPool> (numInboundHops, numOutboundHops, numInboundTunnels, numOutboundTunnels);
 		std::unique_lock<std::mutex> l(m_PoolsMutex);
 		m_Pools.push_back (pool);
 		return pool;
@@ -316,14 +403,12 @@ namespace tunnel
 		}	
 	}	
 		
-	void Tunnels::AddTransitTunnel (TransitTunnel * tunnel)
+	void Tunnels::AddTransitTunnel (std::shared_ptr<TransitTunnel> tunnel)
 	{
-		std::unique_lock<std::mutex> l(m_TransitTunnelsMutex);
-		if (!m_TransitTunnels.insert (std::make_pair (tunnel->GetTunnelID (), tunnel)).second)
-		{	
-			LogPrint (eLogError, "Transit tunnel ", tunnel->GetTunnelID (), " already exists");
-			delete tunnel;
-		}
+		if (m_Tunnels.emplace (tunnel->GetTunnelID (), tunnel).second)
+			m_TransitTunnels.push_back (tunnel);
+		else
+			LogPrint (eLogError, "Tunnel: tunnel with id ", tunnel->GetTunnelID (), " already exists");
 	}	
 
 	void Tunnels::Start ()
@@ -353,14 +438,14 @@ namespace tunnel
 		{
 			try
 			{	
-				I2NPMessage * msg = m_Queue.GetNextWithTimeout (1000); // 1 sec
+				auto msg = m_Queue.GetNextWithTimeout (1000); // 1 sec
 				if (msg)
 				{	
 					uint32_t prevTunnelID = 0, tunnelID = 0;
-					TunnelBase * prevTunnel = nullptr; 
+					std::shared_ptr<TunnelBase> prevTunnel; 
 					do
 					{
-						TunnelBase * tunnel = nullptr;
+						std::shared_ptr<TunnelBase> tunnel;
 						uint8_t typeID = msg->GetTypeID ();
 						switch (typeID)
 						{									
@@ -373,10 +458,8 @@ namespace tunnel
 								else if (prevTunnel)
 									prevTunnel->FlushTunnelDataMsgs (); 
 						
-								if (!tunnel && typeID == eI2NPTunnelData)
-									tunnel = GetInboundTunnel (tunnelID).get ();
 								if (!tunnel)
-									tunnel = GetTransitTunnel (tunnelID);
+									tunnel = GetTunnel (tunnelID);
 								if (tunnel)
 								{
 									if (typeID == eI2NPTunnelData)
@@ -384,27 +467,18 @@ namespace tunnel
 									else // tunnel gateway assumed
 										HandleTunnelGatewayMsg (tunnel, msg);
 								}
-								else	
-								{	
-									LogPrint (eLogWarning, "Tunnel ", tunnelID, " not found");
-									DeleteI2NPMessage (msg);
-								}	
+								else		
+									LogPrint (eLogWarning, "Tunnel: tunnel with id ", tunnelID, " not found");
 								break;
 							}	
 							case eI2NPVariableTunnelBuild:		
 							case eI2NPVariableTunnelBuildReply:
 							case eI2NPTunnelBuild:
 							case eI2NPTunnelBuildReply:	
-							{
 								HandleI2NPMessage (msg->GetBuffer (), msg->GetLength ());
-								DeleteI2NPMessage (msg);
-								break;
-							}	
+							break;	
 							default:
-							{
-								LogPrint (eLogError, "Unexpected  messsage type ", (int)typeID);
-								DeleteI2NPMessage (msg);
-							}	
+								LogPrint (eLogWarning, "Tunnel: unexpected messsage type ", (int) typeID);
 						}
 							
 						msg = m_Queue.Get ();
@@ -428,35 +502,35 @@ namespace tunnel
 			}
 			catch (std::exception& ex)
 			{
-				LogPrint ("Tunnels: ", ex.what ());
+				LogPrint (eLogError, "Tunnel: runtime exception: ", ex.what ());
 			}	
 		}	
 	}	
 
-	void Tunnels::HandleTunnelGatewayMsg (TunnelBase * tunnel, I2NPMessage * msg)
+	void Tunnels::HandleTunnelGatewayMsg (std::shared_ptr<TunnelBase> tunnel, std::shared_ptr<I2NPMessage> msg)
 	{
 		if (!tunnel)
 		{
-			LogPrint (eLogError, "Missing tunnel for TunnelGateway");
-			i2p::DeleteI2NPMessage (msg);
+			LogPrint (eLogError, "Tunnel: missing tunnel for gateway");
 			return;
 		}
 		const uint8_t * payload = msg->GetPayload ();
 		uint16_t len = bufbe16toh(payload + TUNNEL_GATEWAY_HEADER_LENGTH_OFFSET);
 		// we make payload as new I2NP message to send
 		msg->offset += I2NP_HEADER_SIZE + TUNNEL_GATEWAY_HEADER_SIZE;
+		if (msg->offset + len > msg->len)
+		{
+			LogPrint (eLogError, "Tunnel: gateway payload ", (int)len, " exceeds message length ", (int)msg->len);
+			return;
+		}
 		msg->len = msg->offset + len;
 		auto typeID = msg->GetTypeID ();
-		LogPrint (eLogDebug, "TunnelGateway of ", (int)len, " bytes for tunnel ", tunnel->GetTunnelID (), ". Msg type ", (int)typeID);
+		LogPrint (eLogDebug, "Tunnel: gateway of ", (int) len, " bytes for tunnel ", tunnel->GetTunnelID (), ", msg type ", (int)typeID);
 			
-		if (typeID == eI2NPDatabaseStore || typeID == eI2NPDatabaseSearchReply)
-		{
+		if (IsRouterInfoMsg (msg) || typeID == eI2NPDatabaseSearchReply)
 			// transit DatabaseStore my contain new/updated RI 
 			// or DatabaseSearchReply with new routers
-			auto ds = NewI2NPMessage ();
-			*ds = *msg;
-			i2p::data::netdb.PostI2NPMsg (ds);
-		}	
+			i2p::data::netdb.PostI2NPMsg (CopyI2NPMessage (msg));	
 		tunnel->SendTunnelDataMsg (msg);
 	}
 
@@ -488,7 +562,7 @@ namespace tunnel
 				case eTunnelStatePending: 
 					if (ts > tunnel->GetCreationTime () + TUNNEL_CREATION_TIMEOUT)
 					{
-						LogPrint ("Pending tunnel build request ", it->first, " timeout. Deleted");
+						LogPrint (eLogWarning, "Tunnel: pending build request ", it->first, " timeout, deleted");
 						// update stats
 						auto config = tunnel->GetTunnelConfig ();
 						if (config)
@@ -496,8 +570,12 @@ namespace tunnel
 							auto hop = config->GetFirstHop ();
 							while (hop)
 							{
-								if (hop->router) 
-									hop->router->GetProfile ()->TunnelNonReplied ();
+								if (hop->ident)
+								{
+									auto profile = i2p::data::netdb.FindRouterProfile (hop->ident->GetIdentHash ());
+									if (profile)
+										profile->TunnelNonReplied ();
+								}
 								hop = hop->next;
 							}	
 						}	
@@ -509,7 +587,7 @@ namespace tunnel
 						it++;
 				break;
 				case eTunnelStateBuildFailed:
-					LogPrint ("Pending tunnel build request ", it->first, " failed. Deleted");
+					LogPrint (eLogWarning, "Tunnel: pending build request ", it->first, " failed, deleted");
 					it = pendingTunnels.erase (it);
 					m_NumFailedTunnelCreations++;
 				break;
@@ -534,18 +612,27 @@ namespace tunnel
 				auto tunnel = *it;
 				if (ts > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
 				{
-					LogPrint ("Tunnel ", tunnel->GetTunnelID (), " expired");
-					{
-						auto pool = tunnel->GetTunnelPool ();
-						if (pool)
-							pool->TunnelExpired (tunnel);
-					}	
+					LogPrint (eLogDebug, "Tunnel: tunnel with id ", tunnel->GetTunnelID (), " expired");
+					auto pool = tunnel->GetTunnelPool ();
+					if (pool)
+						pool->TunnelExpired (tunnel);
+					// we don't have outbound tunnels in m_Tunnels
 					it = m_OutboundTunnels.erase (it);
 				}	
 				else 
 				{
-					if (tunnel->IsEstablished () && ts + TUNNEL_EXPIRATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
-						tunnel->SetState (eTunnelStateExpiring);
+					if (tunnel->IsEstablished ())
+					{	
+						if (!tunnel->IsRecreated () && ts + TUNNEL_RECREATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
+						{
+							tunnel->SetIsRecreated ();	
+							auto pool = tunnel->GetTunnelPool ();
+							if (pool)
+								pool->RecreateOutboundTunnel (tunnel);
+						}
+						if (ts + TUNNEL_EXPIRATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
+							tunnel->SetState (eTunnelStateExpiring);
+					}	
 					it++;
 				}
 			}
@@ -555,14 +642,13 @@ namespace tunnel
 		{
 			// trying to create one more oubound tunnel
 			auto inboundTunnel = GetNextInboundTunnel ();
-			if (!inboundTunnel) return;
-			LogPrint ("Creating one hop outbound tunnel...");
+			auto router = i2p::data::netdb.GetRandomRouter ();
+			if (!inboundTunnel || !router) return;
+			LogPrint (eLogDebug, "Tunnel: creating one hop outbound tunnel");
 			CreateTunnel<OutboundTunnel> (
-			  	new TunnelConfig (std::vector<std::shared_ptr<const i2p::data::RouterInfo> > 
-				    { 
-						i2p::data::netdb.GetRandomRouter ()
-					},		
-		     		inboundTunnel->GetTunnelConfig ()));
+				std::make_shared<TunnelConfig> (std::vector<std::shared_ptr<const i2p::data::IdentityEx> > { router->GetRouterIdentity () },		
+		     		inboundTunnel->GetNextTunnelID (), inboundTunnel->GetNextIdentHash ())
+			                              );
 		}
 	}
 	
@@ -572,21 +658,31 @@ namespace tunnel
 		{
 			for (auto it = m_InboundTunnels.begin (); it != m_InboundTunnels.end ();)
 			{
-				auto tunnel = it->second;
+				auto tunnel = *it;
 				if (ts > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
 				{
-					LogPrint ("Tunnel ", tunnel->GetTunnelID (), " expired");
-					{
-						auto pool = tunnel->GetTunnelPool ();
-						if (pool)
-							pool->TunnelExpired (tunnel);
-					}	
+					LogPrint (eLogDebug, "Tunnel: tunnel with id ", tunnel->GetTunnelID (), " expired");
+					auto pool = tunnel->GetTunnelPool ();
+					if (pool)
+						pool->TunnelExpired (tunnel);
+					m_Tunnels.erase (tunnel->GetTunnelID ());
 					it = m_InboundTunnels.erase (it);
 				}	
 				else 
 				{
-					if (tunnel->IsEstablished () && ts + TUNNEL_EXPIRATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
-						tunnel->SetState (eTunnelStateExpiring);
+					if (tunnel->IsEstablished ())
+					{	
+						if (!tunnel->IsRecreated () && ts + TUNNEL_RECREATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
+						{
+							tunnel->SetIsRecreated ();	
+							auto pool = tunnel->GetTunnelPool ();
+							if (pool)
+								pool->RecreateInboundTunnel (tunnel);
+						}
+	
+						if (ts + TUNNEL_EXPIRATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
+							tunnel->SetState (eTunnelStateExpiring);
+					}	
 					it++;
 				}
 			}
@@ -594,22 +690,29 @@ namespace tunnel
 
 		if (m_InboundTunnels.empty ())
 		{
-			LogPrint ("Creating zero hops inbound tunnel...");
+			LogPrint (eLogDebug, "Tunnel: Creating zero hops inbound tunnel");
 			CreateZeroHopsInboundTunnel ();
+			CreateZeroHopsOutboundTunnel ();
 			if (!m_ExploratoryPool)
-				m_ExploratoryPool = CreateTunnelPool (&i2p::context, 2, 2); // 2-hop exploratory
+			{
+				m_ExploratoryPool = CreateTunnelPool (2, 2, 5, 5); // 2-hop exploratory, 5 tunnels
+				m_ExploratoryPool->SetLocalDestination (i2p::context.GetSharedDestination ());
+			}
 			return;
 		}
 		
 		if (m_OutboundTunnels.empty () || m_InboundTunnels.size () < 5) 
 		{
-			// trying to create one more inbound tunnel			
-			LogPrint ("Creating one hop inbound tunnel...");
+			// trying to create one more inbound tunnel		
+			auto router = i2p::data::netdb.GetRandomRouter ();
+			if (!router) {
+				LogPrint (eLogWarning, "Tunnel: can't find any router, skip creating tunnel");
+				return;
+			}
+			LogPrint (eLogDebug, "Tunnel: creating one hop inbound tunnel");
 			CreateTunnel<InboundTunnel> (
-				new TunnelConfig (std::vector<std::shared_ptr<const i2p::data::RouterInfo> >
-				    {              
-						i2p::data::netdb.GetRandomRouter ()
-					}));
+				std::make_shared<TunnelConfig> (std::vector<std::shared_ptr<const i2p::data::IdentityEx> > { router->GetRouterIdentity () })
+			                             );
 		}
 	}	
 
@@ -618,15 +721,12 @@ namespace tunnel
 		uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
 		for (auto it = m_TransitTunnels.begin (); it != m_TransitTunnels.end ();)
 		{
-			if (ts > it->second->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
+			auto tunnel = *it;
+			if (ts > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
 			{
-				auto tmp = it->second;
-				LogPrint ("Transit tunnel ", tmp->GetTunnelID (), " expired");
-				{
-					std::unique_lock<std::mutex> l(m_TransitTunnelsMutex);
-					it = m_TransitTunnels.erase (it);
-				}	
-				delete tmp;
+				LogPrint (eLogDebug, "Tunnel: Transit tunnel with id ", tunnel->GetTunnelID (), " expired");
+				m_Tunnels.erase (tunnel->GetTunnelID ());
+				it = m_TransitTunnels.erase (it);
 			}	
 			else 
 				it++;
@@ -647,21 +747,22 @@ namespace tunnel
 		}
 	}	
 	
-	void Tunnels::PostTunnelData (I2NPMessage * msg)
+	void Tunnels::PostTunnelData (std::shared_ptr<I2NPMessage> msg)
 	{
 		if (msg) m_Queue.Put (msg);		
 	}	
 
-	void Tunnels::PostTunnelData (const std::vector<I2NPMessage *>& msgs)
+	void Tunnels::PostTunnelData (const std::vector<std::shared_ptr<I2NPMessage> >& msgs)
 	{
 		m_Queue.Put (msgs);
 	}	
 		
 	template<class TTunnel>
-	std::shared_ptr<TTunnel> Tunnels::CreateTunnel (TunnelConfig * config, std::shared_ptr<OutboundTunnel> outboundTunnel)
+	std::shared_ptr<TTunnel> Tunnels::CreateTunnel (std::shared_ptr<TunnelConfig> config, std::shared_ptr<OutboundTunnel> outboundTunnel)
 	{
 		auto newTunnel = std::make_shared<TTunnel> (config);
-		uint32_t replyMsgID = i2p::context.GetRandomNumberGenerator ().GenerateWord32 ();
+		uint32_t replyMsgID;
+		RAND_bytes ((uint8_t *)&replyMsgID, 4);
 		AddPendingTunnel (replyMsgID, newTunnel); 
 		newTunnel->Build (replyMsgID, outboundTunnel);
 		return newTunnel;
@@ -679,6 +780,7 @@ namespace tunnel
 
 	void Tunnels::AddOutboundTunnel (std::shared_ptr<OutboundTunnel> newTunnel)
 	{
+		// we don't need to insert it to m_Tunnels
 		m_OutboundTunnels.push_back (newTunnel);
 		auto pool = newTunnel->GetTunnelPool ();
 		if (pool && pool->IsActive ())
@@ -689,43 +791,76 @@ namespace tunnel
 
 	void Tunnels::AddInboundTunnel (std::shared_ptr<InboundTunnel> newTunnel)
 	{
-		m_InboundTunnels[newTunnel->GetTunnelID ()] = newTunnel;
-		auto pool = newTunnel->GetTunnelPool ();
-		if (!pool)
-		{		
-			// build symmetric outbound tunnel
-			CreateTunnel<OutboundTunnel> (newTunnel->GetTunnelConfig ()->Invert (), GetNextOutboundTunnel ());		
+		if (m_Tunnels.emplace (newTunnel->GetTunnelID (), newTunnel).second)
+		{	
+			m_InboundTunnels.push_back (newTunnel);
+			auto pool = newTunnel->GetTunnelPool ();
+			if (!pool)
+			{		
+				// build symmetric outbound tunnel
+				CreateTunnel<OutboundTunnel> (std::make_shared<TunnelConfig>(newTunnel->GetInvertedPeers (),
+						newTunnel->GetNextTunnelID (), newTunnel->GetNextIdentHash ()), 
+					GetNextOutboundTunnel ());		
+			}
+			else
+			{
+				if (pool->IsActive ())
+					pool->TunnelCreated (newTunnel);
+				else
+					newTunnel->SetTunnelPool (nullptr);
+			}
 		}
 		else
-		{
-			if (pool->IsActive ())
-				pool->TunnelCreated (newTunnel);
-			else
-				newTunnel->SetTunnelPool (nullptr);
-		}	
+			LogPrint (eLogError, "Tunnel: tunnel with id ", newTunnel->GetTunnelID (), " already exists");
 	}	
 
 	
 	void Tunnels::CreateZeroHopsInboundTunnel ()
 	{
-		CreateTunnel<InboundTunnel> (
-			new TunnelConfig (std::vector<std::shared_ptr<const i2p::data::RouterInfo> >
-			    { 
-					i2p::context.GetSharedRouterInfo ()
-				}));
+		auto inboundTunnel = std::make_shared<ZeroHopsInboundTunnel> ();
+		inboundTunnel->SetState (eTunnelStateEstablished);
+		m_InboundTunnels.push_back (inboundTunnel);
+		m_Tunnels[inboundTunnel->GetTunnelID ()] = inboundTunnel;
 	}	
 
+	void Tunnels::CreateZeroHopsOutboundTunnel ()
+	{
+		auto outboundTunnel = std::make_shared<ZeroHopsOutboundTunnel> ();
+		outboundTunnel->SetState (eTunnelStateEstablished);
+		m_OutboundTunnels.push_back (outboundTunnel);
+		// we don't insert into m_Tunnels
+	}
+
 	int Tunnels::GetTransitTunnelsExpirationTimeout ()
 	{
 		int timeout = 0;
 		uint32_t ts = i2p::util::GetSecondsSinceEpoch ();
-		std::unique_lock<std::mutex> l(m_TransitTunnelsMutex);
+		// TODO: possible race condition with I2PControl
 		for (auto it: m_TransitTunnels)
 		{
-			int t = it.second->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT - ts;
+			int t = it->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT - ts;
 			if (t > timeout) timeout = t;
 		}	
 		return timeout;
-	}	
+	}
+
+	size_t Tunnels::CountTransitTunnels() const
+	{
+		// TODO: locking
+		return m_TransitTunnels.size();
+	}
+
+	size_t Tunnels::CountInboundTunnels() const
+	{
+		// TODO: locking
+		return m_InboundTunnels.size();
+	}
+
+	size_t Tunnels::CountOutboundTunnels() const
+	{
+		// TODO: locking
+		return m_OutboundTunnels.size();
+	}
 }
 }
+

Tunnel.h

@@ -3,6 +3,7 @@
 
 #include <inttypes.h>
 #include <map>
+#include <unordered_map>
 #include <list>
 #include <vector>
 #include <string>
@@ -10,6 +11,7 @@
 #include <mutex>
 #include <memory>
 #include "Queue.h"
+#include "Crypto.h"
 #include "TunnelConfig.h"
 #include "TunnelPool.h"
 #include "TransitTunnel.h"
@@ -24,6 +26,7 @@ namespace tunnel
 {	
 	const int TUNNEL_EXPIRATION_TIMEOUT = 660; // 11 minutes	
 	const int TUNNEL_EXPIRATION_THRESHOLD = 60; // 1 minute	
+	const int TUNNEL_RECREATION_THRESHOLD = 90; // 1.5 minutes	
 	const int TUNNEL_CREATION_TIMEOUT = 30; // 30 seconds
 	const int STANDARD_NUM_RECORDS = 5; // in VariableTunnelBuild message
 
@@ -42,75 +45,118 @@ namespace tunnel
 	class InboundTunnel;
 	class Tunnel: public TunnelBase
 	{
+		struct TunnelHop
+		{
+			std::shared_ptr<const i2p::data::IdentityEx> ident;
+			i2p::crypto::TunnelDecryption decryption;
+		};	
+		
 		public:
 
-			Tunnel (TunnelConfig * config);
+			Tunnel (std::shared_ptr<const TunnelConfig> config);
 			~Tunnel ();
 
 			void Build (uint32_t replyMsgID, std::shared_ptr<OutboundTunnel> outboundTunnel = nullptr);
 			
-			TunnelConfig * GetTunnelConfig () const { return m_Config; }
+			std::shared_ptr<const TunnelConfig> GetTunnelConfig () const { return m_Config; }
+			std::vector<std::shared_ptr<const i2p::data::IdentityEx> > GetPeers () const; 
+			std::vector<std::shared_ptr<const i2p::data::IdentityEx> > GetInvertedPeers () const; 
 			TunnelState GetState () const { return m_State; };
 			void SetState (TunnelState state)  { m_State = state; };
 			bool IsEstablished () const { return m_State == eTunnelStateEstablished; };
 			bool IsFailed () const { return m_State == eTunnelStateFailed; };
+			bool IsRecreated () const { return m_IsRecreated; };
+			void SetIsRecreated () { m_IsRecreated = true; };
 
 			std::shared_ptr<TunnelPool> GetTunnelPool () const { return m_Pool; };
 			void SetTunnelPool (std::shared_ptr<TunnelPool> pool) { m_Pool = pool; };			
 			
 			bool HandleTunnelBuildResponse (uint8_t * msg, size_t len);
+
+			virtual void Print (std::stringstream& s) const {};	
 			
 			// implements TunnelBase
-			void SendTunnelDataMsg (i2p::I2NPMessage * msg);
-			void EncryptTunnelMsg (I2NPMessage * tunnelMsg); 
-			uint32_t GetNextTunnelID () const { return m_Config->GetFirstHop ()->tunnelID; };
-			const i2p::data::IdentHash& GetNextIdentHash () const { return m_Config->GetFirstHop ()->router->GetIdentHash (); };
+			void SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg);
+			void EncryptTunnelMsg (std::shared_ptr<const I2NPMessage> in, std::shared_ptr<I2NPMessage> out); 
+
+		protected:
+
+			void PrintHops (std::stringstream& s) const;
 			
 		private:
 
-			TunnelConfig * m_Config;
+			std::shared_ptr<const TunnelConfig> m_Config;
+			std::vector<std::unique_ptr<TunnelHop> > m_Hops;
 			std::shared_ptr<TunnelPool> m_Pool; // pool, tunnel belongs to, or null
 			TunnelState m_State;
+			bool m_IsRecreated;
 	};	
 
 	class OutboundTunnel: public Tunnel 
 	{
 		public:
 
-			OutboundTunnel (TunnelConfig * config): Tunnel (config), m_Gateway (this) {};
-
-			void SendTunnelDataMsg (const uint8_t * gwHash, uint32_t gwTunnel, i2p::I2NPMessage * msg);
-			void SendTunnelDataMsg (const std::vector<TunnelMessageBlock>& msgs); // multiple messages
-			std::shared_ptr<const i2p::data::RouterInfo> GetEndpointRouter () const 
-				{ return GetTunnelConfig ()->GetLastHop ()->router; }; 
-			size_t GetNumSentBytes () const { return m_Gateway.GetNumSentBytes (); };
+			OutboundTunnel (std::shared_ptr<const TunnelConfig> config): 
+				Tunnel (config), m_Gateway (this), m_EndpointIdentHash (config->GetLastIdentHash ()) {};
 
+			void SendTunnelDataMsg (const uint8_t * gwHash, uint32_t gwTunnel, std::shared_ptr<i2p::I2NPMessage> msg);
+			virtual void SendTunnelDataMsg (const std::vector<TunnelMessageBlock>& msgs); // multiple messages
+			const i2p::data::IdentHash& GetEndpointIdentHash () const { return m_EndpointIdentHash; }; 
+			virtual size_t GetNumSentBytes () const { return m_Gateway.GetNumSentBytes (); };
+			void Print (std::stringstream& s) const;
+			
 			// implements TunnelBase
-			void HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg);
-			uint32_t GetTunnelID () const { return GetNextTunnelID (); };
+			void HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg);
 			
 		private:
 
 			std::mutex m_SendMutex;
 			TunnelGateway m_Gateway; 
+			i2p::data::IdentHash m_EndpointIdentHash;
 	};
-	
+
 	class InboundTunnel: public Tunnel, public std::enable_shared_from_this<InboundTunnel>
 	{
 		public:
 
-			InboundTunnel (TunnelConfig * config): Tunnel (config), m_Endpoint (true) {};
-			void HandleTunnelDataMsg (I2NPMessage * msg);
-			size_t GetNumReceivedBytes () const { return m_Endpoint.GetNumReceivedBytes (); };
-
-			// implements TunnelBase
-			uint32_t GetTunnelID () const { return GetTunnelConfig ()->GetLastHop ()->nextTunnelID; };
+			InboundTunnel (std::shared_ptr<const TunnelConfig> config): Tunnel (config), m_Endpoint (true) {};
+			void HandleTunnelDataMsg (std::shared_ptr<const I2NPMessage> msg);
+			virtual size_t GetNumReceivedBytes () const { return m_Endpoint.GetNumReceivedBytes (); };
+			void Print (std::stringstream& s) const;
+			
 		private:
 
 			TunnelEndpoint m_Endpoint; 
 	};	
-
 	
+	class ZeroHopsInboundTunnel: public InboundTunnel
+	{
+		public:
+
+			ZeroHopsInboundTunnel ();
+			void SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg); 
+			void Print (std::stringstream& s) const;
+			size_t GetNumReceivedBytes () const { return m_NumReceivedBytes; };
+			
+		private:
+
+			size_t m_NumReceivedBytes;
+	};		
+	
+	class ZeroHopsOutboundTunnel: public OutboundTunnel
+	{
+		public:
+
+			ZeroHopsOutboundTunnel ();
+			void SendTunnelDataMsg (const std::vector<TunnelMessageBlock>& msgs);
+			void Print (std::stringstream& s) const;
+			size_t GetNumSentBytes () const { return m_NumSentBytes; };
+			
+		private:
+
+			size_t m_NumSentBytes;
+	};	
+
 	class Tunnels
 	{	
 		public:
@@ -120,24 +166,24 @@ namespace tunnel
 			void Start ();
 			void Stop ();		
 			
-			std::shared_ptr<InboundTunnel> GetInboundTunnel (uint32_t tunnelID);
 			std::shared_ptr<InboundTunnel> GetPendingInboundTunnel (uint32_t replyMsgID);	
 			std::shared_ptr<OutboundTunnel> GetPendingOutboundTunnel (uint32_t replyMsgID);			
 			std::shared_ptr<InboundTunnel> GetNextInboundTunnel ();
 			std::shared_ptr<OutboundTunnel> GetNextOutboundTunnel ();
 			std::shared_ptr<TunnelPool> GetExploratoryPool () const { return m_ExploratoryPool; };
-			TransitTunnel * GetTransitTunnel (uint32_t tunnelID);
+			std::shared_ptr<TunnelBase> GetTunnel (uint32_t tunnelID);
 			int GetTransitTunnelsExpirationTimeout ();
-			void AddTransitTunnel (TransitTunnel * tunnel);
+			void AddTransitTunnel (std::shared_ptr<TransitTunnel> tunnel);
 			void AddOutboundTunnel (std::shared_ptr<OutboundTunnel> newTunnel);
 			void AddInboundTunnel (std::shared_ptr<InboundTunnel> newTunnel);
-			void PostTunnelData (I2NPMessage * msg);
-			void PostTunnelData (const std::vector<I2NPMessage *>& msgs);
+			void PostTunnelData (std::shared_ptr<I2NPMessage> msg);
+			void PostTunnelData (const std::vector<std::shared_ptr<I2NPMessage> >& msgs);
 			template<class TTunnel>
-			std::shared_ptr<TTunnel> CreateTunnel (TunnelConfig * config, std::shared_ptr<OutboundTunnel> outboundTunnel = nullptr);
+			std::shared_ptr<TTunnel> CreateTunnel (std::shared_ptr<TunnelConfig> config, std::shared_ptr<OutboundTunnel> outboundTunnel = nullptr);
 			void AddPendingTunnel (uint32_t replyMsgID, std::shared_ptr<InboundTunnel> tunnel);
 			void AddPendingTunnel (uint32_t replyMsgID, std::shared_ptr<OutboundTunnel> tunnel);
-			std::shared_ptr<TunnelPool> CreateTunnelPool (i2p::garlic::GarlicDestination * localDestination, int numInboundHops, int numOuboundHops);
+			std::shared_ptr<TunnelPool> CreateTunnelPool (int numInboundHops, 
+				int numOuboundHops, int numInboundTunnels, int numOutboundTunnels);
 			void DeleteTunnelPool (std::shared_ptr<TunnelPool> pool);
 			void StopTunnelPool (std::shared_ptr<TunnelPool> pool);
 			
@@ -146,7 +192,7 @@ namespace tunnel
 			template<class TTunnel>
 			std::shared_ptr<TTunnel> GetPendingTunnel (uint32_t replyMsgID, const std::map<uint32_t, std::shared_ptr<TTunnel> >& pendingTunnels);			
 
-			void HandleTunnelGatewayMsg (TunnelBase * tunnel, I2NPMessage * msg);
+			void HandleTunnelGatewayMsg (std::shared_ptr<TunnelBase> tunnel, std::shared_ptr<I2NPMessage> msg);
 
 			void Run ();	
 			void ManageTunnels ();
@@ -159,21 +205,22 @@ namespace tunnel
 			void ManageTunnelPools ();
 			
 			void CreateZeroHopsInboundTunnel ();
-			
+			void CreateZeroHopsOutboundTunnel ();			
+
 		private:
 
 			bool m_IsRunning;
 			std::thread * m_Thread;	
 			std::map<uint32_t, std::shared_ptr<InboundTunnel> > m_PendingInboundTunnels; // by replyMsgID
 			std::map<uint32_t, std::shared_ptr<OutboundTunnel> > m_PendingOutboundTunnels; // by replyMsgID
-			std::map<uint32_t, std::shared_ptr<InboundTunnel> > m_InboundTunnels;
+			std::list<std::shared_ptr<InboundTunnel> > m_InboundTunnels;
 			std::list<std::shared_ptr<OutboundTunnel> > m_OutboundTunnels;
-			std::mutex m_TransitTunnelsMutex;
-			std::map<uint32_t, TransitTunnel *> m_TransitTunnels;
+			std::list<std::shared_ptr<TransitTunnel> > m_TransitTunnels;
+			std::unordered_map<uint32_t, std::shared_ptr<TunnelBase> > m_Tunnels; // tunnelID->tunnel known by this id
 			std::mutex m_PoolsMutex;
 			std::list<std::shared_ptr<TunnelPool>> m_Pools;
 			std::shared_ptr<TunnelPool> m_ExploratoryPool;
-			i2p::util::Queue<I2NPMessage> m_Queue;
+			i2p::util::Queue<std::shared_ptr<I2NPMessage> > m_Queue;
 
 			// some stats
 			int m_NumSuccesiveTunnelCreations, m_NumFailedTunnelCreations;
@@ -184,6 +231,11 @@ namespace tunnel
 			const decltype(m_OutboundTunnels)& GetOutboundTunnels () const { return m_OutboundTunnels; };
 			const decltype(m_InboundTunnels)& GetInboundTunnels () const { return m_InboundTunnels; };
 			const decltype(m_TransitTunnels)& GetTransitTunnels () const { return m_TransitTunnels; };
+
+			size_t CountTransitTunnels() const;
+			size_t CountInboundTunnels() const;
+			size_t CountOutboundTunnels() const;
+			
 			int GetQueueSize () { return m_Queue.GetSize (); };
 			int GetTunnelCreationSuccessRate () const // in percents
 			{ 

TunnelBase.h

@@ -26,30 +26,33 @@ namespace tunnel
 		TunnelDeliveryType deliveryType;
 		i2p::data::IdentHash hash;	
 		uint32_t tunnelID;
-		I2NPMessage * data;
+		std::shared_ptr<I2NPMessage> data;
 	};
 
 	class TunnelBase
 	{
 		public:
 
-			//WARNING!!! GetSecondsSinceEpoch() return uint64_t
-			TunnelBase (): m_CreationTime (i2p::util::GetSecondsSinceEpoch ()) {};
+			TunnelBase (uint32_t tunnelID, uint32_t nextTunnelID, i2p::data::IdentHash nextIdent): 
+				m_TunnelID (tunnelID), m_NextTunnelID (nextTunnelID), m_NextIdent (nextIdent),
+				m_CreationTime (i2p::util::GetSecondsSinceEpoch ()) {};
 			virtual ~TunnelBase () {};
 			
-			virtual void HandleTunnelDataMsg (i2p::I2NPMessage * tunnelMsg) = 0;
-			virtual void SendTunnelDataMsg (i2p::I2NPMessage * msg) = 0;
+			virtual void HandleTunnelDataMsg (std::shared_ptr<const i2p::I2NPMessage> tunnelMsg) = 0;
+			virtual void SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg) = 0;
 			virtual void FlushTunnelDataMsgs () {};
-			virtual void EncryptTunnelMsg (I2NPMessage * tunnelMsg) = 0;
-			virtual uint32_t GetNextTunnelID () const = 0;
-			virtual const i2p::data::IdentHash& GetNextIdentHash () const = 0;
-			virtual uint32_t GetTunnelID () const = 0; // as known at our side
+			virtual void EncryptTunnelMsg (std::shared_ptr<const I2NPMessage> in, std::shared_ptr<I2NPMessage> out) = 0;
+			uint32_t GetNextTunnelID () const { return m_NextTunnelID; };
+			const i2p::data::IdentHash& GetNextIdentHash () const { return m_NextIdent; };
+			virtual uint32_t GetTunnelID () const { return m_TunnelID; }; // as known at our side
 
 			uint32_t GetCreationTime () const { return m_CreationTime; };
 			void SetCreationTime (uint32_t t) { m_CreationTime = t; };
 
 		private:
-			
+
+			uint32_t m_TunnelID, m_NextTunnelID;
+			i2p::data::IdentHash m_NextIdent;
 			uint32_t m_CreationTime; // seconds since epoch
 	};	
 

TunnelConfig.h

@@ -5,8 +5,9 @@
 #include <sstream>
 #include <vector>
 #include <memory>
-#include "aes.h"
-#include "RouterInfo.h"
+#include <openssl/rand.h>
+#include "Crypto.h"
+#include "Identity.h"
 #include "RouterContext.h"
 #include "Timestamp.h"
 
@@ -16,7 +17,8 @@ namespace tunnel
 {
 	struct TunnelHopConfig
 	{
-		std::shared_ptr<const i2p::data::RouterInfo> router, nextRouter;
+		std::shared_ptr<const i2p::data::IdentityEx> ident;
+		i2p::data::IdentHash nextIdent;
 		uint32_t tunnelID, nextTunnelID;
 		uint8_t layerKey[32];
 		uint8_t ivKey[32];
@@ -25,19 +27,18 @@ namespace tunnel
 		bool isGateway, isEndpoint;	
 		
 		TunnelHopConfig * next, * prev;
-		i2p::crypto::TunnelDecryption decryption;	
 		int recordIndex; // record # in tunnel build message
 		
-		TunnelHopConfig (std::shared_ptr<const i2p::data::RouterInfo> r)
+		TunnelHopConfig (std::shared_ptr<const i2p::data::IdentityEx> r)
 		{
-			CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-			rnd.GenerateBlock (layerKey, 32);
-			rnd.GenerateBlock (ivKey, 32);
-			rnd.GenerateBlock (replyIV, 16);
-			tunnelID = rnd.GenerateWord32 ();
+			RAND_bytes (layerKey, 32);
+			RAND_bytes (ivKey, 32);
+			RAND_bytes (replyKey, 32);
+			RAND_bytes (replyIV, 16);
+			RAND_bytes ((uint8_t *)&tunnelID, 4);
 			isGateway = true;
 			isEndpoint = true;
-			router = r; 
+			ident = r; 
 			//nextRouter = nullptr; 
 			nextTunnelID = 0;
 
@@ -45,18 +46,17 @@ namespace tunnel
 			prev = nullptr;
 		}	
 
-		void SetNextRouter (std::shared_ptr<const i2p::data::RouterInfo> r)
+		void SetNextIdent (const i2p::data::IdentHash& ident)
 		{
-			nextRouter = r;
+			nextIdent = ident;
 			isEndpoint = false;
-			CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-			nextTunnelID = rnd.GenerateWord32 ();
+			RAND_bytes ((uint8_t *)&nextTunnelID, 4);
 		}	
 
-		void SetReplyHop (const TunnelHopConfig * replyFirstHop)
+		void SetReplyHop (uint32_t replyTunnelID, const i2p::data::IdentHash& replyIdent)
 		{
-			nextRouter = replyFirstHop->router;
-			nextTunnelID = replyFirstHop->tunnelID;
+			nextIdent = replyIdent;
+			nextTunnelID = replyTunnelID;
 			isEndpoint = true;
 		}
 		
@@ -68,7 +68,7 @@ namespace tunnel
 				next->prev = this;
 				next->isGateway = false;
 				isEndpoint = false;
-				nextRouter = next->router;
+				nextIdent = next->ident->GetIdentHash ();
 				nextTunnelID = next->tunnelID;
 			}	
 		}
@@ -84,13 +84,13 @@ namespace tunnel
 			}	
 		}
 
-		void CreateBuildRequestRecord (uint8_t * record, uint32_t replyMsgID)
+		void CreateBuildRequestRecord (uint8_t * record, uint32_t replyMsgID) const
 		{
 			uint8_t clearText[BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE];
 			htobe32buf (clearText + BUILD_REQUEST_RECORD_RECEIVE_TUNNEL_OFFSET, tunnelID); 
-			memcpy (clearText + BUILD_REQUEST_RECORD_OUR_IDENT_OFFSET, router->GetIdentHash (), 32);
+			memcpy (clearText + BUILD_REQUEST_RECORD_OUR_IDENT_OFFSET, ident->GetIdentHash (), 32);
 			htobe32buf (clearText + BUILD_REQUEST_RECORD_NEXT_TUNNEL_OFFSET, nextTunnelID);
-			memcpy (clearText + BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET, nextRouter->GetIdentHash (), 32);
+			memcpy (clearText + BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET, nextIdent, 32);
 			memcpy (clearText + BUILD_REQUEST_RECORD_LAYER_KEY_OFFSET, layerKey, 32);
 			memcpy (clearText + BUILD_REQUEST_RECORD_IV_KEY_OFFSET, ivKey, 32);
 			memcpy (clearText + BUILD_REQUEST_RECORD_REPLY_KEY_OFFSET, replyKey, 32);
@@ -101,9 +101,10 @@ namespace tunnel
 			clearText[BUILD_REQUEST_RECORD_FLAG_OFFSET] = flag;
 			htobe32buf (clearText + BUILD_REQUEST_RECORD_REQUEST_TIME_OFFSET, i2p::util::GetHoursSinceEpoch ()); 
 			htobe32buf (clearText + BUILD_REQUEST_RECORD_SEND_MSG_ID_OFFSET, replyMsgID); 
-			// TODO: fill padding
-			router->GetElGamalEncryption ()->Encrypt (clearText, BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE, record + BUILD_REQUEST_RECORD_ENCRYPTED_OFFSET);
-			memcpy (record + BUILD_REQUEST_RECORD_TO_PEER_OFFSET, (const uint8_t *)router->GetIdentHash (), 16);
+			RAND_bytes (clearText + BUILD_REQUEST_RECORD_PADDING_OFFSET, BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE - BUILD_REQUEST_RECORD_PADDING_OFFSET);
+			i2p::crypto::ElGamalEncryption elGamalEncryption (ident->GetEncryptionPublicKey ());
+			elGamalEncryption.Encrypt (clearText, BUILD_REQUEST_RECORD_CLEAR_TEXT_SIZE, record + BUILD_REQUEST_RECORD_ENCRYPTED_OFFSET);
+			memcpy (record + BUILD_REQUEST_RECORD_TO_PEER_OFFSET, (const uint8_t *)ident->GetIdentHash (), 16);
 		}	
 	};	
 
@@ -111,29 +112,18 @@ namespace tunnel
 	{
 		public:			
 			
-
-			TunnelConfig (std::vector<std::shared_ptr<const i2p::data::RouterInfo> > peers, 
-				const TunnelConfig * replyTunnelConfig = nullptr) // replyTunnelConfig=nullptr means inbound
+			TunnelConfig (std::vector<std::shared_ptr<const i2p::data::IdentityEx> > peers) // inbound
 			{
-				TunnelHopConfig * prev = nullptr;
-				for (auto it: peers)
-				{
-					auto hop = new TunnelHopConfig (it);
-					if (prev)
-						prev->SetNext (hop);
-					else	
-						m_FirstHop = hop;
-					prev = hop;
-				}	
-				m_LastHop = prev;
-				
-				if (replyTunnelConfig) // outbound
-				{
-					m_FirstHop->isGateway = false;
-					m_LastHop->SetReplyHop (replyTunnelConfig->GetFirstHop ());
-				}	
-				else // inbound
-					m_LastHop->SetNextRouter (i2p::context.GetSharedRouterInfo ());
+				CreatePeers (peers);
+				m_LastHop->SetNextIdent (i2p::context.GetIdentHash ());
+			}
+
+			TunnelConfig (std::vector<std::shared_ptr<const i2p::data::IdentityEx> > peers, 
+				uint32_t replyTunnelID, const i2p::data::IdentHash& replyIdent) // outbound
+			{
+				CreatePeers (peers);
+				m_FirstHop->isGateway = false;
+				m_LastHop->SetReplyHop (replyTunnelID, replyIdent);
 			}
 			
 			~TunnelConfig ()
@@ -170,75 +160,88 @@ namespace tunnel
 				return num;
 			}
 
-			void Print (std::stringstream& s) const
-			{
-				TunnelHopConfig * hop = m_FirstHop;
-				if (!m_FirstHop->isGateway)
-					s << "me";
-				s << "-->" << m_FirstHop->tunnelID;
-				while (hop)
-				{
-					s << ":" << hop->router->GetIdentHashAbbreviation () << "-->"; 
-					if (!hop->isEndpoint)
-						s << hop->nextTunnelID;
-					else
-						return;
-					hop = hop->next;
-				}	
-				// we didn't reach enpoint that mean we are last hop
-				s << ":me";	
+			virtual bool IsInbound () const { return m_FirstHop->isGateway; }
+
+			virtual uint32_t GetTunnelID () const 
+			{	
+				if (!m_FirstHop) return 0;
+				return IsInbound () ? m_LastHop->nextTunnelID : m_FirstHop->tunnelID; 
 			}
 
-			TunnelConfig * Invert () const
-			{
-				TunnelConfig * newConfig = new TunnelConfig ();
-				TunnelHopConfig * hop = m_FirstHop, * nextNewHop = nullptr;
-				while (hop)
-				{
-					TunnelHopConfig * newHop = new TunnelHopConfig (hop->router);
-					if (nextNewHop)
-						newHop->SetNext (nextNewHop);
-					nextNewHop = newHop;
-					newHop->isEndpoint = hop->isGateway;
-					newHop->isGateway = hop->isEndpoint;
-					
-					if (!hop->prev) // first hop
-					{	
-						newConfig->m_LastHop = newHop; 
-						if (hop->isGateway) // inbound tunnel
-							newHop->SetReplyHop (m_FirstHop); // use it as reply tunnel
-						else
-							newHop->SetNextRouter (i2p::context.GetSharedRouterInfo ());
-					}	
-					if (!hop->next) newConfig->m_FirstHop = newHop; // last hop
-									
-					hop = hop->next;
-				}	
-				return newConfig;
+			virtual uint32_t GetNextTunnelID () const 
+			{	
+				if (!m_FirstHop) return 0;
+				return m_FirstHop->tunnelID; 
 			}
 
-			TunnelConfig * Clone (const TunnelConfig * replyTunnelConfig = nullptr) const
-			{
-				std::vector<std::shared_ptr<const i2p::data::RouterInfo> > peers;
-				TunnelHopConfig * hop = m_FirstHop;
-				while (hop)
-				{
-					peers.push_back (hop->router);
-					hop = hop->next;
-				}	
-				return new TunnelConfig (peers, replyTunnelConfig);
+			virtual const i2p::data::IdentHash& GetNextIdentHash () const 
+			{ 
+				return m_FirstHop->ident->GetIdentHash (); 
+			}	
+
+			virtual const i2p::data::IdentHash& GetLastIdentHash () const 
+			{ 
+				return m_LastHop->ident->GetIdentHash (); 
 			}	
 			
-		private:
+			std::vector<std::shared_ptr<const i2p::data::IdentityEx> > GetPeers () const
+			{
+				std::vector<std::shared_ptr<const i2p::data::IdentityEx> > peers;
+				TunnelHopConfig * hop = m_FirstHop;		
+				while (hop)
+				{
+					peers.push_back (hop->ident);
+					hop = hop->next;
+				}	
+				return peers;
+			}
+			
+		protected:
 
 			// this constructor can't be called from outside
 			TunnelConfig (): m_FirstHop (nullptr), m_LastHop (nullptr)
 			{
 			}
+	
+		private:
+
+			template<class Peers>
+			void CreatePeers (const Peers& peers)
+			{
+				TunnelHopConfig * prev = nullptr;
+				for (auto it: peers)
+				{
+					auto hop = new TunnelHopConfig (it);
+					if (prev)
+						prev->SetNext (hop);
+					else	
+						m_FirstHop = hop;
+					prev = hop;
+				}	
+				m_LastHop = prev;
+			}
 			
 		private:
 
 			TunnelHopConfig * m_FirstHop, * m_LastHop;
+	};
+
+	class ZeroHopsTunnelConfig: public TunnelConfig
+	{
+		public:
+
+			ZeroHopsTunnelConfig () { RAND_bytes ((uint8_t *)&m_TunnelID, 4);};
+
+			bool IsInbound () const { return true; }; // TODO:		
+			uint32_t GetTunnelID () const { return m_TunnelID; };
+			uint32_t GetNextTunnelID () const { return m_TunnelID; };
+			const i2p::data::IdentHash& GetNextIdentHash () const { return i2p::context.GetIdentHash (); };
+			const i2p::data::IdentHash& GetLastIdentHash () const { return i2p::context.GetIdentHash (); };
+
+
+		private:
+		
+			uint32_t m_TunnelID;	
 	};	
 }		
 }	

TunnelEndpoint.cpp

@@ -1,5 +1,6 @@
 #include "I2PEndian.h"
 #include <string.h>
+#include <openssl/sha.h>
 #include "Log.h"
 #include "NetDb.h"
 #include "I2NPProtocol.h"
@@ -13,13 +14,9 @@ namespace tunnel
 {
 	TunnelEndpoint::~TunnelEndpoint ()
 	{
-		for (auto it: m_IncompleteMessages)
-			i2p::DeleteI2NPMessage (it.second.data);
-		for (auto it: m_OutOfSequenceFragments)
-			i2p::DeleteI2NPMessage (it.second.data);
 	}	
 	
-	void TunnelEndpoint::HandleDecryptedTunnelDataMsg (I2NPMessage * msg)
+	void TunnelEndpoint::HandleDecryptedTunnelDataMsg (std::shared_ptr<I2NPMessage> msg)
 	{
 		m_NumReceivedBytes += TUNNEL_DATA_MSG_SIZE;
 		
@@ -31,11 +28,10 @@ namespace tunnel
 			// verify checksum
 			memcpy (msg->GetPayload () + TUNNEL_DATA_MSG_SIZE, msg->GetPayload () + 4, 16); // copy iv to the end
 			uint8_t hash[32];
-			CryptoPP::SHA256().CalculateDigest (hash, fragment, TUNNEL_DATA_MSG_SIZE -(fragment - msg->GetPayload ()) + 16); // payload + iv
+			SHA256(fragment, TUNNEL_DATA_MSG_SIZE -(fragment - msg->GetPayload ()) + 16, hash); // payload + iv
 			if (memcmp (hash, decrypted, 4))
 			{
 				LogPrint (eLogError, "TunnelMessage: checksum verification failed");
-				i2p::DeleteI2NPMessage (msg);
 				return;
 			}	
 			// process fragments
@@ -94,6 +90,11 @@ namespace tunnel
 
 				msg->offset = fragment - msg->buf;
 				msg->len = msg->offset + size;
+				if (msg->len > msg->maxLen)
+				{
+					LogPrint (eLogError, "TunnelMessage: fragment is too long ", (int)size);
+					return;
+				}
 				if (fragment + size < decrypted + TUNNEL_DATA_ENCRYPTED_SIZE)
 				{
 					// this is not last message. we have to copy it
@@ -118,10 +119,7 @@ namespace tunnel
 							if (ret.second)
 								HandleOutOfSequenceFragment (msgID, ret.first->second);
 							else
-							{
-								LogPrint (eLogError, "Incomplete message ", msgID, "already exists");
-								DeleteI2NPMessage (m.data);
-							}	
+								LogPrint (eLogError, "TunnelMessage: Incomplete message ", msgID, "already exists");
 						}
 						else
 						{
@@ -130,20 +128,14 @@ namespace tunnel
 						}	
 					}
 					else	
-					{	
-						LogPrint (eLogError, "Message is fragmented, but msgID is not presented");
-						DeleteI2NPMessage (m.data);
-					}	
+						LogPrint (eLogError, "TunnelMessage: Message is fragmented, but msgID is not presented");
 				}	
 					
 				fragment += size;
 			}	
 		}	
 		else
-		{	
 			LogPrint (eLogError, "TunnelMessage: zero not found");
-			i2p::DeleteI2NPMessage (msg);	
-		}	
 	}	
 
 	void TunnelEndpoint::HandleFollowOnFragment (uint32_t msgID, bool isLastFragment, const TunnelMessageBlockEx& m)
@@ -160,14 +152,13 @@ namespace tunnel
 				{	
 					if (msg.data->len + size > msg.data->maxLen)
 					{
-						LogPrint (eLogInfo, "Tunnel endpoint I2NP message size ", msg.data->maxLen, " is not enough");
-						I2NPMessage * newMsg = NewI2NPMessage ();
+						LogPrint (eLogWarning, "TunnelMessage: I2NP message size ", msg.data->maxLen, " is not enough");
+						auto newMsg = NewI2NPMessage ();
 						*newMsg = *(msg.data);
-						DeleteI2NPMessage (msg.data);
 						msg.data = newMsg;
 					}
-					memcpy (msg.data->buf + msg.data->len, fragment, size); // concatenate fragment
-					msg.data->len += size;
+					if (msg.data->Concat (fragment, size) < size) // concatenate fragment
+						LogPrint (eLogError, "TunnelMessage: I2NP buffer overflow ", msg.data->maxLen);
 					if (isLastFragment)
 					{
 						// message complete
@@ -182,32 +173,28 @@ namespace tunnel
 				}
 				else
 				{
-					LogPrint (eLogError, "Fragment ", m.nextFragmentNum, " of message ", msgID, "exceeds max I2NP message size. Message dropped");
-					i2p::DeleteI2NPMessage (msg.data);
+					LogPrint (eLogError, "TunnelMessage: Fragment ", m.nextFragmentNum, " of message ", msgID, "exceeds max I2NP message size, message dropped");
 					m_IncompleteMessages.erase (it);
 				}
-				i2p::DeleteI2NPMessage (m.data);
 			}
 			else
 			{	
-				LogPrint (eLogInfo, "Unexpected fragment ", (int)m.nextFragmentNum, " instead ", (int)msg.nextFragmentNum, " of message ", msgID, ". Saved");
+				LogPrint (eLogWarning, "TunnelMessage: Unexpected fragment ", (int)m.nextFragmentNum, " instead ", (int)msg.nextFragmentNum, " of message ", msgID, ", saved");
 				AddOutOfSequenceFragment (msgID, m.nextFragmentNum, isLastFragment, m.data);
 			}
 		}
 		else
 		{	
-			LogPrint (eLogInfo, "First fragment of message ", msgID, " not found. Saved");
+			LogPrint (eLogWarning, "TunnelMessage: First fragment of message ", msgID, " not found, saved");
 			AddOutOfSequenceFragment (msgID, m.nextFragmentNum, isLastFragment, m.data);
 		}	
 	}	
 
-	void TunnelEndpoint::AddOutOfSequenceFragment (uint32_t msgID, uint8_t fragmentNum, bool isLastFragment, I2NPMessage * data)
+	void TunnelEndpoint::AddOutOfSequenceFragment (uint32_t msgID, uint8_t fragmentNum, bool isLastFragment, std::shared_ptr<I2NPMessage> data)
 	{
 		auto it = m_OutOfSequenceFragments.find (msgID);
 		if (it == m_OutOfSequenceFragments.end ())
 			m_OutOfSequenceFragments.insert (std::pair<uint32_t, Fragment> (msgID, {fragmentNum, isLastFragment, data}));	
-		else
-			i2p::DeleteI2NPMessage (data);
 	}	
 
 	void TunnelEndpoint::HandleOutOfSequenceFragment (uint32_t msgID, TunnelMessageBlockEx& msg)
@@ -217,18 +204,17 @@ namespace tunnel
 		{
 			if (it->second.fragmentNum == msg.nextFragmentNum)
 			{
-				LogPrint (eLogInfo, "Out-of-sequence fragment ", (int)it->second.fragmentNum, " of message ", msgID, " found");
+				LogPrint (eLogWarning, "TunnelMessage: Out-of-sequence fragment ", (int)it->second.fragmentNum, " of message ", msgID, " found");
 				auto size = it->second.data->GetLength ();
 				if (msg.data->len + size > msg.data->maxLen)
 				{
-					LogPrint (eLogInfo, "Tunnel endpoint I2NP message size ", msg.data->maxLen, " is not enough");
-					I2NPMessage * newMsg = NewI2NPMessage ();
+					LogPrint (eLogWarning, "TunnelMessage: Tunnel endpoint I2NP message size ", msg.data->maxLen, " is not enough");
+					auto newMsg = NewI2NPMessage ();
 					*newMsg = *(msg.data);
-					DeleteI2NPMessage (msg.data);
 					msg.data = newMsg;
 				}
-				memcpy (msg.data->buf + msg.data->len, it->second.data->GetBuffer (), size); // concatenate out-of-sync fragment
-				msg.data->len += size;
+				if (msg.data->Concat (it->second.data->GetBuffer (), size) < size) // concatenate out-of-sync fragment
+					LogPrint (eLogError, "Tunnel endpoint I2NP buffer overflow ", msg.data->maxLen);
 				if (it->second.isLastFragment)
 				{
 					// message complete
@@ -237,7 +223,6 @@ namespace tunnel
 				}	
 				else
 					msg.nextFragmentNum++;
-				i2p::DeleteI2NPMessage (it->second.data);
 				m_OutOfSequenceFragments.erase (it);
 			}	
 		}	
@@ -245,45 +230,37 @@ namespace tunnel
 	
 	void TunnelEndpoint::HandleNextMessage (const TunnelMessageBlock& msg)
 	{
-		LogPrint (eLogInfo, "TunnelMessage: handle fragment of ", msg.data->GetLength ()," bytes. Msg type ", (int)msg.data->GetTypeID ());
+		if (!m_IsInbound && msg.data->IsExpired ())
+		{
+			LogPrint (eLogInfo, "TunnelMessage: message expired");
+			return;
+		}	
+		auto typeID = msg.data->GetTypeID ();
+		LogPrint (eLogDebug, "TunnelMessage: handle fragment of ", msg.data->GetLength (), " bytes, msg type ", (int)typeID);
+		// catch RI or reply with new list of routers	
+		if ((IsRouterInfoMsg (msg.data) || typeID == eI2NPDatabaseSearchReply) &&
+			!m_IsInbound && msg.deliveryType != eDeliveryTypeLocal)
+			i2p::data::netdb.PostI2NPMsg (CopyI2NPMessage (msg.data));
+
 		switch (msg.deliveryType)
 		{
 			case eDeliveryTypeLocal:
 				i2p::HandleI2NPMessage (msg.data);
 			break;
 			case eDeliveryTypeTunnel:
-				i2p::transport::transports.SendMessage (msg.hash, i2p::CreateTunnelGatewayMsg (msg.tunnelID, msg.data));
-			break;
-			case eDeliveryTypeRouter:
-				if (msg.hash == i2p::context.GetRouterInfo ().GetIdentHash ()) // check if message is sent to us
-					i2p::HandleI2NPMessage (msg.data);
+				if (!m_IsInbound) // outbound transit tunnel
+					i2p::transport::transports.SendMessage (msg.hash, i2p::CreateTunnelGatewayMsg (msg.tunnelID, msg.data));
 				else
-				{	
-					// to somebody else
-					if (!m_IsInbound) // outbound transit tunnel
-					{
-						auto typeID = msg.data->GetTypeID ();
-						if (typeID == eI2NPDatabaseStore || typeID == eI2NPDatabaseSearchReply )
-						{
-							// catch RI or reply with new list of routers
-							auto ds = NewI2NPShortMessage ();
-							*ds = *(msg.data);
-							i2p::data::netdb.PostI2NPMsg (ds);
-						}
-						i2p::transport::transports.SendMessage (msg.hash, msg.data);
-					}
-					else // we shouldn't send this message. possible leakage 
-					{
-						LogPrint (eLogError, "Message to another router arrived from an inbound tunnel. Dropped");
-						i2p::DeleteI2NPMessage (msg.data);
-					}
-				}
+					LogPrint (eLogError, "TunnelMessage: Delivery type 'tunnel' arrived from an inbound tunnel, dropped");
+			break;
+			case eDeliveryTypeRouter:				
+				if (!m_IsInbound) // outbound transit tunnel
+					i2p::transport::transports.SendMessage (msg.hash, msg.data);
+				else // we shouldn't send this message. possible leakage 
+					LogPrint (eLogError, "TunnelMessage: Delivery type 'router' arrived from an inbound tunnel, dropped");
 			break;
 			default:
-			{	
 				LogPrint (eLogError, "TunnelMessage: Unknown delivery type ", (int)msg.deliveryType);
-				i2p::DeleteI2NPMessage (msg.data);
-			}	
 		};	
 	}	
 }		

TunnelEndpoint.h

@@ -22,7 +22,7 @@ namespace tunnel
 		{
 			uint8_t fragmentNum;
 			bool isLastFragment;
-			I2NPMessage * data;
+			std::shared_ptr<I2NPMessage> data;
 		};	
 		
 		public:
@@ -31,14 +31,14 @@ namespace tunnel
 			~TunnelEndpoint ();
 			size_t GetNumReceivedBytes () const { return m_NumReceivedBytes; };
 			
-			void HandleDecryptedTunnelDataMsg (I2NPMessage * msg);
+			void HandleDecryptedTunnelDataMsg (std::shared_ptr<I2NPMessage> msg);
 
 		private:
 
 			void HandleFollowOnFragment (uint32_t msgID, bool isLastFragment, const TunnelMessageBlockEx& m);
 			void HandleNextMessage (const TunnelMessageBlock& msg);
 
-			void AddOutOfSequenceFragment (uint32_t msgID, uint8_t fragmentNum, bool isLastFragment, I2NPMessage * data);
+			void AddOutOfSequenceFragment (uint32_t msgID, uint8_t fragmentNum, bool isLastFragment, std::shared_ptr<I2NPMessage> data);
 			void HandleOutOfSequenceFragment (uint32_t msgID, TunnelMessageBlockEx& msg);
 			
 		private:			

TunnelGateway.cpp

@@ -1,6 +1,7 @@
 #include <string.h>
+#include <openssl/rand.h>
+#include <openssl/sha.h>
 #include "I2PEndian.h"
-#include <cryptopp/sha.h>
 #include "Log.h"
 #include "RouterContext.h"
 #include "Transports.h"
@@ -10,10 +11,16 @@ namespace i2p
 {
 namespace tunnel
 {
+	TunnelGatewayBuffer::TunnelGatewayBuffer (uint32_t tunnelID): m_TunnelID (tunnelID), 
+				m_CurrentTunnelDataMsg (nullptr), m_RemainingSize (0) 
+	{
+		RAND_bytes (m_NonZeroRandomBuffer, TUNNEL_DATA_MAX_PAYLOAD_SIZE);
+		for (size_t i = 0; i < TUNNEL_DATA_MAX_PAYLOAD_SIZE; i++)
+			if (!m_NonZeroRandomBuffer[i]) m_NonZeroRandomBuffer[i] = 1;
+	}
+
 	TunnelGatewayBuffer::~TunnelGatewayBuffer ()
 	{
-		for (auto it: m_TunnelDataMsgs)
-			DeleteI2NPMessage (it);
 	}	
 	
 	void TunnelGatewayBuffer::PutI2NPMsg (const TunnelMessageBlock& block)
@@ -42,7 +49,7 @@ namespace tunnel
 		di[0] = block.deliveryType << 5; // set delivery type
 
 		// create fragments
-		I2NPMessage * msg = block.data;
+		std::shared_ptr<I2NPMessage> msg = block.data;
 		auto fullMsgLen = diLen + msg->GetLength () + 2; // delivery instructions + payload + 2 bytes length
 		if (fullMsgLen <= m_RemainingSize)
 		{
@@ -55,7 +62,6 @@ namespace tunnel
 			m_RemainingSize -= diLen + msg->GetLength ();
 			if (!m_RemainingSize)
 				CompleteCurrentTunnelDataMessage ();
-			DeleteI2NPMessage (msg);
 		}	
 		else
 		{
@@ -119,7 +125,6 @@ namespace tunnel
 					size += s;
 					fragmentNumber++;
 				}
-				DeleteI2NPMessage (msg);
 			}	
 			else
 			{
@@ -155,22 +160,25 @@ namespace tunnel
 		m_CurrentTunnelDataMsg->offset = m_CurrentTunnelDataMsg->len - TUNNEL_DATA_MSG_SIZE - I2NP_HEADER_SIZE;
 		uint8_t * buf = m_CurrentTunnelDataMsg->GetPayload ();
 		htobe32buf (buf, m_TunnelID);
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-		rnd.GenerateBlock (buf + 4, 16); // original IV	
+		RAND_bytes (buf + 4, 16); // original IV	
 		memcpy (payload + size, buf + 4, 16); // copy IV for checksum 
 		uint8_t hash[32];
-		CryptoPP::SHA256().CalculateDigest (hash, payload, size+16);
+		SHA256(payload, size+16, hash);
 		memcpy (buf+20, hash, 4); // checksum		
 		payload[-1] = 0; // zero	
 		ptrdiff_t paddingSize = payload - buf - 25; // 25  = 24 + 1 
 		if (paddingSize > 0)
-			memset (buf + 24, 1, paddingSize); // padding TODO: fill with random data
+		{
+			// non-zero padding 
+			auto randomOffset = rand () % (TUNNEL_DATA_MAX_PAYLOAD_SIZE - paddingSize + 1);
+			memcpy (buf + 24, m_NonZeroRandomBuffer + randomOffset, paddingSize); 
+		}
 
 		// we can't fill message header yet because encryption is required
 		m_TunnelDataMsgs.push_back (m_CurrentTunnelDataMsg);
 		m_CurrentTunnelDataMsg = nullptr;
 	}	
-	
+
 	void TunnelGateway::SendTunnelDataMsg (const TunnelMessageBlock& block)
 	{
 		if (block.data)
@@ -192,8 +200,8 @@ namespace tunnel
 		auto tunnelMsgs = m_Buffer.GetTunnelDataMsgs ();
 		for (auto tunnelMsg : tunnelMsgs)
 		{	
-			m_Tunnel->EncryptTunnelMsg (tunnelMsg);
-			FillI2NPMessageHeader (tunnelMsg, eI2NPTunnelData);
+			m_Tunnel->EncryptTunnelMsg (tunnelMsg, tunnelMsg); 
+			tunnelMsg->FillI2NPMessageHeader (eI2NPTunnelData); 
 			m_NumSentBytes += TUNNEL_DATA_MSG_SIZE;
 		}	
 		i2p::transport::transports.SendMessages (m_Tunnel->GetNextIdentHash (), tunnelMsgs);

TunnelGateway.h

@@ -3,6 +3,7 @@
 
 #include <inttypes.h>
 #include <vector>
+#include <memory>
 #include "I2NPProtocol.h"
 #include "TunnelBase.h"
 
@@ -13,11 +14,10 @@ namespace tunnel
 	class TunnelGatewayBuffer
 	{
 		public:
-			TunnelGatewayBuffer (uint32_t tunnelID): m_TunnelID (tunnelID), 
-				m_CurrentTunnelDataMsg (nullptr), m_RemainingSize (0) {};
+			TunnelGatewayBuffer (uint32_t tunnelID);
 			~TunnelGatewayBuffer ();
 			void PutI2NPMsg (const TunnelMessageBlock& block);	
-			const std::vector<I2NPMessage *>& GetTunnelDataMsgs () const { return m_TunnelDataMsgs; };
+			const std::vector<std::shared_ptr<I2NPMessage> >& GetTunnelDataMsgs () const { return m_TunnelDataMsgs; };
 			void ClearTunnelDataMsgs ();
 			void CompleteCurrentTunnelDataMessage ();
 
@@ -28,16 +28,17 @@ namespace tunnel
 		private:
 
 			uint32_t m_TunnelID;
-			std::vector<I2NPMessage *> m_TunnelDataMsgs;
-			I2NPMessage * m_CurrentTunnelDataMsg;
+			std::vector<std::shared_ptr<I2NPMessage> > m_TunnelDataMsgs;
+			std::shared_ptr<I2NPMessage> m_CurrentTunnelDataMsg;
 			size_t m_RemainingSize;
+			uint8_t m_NonZeroRandomBuffer[TUNNEL_DATA_MAX_PAYLOAD_SIZE];
 	};	
 
 	class TunnelGateway
 	{
 		public:
 
-			TunnelGateway (TunnelBase * tunnel): 
+			TunnelGateway (TunnelBase * tunnel):
 				m_Tunnel (tunnel), m_Buffer (tunnel->GetNextTunnelID ()), m_NumSentBytes (0) {};
 			void SendTunnelDataMsg (const TunnelMessageBlock& block);	
 			void PutTunnelDataMsg (const TunnelMessageBlock& block);

TunnelPool.cpp

@@ -1,18 +1,22 @@
+#include <algorithm>
+#include <openssl/rand.h>
 #include "I2PEndian.h"
-#include "CryptoConst.h"
+#include "Crypto.h"
 #include "Tunnel.h"
 #include "NetDb.h"
 #include "Timestamp.h"
 #include "Garlic.h"
+#include "Transports.h"
+#include "Log.h"
 #include "TunnelPool.h"
 
 namespace i2p
 {
 namespace tunnel
 {
-	TunnelPool::TunnelPool (i2p::garlic::GarlicDestination * localDestination, int numInboundHops, int numOutboundHops, int numTunnels):
-		m_LocalDestination (localDestination), m_NumInboundHops (numInboundHops), m_NumOutboundHops (numOutboundHops),
-		m_NumTunnels (numTunnels), m_IsActive (true)
+	TunnelPool::TunnelPool (int numInboundHops, int numOutboundHops, int numInboundTunnels, int numOutboundTunnels):
+		m_NumInboundHops (numInboundHops), m_NumOutboundHops (numOutboundHops),
+		m_NumInboundTunnels (numInboundTunnels), m_NumOutboundTunnels (numOutboundTunnels), m_IsActive (true)
 	{
 	}
 
@@ -21,6 +25,27 @@ namespace tunnel
 		DetachTunnels ();
 	}
 
+	void TunnelPool::SetExplicitPeers (std::shared_ptr<std::vector<i2p::data::IdentHash> > explicitPeers)
+	{
+		m_ExplicitPeers = explicitPeers;
+		if (m_ExplicitPeers)
+		{
+			int size = m_ExplicitPeers->size ();
+			if (m_NumInboundHops > size) 
+			{
+				m_NumInboundHops = size;
+				LogPrint (eLogInfo, "Tunnels: Inbound tunnel length has beed adjusted to ", size, " for explicit peers");
+			} 
+			if (m_NumOutboundHops > size) 
+			{
+				m_NumOutboundHops = size;
+				LogPrint (eLogInfo, "Tunnels: Outbound tunnel length has beed adjusted to ", size, " for explicit peers");
+			} 
+			m_NumInboundTunnels = 1;
+			m_NumOutboundTunnels = 1;
+		}	
+	}
+
 	void TunnelPool::DetachTunnels ()
 	{
 		{
@@ -56,7 +81,6 @@ namespace tunnel
 			expiredTunnel->SetTunnelPool (nullptr);
 			for (auto it: m_Tests)
 				if (it.second.second == expiredTunnel) it.second.second = nullptr;
-			RecreateInboundTunnel (expiredTunnel);	
 
 			std::unique_lock<std::mutex> l(m_InboundTunnelsMutex);
 			m_InboundTunnels.erase (expiredTunnel);
@@ -66,8 +90,11 @@ namespace tunnel
 	void TunnelPool::TunnelCreated (std::shared_ptr<OutboundTunnel> createdTunnel)
 	{
 		if (!m_IsActive) return;
-		std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);
-		m_OutboundTunnels.insert (createdTunnel);
+		{
+			std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);
+			m_OutboundTunnels.insert (createdTunnel);
+		}
+		//CreatePairedInboundTunnel (createdTunnel);
 	}
 
 	void TunnelPool::TunnelExpired (std::shared_ptr<OutboundTunnel> expiredTunnel)
@@ -77,7 +104,6 @@ namespace tunnel
 			expiredTunnel->SetTunnelPool (nullptr);
 			for (auto it: m_Tests)
 				if (it.second.first == expiredTunnel) it.second.first = nullptr;
-			RecreateOutboundTunnel (expiredTunnel);
 
 			std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);
 			m_OutboundTunnels.erase (expiredTunnel);
@@ -117,8 +143,7 @@ namespace tunnel
 	typename TTunnels::value_type TunnelPool::GetNextTunnel (TTunnels& tunnels, typename TTunnels::value_type excluded) const
 	{
 		if (tunnels.empty ()) return nullptr;		
-		CryptoPP::RandomNumberGenerator& rnd = i2p::context.GetRandomNumberGenerator ();
-		uint32_t ind = rnd.GenerateWord32 (0, tunnels.size ()/2), i = 0;
+		uint32_t ind = rand () % (tunnels.size ()/2 + 1), i = 0;
 		typename TTunnels::value_type tunnel = nullptr;
 		for (auto it: tunnels)
 		{	
@@ -133,6 +158,26 @@ namespace tunnel
 		return tunnel;
 	}
 
+	std::shared_ptr<OutboundTunnel> TunnelPool::GetNewOutboundTunnel (std::shared_ptr<OutboundTunnel> old) const
+	{
+		if (old && old->IsEstablished ()) return old;
+		std::shared_ptr<OutboundTunnel> tunnel;	
+		if (old)
+		{
+			std::unique_lock<std::mutex> l(m_OutboundTunnelsMutex);	
+			for (auto it: m_OutboundTunnels)
+				if (it->IsEstablished () && old->GetEndpointIdentHash () == it->GetEndpointIdentHash ())
+				{
+					tunnel = it;
+					break;
+				}
+		}
+	
+		if (!tunnel)
+			tunnel = GetNextOutboundTunnel ();		
+		return tunnel;
+	}
+
 	void TunnelPool::CreateTunnels ()
 	{
 		int num = 0;
@@ -141,7 +186,7 @@ namespace tunnel
 			for (auto it : m_InboundTunnels)
 				if (it->IsEstablished ()) num++;
 		}
-		for (int i = num; i < m_NumTunnels; i++)
+		for (int i = num; i < m_NumInboundTunnels; i++)
 			CreateInboundTunnel ();	
 		
 		num = 0;
@@ -150,16 +195,22 @@ namespace tunnel
 			for (auto it : m_OutboundTunnels)
 				if (it->IsEstablished ()) num++;
 		}
-		for (int i = num; i < m_NumTunnels; i++)
+		for (int i = num; i < m_NumOutboundTunnels; i++)
 			CreateOutboundTunnel ();	
 	}
 
 	void TunnelPool::TestTunnels ()
 	{
-		auto& rnd = i2p::context.GetRandomNumberGenerator ();
-		for (auto it: m_Tests)
+		decltype(m_Tests) tests;
 		{
-			LogPrint ("Tunnel test ", (int)it.first, " failed"); 
+			std::unique_lock<std::mutex> l(m_TestsMutex);
+			tests = m_Tests;
+			m_Tests.clear ();
+		}
+
+		for (auto it: tests)
+		{
+			LogPrint (eLogWarning, "Tunnels: test of tunnel ", it.first, " failed");
 			// if test failed again with another tunnel we consider it failed
 			if (it.second.first)
 			{	
@@ -188,7 +239,7 @@ namespace tunnel
 					it.second.second->SetState (eTunnelStateTestFailed);
 			}	
 		}
-		m_Tests.clear ();
+	
 		// new tests	
 		auto it1 = m_OutboundTunnels.begin ();
 		auto it2 = m_InboundTunnels.begin ();
@@ -207,8 +258,12 @@ namespace tunnel
 			}
 			if (!failed)
 			{
- 				uint32_t msgID = rnd.GenerateWord32 ();
- 				m_Tests[msgID] = std::make_pair (*it1, *it2);
+ 				uint32_t msgID;
+				RAND_bytes ((uint8_t *)&msgID, 4);
+				{
+					std::unique_lock<std::mutex> l(m_TestsMutex);
+ 					m_Tests[msgID] = std::make_pair (*it1, *it2);
+				}
  				(*it1)->SendTunnelDataMsg ((*it2)->GetNextIdentHash (), (*it2)->GetNextTunnelID (),
 					CreateDeliveryStatusMsg (msgID));
 				it1++; it2++;
@@ -216,93 +271,131 @@ namespace tunnel
 		}
 	}
 
-	void TunnelPool::ProcessGarlicMessage (I2NPMessage * msg)
+	void TunnelPool::ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg)
 	{
 		if (m_LocalDestination)
 			m_LocalDestination->ProcessGarlicMessage (msg);
 		else
-		{
-			LogPrint (eLogWarning, "Local destination doesn't exist. Dropped");
-			DeleteI2NPMessage (msg);
-		}	
+			LogPrint (eLogWarning, "Tunnels: local destination doesn't exist, dropped");
 	}	
 		
-	void TunnelPool::ProcessDeliveryStatus (I2NPMessage * msg)
+	void TunnelPool::ProcessDeliveryStatus (std::shared_ptr<I2NPMessage> msg)
 	{
 		const uint8_t * buf = msg->GetPayload ();
 		uint32_t msgID = bufbe32toh (buf);
 		buf += 4;	
 		uint64_t timestamp = bufbe64toh (buf);
 
-		auto it = m_Tests.find (msgID);
-		if (it != m_Tests.end ())
+		decltype(m_Tests)::mapped_type test;
+		bool found = false;	
+		{
+			std::unique_lock<std::mutex> l(m_TestsMutex);
+			auto it = m_Tests.find (msgID);
+			if (it != m_Tests.end ())
+			{
+				found = true;
+				test = it->second; 
+				m_Tests.erase (it);
+			}
+		}
+		if (found)
 		{
 			// restore from test failed state if any
-			if (it->second.first->GetState () == eTunnelStateTestFailed)
-				it->second.first->SetState (eTunnelStateEstablished);
-			if (it->second.second->GetState () == eTunnelStateTestFailed)
-				it->second.second->SetState (eTunnelStateEstablished);
-			LogPrint ("Tunnel test ", it->first, " successive. ", i2p::util::GetMillisecondsSinceEpoch () - timestamp, " milliseconds");
-			m_Tests.erase (it);
-			DeleteI2NPMessage (msg);
+			if (test.first->GetState () == eTunnelStateTestFailed)
+				test.first->SetState (eTunnelStateEstablished);
+			if (test.second->GetState () == eTunnelStateTestFailed)
+				test.second->SetState (eTunnelStateEstablished);
+			LogPrint (eLogDebug, "Tunnels: test of ", msgID, " successful. ", i2p::util::GetMillisecondsSinceEpoch () - timestamp, " milliseconds");
 		}
 		else
 		{
 			if (m_LocalDestination)
 				m_LocalDestination->ProcessDeliveryStatusMessage (msg);
 			else
-			{	
-				LogPrint (eLogWarning, "Local destination doesn't exist. Dropped");
-				DeleteI2NPMessage (msg);
-			}	
+				LogPrint (eLogWarning, "Tunnels: Local destination doesn't exist, dropped");
 		}	
 	}
 
 	std::shared_ptr<const i2p::data::RouterInfo> TunnelPool::SelectNextHop (std::shared_ptr<const i2p::data::RouterInfo> prevHop) const
 	{
-		bool isExploratory = (m_LocalDestination == &i2p::context); // TODO: implement it better
+		bool isExploratory = (i2p::tunnel::tunnels.GetExploratoryPool () == shared_from_this ());
 		auto hop = isExploratory ? i2p::data::netdb.GetRandomRouter (prevHop): 
 			i2p::data::netdb.GetHighBandwidthRandomRouter (prevHop);
-		if (!isExploratory && hop && hop->GetProfile ()->IsBad ())
-		{
-			LogPrint (eLogInfo, "Selected peer for tunnel has bad profile. Selecting another"); 
-			hop = i2p::data::netdb.GetHighBandwidthRandomRouter (prevHop);
-		}	
-			
-		if (!hop)
+
+		if (!hop || hop->GetProfile ()->IsBad ())
 			hop = i2p::data::netdb.GetRandomRouter ();
 		return hop;	
 	}	
+
+	bool TunnelPool::SelectPeers (std::vector<std::shared_ptr<const i2p::data::IdentityEx> >& peers, bool isInbound)
+	{
+		if (m_ExplicitPeers) return SelectExplicitPeers (peers, isInbound);
+		auto prevHop = i2p::context.GetSharedRouterInfo ();	
+		int numHops = isInbound ? m_NumInboundHops : m_NumOutboundHops;
+		if (i2p::transport::transports.GetNumPeers () > 25)
+		{
+			auto r = i2p::transport::transports.GetRandomPeer ();
+			if (r && !r->GetProfile ()->IsBad ())
+			{
+				prevHop = r;
+				peers.push_back (r->GetRouterIdentity ());
+				numHops--;
+			}
+		}
 		
+		for (int i = 0; i < numHops; i++)
+		{
+			auto hop = SelectNextHop (prevHop);
+			if (!hop)
+			{
+				LogPrint (eLogError, "Tunnels: Can't select next hop for ", prevHop->GetIdentHashBase64 ());
+				return false;
+			}	
+			prevHop = hop;
+			peers.push_back (hop->GetRouterIdentity ());
+		}		
+		return true;
+	}	
+	
+	bool TunnelPool::SelectExplicitPeers (std::vector<std::shared_ptr<const i2p::data::IdentityEx> >& peers, bool isInbound)
+	{
+		int size = m_ExplicitPeers->size ();
+		std::vector<int> peerIndicies;
+		for (int i = 0; i < size; i++) peerIndicies.push_back(i);
+		std::random_shuffle (peerIndicies.begin(), peerIndicies.end());
+	
+		int numHops = isInbound ? m_NumInboundHops : m_NumOutboundHops;		
+		for (int i = 0; i < numHops; i++) 
+		{
+			auto& ident = (*m_ExplicitPeers)[peerIndicies[i]];
+			auto r = i2p::data::netdb.FindRouter (ident);
+			if (r)
+				peers.push_back (r->GetRouterIdentity ());
+			else
+			{
+				LogPrint (eLogInfo, "Tunnels: Can't find router for ", ident.ToBase64 ());
+				i2p::data::netdb.RequestDestination (ident);
+				return false;
+			}
+		}
+		return true;
+	}
+	
 	void TunnelPool::CreateInboundTunnel ()
 	{
 		auto outboundTunnel = GetNextOutboundTunnel ();
 		if (!outboundTunnel)
 			outboundTunnel = tunnels.GetNextOutboundTunnel ();
-		LogPrint ("Creating destination inbound tunnel...");
-		auto prevHop = i2p::context.GetSharedRouterInfo ();	
-		std::vector<std::shared_ptr<const i2p::data::RouterInfo> > hops;
-		int numHops = m_NumInboundHops;
-		if (outboundTunnel)
-		{	
-			// last hop
-			auto hop = outboundTunnel->GetTunnelConfig ()->GetFirstHop ()->router;
-			if (hop->GetIdentHash () != i2p::context.GetIdentHash ()) // outbound shouldn't be zero-hop tunnel
-			{	
-				prevHop = hop;
-				hops.push_back (prevHop);
-				numHops--;
-			}
-		}
-		for (int i = 0; i < numHops; i++)
+		LogPrint (eLogDebug, "Tunnels: Creating destination inbound tunnel...");
+		std::vector<std::shared_ptr<const i2p::data::IdentityEx> > peers;
+		if (SelectPeers (peers, true))
 		{
-			auto hop = SelectNextHop (prevHop);
-			prevHop = hop;
-			hops.push_back (hop);
-		}		
-		std::reverse (hops.begin (), hops.end ());	
-		auto tunnel = tunnels.CreateTunnel<InboundTunnel> (new TunnelConfig (hops), outboundTunnel);
-		tunnel->SetTunnelPool (shared_from_this ());
+			std::reverse (peers.begin (), peers.end ());	
+			auto tunnel = tunnels.CreateTunnel<InboundTunnel> (std::make_shared<TunnelConfig> (peers), outboundTunnel);
+			tunnel->SetTunnelPool (shared_from_this ());
+		}	
+		else
+			LogPrint (eLogError, "Tunnels: Can't create inbound tunnel, no peers available");
 	}
 
 	void TunnelPool::RecreateInboundTunnel (std::shared_ptr<InboundTunnel> tunnel)
@@ -310,8 +403,8 @@ namespace tunnel
 		auto outboundTunnel = GetNextOutboundTunnel ();
 		if (!outboundTunnel)
 			outboundTunnel = tunnels.GetNextOutboundTunnel ();
-		LogPrint ("Re-creating destination inbound tunnel...");
-		auto newTunnel = tunnels.CreateTunnel<InboundTunnel> (tunnel->GetTunnelConfig ()->Clone (), outboundTunnel);
+		LogPrint (eLogDebug, "Tunnels: Re-creating destination inbound tunnel...");
+		auto newTunnel = tunnels.CreateTunnel<InboundTunnel> (std::make_shared<TunnelConfig>(tunnel->GetPeers ()), outboundTunnel);
 		newTunnel->SetTunnelPool (shared_from_this());
 	}	
 		
@@ -322,23 +415,19 @@ namespace tunnel
 			inboundTunnel = tunnels.GetNextInboundTunnel ();
 		if (inboundTunnel)
 		{	
-			LogPrint ("Creating destination outbound tunnel...");
-
-			auto prevHop = i2p::context.GetSharedRouterInfo ();
-			std::vector<std::shared_ptr<const i2p::data::RouterInfo> > hops;
-			for (int i = 0; i < m_NumOutboundHops; i++)
-			{
-				auto hop = SelectNextHop (prevHop);
-				prevHop = hop;
-				hops.push_back (hop);
+			LogPrint (eLogDebug, "Tunnels: Creating destination outbound tunnel...");
+			std::vector<std::shared_ptr<const i2p::data::IdentityEx> > peers;
+			if (SelectPeers (peers, false))
+			{	
+				auto tunnel = tunnels.CreateTunnel<OutboundTunnel> (
+					std::make_shared<TunnelConfig> (peers, inboundTunnel->GetNextTunnelID (), inboundTunnel->GetNextIdentHash ()));
+				tunnel->SetTunnelPool (shared_from_this ());
 			}	
-				
-			auto tunnel = tunnels.CreateTunnel<OutboundTunnel> (
-				new TunnelConfig (hops, inboundTunnel->GetTunnelConfig ()));
-			tunnel->SetTunnelPool (shared_from_this ());
+			else
+				LogPrint (eLogError, "Tunnels: Can't create outbound tunnel, no peers available");
 		}	
 		else
-			LogPrint ("Can't create outbound tunnel. No inbound tunnels found");
+			LogPrint (eLogError, "Tunnels: Can't create outbound tunnel, no inbound tunnels found");
 	}	
 		
 	void TunnelPool::RecreateOutboundTunnel (std::shared_ptr<OutboundTunnel> tunnel)
@@ -348,13 +437,21 @@ namespace tunnel
 			inboundTunnel = tunnels.GetNextInboundTunnel ();
 		if (inboundTunnel)
 		{	
-			LogPrint ("Re-creating destination outbound tunnel...");
+			LogPrint (eLogDebug, "Tunnels: Re-creating destination outbound tunnel...");
 			auto newTunnel = tunnels.CreateTunnel<OutboundTunnel> (
-				tunnel->GetTunnelConfig ()->Clone (inboundTunnel->GetTunnelConfig ()));
+				std::make_shared<TunnelConfig> (tunnel->GetPeers (),
+					inboundTunnel->GetNextTunnelID (), inboundTunnel->GetNextIdentHash ()));
 			newTunnel->SetTunnelPool (shared_from_this ());
 		}	
 		else
-			LogPrint ("Can't re-create outbound tunnel. No inbound tunnels found");
-	}			
+			LogPrint (eLogDebug, "Tunnels: Can't re-create outbound tunnel, no inbound tunnels found");
+	}		
+
+	void TunnelPool::CreatePairedInboundTunnel (std::shared_ptr<OutboundTunnel> outboundTunnel)
+	{
+		LogPrint (eLogDebug, "Tunnels: Creating paired inbound tunnel...");
+		auto tunnel = tunnels.CreateTunnel<InboundTunnel> (std::make_shared<TunnelConfig>(outboundTunnel->GetInvertedPeers ()), outboundTunnel);
+		tunnel->SetTunnelPool (shared_from_this ());
+	}	
 }
 }

TunnelPool.h

@@ -27,47 +27,57 @@ namespace tunnel
 	{
 		public:
 
-			TunnelPool (i2p::garlic::GarlicDestination * localDestination, int numInboundHops, int numOutboundHops, int numTunnels = 5);
+			TunnelPool (int numInboundHops, int numOutboundHops, int numInboundTunnels, int numOutboundTunnels);
 			~TunnelPool ();
 		
-			i2p::garlic::GarlicDestination * GetLocalDestination () const { return m_LocalDestination; };
-			void SetLocalDestination (i2p::garlic::GarlicDestination * destination) { m_LocalDestination = destination; };
+			std::shared_ptr<i2p::garlic::GarlicDestination> GetLocalDestination () const { return m_LocalDestination; };
+			void SetLocalDestination (std::shared_ptr<i2p::garlic::GarlicDestination> destination) { m_LocalDestination = destination; };
+			void SetExplicitPeers (std::shared_ptr<std::vector<i2p::data::IdentHash> > explicitPeers);
 
 			void CreateTunnels ();
 			void TunnelCreated (std::shared_ptr<InboundTunnel> createdTunnel);
 			void TunnelExpired (std::shared_ptr<InboundTunnel> expiredTunnel);
 			void TunnelCreated (std::shared_ptr<OutboundTunnel> createdTunnel);
 			void TunnelExpired (std::shared_ptr<OutboundTunnel> expiredTunnel);
+			void RecreateInboundTunnel (std::shared_ptr<InboundTunnel> tunnel);
+			void RecreateOutboundTunnel (std::shared_ptr<OutboundTunnel> tunnel);
 			std::vector<std::shared_ptr<InboundTunnel> > GetInboundTunnels (int num) const;
 			std::shared_ptr<OutboundTunnel> GetNextOutboundTunnel (std::shared_ptr<OutboundTunnel> excluded = nullptr) const;
 			std::shared_ptr<InboundTunnel> GetNextInboundTunnel (std::shared_ptr<InboundTunnel> excluded = nullptr) const;		
+			std::shared_ptr<OutboundTunnel> GetNewOutboundTunnel (std::shared_ptr<OutboundTunnel> old) const;
 
 			void TestTunnels ();
-			void ProcessGarlicMessage (I2NPMessage * msg);
-			void ProcessDeliveryStatus (I2NPMessage * msg);
+			void ProcessGarlicMessage (std::shared_ptr<I2NPMessage> msg);
+			void ProcessDeliveryStatus (std::shared_ptr<I2NPMessage> msg);
 
 			bool IsActive () const { return m_IsActive; };
 			void SetActive (bool isActive) { m_IsActive = isActive; };
 			void DetachTunnels ();
+
+			int GetNumInboundTunnels () const { return m_NumInboundTunnels; };
+			int GetNumOutboundTunnels () const { return m_NumOutboundTunnels; };
 			
 		private:
 
 			void CreateInboundTunnel ();	
 			void CreateOutboundTunnel ();
-			void RecreateInboundTunnel (std::shared_ptr<InboundTunnel> tunnel);
-			void RecreateOutboundTunnel (std::shared_ptr<OutboundTunnel> tunnel);
+			void CreatePairedInboundTunnel (std::shared_ptr<OutboundTunnel> outboundTunnel);
 			template<class TTunnels>
 			typename TTunnels::value_type GetNextTunnel (TTunnels& tunnels, typename TTunnels::value_type excluded) const;
 			std::shared_ptr<const i2p::data::RouterInfo> SelectNextHop (std::shared_ptr<const i2p::data::RouterInfo> prevHop) const;
-			
+			bool SelectPeers (std::vector<std::shared_ptr<const i2p::data::IdentityEx> >& hops, bool isInbound);
+			bool SelectExplicitPeers (std::vector<std::shared_ptr<const i2p::data::IdentityEx> >& hops, bool isInbound);			
+
 		private:
 
-			i2p::garlic::GarlicDestination * m_LocalDestination;
-			int m_NumInboundHops, m_NumOutboundHops, m_NumTunnels;
+			std::shared_ptr<i2p::garlic::GarlicDestination> m_LocalDestination;
+			int m_NumInboundHops, m_NumOutboundHops, m_NumInboundTunnels, m_NumOutboundTunnels;
+			std::shared_ptr<std::vector<i2p::data::IdentHash> > m_ExplicitPeers;	
 			mutable std::mutex m_InboundTunnelsMutex;
 			std::set<std::shared_ptr<InboundTunnel>, TunnelCreationTimeCmp> m_InboundTunnels; // recent tunnel appears first
 			mutable std::mutex m_OutboundTunnelsMutex;
 			std::set<std::shared_ptr<OutboundTunnel>, TunnelCreationTimeCmp> m_OutboundTunnels;
+			mutable std::mutex m_TestsMutex;
 			std::map<uint32_t, std::pair<std::shared_ptr<OutboundTunnel>, std::shared_ptr<InboundTunnel> > > m_Tests;
 			bool m_IsActive;
 

UPnP.cpp

@@ -2,47 +2,53 @@
 #include <string>
 #include <thread>
 
-#ifdef _WIN32
-#include <windows.h>
-#endif
-
 #include <boost/thread/thread.hpp>
 #include <boost/asio.hpp>
 #include <boost/bind.hpp>
 
+#ifdef _WIN32
+#include <windows.h>
+#define dlsym GetProcAddress
+#else
+#include <dlfcn.h>
+#endif
+
 #include "Log.h"
+
 #include "RouterContext.h"
 #include "UPnP.h"
 #include "NetDb.h"
 #include "util.h"
+#include "RouterInfo.h"
 
 #include <miniupnpc/miniupnpc.h>
 #include <miniupnpc/upnpcommands.h>
-#include <dlfcn.h>
 
-#ifndef UPNPDISCOVER_SUCCESS
-/* miniupnpc 1.5 */
-typedef UPNPDev* (*upnp_upnpDiscoverFunc) (int, const char *, const char *, int);
-typedef int (*upnp_UPNP_AddPortMappingFunc) (const char *, const char *, const char *, const char *, 
-                                             const char *, const char *, const char *, const char *);
-#else
-/* miniupnpc 1.6 */
-typedef UPNPDev* (*upnp_upnpDiscoverFunc) (int, const char *, const char *, int, int, int *);
-typedef int (*upnp_UPNP_AddPortMappingFunc) (const char *, const char *, const char *, const char *, 
-                                             const char *, const char *, const char *, const char *, const char *);
-#endif
-typedef int (*upnp_UPNP_GetValidIGDFunc) (struct UPNPDev *, struct UPNPUrls *, struct IGDdatas *, char *, int);
-typedef int (*upnp_UPNP_GetExternalIPAddressFunc) (const char *, const char *, char *);
-typedef int (*upnp_UPNP_DeletePortMappingFunc) (const char *, const char *, const char *, const char *, const char *);
-typedef void (*upnp_freeUPNPDevlistFunc) (struct UPNPDev *);
-typedef void (*upnp_FreeUPNPUrlsFunc) (struct UPNPUrls *);
+// These are per-process and are safe to reuse for all threads
+decltype(upnpDiscover) *upnpDiscoverFunc;
+decltype(UPNP_AddPortMapping) *UPNP_AddPortMappingFunc;
+decltype(UPNP_GetValidIGD) *UPNP_GetValidIGDFunc;
+decltype(UPNP_GetExternalIPAddress) *UPNP_GetExternalIPAddressFunc;
+decltype(UPNP_DeletePortMapping) *UPNP_DeletePortMappingFunc;
+decltype(freeUPNPDevlist) *freeUPNPDevlistFunc;
+decltype(FreeUPNPUrls) *FreeUPNPUrlsFunc;
+
+// Nice approach http://stackoverflow.com/a/21517513/673826
+template<class M, typename F>
+F GetKnownProcAddressImpl(M hmod, const char *name, F) {
+    auto proc = reinterpret_cast<F>(dlsym(hmod, name));
+    if (!proc) {
+        LogPrint(eLogError, "UPnP: Error resolving ", name, " from library, version mismatch?");
+    }
+    return proc;
+}
+#define GetKnownProcAddress(hmod, func) GetKnownProcAddressImpl(hmod, #func, func##Func);
+
 
 namespace i2p
 {
-namespace UPnP
+namespace transport
 {
-    UPnP upnpc;
-
     UPnP::UPnP () : m_Thread (nullptr) , m_IsModuleLoaded (false)
     {
     }
@@ -59,6 +65,33 @@ namespace UPnP
 
     void UPnP::Start()
     {
+        if (!m_IsModuleLoaded) {
+#ifdef MAC_OSX
+            m_Module = dlopen ("libminiupnpc.dylib", RTLD_LAZY);
+#elif _WIN32
+            m_Module = LoadLibrary ("miniupnpc.dll"); // official prebuilt binary, e.g., in upnpc-exe-win32-20140422.zip
+#else
+            m_Module = dlopen ("libminiupnpc.so", RTLD_LAZY);
+#endif
+            if (m_Module == NULL)
+            {
+                LogPrint (eLogError, "UPnP: Error loading UPNP library, version mismatch?");
+                return;
+            }
+            else
+            {
+                upnpDiscoverFunc = GetKnownProcAddress (m_Module, upnpDiscover);
+                UPNP_GetValidIGDFunc = GetKnownProcAddress (m_Module, UPNP_GetValidIGD);
+                UPNP_GetExternalIPAddressFunc = GetKnownProcAddress (m_Module, UPNP_GetExternalIPAddress);
+                UPNP_AddPortMappingFunc = GetKnownProcAddress (m_Module, UPNP_AddPortMapping);
+                UPNP_DeletePortMappingFunc = GetKnownProcAddress (m_Module, UPNP_DeletePortMapping);
+                freeUPNPDevlistFunc = GetKnownProcAddress (m_Module, freeUPNPDevlist);
+                FreeUPNPUrlsFunc = GetKnownProcAddress (m_Module, FreeUPNPUrls);
+                if (upnpDiscoverFunc && UPNP_GetValidIGDFunc && UPNP_GetExternalIPAddressFunc && UPNP_AddPortMappingFunc &&
+                    UPNP_DeletePortMappingFunc && freeUPNPDevlistFunc && FreeUPNPUrlsFunc)
+                    m_IsModuleLoaded = true;
+            }
+        }
         m_Thread = new std::thread (std::bind (&UPnP::Run, this));
     }
     
@@ -68,46 +101,19 @@ namespace UPnP
 
     void UPnP::Run ()
     {
-#ifdef MAC_OSX
-        m_Module = dlopen ("libminiupnpc.dylib", RTLD_LAZY);
-#elif _WIN32
-        m_Module = LoadLibrary ("libminiupnpc.dll");
-        if (m_Module == NULL)
+        const std::vector<std::shared_ptr<i2p::data::RouterInfo::Address> > a = context.GetRouterInfo().GetAddresses();
+        for (auto address : a)
         {
-            LogPrint ("Error loading UPNP library. This often happens if there is version mismatch!");
-            return;
-        }
-        else
-        {
-            m_IsModuleLoaded = true;
-        }
-#else
-        m_Module = dlopen ("libminiupnpc.so", RTLD_LAZY);
-#endif
-#ifndef _WIN32
-        if (!m_Module)
-        {
-            LogPrint ("no UPnP module available (", dlerror (), ")");
-            return;
-        }
-        else
-        {
-            m_IsModuleLoaded = true;
-        }
-#endif
-        for (auto& address : context.GetRouterInfo ().GetAddresses ())
-        {
-            if (!address.host.is_v6 ())
+            if (!address->host.is_v6 ())
             {
-                m_Port = std::to_string (util::config::GetArg ("-port", address.port));
                 Discover ();
-                if (address.transportStyle == data::RouterInfo::eTransportSSU )
+                if (address->transportStyle == data::RouterInfo::eTransportSSU )
                 {
-                    TryPortMapping (I2P_UPNP_UDP);
+                    TryPortMapping (I2P_UPNP_UDP, address->port);
                 }
-                else if (address.transportStyle == data::RouterInfo::eTransportNTCP )
+                else if (address->transportStyle == data::RouterInfo::eTransportNTCP )
                 {
-                    TryPortMapping (I2P_UPNP_TCP);
+                    TryPortMapping (I2P_UPNP_TCP, address->port);
                 }
             }
         }
@@ -115,63 +121,43 @@ namespace UPnP
         
     void UPnP::Discover ()
     {
-        const char *error;
-#ifdef _WIN32
-        upnp_upnpDiscoverFunc upnpDiscoverFunc = (upnp_upnpDiscoverFunc) GetProcAddress (m_Module, "upnpDiscover");
-#else
-        upnp_upnpDiscoverFunc upnpDiscoverFunc = (upnp_upnpDiscoverFunc) dlsym (m_Module, "upnpDiscover");
-        // reinterpret_cast<upnp_upnpDiscoverFunc> (dlsym(...));
-        if ( (error = dlerror ()))
-        {
-            LogPrint ("Error loading UPNP library. This often happens if there is version mismatch!");
-            return;
-        }
-#endif // _WIN32
-#ifndef UPNPDISCOVER_SUCCESS
-        /* miniupnpc 1.5 */
-        m_Devlist = upnpDiscoverFunc (2000, m_MulticastIf, m_Minissdpdpath, 0);
-#else
-        /* miniupnpc 1.6 */
         int nerror = 0;
+#if MINIUPNPC_API_VERSION >= 14
+        m_Devlist = upnpDiscoverFunc (2000, m_MulticastIf, m_Minissdpdpath, 0, 0, 2, &nerror);
+#else
         m_Devlist = upnpDiscoverFunc (2000, m_MulticastIf, m_Minissdpdpath, 0, 0, &nerror);
 #endif
 
         int r;
-#ifdef _WIN32
-        upnp_UPNP_GetValidIGDFunc UPNP_GetValidIGDFunc = (upnp_UPNP_GetValidIGDFunc) GetProcAddress (m_Module, "UPNP_GetValidIGD");
-#else
-        upnp_UPNP_GetValidIGDFunc UPNP_GetValidIGDFunc = (upnp_UPNP_GetValidIGDFunc) dlsym (m_Module, "UPNP_GetValidIGD");
-#endif
-        r = (*UPNP_GetValidIGDFunc) (m_Devlist, &m_upnpUrls, &m_upnpData, m_NetworkAddr, sizeof (m_NetworkAddr));
+        r = UPNP_GetValidIGDFunc (m_Devlist, &m_upnpUrls, &m_upnpData, m_NetworkAddr, sizeof (m_NetworkAddr));
         if (r == 1)
         {
-            upnp_UPNP_GetExternalIPAddressFunc UPNP_GetExternalIPAddressFunc = (upnp_UPNP_GetExternalIPAddressFunc) dlsym (m_Module, "UPNP_GetExternalIPAddress");
             r = UPNP_GetExternalIPAddressFunc (m_upnpUrls.controlURL, m_upnpData.first.servicetype, m_externalIPAddress);
             if(r != UPNPCOMMAND_SUCCESS)
             {
-                LogPrint ("UPnP: UPNP_GetExternalIPAddress () returned ", r);
+                LogPrint (eLogError, "UPnP: UPNP_GetExternalIPAddress () returned ", r);
                 return;
             }
             else
             {
                 if (m_externalIPAddress[0])
                 {
-                    LogPrint ("UPnP: ExternalIPAddress = ", m_externalIPAddress);
+                    LogPrint (eLogInfo, "UPnP: ExternalIPAddress = ", m_externalIPAddress);
                     i2p::context.UpdateAddress (boost::asio::ip::address::from_string (m_externalIPAddress));
                     return;
                 }
                 else
                 {
-                    LogPrint ("UPnP: GetExternalIPAddress failed.");
+                    LogPrint (eLogError, "UPnP: GetExternalIPAddress failed.");
                     return;
                 }
             }
         }
     }
 
-    void UPnP::TryPortMapping (int type)
+    void UPnP::TryPortMapping (int type, int port)
     {
-        std::string strType;
+        std::string strType, strPort (std::to_string (port));
         switch (type)
         {
             case I2P_UPNP_TCP:
@@ -185,42 +171,33 @@ namespace UPnP
         std::string strDesc = "I2Pd";
         try {
             for (;;) {
-#ifdef _WIN32
-                upnp_UPNP_AddPortMappingFunc UPNP_AddPortMappingFunc = (upnp_UPNP_AddPortMappingFunc) GetProcAddress (m_Module, "UPNP_AddPortMapping");
-#else
-                upnp_UPNP_AddPortMappingFunc UPNP_AddPortMappingFunc = (upnp_UPNP_AddPortMappingFunc) dlsym (m_Module, "UPNP_AddPortMapping");
-#endif
-#ifndef UPNPDISCOVER_SUCCESS
-                /* miniupnpc 1.5 */
-                r = UPNP_AddPortMappingFunc (m_upnpUrls.controlURL, m_upnpData.first.servicetype, m_Port.c_str (), m_Port.c_str (), m_NetworkAddr, strDesc.c_str (), strType.c_str (), 0);
-#else
-                /* miniupnpc 1.6 */
-                r = UPNP_AddPortMappingFunc (m_upnpUrls.controlURL, m_upnpData.first.servicetype, m_Port.c_str (), m_Port.c_str (), m_NetworkAddr, strDesc.c_str (), strType.c_str (), 0, "0");
-#endif
+                r = UPNP_AddPortMappingFunc (m_upnpUrls.controlURL, m_upnpData.first.servicetype, strPort.c_str (), strPort.c_str (), m_NetworkAddr, strDesc.c_str (), strType.c_str (), 0, "0");
                 if (r!=UPNPCOMMAND_SUCCESS)
                 {
-                    LogPrint ("AddPortMapping (", m_Port.c_str () ,", ", m_Port.c_str () ,", ", m_NetworkAddr, ") failed with code ", r);
+                    LogPrint (eLogError, "UPnP: AddPortMapping (", strPort.c_str () ,", ", strPort.c_str () ,", ", m_NetworkAddr, ") failed with code ", r);
                     return;
                 }
                 else
                 {
-                    LogPrint ("UPnP Port Mapping successful. (", m_NetworkAddr ,":", m_Port.c_str(), " type ", strType.c_str () ," -> ", m_externalIPAddress ,":", m_Port.c_str() ,")");
+                    LogPrint (eLogDebug, "UPnP: Port Mapping successful. (", m_NetworkAddr ,":", strPort.c_str(), " type ", strType.c_str () ," -> ", m_externalIPAddress ,":", strPort.c_str() ,")");
                     return;
                 }
-                sleep(20*60);
+                std::this_thread::sleep_for(std::chrono::minutes(20)); // c++11
+                //boost::this_thread::sleep_for(); // pre c++11
+                //sleep(20*60); // non-portable
             }
         }
         catch (boost::thread_interrupted)
         {
-            CloseMapping(type);
+            CloseMapping(type, port);
             Close();
             throw;
         }
     }
 
-    void UPnP::CloseMapping (int type)
+    void UPnP::CloseMapping (int type, int port)
     {
-        std::string strType;
+        std::string strType, strPort (std::to_string (port));
         switch (type)
         {
             case I2P_UPNP_TCP:
@@ -231,29 +208,14 @@ namespace UPnP
                 strType = "UDP";
         }
         int r = 0;
-#ifdef _WIN32
-        upnp_UPNP_DeletePortMappingFunc UPNP_DeletePortMappingFunc = (upnp_UPNP_DeletePortMappingFunc) GetProcAddress (m_Module, "UPNP_DeletePortMapping");
-#else
-        upnp_UPNP_DeletePortMappingFunc UPNP_DeletePortMappingFunc = (upnp_UPNP_DeletePortMappingFunc) dlsym (m_Module, "UPNP_DeletePortMapping");
-#endif
-        r = UPNP_DeletePortMappingFunc (m_upnpUrls.controlURL, m_upnpData.first.servicetype, m_Port.c_str (), strType.c_str (), 0);
-        LogPrint ("UPNP_DeletePortMapping() returned : ", r, "\n");
+        r = UPNP_DeletePortMappingFunc (m_upnpUrls.controlURL, m_upnpData.first.servicetype, strPort.c_str (), strType.c_str (), 0);
+        LogPrint (eLogError, "UPnP: DeletePortMapping() returned : ", r, "\n");
     }
 
     void UPnP::Close ()
     {
-#ifdef _WIN32
-        upnp_freeUPNPDevlistFunc freeUPNPDevlistFunc = (upnp_freeUPNPDevlistFunc) GetProcAddress (m_Module, "freeUPNPDevlist");
-#else
-        upnp_freeUPNPDevlistFunc freeUPNPDevlistFunc = (upnp_freeUPNPDevlistFunc) dlsym (m_Module, "freeUPNPDevlist");
-#endif
         freeUPNPDevlistFunc (m_Devlist);
         m_Devlist = 0;
-#ifdef _WIN32
-        upnp_FreeUPNPUrlsFunc FreeUPNPUrlsFunc = (upnp_FreeUPNPUrlsFunc) GetProcAddress (m_Module, "FreeUPNPUrlsFunc");
-#else
-        upnp_FreeUPNPUrlsFunc FreeUPNPUrlsFunc = (upnp_FreeUPNPUrlsFunc) dlsym (m_Module, "FreeUPNPUrlsFunc");
-#endif
         FreeUPNPUrlsFunc (&m_upnpUrls);
 #ifndef _WIN32
         dlclose (m_Module);

UPnP.h

@@ -19,7 +19,7 @@
 
 namespace i2p
 {
-namespace UPnP
+namespace transport
 {
 	class UPnP
 	{
@@ -33,8 +33,8 @@ namespace UPnP
         void Stop ();
 
 		void Discover ();
-		void TryPortMapping (int type);
-		void CloseMapping (int type);
+		void TryPortMapping (int type, int port);
+		void CloseMapping (int type, int port);
 	private:
 		void Run ();
 
@@ -49,17 +49,14 @@ namespace UPnP
         char m_NetworkAddr[64];
         char m_externalIPAddress[40];
         bool m_IsModuleLoaded;
-        std::string m_Port = std::to_string (util::config::GetArg ("-port", 17070));
 #ifndef _WIN32
         void *m_Module;
 #else
-        HINSTANCE *m_Module;
+        HINSTANCE m_Module;
 #endif
 	};
-	extern UPnP upnpc;
 }
 }
 
-#endif
-
-#endif
+#endif // USE_UPNP
+#endif // __UPNP_H__