Merge pull request #2162 from PurpleI2P/openssl

Recent changes
2025-03-20 16:26:39 +01:00 · 2025-03-17 08:40:59 -04:00 · 2025-03-17 08:40:59 -04:00 · a6cc3cec17
commit a6cc3cec17
parent d610e6c4c1 e0a21cf702
126 changed files with 2858 additions and 1925 deletions
--- a/.github/workflows/build-windows.yml
+++ b/.github/workflows/build-windows.yml
@ -133,6 +133,8 @@ jobs:
        git clone https://github.com/msys2/MINGW-packages
        cd MINGW-packages
        git checkout 4cbb366edf2f268ac3146174b40ce38604646fc5 mingw-w64-boost
        cd mingw-w64-boost
        sed -i 's/boostorg.jfrog.io\/artifactory\/main/archives.boost.io/' PKGBUILD
    # headers
    - name: Get headers package version
@ -230,8 +232,10 @@ jobs:
      run: |
        cd MINGW-packages/mingw-w64-boost
        MINGW_ARCH=mingw32 makepkg-mingw -sCLf --noconfirm --nocheck
    - name: Remove boost packages
      run: pacman --noconfirm -R mingw-w64-i686-boost mingw-w64-i686-boost-libs
    - name: Install boost package
-      run: pacman --noconfirm -U --overwrite MINGW-packages/mingw-w64-boost/mingw-w64-i686-*-any.pkg.tar.zst
+      run: pacman --noconfirm -U MINGW-packages/mingw-w64-boost/mingw-w64-i686-*-any.pkg.tar.zst
    # Building i2pd
    - name: Build application
--- a/64
+++ b/64
@ -1,6 +1,70 @@
 # for this file format description,
 # see https://github.com/olivierlacan/keep-a-changelog
 ## [2.56.0] - 2025-02-11
 ### Added
 - Config params for shared local destination
 - AddressBook full addresses cache
 - Decline transit tunnel to duplicated router
 - Recreate tunnels in random order
 ### Changed
 - Exclude disk operations from SSU2 and NTCP2 threads
 - Set minimal version for peer test to 0.9.62
 - Send ack requested flag after second SSU2 resend attempt
 - Shorter ECIESx25519 ack request interval for datagram and I2CP sessions
 - Don't change datagram routing path too often if unidirectional data stream
 - Reduce LeaseSet and local RouterInfo publishing confirmation intervals
 - Don't delete buffer of connected routers or if an update received
 - Smaller RouterInfo request timeout if sent directly
 - Persist local RouterInfo in separate thread
 - Don't recalculate and process ranges for every SSU2 Ack block
 - Reseeds list
 ### Fixed
 - Termination deadlock if SAM session is active
 - Race condition at tunnel endpoint
 - Inbound tunnel build encryption
 ## [2.55.0] - 2024-12-30
 ### Added
 - Support boost 1.87
 - "i2p.streaming.maxConcurrentStreams" tunnel's param to limit number of simultaneous streams
 - Separate thread for tunnel build requests
 - Show next peer and connectivity on "Transit tunnels" page
 - Tunnel name for local destination thread
 - Throttle incoming ECIESx25519 sessions
 - Send tunnel data to transport session directly if possible
 - Publish 'R' cap for yggdrasil-only routers, and 'U' cap for routers through proxy
 - Random tunnel rejection when medium congestion
 - Save unreachable router's endpoint to use it next time without introducers
 - Recognize symmetric NAT from peer test message 7
 - Resend HolePunch and RelayResponse messages
 ### Changed
 - Removed own implementation of AESNI and always use one from openssl
 - Renamed main thread to i2pd-daemon
 - Set i2p.streaming.profile=2 for shared local destination
 - Reduced LeaseSet and RouterInfo lookup timeouts
 - Cleanup ECIES sessions and tags more often
 - Check LeaseSet expiration time
 - Handle NTCP2 session handshakes in separate thread
 - Limit last decline time by 1.5 hours in router's profile
 - Don't handle RelayRequest and RelayIntro with same nonce twice
 - Increased hole punch expiration interval
 - Send peer test message 6 with delay if message 4 was received before message 5
 - Pre-calculate more x25519 keys for transports in runtime
 - Don't request LeaseSet for incoming stream
 - Terminate incoming stream right away if no remote LeaseSet
 - Handle choked, new RTO and window size calculation and resetting algorithm for streams
 ### Fixed
 - Empty string in addressbook subscriptions
 - ECIESx25519 sessions without destination
 - Missing RouterInfo buffer in NetDb
 - Invalid I2PControl certificate
 - Routers disappear from NetDb when offline
 - Peer test message 6 sent to unknown endpoint
 - Race condition with LeaseSet update
 - Excessive CPU usage by streams
 - Crash on shutdown
 ## [2.54.0] - 2024-10-06
 ### Added
 - Maintain recently connected routers list to avoid false-positive peer test
--- a/4
+++ b/4
@ -29,7 +29,6 @@ DAEMON_SRC_DIR := daemon
 # import source files lists
 include filelist.mk
 USE_AESNI       := $(or $(USE_AESNI),yes)
 USE_STATIC      := $(or $(USE_STATIC),no)
 USE_UPNP        := $(or $(USE_UPNP),no)
 DEBUG           := $(or $(DEBUG),yes)
@ -70,6 +69,9 @@ else ifneq (, $(findstring freebsd, $(SYS))$(findstring openbsd, $(SYS)))
 else ifneq (, $(findstring haiku, $(SYS)))
 	DAEMON_SRC += $(DAEMON_SRC_DIR)/UnixDaemon.cpp
 	include Makefile.haiku
 else ifneq (, $(findstring solaris, $(SYS)))
 	DAEMON_SRC += $(DAEMON_SRC_DIR)/UnixDaemon.cpp
 	include Makefile.solaris
 else # not supported
 	$(error Not supported platform)
 endif
--- a/Makefile.bsd
+++ b/Makefile.bsd
@ -3,7 +3,7 @@ CXXFLAGS ?= ${CXX_DEBUG} -Wall -Wextra -Wno-unused-parameter -pedantic -Wno-misl
 DEFINES = -D_GLIBCXX_USE_NANOSLEEP=1
 INCFLAGS = -I/usr/include/ -I/usr/local/include/
 LDFLAGS = ${LD_DEBUG} -Wl,-rpath,/usr/local/lib -L/usr/local/lib
-LDLIBS = -lcrypto -lssl -lz -lpthread -lboost_system -lboost_program_options
+LDLIBS = -lssl -lcrypto -lz -lpthread -lboost_system -lboost_program_options
 ## NOTE: NEEDED_CXXFLAGS is here so that custom CXXFLAGS can be specified at build time
 ## **without** overwriting the CXXFLAGS which we need in order to build.
--- a/Makefile.haiku
+++ b/Makefile.haiku
@ -2,7 +2,7 @@ CXX = g++
 CXXFLAGS := -Wall -std=c++17
 INCFLAGS = -I/system/develop/headers
 DEFINES = -D_DEFAULT_SOURCE -D_GNU_SOURCE
-LDLIBS = -lbe -lbsd -lnetwork -lz -lcrypto -lssl -lboost_system -lboost_program_options -lpthread
+LDLIBS = -lbe -lbsd -lnetwork -lz -lssl -lcrypto -lboost_system -lboost_program_options -lpthread
 ifeq ($(USE_UPNP),yes)
 	DEFINES += -DUSE_UPNP
--- a/Makefile.homebrew
+++ b/Makefile.homebrew
@ -18,7 +18,7 @@ endif
 	LDLIBS +=  -lpthread -ldl
 else
 	LDFLAGS += -L${SSLROOT}/lib -L${BOOSTROOT}/lib
-	LDLIBS = -lz -lcrypto -lssl -lboost_system -lboost_filesystem -lboost_program_options -lpthread
+	LDLIBS = -lz -lssl -lcrypto -lboost_system -lboost_filesystem -lboost_program_options -lpthread
 ifeq ($(USE_UPNP),yes)
 	LDFLAGS += -L${UPNPROOT}/lib
 	LDLIBS += -lminiupnpc
@ -30,13 +30,6 @@ ifeq ($(USE_UPNP),yes)
 	INCFLAGS += -I${UPNPROOT}/include
 endif
 ifeq ($(USE_AESNI),yes)
 ifneq (, $(findstring i386, $(SYS))$(findstring i686, $(SYS))$(findstring x86_64, $(SYS))) # only x86-based CPU supports that
 	NEEDED_CXXFLAGS += -maes
 	DEFINES += -D__AES__
 endif
 endif
 install: all
 	install -d ${PREFIX}/bin
 	install -m 755 ${I2PD} ${PREFIX}/bin
--- a/Makefile.linux
+++ b/Makefile.linux
@ -40,7 +40,7 @@ ifeq ($(USE_UPNP),yes)
 endif
 	LDLIBS += -lpthread -ldl
 else
-	LDLIBS += -lcrypto -lssl -lz -lboost_program_options -lpthread -latomic
+	LDLIBS += -lssl -lcrypto -lz -lboost_program_options -lpthread -latomic
 ifeq ($(USE_UPNP),yes)
 	LDLIBS += -lminiupnpc
 endif
@ -51,13 +51,6 @@ ifeq ($(USE_UPNP),yes)
 	DEFINES += -DUSE_UPNP
 endif
 ifeq ($(USE_AESNI),yes)
 ifneq (, $(findstring i386, $(SYS))$(findstring i686, $(SYS))$(findstring x86_64, $(SYS))) # only x86-based CPU supports that
 	NEEDED_CXXFLAGS += -maes
 	DEFINES += -D__AES__
 endif
 endif
 install: all
 	install -d ${PREFIX}/bin
 	install -m 755 ${I2PD} ${PREFIX}/bin
--- a/Makefile.mingw
+++ b/Makefile.mingw
@ -42,12 +42,6 @@ ifeq ($(USE_WIN32_APP), yes)
 	DAEMON_OBJS += $(patsubst %.rc,obj/%.o,$(DAEMON_RC))
 endif
 ifeq ($(USE_AESNI),yes)
 	NEEDED_CXXFLAGS += -maes
 	LDFLAGS += -maes
 	DEFINES += -D__AES__
 endif
 ifeq ($(USE_ASLR),yes)
 	LDFLAGS += -Wl,--nxcompat -Wl,--high-entropy-va -Wl,--dynamicbase,--export-all-symbols
 endif
--- a/Makefile.osx
+++ b/Makefile.osx
@ -7,9 +7,9 @@ LDFLAGS += -Wl,-dead_strip
 LDFLAGS += -Wl,-dead_strip_dylibs
 ifeq ($(USE_STATIC),yes)
-	LDLIBS = -lz /usr/local/lib/libcrypto.a /usr/local/lib/libssl.a /usr/local/lib/libboost_system.a /usr/local/lib/libboost_filesystem.a /usr/local/lib/libboost_program_options.a -lpthread
+	LDLIBS = -lz /usr/local/lib/libssl.a /usr/local/lib/libcrypto.a /usr/local/lib/libboost_system.a /usr/local/lib/libboost_filesystem.a /usr/local/lib/libboost_program_options.a -lpthread
 else
-	LDLIBS = -lz -lcrypto -lssl -lboost_system -lboost_filesystem -lboost_program_options -lpthread
+	LDLIBS = -lz -lssl -lcrypto -lboost_system -lboost_filesystem -lboost_program_options -lpthread
 endif
 ifeq ($(USE_UPNP),yes)
@ -25,9 +25,5 @@ endif
 OSARCH = $(shell uname -p)
 ifneq ($(OSARCH),powerpc)
 	ifeq ($(USE_AESNI),yes)
 		CXXFLAGS += -D__AES__ -maes
 	else
 	CXXFLAGS += -msse
 	endif
 endif
--- a/Makefile.solaris
+++ b/Makefile.solaris
@ -0,0 +1,9 @@
 CXX = g++
 INCFLAGS = -I/usr/openssl/3/include
 CXXFLAGS := -Wall -std=c++20
 LDLIBS = -L/usr/openssl/3/lib/64 -lssl -lcrypto -lboost_program_options -lz -lpthread -lsocket
 ifeq ($(USE_UPNP),yes)
 	DEFINES += -DUSE_UPNP
 	LDLIBS += -lminiupnpc
 endif
--- a/build/CMakeLists.txt
+++ b/build/CMakeLists.txt
@ -29,7 +29,6 @@ project(
 )
 # configurable options
 option(WITH_AESNI           "Use AES-NI instructions set"             ON)
 option(WITH_HARDENING       "Use hardening compiler flags"            OFF)
 option(WITH_LIBRARY         "Build library"                           ON)
 option(WITH_BINARY          "Build binary"                            ON)
@ -185,16 +184,6 @@ if(UNIX)
  endif()
 endif()
 # Note: AES-NI and AVX is available on x86-based CPU's.
 # Here also ARM64 implementation, but currently we don't support it.
 # MSVC is not supported due to different ASM processing, so we hope OpenSSL has its own checks to run optimized code.
 if(WITH_AESNI AND (ARCHITECTURE MATCHES "x86_64" OR ARCHITECTURE MATCHES "i386"))
  if(NOT MSVC)
    set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -maes")
  endif()
  add_definitions(-D__AES__)
 endif()
 if(WITH_ADDRSANITIZER)
  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsanitize=address -fno-omit-frame-pointer")
  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fsanitize=address")
@ -335,7 +324,6 @@ message(STATUS "Architecture       : ${ARCHITECTURE}")
 message(STATUS "Compiler flags     : ${CMAKE_CXX_FLAGS}")
 message(STATUS "Install prefix:    : ${CMAKE_INSTALL_PREFIX}")
 message(STATUS "Options:")
 message(STATUS "  AESNI            : ${WITH_AESNI}")
 message(STATUS "  HARDENING        : ${WITH_HARDENING}")
 message(STATUS "  LIBRARY          : ${WITH_LIBRARY}")
 message(STATUS "  BINARY           : ${WITH_BINARY}")
--- a/build/cmake_modules/GetGitRevisionDescription.cmake
+++ b/build/cmake_modules/GetGitRevisionDescription.cmake
@ -59,7 +59,7 @@ get_filename_component(_gitdescmoddir ${CMAKE_CURRENT_LIST_FILE} PATH)
 # function returns an empty string via _git_dir_var.
 #
 # Example: Given a path C:/bla/foo/bar and assuming C:/bla/.git exists and
-# neither foo nor bar contain a file/directory .git. This wil return
+# neither foo nor bar contain a file/directory .git. This will return
 # C:/bla/.git
 #
 function(_git_find_closest_git_dir _start_dir _git_dir_var)
--- a/contrib/debian/trusty/patches/01-upnp.patch
+++ b/contrib/debian/trusty/patches/01-upnp.patch
@ -2,13 +2,13 @@ Description: Enable UPnP usage in package
 Author: r4sas <r4sas@i2pmail.org>
 Reviewed-By: r4sas <r4sas@i2pmail.org>
-Last-Update: 2022-03-23
+Last-Update: 2024-12-30
 --- i2pd.orig/Makefile
 +++ i2pd/Makefile
-@@ -31,7 +31,7 @@ include filelist.mk
+@@ -31,7 +31,7 @@ # import source files lists
 include filelist.mk
 USE_AESNI       := $(or $(USE_AESNI),yes)
 USE_STATIC      := $(or $(USE_STATIC),no)
 -USE_UPNP        := $(or $(USE_UPNP),no)
 +USE_UPNP        := $(or $(USE_UPNP),yes)
--- a/contrib/debian/xenial/patches/01-upnp.patch
+++ b/contrib/debian/xenial/patches/01-upnp.patch
@ -2,13 +2,13 @@ Description: Enable UPnP usage in package
 Author: r4sas <r4sas@i2pmail.org>
 Reviewed-By: r4sas <r4sas@i2pmail.org>
-Last-Update: 2022-03-23
+Last-Update: 2024-12-30
 --- i2pd.orig/Makefile
 +++ i2pd/Makefile
-@@ -31,7 +31,7 @@ include filelist.mk
+@@ -31,7 +31,7 @@ # import source files lists
 include filelist.mk
 USE_AESNI       := $(or $(USE_AESNI),yes)
 USE_STATIC      := $(or $(USE_STATIC),no)
 -USE_UPNP        := $(or $(USE_UPNP),no)
 +USE_UPNP        := $(or $(USE_UPNP),yes)
--- a/contrib/i2pd.conf
+++ b/contrib/i2pd.conf
@ -243,7 +243,7 @@ verify = true
 ## Default: reg.i2p at "mainline" I2P Network
 # defaulturl = http://shx5vqsw7usdaunyzr2qmes2fq37oumybpudrd4jjj4e4vk4uusa.b32.i2p/hosts.txt
 ## Optional subscriptions URLs, separated by comma
-# subscriptions = http://reg.i2p/hosts.txt,http://identiguy.i2p/hosts.txt,http://stats.i2p/cgi-bin/newhosts.txt,http://rus.i2p/hosts.txt
+# subscriptions = http://reg.i2p/hosts.txt,http://identiguy.i2p/hosts.txt,http://stats.i2p/cgi-bin/newhosts.txt
 [limits]
 ## Maximum active transit sessions (default: 5000)
@ -277,9 +277,3 @@ verify = true
 ## Save full addresses on disk (default: true)
 # addressbook = true
 [cpuext]
 ## Use CPU AES-NI instructions set when work with cryptography when available (default: true)
 # aesni = true
 ## Force usage of CPU instructions set, even if they not found (default: false)
 ## DO NOT TOUCH that option if you really don't know what are you doing!
 # force = false
--- a/contrib/rpm/i2pd-git.spec
+++ b/contrib/rpm/i2pd-git.spec
@ -1,7 +1,7 @@
 %define git_hash %(git rev-parse HEAD | cut -c -7)
 Name:          i2pd-git
-Version:       2.54.0
+Version:       2.56.0
 Release:       git%{git_hash}%{?dist}
 Summary:       I2P router written in C++
 Conflicts:     i2pd
@ -148,6 +148,12 @@ getent passwd i2pd >/dev/null || \
 %changelog
 * Tue Feb 11 2025 orignal <orignal@i2pmail.org> - 2.56.0
 - update to 2.56.0
 * Mon Dec 30 2024 orignal <orignal@i2pmail.org> - 2.55.0
 - update to 2.55.0
 * Sun Oct 6 2024 orignal <orignal@i2pmail.org> - 2.54.0
 - update to 2.54.0
--- a/contrib/rpm/i2pd.spec
+++ b/contrib/rpm/i2pd.spec
@ -1,5 +1,5 @@
 Name:          i2pd
-Version:       2.54.0
+Version:       2.56.0
 Release:       1%{?dist}
 Summary:       I2P router written in C++
 Conflicts:     i2pd-git
@ -146,6 +146,12 @@ getent passwd i2pd >/dev/null || \
 %changelog
 * Tue Feb 11 2025 orignal <orignal@i2pmail.org> - 2.56.0
 - update to 2.56.0
 * Mon Dec 30 2024 orignal <orignal@i2pmail.org> - 2.55.0
 - update to 2.55.0
 * Sun Oct 6 2024 orignal <orignal@i2pmail.org> - 2.54.0
 - update to 2.54.0
--- a/contrib/tunnels.conf
+++ b/contrib/tunnels.conf
@ -5,6 +5,7 @@ port = 6668
 destination = irc.ilita.i2p
 destinationport = 6667
 keys = irc-keys.dat
 i2p.streaming.profile=2
 #[IRC-IRC2P]
 #type = client
--- a/daemon/Daemon.cpp
+++ b/daemon/Daemon.cpp
@ -149,12 +149,10 @@ namespace util
 		LogPrint(eLogDebug, "FS: Certificates directory: ", certsdir);
 		bool precomputation; i2p::config::GetOption("precomputation.elgamal", precomputation);
 		bool aesni; i2p::config::GetOption("cpuext.aesni", aesni);
 		bool forceCpuExt; i2p::config::GetOption("cpuext.force", forceCpuExt);
 		bool ssu; i2p::config::GetOption("ssu", ssu);
 		if (!ssu && i2p::config::IsDefault ("precomputation.elgamal"))
 			precomputation = false; // we don't elgamal table if no ssu, unless it's specified explicitly
-		i2p::crypto::InitCrypto (precomputation, aesni, forceCpuExt);
+		i2p::crypto::InitCrypto (precomputation);
 		i2p::transport::InitAddressFromIface (); // get address4/6 from interfaces
--- a/daemon/HTTPServer.cpp
+++ b/daemon/HTTPServer.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -132,7 +132,8 @@ namespace http {
 	static void ShowTunnelDetails (std::stringstream& s, enum i2p::tunnel::TunnelState eState, bool explr, int bytes)
 	{
-		std::string state, stateText;
+		std::string state;
 		std::string_view stateText;
 		switch (eState) 
 		{
 			case i2p::tunnel::eTunnelStateBuildReplyReceived :
@ -146,7 +147,7 @@ namespace http {
 		}
 		if (stateText.empty ()) stateText = tr(state);
-		s << "<span class=\"tunnel " << state << "\"> " << stateText << ((explr) ? " (" + tr("exploratory") + ")" : "") << "</span>, ";
+		s << "<span class=\"tunnel " << state << "\"> " << stateText << ((explr) ? " (" + std::string(tr("exploratory")) + ")" : "") << "</span>, "; // TODO:
 		ShowTraffic(s, bytes);
 		s << "\r\n";
 	}
@ -213,7 +214,7 @@ namespace http {
 			"</html>\r\n";
 	}
-	static void ShowError(std::stringstream& s, const std::string& string)
+	static void ShowError(std::stringstream& s, std::string_view string)
 	{
 		s << "<b>" << tr("ERROR") << ":</b>&nbsp;" << string << "<br>\r\n";
 	}
@ -826,7 +827,7 @@ namespace http {
 		if (i2p::tunnel::tunnels.CountTransitTunnels())
 		{
 			s << "<b>" << tr("Transit Tunnels") << ":</b><br>\r\n";
-			s << "<table><thead><th>&#8658;</th><th>ID</th><th>&#8658;</th><th>" << tr("Amount") << "</th></thead><tbody class=\"tableitem\">";
+			s << "<table><thead><th>&#8658;</th><th>ID</th><th>&#8658;</th><th>" << tr("Amount") << "</th><th>" << tr("Next") << "</th></thead><tbody class=\"tableitem\">";
 			for (const auto& it: i2p::tunnel::tunnels.GetTransitTunnels ())
 			{
 				if (std::dynamic_pointer_cast<i2p::tunnel::TransitTunnelGateway>(it))
@ -836,7 +837,7 @@ namespace http {
 				else
 					s << "<tr><td>&#8658;</td><td>" << it->GetTunnelID () << "</td><td>&#8658;</td><td>";
 				ShowTraffic(s, it->GetNumTransmittedBytes ());
-				s << "</td></tr>\r\n";
+				s << "</td><td>" << it->GetNextPeerName () << "</td></tr>\r\n";
 			}
 			s << "</tbody></table>\r\n";
 		}
@ -1262,7 +1263,7 @@ namespace http {
 			ShowLeasesSets(s);
 		else {
 			res.code = 400;
-			ShowError(s, tr("Unknown page") + ": " + page);
+			ShowError(s, std::string (tr("Unknown page")) + ": " + page); // TODO
 			return;
 		}
 	}
@ -1462,7 +1463,7 @@ namespace http {
 		else
 		{
 			res.code = 400;
-			ShowError(s, tr("Unknown command") + ": " + cmd);
+			ShowError(s, std::string (tr("Unknown command")) + ": " + cmd); // TODO
 			return;
 		}
--- a/daemon/I2PControl.cpp
+++ b/daemon/I2PControl.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -15,7 +15,6 @@
 // Use global placeholders from boost introduced when local_time.hpp is loaded
 #define BOOST_BIND_GLOBAL_PLACEHOLDERS
 #include <boost/property_tree/json_parser.hpp>
 #include <boost/lexical_cast.hpp>
 #include "FS.h"
 #include "Log.h"
@ -30,11 +29,24 @@ namespace i2p
 namespace client
 {
 	I2PControlService::I2PControlService (const std::string& address, int port):
-		m_IsRunning (false), m_Thread (nullptr),
+		m_IsRunning (false),	
 		m_Acceptor (m_Service, boost::asio::ip::tcp::endpoint(boost::asio::ip::make_address(address), port)),
 		m_SSLContext (boost::asio::ssl::context::sslv23),
 		m_ShutdownTimer (m_Service)
 	{
 		if (port)		
 			m_Acceptor = std::make_unique<boost::asio::ip::tcp::acceptor>(m_Service,
 				boost::asio::ip::tcp::endpoint(boost::asio::ip::make_address(address), port));
 		else
 #if defined(BOOST_ASIO_HAS_LOCAL_SOCKETS)
 		{		
 			std::remove (address.c_str ());	// just in case
 			m_LocalAcceptor = std::make_unique<boost::asio::local::stream_protocol::acceptor>(m_Service,
 				boost::asio::local::stream_protocol::endpoint(address));	
 		}	
 #else
 			LogPrint(eLogError, "I2PControl: Local sockets are not supported");
 #endif				
 		i2p::config::GetOption("i2pcontrol.password", m_Password);
 		// certificate / keys
@ -98,7 +110,7 @@ namespace client
 		{
 			Accept ();
 			m_IsRunning = true;
-			m_Thread = new std::thread (std::bind (&I2PControlService::Run, this));
+			m_Thread = std::make_unique<std::thread>(std::bind (&I2PControlService::Run, this));
 		}
 	}
@ -107,12 +119,19 @@ namespace client
 		if (m_IsRunning)
 		{
 			m_IsRunning = false;
-			m_Acceptor.cancel ();
+			if (m_Acceptor) m_Acceptor->cancel ();
 #if defined(BOOST_ASIO_HAS_LOCAL_SOCKETS)
 			if (m_LocalAcceptor) 
 			{
 				auto path = m_LocalAcceptor->local_endpoint().path();
 				m_LocalAcceptor->cancel ();
 				std::remove (path.c_str ());
 			}	
 #endif			
 			m_Service.stop ();
 			if (m_Thread)
 			{
 				m_Thread->join ();
 				delete m_Thread;
 				m_Thread = nullptr;
 			}
 		}
@ -134,40 +153,60 @@ namespace client
 	void I2PControlService::Accept ()
 	{
-		auto newSocket = std::make_shared<ssl_socket> (m_Service, m_SSLContext);
+		if (m_Acceptor)
-		m_Acceptor.async_accept (newSocket->lowest_layer(), std::bind (&I2PControlService::HandleAccept, this,
+		{	
-			std::placeholders::_1, newSocket));
+			auto newSocket = std::make_shared<boost::asio::ssl::stream<boost::asio::ip::tcp::socket> > (m_Service, m_SSLContext);
 			m_Acceptor->async_accept (newSocket->lowest_layer(),
 				[this, newSocket](const boost::system::error_code& ecode)
 				{
 					HandleAccepted (ecode, newSocket);
 				});		
 		}	
 #if defined(BOOST_ASIO_HAS_LOCAL_SOCKETS)
 		else if (m_LocalAcceptor)
 		{
 			auto newSocket = std::make_shared<boost::asio::ssl::stream<boost::asio::local::stream_protocol::socket> > (m_Service, m_SSLContext);
 			m_LocalAcceptor->async_accept (newSocket->lowest_layer(),
 				[this, newSocket](const boost::system::error_code& ecode)
 				{
 					HandleAccepted (ecode, newSocket);
 				});		
 		}	
 #endif		
 	}
-	void I2PControlService::HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<ssl_socket> socket)
+	template<typename ssl_socket> 
 	void I2PControlService::HandleAccepted (const boost::system::error_code& ecode,
 		std::shared_ptr<ssl_socket> newSocket)
 	{
 		if (ecode != boost::asio::error::operation_aborted)
 			Accept ();
-		if (ecode) {
+		if (ecode) 
 		{
 			LogPrint (eLogError, "I2PControl: Accept error: ", ecode.message ());
 			return;
 		}
-		LogPrint (eLogDebug, "I2PControl: New request from ", socket->lowest_layer ().remote_endpoint ());
+		LogPrint (eLogDebug, "I2PControl: New request from ", newSocket->lowest_layer ().remote_endpoint ());
-		Handshake (socket);
+		Handshake (newSocket);
 	}	
 	template<typename ssl_socket>
 	void I2PControlService::Handshake (std::shared_ptr<ssl_socket> socket)
 	{
 		socket->async_handshake(boost::asio::ssl::stream_base::server,
-		std::bind( &I2PControlService::HandleHandshake, this, std::placeholders::_1, socket));
+			[this, socket](const boost::system::error_code& ecode)
-	}
+		    {
-
+				if (ecode) 
 	void I2PControlService::HandleHandshake (const boost::system::error_code& ecode, std::shared_ptr<ssl_socket> socket)
 				{
 		if (ecode) {
 					LogPrint (eLogError, "I2PControl: Handshake error: ", ecode.message ());
 					return;
 				}
 		//std::this_thread::sleep_for (std::chrono::milliseconds(5));
 				ReadRequest (socket);
 			});			                        
 	}
 	template<typename ssl_socket>
 	void I2PControlService::ReadRequest (std::shared_ptr<ssl_socket> socket)
 	{
 		auto request = std::make_shared<I2PControlBuffer>();
@ -177,10 +216,13 @@ namespace client
 #else
 			boost::asio::buffer (request->data (), request->size ()),
 #endif
-			std::bind(&I2PControlService::HandleRequestReceived, this,
+		    [this, socket, request](const boost::system::error_code& ecode, size_t bytes_transferred)
-			std::placeholders::_1, std::placeholders::_2, socket, request));
+		    {
 				HandleRequestReceived (ecode, bytes_transferred, socket, request);
 			});
 	}
 	template<typename ssl_socket>
 	void I2PControlService::HandleRequestReceived (const boost::system::error_code& ecode,
 		size_t bytes_transferred, std::shared_ptr<ssl_socket> socket,
 		std::shared_ptr<I2PControlBuffer> buf)
@ -258,6 +300,7 @@ namespace client
 		}
 	}
 	template<typename ssl_socket>
 	void I2PControlService::SendResponse (std::shared_ptr<ssl_socket> socket,
 		std::shared_ptr<I2PControlBuffer> buf, std::ostringstream& response, bool isHtml)
 	{
@ -267,7 +310,7 @@ namespace client
 			std::ostringstream header;
 			header << "HTTP/1.1 200 OK\r\n";
 			header << "Connection: close\r\n";
-			header << "Content-Length: " << boost::lexical_cast<std::string>(len) << "\r\n";
+			header << "Content-Length: " << std::to_string(len) << "\r\n";
 			header << "Content-Type: application/json\r\n";
 			header << "Date: ";
 			std::time_t t = std::time (nullptr);
@ -280,16 +323,11 @@ namespace client
 		memcpy (buf->data () + offset, response.str ().c_str (), len);
 		boost::asio::async_write (*socket, boost::asio::buffer (buf->data (), offset + len),
 			boost::asio::transfer_all (),
-			std::bind(&I2PControlService::HandleResponseSent, this,
+		    [socket, buf](const boost::system::error_code& ecode, std::size_t bytes_transferred)
 				std::placeholders::_1, std::placeholders::_2, socket, buf));
 	}
 	void I2PControlService::HandleResponseSent (const boost::system::error_code& ecode, std::size_t bytes_transferred,
 		std::shared_ptr<ssl_socket> socket, std::shared_ptr<I2PControlBuffer> buf)
 		    {
-		if (ecode) {
+				if (ecode)
 					LogPrint (eLogError, "I2PControl: Write error: ", ecode.message ());
-		}
+			});	
 	}
 // handlers
--- a/daemon/I2PControl.h
+++ b/daemon/I2PControl.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -35,8 +35,6 @@ namespace client
 	class I2PControlService: public I2PControlHandlers
 	{
 		typedef boost::asio::ssl::stream<boost::asio::ip::tcp::socket> ssl_socket;
 		public:
 			I2PControlService (const std::string& address, int port);
@ -49,16 +47,18 @@ namespace client
 			void Run ();
 			void Accept ();
-			void HandleAccept(const boost::system::error_code& ecode, std::shared_ptr<ssl_socket> socket);
+			template<typename ssl_socket> 
 			void HandleAccepted (const boost::system::error_code& ecode, std::shared_ptr<ssl_socket> newSocket);
 			template<typename ssl_socket>
 			void Handshake (std::shared_ptr<ssl_socket> socket);
-			void HandleHandshake (const boost::system::error_code& ecode, std::shared_ptr<ssl_socket> socket);
+			template<typename ssl_socket>
 			void ReadRequest (std::shared_ptr<ssl_socket> socket);
 			template<typename ssl_socket>
 			void HandleRequestReceived (const boost::system::error_code& ecode, size_t bytes_transferred,
 				std::shared_ptr<ssl_socket> socket, std::shared_ptr<I2PControlBuffer> buf);
 			template<typename ssl_socket>
 			void SendResponse (std::shared_ptr<ssl_socket> socket,
 				std::shared_ptr<I2PControlBuffer> buf, std::ostringstream& response, bool isHtml);
 			void HandleResponseSent (const boost::system::error_code& ecode, std::size_t bytes_transferred,
 				std::shared_ptr<ssl_socket> socket, std::shared_ptr<I2PControlBuffer> buf);
 			void CreateCertificate (const char *crt_path, const char *key_path);
@ -86,10 +86,13 @@ namespace client
 			std::string m_Password;
 			bool m_IsRunning;
-			std::thread * m_Thread;
+			std::unique_ptr<std::thread> m_Thread;
 			boost::asio::io_context m_Service;
-			boost::asio::ip::tcp::acceptor m_Acceptor;
+			std::unique_ptr<boost::asio::ip::tcp::acceptor> m_Acceptor;
 #if defined(BOOST_ASIO_HAS_LOCAL_SOCKETS)
 			std::unique_ptr<boost::asio::local::stream_protocol::acceptor> m_LocalAcceptor;
 #endif		
 			boost::asio::ssl::context m_SSLContext;
 			boost::asio::deadline_timer m_ShutdownTimer;
 			std::set<std::string> m_Tokens;
--- a/daemon/UPnP.cpp
+++ b/daemon/UPnP.cpp
@ -52,7 +52,7 @@ namespace transport
 	{
 		m_IsRunning = true;
 		LogPrint(eLogInfo, "UPnP: Starting");
-		m_Service.post (std::bind (&UPnP::Discover, this));
+		boost::asio::post (m_Service, std::bind (&UPnP::Discover, this));
 		std::unique_lock<std::mutex> l(m_StartedMutex);
 		m_Thread.reset (new std::thread (std::bind (&UPnP::Run, this)));
 		m_Started.wait_for (l, std::chrono::seconds (5)); // 5 seconds maximum
@ -150,7 +150,7 @@ namespace transport
 		// UPnP discovered
 		LogPrint (eLogDebug, "UPnP: ExternalIPAddress is ", m_externalIPAddress);
-		i2p::context.UpdateAddress (boost::asio::ip::address::from_string (m_externalIPAddress));
+		i2p::context.UpdateAddress (boost::asio::ip::make_address (m_externalIPAddress));
 		// port mapping
 		PortMapping ();
 	}
--- a/debian/changelog
+++ b/debian/changelog
@ -1,3 +1,15 @@
 i2pd (2.56.0-1) unstable; urgency=medium
  * updated to version 2.56.0/0.9.65
 -- orignal <orignal@i2pmail.org>  Tue, 11 Feb 2025 16:00:00 +0000
 i2pd (2.55.0-1) unstable; urgency=medium
  * updated to version 2.55.0
 -- orignal <orignal@i2pmail.org>  Mon, 30 Dec 2024 16:00:00 +0000
 i2pd (2.54.0-1) unstable; urgency=medium
  * updated to version 2.54.0/0.9.64
--- a/debian/patches/01-upnp.patch
+++ b/debian/patches/01-upnp.patch
@ -2,13 +2,13 @@ Description: Enable UPnP usage in package
 Author: r4sas <r4sas@i2pmail.org>
 Reviewed-By: r4sas <r4sas@i2pmail.org>
-Last-Update: 2022-03-23
+Last-Update: 2024-12-30
 --- i2pd.orig/Makefile
 +++ i2pd/Makefile
-@@ -31,7 +31,7 @@ include filelist.mk
+@@ -31,7 +31,7 @@ # import source files lists
 include filelist.mk
 USE_AESNI       := $(or $(USE_AESNI),yes)
 USE_STATIC      := $(or $(USE_STATIC),no)
 -USE_UPNP        := $(or $(USE_UPNP),no)
 +USE_UPNP        := $(or $(USE_UPNP),yes)
--- a/i18n/Afrikaans.cpp
+++ b/i18n/Afrikaans.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2021, The PurpleI2P Project
+* Copyright (c) 2021-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace afrikaans // language namespace
 		return n != 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"failed", "Het misluk"},
 		{"unknown", "onbekend"},
--- a/i18n/Armenian.cpp
+++ b/i18n/Armenian.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2021-2023, The PurpleI2P Project
+* Copyright (c) 2021-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace armenian // language namespace
 		return n != 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f ԿիԲ"},
 		{"%.2f MiB", "%.2f ՄիԲ"},
--- a/i18n/Chinese.cpp
+++ b/i18n/Chinese.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022-2024, The PurpleI2P Project
+* Copyright (c) 2022-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace chinese // language namespace
 		return 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f KiB"},
 		{"%.2f MiB", "%.2f MiB"},
--- a/i18n/Czech.cpp
+++ b/i18n/Czech.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022-2024, The PurpleI2P Project
+* Copyright (c) 2022-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace czech // language namespace
 		return (n == 1) ? 0 : (n >= 2 && n <= 4) ? 1 : 2;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f KiB"},
 		{"%.2f MiB", "%.2f MiB"},
--- a/i18n/English.cpp
+++ b/i18n/English.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2021, The PurpleI2P Project
+* Copyright (c) 2021-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -30,7 +30,7 @@ namespace english // language namespace
 		return n != 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"", ""},
 	};
--- a/i18n/French.cpp
+++ b/i18n/French.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022-2024, The PurpleI2P Project
+* Copyright (c) 2022-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace french // language namespace
 		return n != 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f Kio"},
 		{"%.2f MiB", "%.2f Mio"},
--- a/i18n/German.cpp
+++ b/i18n/German.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022-2023, The PurpleI2P Project
+* Copyright (c) 2022-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace german // language namespace
 		return n != 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f KiB"},
 		{"%.2f MiB", "%.2f MiB"},
--- a/i18n/I18N.cpp
+++ b/i18n/I18N.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2021-2023, The PurpleI2P Project
+* Copyright (c) 2021-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -30,12 +30,12 @@ namespace i18n
 		}
 	}
-	std::string translate (const std::string& arg)
+	std::string_view translate (std::string_view arg)
 	{
 		return i2p::client::context.GetLanguage ()->GetString (arg);
 	}
-	std::string translate (const std::string& arg, const std::string& arg2, const int& n)
+	std::string translate (const std::string& arg, const std::string& arg2, const int n)
 	{
 		return i2p::client::context.GetLanguage ()->GetPlural (arg, arg2, n);
 	}
--- a/i18n/I18N.h
+++ b/i18n/I18N.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2021-2023, The PurpleI2P Project
+* Copyright (c) 2021-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -10,6 +10,7 @@
 #define __I18N_H__
 #include <string>
 #include <string_view>
 #include <map>
 #include <utility>
 #include <functional>
@ -18,12 +19,13 @@ namespace i2p
 {
 namespace i18n
 {
 	typedef std::map<std::string_view, std::string_view> LocaleStrings; 
 	class Locale
 	{
 		public:
 			Locale (
 				const std::string& language,
-				const std::map<std::string, std::string>& strings,
+				const LocaleStrings& strings,
 				const std::map<std::string, std::vector<std::string>>& plurals,
 				std::function<int(int)> formula
 			): m_Language (language), m_Strings (strings), m_Plurals (plurals), m_Formula (formula) { };
@ -34,7 +36,7 @@ namespace i18n
 				return m_Language;
 			}
-			std::string GetString (const std::string& arg) const
+			std::string_view GetString (std::string_view arg) const
 			{
 				const auto it = m_Strings.find(arg);
 				if (it == m_Strings.end())
@ -47,7 +49,7 @@ namespace i18n
 				}
 			}
-			std::string GetPlural (const std::string& arg, const std::string& arg2, const int& n) const
+			std::string GetPlural (const std::string& arg, const std::string& arg2, int n) const
 			{
 				const auto it = m_Plurals.find(arg2);
 				if (it == m_Plurals.end()) // not found, fallback to english
@ -63,14 +65,14 @@ namespace i18n
 		private:
 			const std::string m_Language;
-			const std::map<std::string, std::string> m_Strings;
+			const LocaleStrings m_Strings;
 			const std::map<std::string, std::vector<std::string>> m_Plurals;
 			std::function<int(int)> m_Formula;
 	};
 	void SetLanguage(const std::string &lang);
-	std::string translate (const std::string& arg);
+	std::string_view translate (std::string_view arg);
-	std::string translate (const std::string& arg, const std::string& arg2, const int& n);
+	std::string translate (const std::string& arg, const std::string& arg2, int n);
 } // i18n
 } // i2p
@ -79,7 +81,7 @@ namespace i18n
 * @param arg String with message
 */
 template<typename TValue>
-std::string tr (TValue&& arg)
+std::string_view tr (TValue&& arg)
 {
 	return i2p::i18n::translate(std::forward<TValue>(arg));
 }
@ -92,7 +94,7 @@ std::string tr (TValue&& arg)
 template<typename TValue, typename... TArgs>
 std::string tr (TValue&& arg, TArgs&&... args)
 {
-	std::string tr_str = i2p::i18n::translate(std::forward<TValue>(arg));
+	std::string tr_str = std::string (i2p::i18n::translate(std::forward<TValue>(arg))); // TODO:
 	size_t size = std::snprintf(NULL, 0, tr_str.c_str(), std::forward<TArgs>(args)...);
 	std::string str(size, 0);
@ -108,7 +110,7 @@ std::string tr (TValue&& arg, TArgs&&... args)
 * @param n Integer, used for selection of form
 */
 template<typename TValue, typename TValue2>
-std::string ntr (TValue&& arg, TValue2&& arg2, int& n)
+std::string ntr (TValue&& arg, TValue2&& arg2, int n)
 {
 	return i2p::i18n::translate(std::forward<TValue>(arg), std::forward<TValue2>(arg2), std::forward<int>(n));
 }
@ -121,7 +123,7 @@ std::string ntr (TValue&& arg, TValue2&& arg2, int& n)
 * @param args Array of arguments for string formatting
 */
 template<typename TValue, typename TValue2, typename... TArgs>
-std::string ntr (TValue&& arg, TValue2&& arg2, int& n, TArgs&&... args)
+std::string ntr (TValue&& arg, TValue2&& arg2, int n, TArgs&&... args)
 {
 	std::string tr_str = i2p::i18n::translate(std::forward<TValue>(arg), std::forward<TValue2>(arg2), std::forward<int>(n));
--- a/i18n/Italian.cpp
+++ b/i18n/Italian.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022-2023, The PurpleI2P Project
+* Copyright (c) 2022-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace italian // language namespace
 		return n != 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f KiB"},
 		{"%.2f MiB", "%.2f MiB"},
--- a/i18n/Polish.cpp
+++ b/i18n/Polish.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2023-2024, The PurpleI2P Project
+* Copyright (c) 2023-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace polish // language namespace
 		return (n == 1 ? 0 : n % 10 >= 2 && n % 10 <= 4 && (n % 100 < 10 || n % 100 >= 20) ? 1 : 2);
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f KiB"},
 		{"%.2f MiB", "%.2f MiB"},
--- a/i18n/Portuguese.cpp
+++ b/i18n/Portuguese.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2023-2024, The PurpleI2P Project
+* Copyright (c) 2023-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace portuguese // language namespace
 		return n != 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f KiB"},
 		{"%.2f MiB", "%.2f MiB"},
--- a/i18n/Russian.cpp
+++ b/i18n/Russian.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2021-2023, The PurpleI2P Project
+* Copyright (c) 2021-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace russian // language namespace
 		return n % 10 == 1 && n % 100 != 11 ? 0 : n % 10 >= 2 && n % 10 <= 4 && (n % 100 < 10 || n % 100 >= 20) ? 1 : 2;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f КиБ"},
 		{"%.2f MiB", "%.2f МиБ"},
--- a/i18n/Spanish.cpp
+++ b/i18n/Spanish.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022-2023, The PurpleI2P Project
+* Copyright (c) 2022-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace spanish // language namespace
 		return n != 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f KiB"},
 		{"%.2f MiB", "%.2f MiB"},
--- a/i18n/Swedish.cpp
+++ b/i18n/Swedish.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2023, The PurpleI2P Project
+* Copyright (c) 2023-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace swedish // language namespace
 		return n != 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f KiB"},
 		{"%.2f MiB", "%.2f MiB"},
--- a/i18n/Turkish.cpp
+++ b/i18n/Turkish.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2023, The PurpleI2P Project
+* Copyright (c) 2023-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace turkish // language namespace
 		return n != 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f KiB"},
 		{"%.2f MiB", "%.2f MiB"},
--- a/i18n/Turkmen.cpp
+++ b/i18n/Turkmen.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2021-2023, The PurpleI2P Project
+* Copyright (c) 2021-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace turkmen // language namespace
 		return n != 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f KiB"},
 		{"%.2f MiB", "%.2f MiB"},
--- a/i18n/Ukrainian.cpp
+++ b/i18n/Ukrainian.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2021-2023, The PurpleI2P Project
+* Copyright (c) 2021-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace ukrainian // language namespace
 		return n%10==1 && n%100!=11 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f КіБ"},
 		{"%.2f MiB", "%.2f МіБ"},
--- a/i18n/Uzbek.cpp
+++ b/i18n/Uzbek.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2021-2023, The PurpleI2P Project
+* Copyright (c) 2021-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -29,7 +29,7 @@ namespace uzbek // language namespace
 		return n > 1 ? 1 : 0;
 	}
-	static std::map<std::string, std::string> strings
+	static const LocaleStrings strings
 	{
 		{"%.2f KiB", "%.2f KiB"},
 		{"%.2f MiB", "%.2f MiB"},
--- a/libi2pd/Base.cpp
+++ b/libi2pd/Base.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2023, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -28,11 +28,6 @@ namespace data
 		return T32;
 	}
 	bool IsBase32 (char ch)
 	{
 		return (ch >= 'a' && ch <= 'z') || (ch >= '2' && ch <= '7');
 	}	
 	static void iT64Build(void);
 	/*
@ -60,11 +55,6 @@ namespace data
 		return T64;
 	}
 	bool IsBase64 (char ch)
 	{
 		return (ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z') || (ch >= '0' && ch <= '9') || ch == '-' || ch == '~';
 	}	
 	/*
 	* Reverse Substitution Table (built in run time)
 	*/
@ -235,20 +225,11 @@ namespace data
 		return outCount;
 	}
-	size_t Base64EncodingBufferSize (const size_t input_size)
+	std::string ToBase64Standard (std::string_view in)
 	{
 		auto d = div (input_size, 3);
 		if (d.rem)
 			d.quot++;
 		return 4 * d.quot;
 	}
 	std::string ToBase64Standard (const std::string& in)
 	{
 		auto len = Base64EncodingBufferSize (in.length ());
 		char * str = new char[len + 1];
-		auto l = ByteStreamToBase64 ((const uint8_t *)in.c_str (), in.length (), str, len);
+		auto l = ByteStreamToBase64 ((const uint8_t *)in.data (), in.length (), str, len);
 		str[l] = 0;
 		// replace '-' by '+' and '~' by '/'
 		for (size_t i = 0; i < l; i++)
@ -280,13 +261,12 @@ namespace data
 		iT64[(int)P64] = 0;
 	}
-	size_t Base32ToByteStream (const char * inBuf, size_t len, uint8_t * outBuf, size_t outLen)
+	size_t Base32ToByteStream (std::string_view base32Str, uint8_t * outBuf, size_t outLen)
 	{
 		unsigned int tmp = 0, bits = 0;
 		size_t ret = 0;
-		for (size_t i = 0; i < len; i++)
+		for (auto ch: base32Str)
 		{
 			char ch = inBuf[i];
 			if (ch >= '2' && ch <= '7') // digit
 				ch = (ch - '2') + 26; // 26 means a-z
 			else if (ch >= 'a' && ch <= 'z')
@ -308,11 +288,13 @@ namespace data
 		return ret;
 	}	
-	size_t ByteStreamToBase32 (const uint8_t * inBuf, size_t len, char * outBuf, size_t outLen)
+	std::string ByteStreamToBase32 (const uint8_t * inBuf, size_t len)
 	{
-		size_t ret = 0, pos = 1;
+		std::string out;
 		out.reserve ((len * 8 + 4) / 5);
 		size_t pos = 1;
 		unsigned int bits = 8, tmp = inBuf[0];
-		while (ret < outLen && (bits > 0 || pos < len))
+		while (bits > 0 || pos < len)
 		{
 			if (bits < 5)
 			{
@ -332,10 +314,9 @@ namespace data
 			bits -= 5;
 			int ind = (tmp >> bits) & 0x1F;
-			outBuf[ret] = (ind < 26) ? (ind + 'a') : ((ind - 26) + '2');
+			out.push_back ((ind < 26) ? (ind + 'a') : ((ind - 26) + '2'));
 			ret++;
 		}
-		return ret;
+		return out;
 	}	
 }
 }
--- a/libi2pd/Base.h
+++ b/libi2pd/Base.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2023, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -11,26 +11,41 @@
 #include <inttypes.h>
 #include <string>
-#include <iostream>
+#include <string_view>
 #include <cstdlib>
-namespace i2p {
+namespace i2p 
-namespace data {
+{
 namespace data 
 {
 	size_t ByteStreamToBase64 (const uint8_t * InBuffer, size_t InCount, char * OutBuffer, size_t len);
 	size_t Base64ToByteStream (const char * InBuffer, size_t InCount, uint8_t * OutBuffer, size_t len );
 	const char * GetBase32SubstitutionTable ();
 	const char * GetBase64SubstitutionTable ();
-	bool IsBase64 (char ch);
+	constexpr bool IsBase64 (char ch)
 	{
 		return (ch >= 'A' && ch <= 'Z') || (ch >= 'a' && ch <= 'z') || (ch >= '0' && ch <= '9') || ch == '-' || ch == '~';
 	}	
-	size_t Base32ToByteStream (const char * inBuf, size_t len, uint8_t * outBuf, size_t outLen);
+	size_t Base32ToByteStream (std::string_view base32Str, uint8_t * outBuf, size_t outLen);
-	size_t ByteStreamToBase32 (const uint8_t * InBuf, size_t len, char * outBuf, size_t outLen);
+	std::string ByteStreamToBase32 (const uint8_t * inBuf, size_t len);
-	bool IsBase32 (char ch);
+	
 	constexpr bool IsBase32 (char ch)
 	{
 		return (ch >= 'a' && ch <= 'z') || (ch >= '2' && ch <= '7');
 	}	
 	/**
 	 * Compute the size for a buffer to contain encoded base64 given that the size of the input is input_size bytes
 	 */
-	size_t Base64EncodingBufferSize(const size_t input_size);
+	constexpr size_t Base64EncodingBufferSize(size_t input_size)
 	{
 		auto d = std::div (input_size, 3);
 		if (d.rem) d.quot++;
 		return 4 * d.quot;
 	}	
-	std::string ToBase64Standard (const std::string& in); // using standard table, for Proxy-Authorization
+	std::string ToBase64Standard (std::string_view in); // using standard table, for Proxy-Authorization
 } // data
 } // i2p
--- a/libi2pd/Blinding.cpp
+++ b/libi2pd/Blinding.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2022, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -152,11 +152,11 @@ namespace data
 			m_BlindedSigType = m_SigType;
 	}
-	BlindedPublicKey::BlindedPublicKey (const std::string& b33):
+	BlindedPublicKey::BlindedPublicKey (std::string_view b33):
 		m_SigType (0) // 0 means invalid, we can't blind DSA, set it later
 	{
 		uint8_t addr[40]; // TODO: define length from b33
-		size_t l = i2p::data::Base32ToByteStream (b33.c_str (), b33.length (), addr, 40);
+		size_t l = i2p::data::Base32ToByteStream (b33, addr, 40);
 		if (l < 32)
 		{
 			LogPrint (eLogError, "Blinding: Malformed b33 ", b33);
@ -198,7 +198,7 @@ namespace data
 	std::string BlindedPublicKey::ToB33 () const
 	{
 		if (m_PublicKey.size () > 32) return ""; // assume 25519
-		uint8_t addr[35]; char str[60]; // TODO: define actual length
+		uint8_t addr[35];
 		uint8_t flags = 0;
 		if (m_IsClientAuth) flags |= B33_PER_CLIENT_AUTH_FLAG;
 		addr[0] = flags; // flags
@ -208,8 +208,7 @@ namespace data
 		uint32_t checksum = crc32 (0, addr + 3, m_PublicKey.size ());
 		// checksum is Little Endian
 		addr[0] ^= checksum; addr[1] ^= (checksum >> 8); addr[2] ^= (checksum >> 16);
-		auto l = ByteStreamToBase32 (addr, m_PublicKey.size () + 3, str, 60);
+		return ByteStreamToBase32 (addr, m_PublicKey.size () + 3);
 		return std::string (str, str + l);
 	}
 	void BlindedPublicKey::GetCredential (uint8_t * credential) const
--- a/libi2pd/Blinding.h
+++ b/libi2pd/Blinding.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2020, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -11,6 +11,7 @@
 #include <inttypes.h>
 #include <string>
 #include <string_view>
 #include <vector>
 #include "Identity.h"
@ -23,7 +24,7 @@ namespace data
 		public:
 			BlindedPublicKey (std::shared_ptr<const IdentityEx> identity, bool clientAuth = false);
-			BlindedPublicKey (const std::string& b33); // from b33 without .b32.i2p
+			BlindedPublicKey (std::string_view b33); // from b33 without .b32.i2p
 			std::string ToB33 () const;
 			const uint8_t * GetPublicKey () const { return m_PublicKey.data (); };
--- a/libi2pd/CPU.cpp
+++ b/libi2pd/CPU.cpp
@ -1,68 +0,0 @@
 /*
 * Copyright (c) 2013-2023, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
 * See full license text in LICENSE file at top of project tree
 */
 #include "CPU.h"
 #include "Log.h"
 #ifndef bit_AES
 	#define bit_AES (1 << 25)
 #endif
 #if defined(__GNUC__) && __GNUC__ < 6 && IS_X86
 	#include <cpuid.h>
 #endif
 #ifdef _MSC_VER
 	#include <intrin.h>
 #endif
 namespace i2p
 {
 namespace cpu
 {
 	bool aesni = false;
 	inline bool cpu_support_aes()
 	{
 #if IS_X86
 #if defined(__clang__)
 #	if (__clang_major__ >= 6)
 		__builtin_cpu_init();
 #	endif
 		return __builtin_cpu_supports("aes");
 #elif (defined(__GNUC__) && __GNUC__ >= 6)
 		__builtin_cpu_init();
 		return __builtin_cpu_supports("aes");
 #elif (defined(__GNUC__) && __GNUC__ < 6)
 		int cpu_info[4];
 		bool flag = false;
 		__cpuid(0, cpu_info[0], cpu_info[1], cpu_info[2], cpu_info[3]);
 		if (cpu_info[0] >= 0x00000001) {
 			__cpuid(0x00000001, cpu_info[0], cpu_info[1], cpu_info[2], cpu_info[3]);
 			flag = ((cpu_info[2] & bit_AES) != 0);
 		}
 		return flag;
 #elif defined(_MSC_VER)
 		int cpu_info[4];
 		__cpuid(cpu_info, 1);
 		return ((cpu_info[2] & bit_AES) != 0);
 #endif
 #endif
 		return false;
 	}
 	void Detect(bool AesSwitch, bool force)
 	{
 		if ((cpu_support_aes() && AesSwitch) || (AesSwitch && force)) {
 			aesni = true;
 		}
 		LogPrint(eLogInfo, "AESNI ", (aesni ? "enabled" : "disabled"));
 	}
 }
 }
--- a/libi2pd/CPU.h
+++ b/libi2pd/CPU.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2023, The PurpleI2P Project
+* Copyright (c) 2013-2024, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -21,20 +21,4 @@
 #	define IS_X86_64 0
 #endif
 #if defined(__AES__) && !defined(_MSC_VER) && IS_X86
 #	define SUPPORTS_AES 1
 #else
 #	define SUPPORTS_AES 0
 #endif
 namespace i2p
 {
 namespace cpu
 {
 	extern bool aesni;
 	void Detect(bool AesSwitch, bool force);
 }
 }
 #endif
--- a/libi2pd/Config.cpp
+++ b/libi2pd/Config.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -117,7 +117,7 @@ namespace config {
 			("httpproxy.latency.max", value<std::string>()->default_value("0"),       "HTTP proxy max latency for tunnels")
 			("httpproxy.outproxy", value<std::string>()->default_value(""),           "HTTP proxy upstream out proxy url")
 			("httpproxy.addresshelper", value<bool>()->default_value(true),           "Enable or disable addresshelper")
-			("httpproxy.senduseragent", value<bool>()->default_value(false),          "Pass through user's User-Agent if enabled. Disabled by deafult")
+			("httpproxy.senduseragent", value<bool>()->default_value(false),          "Pass through user's User-Agent if enabled. Disabled by default")
 			("httpproxy.i2cp.leaseSetType", value<std::string>()->default_value("3"), "Local destination's LeaseSet type")
 			("httpproxy.i2cp.leaseSetEncType", value<std::string>()->default_value("0,4"), "Local destination's LeaseSet encryption type")
 			("httpproxy.i2cp.leaseSetPrivKey", value<std::string>()->default_value(""), "LeaseSet private key")
@ -154,6 +154,17 @@ namespace config {
 			("socksproxy.i2p.streaming.profile", value<std::string>()->default_value("1"), "SOCKS Proxy bandwidth usage profile. 1 - bulk(high), 2- interactive(low)")
 		;
 		options_description shareddest("Shared local destination options");
 		shareddest.add_options()
 			("shareddest.inbound.length", value<std::string>()->default_value("3"),    "Shared local destination inbound tunnel length")
 			("shareddest.outbound.length", value<std::string>()->default_value("3"),   "Shared local destination outbound tunnel length")
 			("shareddest.inbound.quantity", value<std::string>()->default_value("3"),  "Shared local destination inbound tunnels quantity")
 			("shareddest.outbound.quantity", value<std::string>()->default_value("3"), "Shared local destination outbound tunnels quantity")
 			("shareddest.i2cp.leaseSetType", value<std::string>()->default_value("3"), "Shared local destination's LeaseSet type")
 			("shareddest.i2cp.leaseSetEncType", value<std::string>()->default_value("0,4"), "Shared local destination's LeaseSet encryption type")
 			("shareddest.i2p.streaming.profile", value<std::string>()->default_value("2"), "Shared local destination bandwidth usage profile. 1 - bulk(high), 2- interactive(low)")
 		;	
 		options_description sam("SAM bridge options");
 		sam.add_options()
 			("sam.enabled", value<bool>()->default_value(true),               "Enable or disable SAM Application bridge")
@ -227,7 +238,7 @@ namespace config {
 				"https://reseed.onion.im/,"
 				"https://i2pseed.creativecowpat.net:8443/,"
 				"https://reseed.i2pgit.org/,"
-				"https://banana.incognet.io/,"
+				"https://coconut.incognet.io/,"
 				"https://reseed-pl.i2pd.xyz/,"
 				"https://www2.mk16.de/,"
 			    "https://i2p.ghativega.in/,"
@ -315,11 +326,11 @@ namespace config {
 			("persist.addressbook", value<bool>()->default_value(true),    "Persist full addresses (default: true)")
 		;
-		options_description cpuext("CPU encryption extensions options");
+		options_description cpuext("CPU encryption extensions options. Deprecated");
 		cpuext.add_options()
-			("cpuext.aesni", bool_switch()->default_value(true),                     "Use auto detection for AESNI CPU extensions. If false, AESNI will be not used")
+			("cpuext.aesni", bool_switch()->default_value(true),                     "Deprecated option")
 			("cpuext.avx", bool_switch()->default_value(false),                      "Deprecated option")
-			("cpuext.force", bool_switch()->default_value(false),                    "Force usage of CPU extensions. Useful when cpuinfo is not available on virtual machines")
+			("cpuext.force", bool_switch()->default_value(false),                    "Deprecated option")
 		;
 		options_description meshnets("Meshnet transports options");
@ -341,6 +352,7 @@ namespace config {
 			.add(httpserver)
 			.add(httpproxy)
 			.add(socksproxy)
 			.add(shareddest)
 			.add(sam)
 			.add(bob)
 			.add(i2cp)
--- a/libi2pd/Crypto.cpp
+++ b/libi2pd/Crypto.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -19,6 +19,7 @@
 #if OPENSSL_HKDF
 #include <openssl/kdf.h>
 #endif
 #include "CPU.h"
 #include "Crypto.h"
 #include "Ed25519.h"
 #include "I2PEndian.h"
@ -441,9 +442,8 @@ namespace crypto
 		// encrypt
 		CBCEncryption encryption;
 		encryption.SetKey (shared);
 		encryption.SetIV (iv);
 		encrypted[257] = 0;
-		encryption.Encrypt (m, 256, encrypted + 258);
+		encryption.Encrypt (m, 256, iv, encrypted + 258);
 		EC_POINT_free (p);
 		BN_CTX_end (ctx);
 		BN_CTX_free (ctx);
@ -476,8 +476,7 @@ namespace crypto
 			uint8_t m[256];
 			CBCDecryption decryption;
 			decryption.SetKey (shared);
-			decryption.SetIV (iv);
+			decryption.Decrypt (encrypted + 258, 256, iv, m);
 			decryption.Decrypt (encrypted + 258, 256, m);
 			// verify and copy
 			uint8_t hash[32];
 			SHA256 (m + 33, 222, hash);
@ -515,440 +514,114 @@ namespace crypto
 	}
 // AES
-#if SUPPORTS_AES
+	ECBEncryption::ECBEncryption ()
 	#define KeyExpansion256(round0,round1) \
 		"pshufd $0xff, %%xmm2, %%xmm2 \n" \
 		"movaps %%xmm1, %%xmm4 \n" \
 		"pslldq $4, %%xmm4 \n" \
 		"pxor %%xmm4, %%xmm1 \n" \
 		"pslldq $4, %%xmm4 \n" \
 		"pxor %%xmm4, %%xmm1 \n" \
 		"pslldq $4, %%xmm4 \n" \
 		"pxor %%xmm4, %%xmm1 \n" \
 		"pxor %%xmm2, %%xmm1 \n" \
 		"movaps %%xmm1, "#round0"(%[sched]) \n" \
 		"aeskeygenassist $0, %%xmm1, %%xmm4 \n" \
 		"pshufd $0xaa, %%xmm4, %%xmm2 \n" \
 		"movaps %%xmm3, %%xmm4 \n" \
 		"pslldq $4, %%xmm4 \n" \
 		"pxor %%xmm4, %%xmm3 \n" \
 		"pslldq $4, %%xmm4 \n" \
 		"pxor %%xmm4, %%xmm3 \n" \
 		"pslldq $4, %%xmm4 \n" \
 		"pxor %%xmm4, %%xmm3 \n" \
 		"pxor %%xmm2, %%xmm3 \n" \
 		"movaps %%xmm3, "#round1"(%[sched]) \n"
 #endif
 #if SUPPORTS_AES
 	void ECBCryptoAESNI::ExpandKey (const AESKey& key)
 	{
-		__asm__
+		m_Ctx = EVP_CIPHER_CTX_new ();
 		(
 			"movups (%[key]), %%xmm1 \n"
 			"movups 16(%[key]), %%xmm3 \n"
 			"movaps %%xmm1, (%[sched]) \n"
 			"movaps %%xmm3, 16(%[sched]) \n"
 			"aeskeygenassist $1, %%xmm3, %%xmm2 \n"
 			KeyExpansion256(32,48)
 			"aeskeygenassist $2, %%xmm3, %%xmm2 \n"
 			KeyExpansion256(64,80)
 			"aeskeygenassist $4, %%xmm3, %%xmm2 \n"
 			KeyExpansion256(96,112)
 			"aeskeygenassist $8, %%xmm3, %%xmm2 \n"
 			KeyExpansion256(128,144)
 			"aeskeygenassist $16, %%xmm3, %%xmm2 \n"
 			KeyExpansion256(160,176)
 			"aeskeygenassist $32, %%xmm3, %%xmm2 \n"
 			KeyExpansion256(192,208)
 			"aeskeygenassist $64, %%xmm3, %%xmm2 \n"
 			// key expansion final
 			"pshufd $0xff, %%xmm2, %%xmm2 \n"
 			"movaps %%xmm1, %%xmm4 \n"
 			"pslldq $4, %%xmm4 \n"
 			"pxor %%xmm4, %%xmm1 \n"
 			"pslldq $4, %%xmm4 \n"
 			"pxor %%xmm4, %%xmm1 \n"
 			"pslldq $4, %%xmm4 \n"
 			"pxor %%xmm4, %%xmm1 \n"
 			"pxor %%xmm2, %%xmm1 \n"
 			"movups %%xmm1, 224(%[sched]) \n"
 			: // output
 			: [key]"r"((const uint8_t *)key), [sched]"r"(GetKeySchedule ()) // input
 			: "%xmm1", "%xmm2", "%xmm3", "%xmm4", "memory" // clogged
 		);
 	}
 #endif
 #if SUPPORTS_AES
 	#define EncryptAES256(sched) \
 		"pxor (%["#sched"]), %%xmm0 \n" \
 		"aesenc	16(%["#sched"]), %%xmm0 \n" \
 		"aesenc	32(%["#sched"]), %%xmm0 \n" \
 		"aesenc	48(%["#sched"]), %%xmm0 \n" \
 		"aesenc	64(%["#sched"]), %%xmm0 \n" \
 		"aesenc	80(%["#sched"]), %%xmm0 \n" \
 		"aesenc	96(%["#sched"]), %%xmm0 \n" \
 		"aesenc	112(%["#sched"]), %%xmm0 \n" \
 		"aesenc	128(%["#sched"]), %%xmm0 \n" \
 		"aesenc	144(%["#sched"]), %%xmm0 \n" \
 		"aesenc	160(%["#sched"]), %%xmm0 \n" \
 		"aesenc	176(%["#sched"]), %%xmm0 \n" \
 		"aesenc	192(%["#sched"]), %%xmm0 \n" \
 		"aesenc	208(%["#sched"]), %%xmm0 \n" \
 		"aesenclast	224(%["#sched"]), %%xmm0 \n"
 #endif
 	void ECBEncryption::Encrypt (const ChipherBlock * in, ChipherBlock * out)
 	{
 #if SUPPORTS_AES
 		if(i2p::cpu::aesni)
 		{
 			__asm__
 			(
 				"movups (%[in]), %%xmm0 \n"
 				EncryptAES256(sched)
 				"movups %%xmm0, (%[out]) \n"
 				:
 				: [sched]"r"(GetKeySchedule ()), [in]"r"(in), [out]"r"(out)
 				: "%xmm0", "memory"
 			);
 		}
 		else
 #endif
 		{
 			AES_encrypt (in->buf, out->buf, &m_Key);
 		}
 	}
-#if SUPPORTS_AES
+	ECBEncryption::~ECBEncryption ()
 	#define DecryptAES256(sched) \
 		"pxor 224(%["#sched"]), %%xmm0 \n" \
 		"aesdec	208(%["#sched"]), %%xmm0 \n" \
 		"aesdec	192(%["#sched"]), %%xmm0 \n" \
 		"aesdec	176(%["#sched"]), %%xmm0 \n" \
 		"aesdec	160(%["#sched"]), %%xmm0 \n" \
 		"aesdec	144(%["#sched"]), %%xmm0 \n" \
 		"aesdec	128(%["#sched"]), %%xmm0 \n" \
 		"aesdec	112(%["#sched"]), %%xmm0 \n" \
 		"aesdec	96(%["#sched"]), %%xmm0 \n" \
 		"aesdec	80(%["#sched"]), %%xmm0 \n" \
 		"aesdec	64(%["#sched"]), %%xmm0 \n" \
 		"aesdec	48(%["#sched"]), %%xmm0 \n" \
 		"aesdec	32(%["#sched"]), %%xmm0 \n" \
 		"aesdec	16(%["#sched"]), %%xmm0 \n" \
 		"aesdeclast (%["#sched"]), %%xmm0 \n"
 #endif
 	void ECBDecryption::Decrypt (const ChipherBlock * in, ChipherBlock * out)
 	{
-#if SUPPORTS_AES
+		if (m_Ctx)
-		if(i2p::cpu::aesni)
+			EVP_CIPHER_CTX_free (m_Ctx);
 		{
 			__asm__
 			(
 				"movups (%[in]), %%xmm0 \n"
 				DecryptAES256(sched)
 				"movups %%xmm0, (%[out]) \n"
 				:
 				: [sched]"r"(GetKeySchedule ()), [in]"r"(in), [out]"r"(out)
 				: "%xmm0", "memory"
 			);
 		}
 		else
 #endif
 		{
 			AES_decrypt (in->buf, out->buf, &m_Key);
 		}
 	}	
-#if SUPPORTS_AES
+	void ECBEncryption::Encrypt (const uint8_t * in, uint8_t * out)
 	#define CallAESIMC(offset) \
 		"movaps "#offset"(%[shed]), %%xmm0 \n" \
 		"aesimc %%xmm0, %%xmm0 \n" \
 		"movaps %%xmm0, "#offset"(%[shed]) \n"
 #endif
 	void ECBEncryption::SetKey (const AESKey& key)
 	{
-#if SUPPORTS_AES
+		EVP_EncryptInit_ex (m_Ctx, EVP_aes_256_ecb(), NULL, m_Key, NULL);
-		if(i2p::cpu::aesni)
+		EVP_CIPHER_CTX_set_padding (m_Ctx, 0);
-		{
+		int len;
-			ExpandKey (key);
+		EVP_EncryptUpdate (m_Ctx, out, &len, in, 16);
-		}
+		EVP_EncryptFinal_ex (m_Ctx, out + len, &len);
 		else
 #endif
 		{
 			AES_set_encrypt_key (key, 256, &m_Key);
 		}
 	}
-	void ECBDecryption::SetKey (const AESKey& key)
+	ECBDecryption::ECBDecryption ()
 	{
-#if SUPPORTS_AES
+		m_Ctx = EVP_CIPHER_CTX_new ();
 		if(i2p::cpu::aesni)
 		{
 			ExpandKey (key); // expand encryption key first
 			// then invert it using aesimc
 			__asm__
 			(
 				CallAESIMC(16)
 				CallAESIMC(32)
 				CallAESIMC(48)
 				CallAESIMC(64)
 				CallAESIMC(80)
 				CallAESIMC(96)
 				CallAESIMC(112)
 				CallAESIMC(128)
 				CallAESIMC(144)
 				CallAESIMC(160)
 				CallAESIMC(176)
 				CallAESIMC(192)
 				CallAESIMC(208)
 				:
 				: [shed]"r"(GetKeySchedule ())
 				: "%xmm0", "memory"
 			);
 		}
 		else
 #endif
 		{
 			AES_set_decrypt_key (key, 256, &m_Key);
 		}
 	}
-	void CBCEncryption::Encrypt (int numBlocks, const ChipherBlock * in, ChipherBlock * out)
+	ECBDecryption::~ECBDecryption ()
 	{
-#if SUPPORTS_AES
+		if (m_Ctx)
-		if(i2p::cpu::aesni)
+			EVP_CIPHER_CTX_free (m_Ctx);
 		{
 			__asm__
 			(
 				"movups (%[iv]), %%xmm1 \n"
 				"1: \n"
 				"movups (%[in]), %%xmm0 \n"
 				"pxor %%xmm1, %%xmm0 \n"
 				EncryptAES256(sched)
 				"movaps %%xmm0, %%xmm1 \n"
 				"movups %%xmm0, (%[out]) \n"
 				"add $16, %[in] \n"
 				"add $16, %[out] \n"
 				"dec %[num] \n"
 				"jnz 1b \n"
 				"movups %%xmm1, (%[iv]) \n"
 				:
 				: [iv]"r"((uint8_t *)m_LastBlock), [sched]"r"(m_ECBEncryption.GetKeySchedule ()),
 					[in]"r"(in), [out]"r"(out), [num]"r"(numBlocks)
 				: "%xmm0", "%xmm1", "cc", "memory"
 			);
 		}
 		else
 #endif
 		{
 			for (int i = 0; i < numBlocks; i++)
 			{
 				*m_LastBlock.GetChipherBlock () ^= in[i];
 				m_ECBEncryption.Encrypt (m_LastBlock.GetChipherBlock (), m_LastBlock.GetChipherBlock ());
 				out[i] = *m_LastBlock.GetChipherBlock ();
 			}
 		}
 	}	
-	void CBCEncryption::Encrypt (const uint8_t * in, std::size_t len, uint8_t * out)
+	void ECBDecryption::Decrypt (const uint8_t * in, uint8_t * out)
 	{
 		EVP_DecryptInit_ex (m_Ctx, EVP_aes_256_ecb(), NULL, m_Key, NULL);
 		EVP_CIPHER_CTX_set_padding (m_Ctx, 0);
 		int len;
 		EVP_DecryptUpdate (m_Ctx, out, &len, in, 16);
 		EVP_DecryptFinal_ex (m_Ctx, out + len, &len);
 	}
 	CBCEncryption::CBCEncryption () 
 	{ 
 		m_Ctx = EVP_CIPHER_CTX_new ();
 	}
 	CBCEncryption::~CBCEncryption ()
 	{
 		if (m_Ctx)
 			EVP_CIPHER_CTX_free (m_Ctx);
 	}	
 	void CBCEncryption::Encrypt (const uint8_t * in, size_t len, const uint8_t * iv, uint8_t * out)
 	{
 		// len/16
-		int numBlocks = len >> 4;
+		EVP_EncryptInit_ex (m_Ctx, EVP_aes_256_cbc(), NULL, m_Key, iv);
-		if (numBlocks > 0)
+		EVP_CIPHER_CTX_set_padding (m_Ctx, 0);
-			Encrypt (numBlocks, (const ChipherBlock *)in, (ChipherBlock *)out);
+		int l;
 		EVP_EncryptUpdate (m_Ctx, out, &l, in, len);
 		EVP_EncryptFinal_ex (m_Ctx, out + l, &l);
 	}
-	void CBCEncryption::Encrypt (const uint8_t * in, uint8_t * out)
+	CBCDecryption::CBCDecryption () 
 	{ 
-#if SUPPORTS_AES
+		m_Ctx = EVP_CIPHER_CTX_new ();
 		if(i2p::cpu::aesni)
 		{
 			__asm__
 			(
 				"movups (%[iv]), %%xmm1 \n"
 				"movups (%[in]), %%xmm0 \n"
 				"pxor %%xmm1, %%xmm0 \n"
 				EncryptAES256(sched)
 				"movups %%xmm0, (%[out]) \n"
 				"movups %%xmm0, (%[iv]) \n"
 				:
 				: [iv]"r"((uint8_t *)m_LastBlock), [sched]"r"(m_ECBEncryption.GetKeySchedule ()),
 					[in]"r"(in), [out]"r"(out)
 				: "%xmm0", "%xmm1", "memory"
 			);
 		}
 		else
 #endif
 			Encrypt (1, (const ChipherBlock *)in, (ChipherBlock *)out);
 	}
-	void CBCDecryption::Decrypt (int numBlocks, const ChipherBlock * in, ChipherBlock * out)
+	CBCDecryption::~CBCDecryption ()
 	{
-#if SUPPORTS_AES
+		if (m_Ctx)
-		if(i2p::cpu::aesni)
+			EVP_CIPHER_CTX_free (m_Ctx);
 		{
 			__asm__
 			(
 				"movups (%[iv]), %%xmm1 \n"
 				"1: \n"
 				"movups (%[in]), %%xmm0 \n"
 				"movaps %%xmm0, %%xmm2 \n"
 				DecryptAES256(sched)
 				"pxor %%xmm1, %%xmm0 \n"
 				"movups %%xmm0, (%[out]) \n"
 				"movaps %%xmm2, %%xmm1 \n"
 				"add $16, %[in] \n"
 				"add $16, %[out] \n"
 				"dec %[num] \n"
 				"jnz 1b \n"
 				"movups %%xmm1, (%[iv]) \n"
 				:
 				: [iv]"r"((uint8_t *)m_IV), [sched]"r"(m_ECBDecryption.GetKeySchedule ()),
 					[in]"r"(in), [out]"r"(out), [num]"r"(numBlocks)
 				: "%xmm0", "%xmm1", "%xmm2", "cc", "memory"
 			);
 		}
 		else
 #endif
 		{
 			for (int i = 0; i < numBlocks; i++)
 			{
 				ChipherBlock tmp = in[i];
 				m_ECBDecryption.Decrypt (in + i, out + i);
 				out[i] ^= *m_IV.GetChipherBlock ();
 				*m_IV.GetChipherBlock () = tmp;
 			}
 		}
 	}	
-	void CBCDecryption::Decrypt (const uint8_t * in, std::size_t len, uint8_t * out)
+	void CBCDecryption::Decrypt (const uint8_t * in, size_t len, const uint8_t * iv, uint8_t * out)
 	{
-		int numBlocks = len >> 4;
+		// len/16
-		if (numBlocks > 0)
+		EVP_DecryptInit_ex (m_Ctx, EVP_aes_256_cbc(), NULL, m_Key, iv);
-			Decrypt (numBlocks, (const ChipherBlock *)in, (ChipherBlock *)out);
+		EVP_CIPHER_CTX_set_padding (m_Ctx, 0);
-	}
+		int l;
-
+		EVP_DecryptUpdate (m_Ctx, out, &l, in, len);
-	void CBCDecryption::Decrypt (const uint8_t * in, uint8_t * out)
+		EVP_DecryptFinal_ex (m_Ctx, out + l, &l);
 	{
 #if SUPPORTS_AES
 		if(i2p::cpu::aesni)
 		{
 			__asm__
 			(
 				"movups (%[iv]), %%xmm1 \n"
 				"movups (%[in]), %%xmm0 \n"
 				"movups %%xmm0, (%[iv]) \n"
 				DecryptAES256(sched)
 				"pxor %%xmm1, %%xmm0 \n"
 				"movups %%xmm0, (%[out]) \n"
 				:
 				: [iv]"r"((uint8_t *)m_IV), [sched]"r"(m_ECBDecryption.GetKeySchedule ()),
 					[in]"r"(in), [out]"r"(out)
 				: "%xmm0", "%xmm1", "memory"
 			);
 		}
 		else
 #endif
 			Decrypt (1, (const ChipherBlock *)in, (ChipherBlock *)out);
 	}
 	void TunnelEncryption::Encrypt (const uint8_t * in, uint8_t * out)
 	{
-#if SUPPORTS_AES
+		uint8_t iv[16];
-		if(i2p::cpu::aesni)
+		m_IVEncryption.Encrypt (in, iv); // iv
-		{
+		m_LayerEncryption.Encrypt (in + 16, i2p::tunnel::TUNNEL_DATA_ENCRYPTED_SIZE, iv, out + 16); // data
-			__asm__
+		m_IVEncryption.Encrypt (iv, out); // double iv
 			(
 				// encrypt IV
 				"movups (%[in]), %%xmm0 \n"
 				EncryptAES256(sched_iv)
 				"movaps %%xmm0, %%xmm1 \n"
 				// double IV encryption
 				EncryptAES256(sched_iv)
 				"movups %%xmm0, (%[out]) \n"
 				// encrypt data, IV is xmm1
 				"1: \n"
 				"add $16, %[in] \n"
 				"add $16, %[out] \n"
 				"movups (%[in]), %%xmm0 \n"
 				"pxor %%xmm1, %%xmm0 \n"
 				EncryptAES256(sched_l)
 				"movaps %%xmm0, %%xmm1 \n"
 				"movups %%xmm0, (%[out]) \n"
 				"dec %[num] \n"
 				"jnz 1b \n"
 				:
 				: [sched_iv]"r"(m_IVEncryption.GetKeySchedule ()), [sched_l]"r"(m_LayerEncryption.ECB().GetKeySchedule ()),
 					[in]"r"(in), [out]"r"(out), [num]"r"(63) // 63 blocks = 1008 bytes
 				: "%xmm0", "%xmm1", "cc", "memory"
 			);
 		}
 		else
 #endif
 		{
 			m_IVEncryption.Encrypt ((const ChipherBlock *)in, (ChipherBlock *)out); // iv
 			m_LayerEncryption.SetIV (out);
 			m_LayerEncryption.Encrypt (in + 16, i2p::tunnel::TUNNEL_DATA_ENCRYPTED_SIZE, out + 16); // data
 			m_IVEncryption.Encrypt ((ChipherBlock *)out, (ChipherBlock *)out); // double iv
 		}
 	}
 	void TunnelDecryption::Decrypt (const uint8_t * in, uint8_t * out)
 	{
-#if SUPPORTS_AES
+		uint8_t iv[16];
-		if(i2p::cpu::aesni)
+		m_IVDecryption.Decrypt (in, iv); // iv
-		{
+		m_LayerDecryption.Decrypt (in + 16, i2p::tunnel::TUNNEL_DATA_ENCRYPTED_SIZE, iv, out + 16); // data
-			__asm__
+		m_IVDecryption.Decrypt (iv, out); // double iv
 			(
 				// decrypt IV
 				"movups	(%[in]), %%xmm0 \n"
 				DecryptAES256(sched_iv)
 				"movaps %%xmm0, %%xmm1 \n"
 				// double IV encryption
 				DecryptAES256(sched_iv)
 				"movups %%xmm0, (%[out]) \n"
 				// decrypt data, IV is xmm1
 				"1: \n"
 				"add $16, %[in] \n"
 				"add $16, %[out] \n"
 				"movups (%[in]), %%xmm0 \n"
 				"movaps %%xmm0, %%xmm2 \n"
 				DecryptAES256(sched_l)
 				"pxor %%xmm1, %%xmm0 \n"
 				"movups %%xmm0, (%[out]) \n"
 				"movaps %%xmm2, %%xmm1 \n"
 				"dec %[num] \n"
 				"jnz 1b \n"
 				:
 				: [sched_iv]"r"(m_IVDecryption.GetKeySchedule ()), [sched_l]"r"(m_LayerDecryption.ECB().GetKeySchedule ()),
 					[in]"r"(in), [out]"r"(out), [num]"r"(63) // 63 blocks = 1008 bytes
 				: "%xmm0", "%xmm1", "%xmm2", "cc", "memory"
 			);
 		}
 		else
 #endif
 		{
 			m_IVDecryption.Decrypt ((const ChipherBlock *)in, (ChipherBlock *)out); // iv
 			m_LayerDecryption.SetIV (out);
 			m_LayerDecryption.Decrypt (in + 16, i2p::tunnel::TUNNEL_DATA_ENCRYPTED_SIZE, out + 16); // data
 			m_IVDecryption.Decrypt ((ChipherBlock *)out, (ChipherBlock *)out); // double iv
 		}
 	}
 // AEAD/ChaCha20/Poly1305
-	bool AEADChaCha20Poly1305 (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen, const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len, bool encrypt)
+	static bool AEADChaCha20Poly1305 (EVP_CIPHER_CTX * ctx, const uint8_t * msg, size_t msgLen, 
 		const uint8_t * ad, size_t adLen, const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len, bool encrypt)
 	{
-		if (len < msgLen) return false;
+		if (!ctx || len < msgLen) return false;
 		if (encrypt && len < msgLen + 16) return false;
 		bool ret = true;
 		int outlen = 0;
 		EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new ();
 		if (encrypt)
 		{
 			EVP_EncryptInit_ex(ctx, EVP_chacha20_poly1305(), 0, 0, 0);
@ -978,38 +651,100 @@ namespace crypto
 			EVP_DecryptUpdate(ctx, buf, &outlen, msg, msgLen);
 			ret = EVP_DecryptFinal_ex(ctx, buf + outlen, &outlen) > 0;
 		}
 		return ret;
 	}
 	bool AEADChaCha20Poly1305 (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen, 
 		const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len, bool encrypt)
 	{
 		EVP_CIPHER_CTX * ctx = EVP_CIPHER_CTX_new ();
 		auto ret = AEADChaCha20Poly1305 (ctx, msg, msgLen, ad, adLen, key, nonce, buf, len, encrypt);
 		EVP_CIPHER_CTX_free (ctx);
 		return ret;
 	}
-	void AEADChaCha20Poly1305Encrypt (const std::vector<std::pair<uint8_t *, size_t> >& bufs, const uint8_t * key, const uint8_t * nonce, uint8_t * mac)
+	AEADChaCha20Poly1305Encryptor::AEADChaCha20Poly1305Encryptor ()
 	{
 		m_Ctx = EVP_CIPHER_CTX_new ();
 	}
 	AEADChaCha20Poly1305Encryptor::~AEADChaCha20Poly1305Encryptor ()
 	{
 		if (m_Ctx)
 			EVP_CIPHER_CTX_free (m_Ctx);
 	}	
 	bool AEADChaCha20Poly1305Encryptor::Encrypt (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 		const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len)
 	{
 		return AEADChaCha20Poly1305 (m_Ctx, msg, msgLen, ad, adLen, key, nonce, buf, len, true);
 	}	
 	void AEADChaCha20Poly1305Encryptor::Encrypt (const std::vector<std::pair<uint8_t *, size_t> >& bufs, 
 		const uint8_t * key, const uint8_t * nonce, uint8_t * mac)
 	{
 		if (bufs.empty ()) return;
 		int outlen = 0;
-		EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new ();
+		EVP_EncryptInit_ex(m_Ctx, EVP_chacha20_poly1305(), 0, 0, 0);
-		EVP_EncryptInit_ex(ctx, EVP_chacha20_poly1305(), 0, 0, 0);
+		EVP_CIPHER_CTX_ctrl(m_Ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, 0);
-		EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, 12, 0);
+		EVP_EncryptInit_ex(m_Ctx, NULL, NULL, key, nonce);
 		EVP_EncryptInit_ex(ctx, NULL, NULL, key, nonce);
 		for (const auto& it: bufs)
-			EVP_EncryptUpdate(ctx, it.first, &outlen, it.first, it.second);
+			EVP_EncryptUpdate(m_Ctx, it.first, &outlen, it.first, it.second);
-		EVP_EncryptFinal_ex(ctx, NULL, &outlen);
+		EVP_EncryptFinal_ex(m_Ctx, NULL, &outlen);
-		EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, mac);
+		EVP_CIPHER_CTX_ctrl(m_Ctx, EVP_CTRL_AEAD_GET_TAG, 16, mac);
 		EVP_CIPHER_CTX_free (ctx);
 	}	
-	void ChaCha20 (const uint8_t * msg, size_t msgLen, const uint8_t * key, const uint8_t * nonce, uint8_t * out)
+	AEADChaCha20Poly1305Decryptor::AEADChaCha20Poly1305Decryptor ()
 	{
 		m_Ctx = EVP_CIPHER_CTX_new ();
 	}
 	AEADChaCha20Poly1305Decryptor::~AEADChaCha20Poly1305Decryptor ()
 	{
 		if (m_Ctx)
 			EVP_CIPHER_CTX_free (m_Ctx);
 	}	
 	bool AEADChaCha20Poly1305Decryptor::Decrypt (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 		const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len)
 	{
 		return AEADChaCha20Poly1305 (m_Ctx, msg, msgLen, ad, adLen, key, nonce, buf, len, false);
 	}
 	static void ChaCha20 (EVP_CIPHER_CTX *ctx, const uint8_t * msg, size_t msgLen, const uint8_t * key, const uint8_t * nonce, uint8_t * out)
 	{
 		EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new ();
 		uint32_t iv[4];
 		iv[0] = htole32 (1); memcpy (iv + 1, nonce, 12); // counter | nonce
 		EVP_EncryptInit_ex(ctx, EVP_chacha20 (), NULL, key, (const uint8_t *)iv);
 		int outlen = 0;
 		EVP_EncryptUpdate(ctx, out, &outlen, msg, msgLen);
 		EVP_EncryptFinal_ex(ctx, NULL, &outlen);
 	}
 	void ChaCha20 (const uint8_t * msg, size_t msgLen, const uint8_t * key, const uint8_t * nonce, uint8_t * out)
 	{
 		EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new ();
 		ChaCha20 (ctx, msg, msgLen, key, nonce, out);
 		EVP_CIPHER_CTX_free (ctx);
 	}
 	ChaCha20Context::ChaCha20Context ()
 	{
 		m_Ctx = EVP_CIPHER_CTX_new ();
 	}
 	ChaCha20Context::~ChaCha20Context ()
 	{
 		if (m_Ctx)
 			EVP_CIPHER_CTX_free (m_Ctx);
 	}
 	void ChaCha20Context::operator ()(const uint8_t * msg, size_t msgLen, const uint8_t * key, const uint8_t * nonce, uint8_t * out)
 	{
 		ChaCha20 (m_Ctx, msg, msgLen, key, nonce, out);
 	}	
 	void HKDF (const uint8_t * salt, const uint8_t * key, size_t keyLen, const std::string& info,
 		uint8_t * out, size_t outLen)
 	{
@ -1157,9 +892,8 @@ namespace crypto
 		}
 	}*/
-	void InitCrypto (bool precomputation, bool aesni, bool force)
+	void InitCrypto (bool precomputation)
 	{
 		i2p::cpu::Detect (aesni, force);
 /*		auto numLocks = CRYPTO_num_locks();
 		for (int i = 0; i < numLocks; i++)
 			m_OpenSSLMutexes.emplace_back (new std::mutex);
--- a/libi2pd/Crypto.h
+++ b/libi2pd/Crypto.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -25,7 +25,6 @@
 #include "Base.h"
 #include "Tag.h"
 #include "CPU.h"
 // recognize openssl version and features
 #if (OPENSSL_VERSION_NUMBER >= 0x010101000) // 1.1.1
@ -34,6 +33,9 @@
 #	if (!defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER != 0x030000000)) // 3.0.0, regression in SipHash, not implemented in LibreSSL
 #		define OPENSSL_SIPHASH 1
 #	endif
 #	if (OPENSSL_VERSION_NUMBER >= 0x030500000) // 3.5.0
 #		define OPENSSL_PQ 1
 #	endif
 #endif
 namespace i2p
@ -85,142 +87,70 @@ namespace crypto
 	void GenerateECIESKeyPair (const EC_GROUP * curve, BIGNUM *& priv, EC_POINT *& pub);
 	// AES
 	struct ChipherBlock
 	{
 		uint8_t buf[16];
 		void operator^=(const ChipherBlock& other) // XOR
 		{
 			if (!(((size_t)buf | (size_t)other.buf) & 0x03)) // multiple of 4 ?
 			{
 				for (int i = 0; i < 4; i++)
 					reinterpret_cast<uint32_t *>(buf)[i] ^= reinterpret_cast<const uint32_t *>(other.buf)[i];
 			}
 			else
 			{
 				for (int i = 0; i < 16; i++)
 					buf[i] ^= other.buf[i];
 			}
 		}
 	};
 	typedef i2p::data::Tag<32> AESKey;
 	template<size_t sz>
 	class AESAlignedBuffer // 16 bytes alignment
 	{
 		public:
 			AESAlignedBuffer ()
 			{
 				m_Buf = m_UnalignedBuffer;
 				uint8_t rem = ((size_t)m_Buf) & 0x0f;
 				if (rem)
 					m_Buf += (16 - rem);
 			}
 			operator uint8_t * () { return m_Buf; };
 			operator const uint8_t * () const { return m_Buf; };
 			ChipherBlock * GetChipherBlock () { return (ChipherBlock *)m_Buf; };
 			const ChipherBlock * GetChipherBlock () const { return (const ChipherBlock *)m_Buf; };
 		private:
 			uint8_t m_UnalignedBuffer[sz + 15]; // up to 15 bytes alignment
 			uint8_t * m_Buf;
 	};
 #if SUPPORTS_AES
 	class ECBCryptoAESNI
 	{
 		public:
 			uint8_t * GetKeySchedule () { return m_KeySchedule; };
 		protected:
 			void ExpandKey (const AESKey& key);
 		private:
 			AESAlignedBuffer<240> m_KeySchedule;	// 14 rounds for AES-256, 240 bytes
 	};
 #endif
 #if SUPPORTS_AES
 	class ECBEncryption: public ECBCryptoAESNI
 #else
 	class ECBEncryption
 #endif
 	{
 		public:
-		void SetKey (const AESKey& key);
+			ECBEncryption ();
 			~ECBEncryption ();
-		void Encrypt(const ChipherBlock * in, ChipherBlock * out);
+			void SetKey (const uint8_t * key) { m_Key = key; };
 			void Encrypt(const uint8_t * in, uint8_t * out);
 		private:
-		AES_KEY m_Key;
+
 			AESKey m_Key;
 			EVP_CIPHER_CTX * m_Ctx;	
 	};
 #if SUPPORTS_AES
 	class ECBDecryption: public ECBCryptoAESNI
 #else
 	class ECBDecryption
 #endif
 	{
 		public:
-			void SetKey (const AESKey& key);
+			ECBDecryption ();
-			void Decrypt (const ChipherBlock * in, ChipherBlock * out);
+			~ECBDecryption ();
 			void SetKey (const uint8_t * key) { m_Key = key; };
 			void Decrypt (const uint8_t * in, uint8_t * out);
 		private:
-			AES_KEY m_Key;
+			
 			AESKey m_Key;
 			EVP_CIPHER_CTX * m_Ctx;	
 	};
 	class CBCEncryption
 	{
 		public:
-			CBCEncryption () { memset ((uint8_t *)m_LastBlock, 0, 16); };
+			CBCEncryption ();
 			~CBCEncryption ();
-			void SetKey (const AESKey& key) { m_ECBEncryption.SetKey (key); }; // 32 bytes
+			void SetKey (const uint8_t * key) { m_Key = key; }; // 32 bytes		
-			void SetIV (const uint8_t * iv) { memcpy ((uint8_t *)m_LastBlock, iv, 16); }; // 16 bytes
+			void Encrypt (const uint8_t * in, size_t len, const uint8_t * iv, uint8_t * out);
 			void GetIV (uint8_t * iv) const { memcpy (iv, (const uint8_t *)m_LastBlock, 16); };
 			void Encrypt (int numBlocks, const ChipherBlock * in, ChipherBlock * out);
 			void Encrypt (const uint8_t * in, std::size_t len, uint8_t * out);
 			void Encrypt (const uint8_t * in, uint8_t * out); // one block
 			ECBEncryption & ECB() { return m_ECBEncryption; }
 		private:
-			AESAlignedBuffer<16> m_LastBlock;
+			AESKey m_Key;
-
+			EVP_CIPHER_CTX * m_Ctx;	
 			ECBEncryption m_ECBEncryption;
 	};
 	class CBCDecryption
 	{
 		public:
-			CBCDecryption () { memset ((uint8_t *)m_IV, 0, 16); };
+			CBCDecryption ();
 			~CBCDecryption ();
-			void SetKey (const AESKey& key) { m_ECBDecryption.SetKey (key); }; // 32 bytes
+			void SetKey (const uint8_t * key) { m_Key = key; }; // 32 bytes
-			void SetIV (const uint8_t * iv) { memcpy ((uint8_t *)m_IV, iv, 16); }; // 16 bytes
+			void Decrypt (const uint8_t * in, size_t len, const uint8_t * iv, uint8_t * out);
 			void GetIV (uint8_t * iv) const { memcpy (iv, (const uint8_t *)m_IV, 16); };
 			void Decrypt (int numBlocks, const ChipherBlock * in, ChipherBlock * out);
 			void Decrypt (const uint8_t * in, std::size_t len, uint8_t * out);
 			void Decrypt (const uint8_t * in, uint8_t * out); // one block
 			ECBDecryption & ECB() { return m_ECBDecryption; }
 		private:
-			AESAlignedBuffer<16> m_IV;
+			AESKey m_Key;
-			ECBDecryption m_ECBDecryption;
+			EVP_CIPHER_CTX * m_Ctx;	
 	};
 	class TunnelEncryption // with double IV encryption
@ -260,13 +190,58 @@ namespace crypto
 	};
 // AEAD/ChaCha20/Poly1305
 	bool AEADChaCha20Poly1305 (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen, const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len, bool encrypt); // msgLen is len without tag
-	void AEADChaCha20Poly1305Encrypt (const std::vector<std::pair<uint8_t *, size_t> >& bufs, const uint8_t * key, const uint8_t * nonce, uint8_t * mac); // encrypt multiple buffers with zero ad
+	class AEADChaCha20Poly1305Encryptor
 	{
 		public:
 			AEADChaCha20Poly1305Encryptor ();
 			~AEADChaCha20Poly1305Encryptor ();
 			bool Encrypt (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 				const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len); // msgLen is len without tag
 			void Encrypt (const std::vector<std::pair<uint8_t *, size_t> >& bufs, const uint8_t * key, const uint8_t * nonce, uint8_t * mac); // encrypt multiple buffers with zero ad
 		private:
 			EVP_CIPHER_CTX * m_Ctx;	
 	};	
 	class AEADChaCha20Poly1305Decryptor
 	{
 		public:
 			AEADChaCha20Poly1305Decryptor ();
 			~AEADChaCha20Poly1305Decryptor ();
 			bool Decrypt (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 				const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len); // msgLen is len without tag
 		private:
 			EVP_CIPHER_CTX * m_Ctx;	
 	};	
 	bool AEADChaCha20Poly1305 (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 		const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len, bool encrypt); // msgLen is len without tag
 // ChaCha20
 	void ChaCha20 (const uint8_t * msg, size_t msgLen, const uint8_t * key, const uint8_t * nonce, uint8_t * out);
 	class ChaCha20Context
 	{
 		public:
 			ChaCha20Context ();
 			~ChaCha20Context ();
 			void operator ()(const uint8_t * msg, size_t msgLen, const uint8_t * key, const uint8_t * nonce, uint8_t * out);
 		private:
 			EVP_CIPHER_CTX * m_Ctx;	
 	};
 // HKDF
 	void HKDF (const uint8_t * salt, const uint8_t * key, size_t keyLen, const std::string& info, uint8_t * out, size_t outLen = 64); // salt - 32, out - 32 or 64, info <= 32
@ -288,7 +263,7 @@ namespace crypto
 	void InitNoiseIKState (NoiseSymmetricState& state, const uint8_t * pub); // Noise_IK (ratchets)
 // init and terminate
-	void InitCrypto (bool precomputation, bool aesni, bool force);
+	void InitCrypto (bool precomputation);
 	void TerminateCrypto ();
 }
 }
--- a/libi2pd/Datagram.cpp
+++ b/libi2pd/Datagram.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -104,8 +104,7 @@ namespace datagram
 		if (verified)
 		{
-			auto h = identity.GetIdentHash();
+			auto session = ObtainSession (identity.GetIdentHash());
 			auto session = ObtainSession(h);
 			session->Ack();
 			auto r = FindReceiver(toPort);
 			if(r)
@ -381,15 +380,19 @@ namespace datagram
 			if (!found)
 			{
 				m_RoutingSession = m_LocalDestination->GetRoutingSession(m_RemoteLeaseSet, true);
 				if (m_RoutingSession)
 				{	
 					m_RoutingSession->SetAckRequestInterval (DATAGRAM_SESSION_ACK_REQUEST_INTERVAL);
 					if (!m_RoutingSession->GetOwner () || !m_RoutingSession->IsReadyToSend ())
 						m_PendingRoutingSessions.push_back (m_RoutingSession);
 				}	
 			}
 		}
 		auto path = m_RoutingSession->GetSharedRoutingPath();
-		if (path && m_RoutingSession->IsRatchets () && (m_RoutingSession->CleanupUnconfirmedTags () ||
+		if (path && m_RoutingSession->IsRatchets () && m_RoutingSession->CleanupUnconfirmedTags ())
 			m_LastUse > m_RoutingSession->GetLastActivityTimestamp ()*1000 + DATAGRAM_SESSION_PATH_TIMEOUT))
 		{
 			LogPrint (eLogDebug, "Datagram: path reset");
 			m_RoutingSession->SetSharedRoutingPath (nullptr);
 			path = nullptr;
 		}
--- a/libi2pd/Datagram.h
+++ b/libi2pd/Datagram.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -31,8 +31,6 @@ namespace datagram
 {
 	// milliseconds for max session idle time
 	const uint64_t DATAGRAM_SESSION_MAX_IDLE = 10 * 60 * 1000;
 	// milliseconds for how long we try sticking to a dead routing path before trying to switch
 	const uint64_t DATAGRAM_SESSION_PATH_TIMEOUT = 10 * 1000;
 	// milliseconds interval a routing path is used before switching
 	const uint64_t DATAGRAM_SESSION_PATH_SWITCH_INTERVAL = 20 * 60 * 1000;
 	// milliseconds before lease expire should we try switching leases
@ -44,6 +42,7 @@ namespace datagram
 	// max 64 messages buffered in send queue for each datagram session
 	const size_t DATAGRAM_SEND_QUEUE_MAX_SIZE = 64;
 	const uint64_t DATAGRAM_MAX_FLUSH_INTERVAL = 5; // in milliseconds
 	const int DATAGRAM_SESSION_ACK_REQUEST_INTERVAL = 5500; // in milliseconds
 	class DatagramSession : public std::enable_shared_from_this<DatagramSession>
 	{
--- a/libi2pd/Destination.cpp
+++ b/libi2pd/Destination.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -195,7 +195,7 @@ namespace client
 			m_IsPublic = itr->second != "true";
 		}
-		int inLen, outLen, inQuant, outQuant, numTags, minLatency, maxLatency;
+		int inLen = 0, outLen = 0, inQuant = 0, outQuant = 0, numTags = 0, minLatency = 0, maxLatency = 0;
 		std::map<std::string, int&> intOpts = {
 			{I2CP_PARAM_INBOUND_TUNNEL_LENGTH, inLen},
 			{I2CP_PARAM_OUTBOUND_TUNNEL_LENGTH, outLen},
@ -597,7 +597,8 @@ namespace client
 			m_ExcludedFloodfills.clear ();
 			m_PublishReplyToken = 0;
 			// schedule verification
-			m_PublishVerificationTimer.expires_from_now (boost::posix_time::seconds(PUBLISH_VERIFICATION_TIMEOUT));
+			m_PublishVerificationTimer.expires_from_now (boost::posix_time::seconds(PUBLISH_VERIFICATION_TIMEOUT +
 				(m_Pool ? m_Pool->GetRng ()() % PUBLISH_VERIFICATION_TIMEOUT_VARIANCE : 0)));
 			m_PublishVerificationTimer.async_wait (std::bind (&LeaseSetDestination::HandlePublishVerificationTimer,
 			shared_from_this (), std::placeholders::_1));
 		}
@ -676,8 +677,8 @@ namespace client
 				m_ExcludedFloodfills.clear ();
 				m_PublishReplyToken = 1; // dummy non-zero value
 				// try again after a while
-				LogPrint (eLogInfo, "Destination: Can't publish LeasetSet because destination is not ready. Try publishing again after ", PUBLISH_CONFIRMATION_TIMEOUT, " seconds");
+				LogPrint (eLogInfo, "Destination: Can't publish LeasetSet because destination is not ready. Try publishing again after ", PUBLISH_CONFIRMATION_TIMEOUT, " milliseconds");
-				m_PublishConfirmationTimer.expires_from_now (boost::posix_time::seconds(PUBLISH_CONFIRMATION_TIMEOUT));
+				m_PublishConfirmationTimer.expires_from_now (boost::posix_time::milliseconds(PUBLISH_CONFIRMATION_TIMEOUT));
 				m_PublishConfirmationTimer.async_wait (std::bind (&LeaseSetDestination::HandlePublishConfirmationTimer,
 					shared_from_this (), std::placeholders::_1));
 				return;
@ -696,7 +697,7 @@ namespace client
 						s->HandlePublishConfirmationTimer (boost::system::error_code());
 					});
 			};
-		m_PublishConfirmationTimer.expires_from_now (boost::posix_time::seconds(PUBLISH_CONFIRMATION_TIMEOUT));
+		m_PublishConfirmationTimer.expires_from_now (boost::posix_time::milliseconds(PUBLISH_CONFIRMATION_TIMEOUT));
 		m_PublishConfirmationTimer.async_wait (std::bind (&LeaseSetDestination::HandlePublishConfirmationTimer,
 			shared_from_this (), std::placeholders::_1));
 		outbound->SendTunnelDataMsgTo (floodfill->GetIdentHash (), 0, msg);
@ -712,15 +713,15 @@ namespace client
 				m_PublishReplyToken = 0;
 				if (GetIdentity ()->GetCryptoKeyType () == i2p::data::CRYPTO_KEY_TYPE_ELGAMAL)
 				{
-					LogPrint (eLogWarning, "Destination: Publish confirmation was not received in ", PUBLISH_CONFIRMATION_TIMEOUT, " seconds or failed. will try again");
+					LogPrint (eLogWarning, "Destination: Publish confirmation was not received in ", PUBLISH_CONFIRMATION_TIMEOUT, " milliseconds or failed. will try again");
 					Publish ();
 				}
 				else
 				{
-					LogPrint (eLogWarning, "Destination: Publish confirmation was not received in ", PUBLISH_CONFIRMATION_TIMEOUT, " seconds from Java floodfill for crypto type ", (int)GetIdentity ()->GetCryptoKeyType ());
+					LogPrint (eLogWarning, "Destination: Publish confirmation was not received in ", PUBLISH_CONFIRMATION_TIMEOUT, " milliseconds from Java floodfill for crypto type ", (int)GetIdentity ()->GetCryptoKeyType ());
 					// Java floodfill never sends confirmation back for unknown crypto type
 					// assume it successive and try to verify
-					m_PublishVerificationTimer.expires_from_now (boost::posix_time::seconds(PUBLISH_VERIFICATION_TIMEOUT));
+					m_PublishVerificationTimer.expires_from_now (boost::posix_time::seconds(PUBLISH_VERIFICATION_TIMEOUT + PUBLISH_VERIFICATION_TIMEOUT_VARIANCE)); // always max
 					m_PublishVerificationTimer.async_wait (std::bind (&LeaseSetDestination::HandlePublishVerificationTimer,
 			shared_from_this (), std::placeholders::_1));
@ -833,7 +834,7 @@ namespace client
 			request->requestedBlindedKey = requestedBlindedKey; // for encrypted LeaseSet2
 			if (requestComplete)
 				request->requestComplete.push_back (requestComplete);
-			auto ts = i2p::util::GetSecondsSinceEpoch ();
+			auto ts = i2p::util::GetMillisecondsSinceEpoch ();
 			auto ret = m_LeaseSetRequests.insert (std::pair<i2p::data::IdentHash, std::shared_ptr<LeaseSetRequest> >(dest,request));
 			if (ret.second) // inserted
 			{
@ -916,7 +917,7 @@ namespace client
 						nextFloodfill->GetIdentHash (), 0, msg
 					}
 				});
-			request->requestTimeoutTimer.expires_from_now (boost::posix_time::seconds(LEASESET_REQUEST_TIMEOUT));
+			request->requestTimeoutTimer.expires_from_now (boost::posix_time::milliseconds(LEASESET_REQUEST_TIMEOUT));
 			request->requestTimeoutTimer.async_wait (std::bind (&LeaseSetDestination::HandleRequestTimoutTimer,
 				shared_from_this (), std::placeholders::_1, dest));
 		}
@ -933,7 +934,7 @@ namespace client
 			if (it != m_LeaseSetRequests.end ())
 			{
 				bool done = false;
-				uint64_t ts = i2p::util::GetSecondsSinceEpoch ();
+				uint64_t ts = i2p::util::GetMillisecondsSinceEpoch ();
 				if (ts < it->second->requestTime + MAX_LEASESET_REQUEST_TIMEOUT)
 				{
 					auto floodfill = i2p::data::netdb.GetClosestFloodfill (dest, it->second->excluded);
--- a/libi2pd/Destination.h
+++ b/libi2pd/Destination.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -36,12 +36,13 @@ namespace client
 	const uint8_t PROTOCOL_TYPE_STREAMING = 6;
 	const uint8_t PROTOCOL_TYPE_DATAGRAM = 17;
 	const uint8_t PROTOCOL_TYPE_RAW = 18;
-	const int PUBLISH_CONFIRMATION_TIMEOUT = 5; // in seconds
+	const int PUBLISH_CONFIRMATION_TIMEOUT = 1800; // in milliseconds
-	const int PUBLISH_VERIFICATION_TIMEOUT = 10; // in seconds after successful publish
+	const int PUBLISH_VERIFICATION_TIMEOUT = 5; // in seconds after successful publish
 	const int PUBLISH_VERIFICATION_TIMEOUT_VARIANCE = 3; // in seconds
 	const int PUBLISH_MIN_INTERVAL = 20; // in seconds
 	const int PUBLISH_REGULAR_VERIFICATION_INTERNAL = 100; // in seconds periodically
-	const int LEASESET_REQUEST_TIMEOUT = 5; // in seconds
+	const int LEASESET_REQUEST_TIMEOUT = 1600; // in milliseconds
-	const int MAX_LEASESET_REQUEST_TIMEOUT = 40; // in seconds
+	const int MAX_LEASESET_REQUEST_TIMEOUT = 12000; // in milliseconds
 	const int DESTINATION_CLEANUP_TIMEOUT = 44; // in seconds
 	const int DESTINATION_CLEANUP_TIMEOUT_VARIANCE = 30; // in seconds
 	const unsigned int MAX_NUM_FLOODFILLS_PER_REQUEST = 7;
--- a/libi2pd/ECIESX25519AEADRatchetSession.cpp
+++ b/libi2pd/ECIESX25519AEADRatchetSession.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -725,6 +725,8 @@ namespace garlic
 	bool ECIESX25519AEADRatchetSession::NewExistingSessionMessage (const uint8_t * payload, size_t len, uint8_t * out, size_t outLen)
 	{
 		auto owner = GetOwner ();
 		if (!owner) return false;
 		uint8_t nonce[12];
 		auto index = m_SendTagset->GetNextIndex ();
 		CreateNonce (index, nonce); // tag's index
@ -732,8 +734,7 @@ namespace garlic
 		if (!tag)
 		{
 			LogPrint (eLogError, "Garlic: Can't create new ECIES-X25519-AEAD-Ratchet tag for send tagset");
-			if (GetOwner ())
+			owner->RemoveECIESx25519Session (m_RemoteStaticKey);
 				GetOwner ()->RemoveECIESx25519Session (m_RemoteStaticKey);
 			return false;
 		}
 		memcpy (out, &tag, 8);
@ -741,7 +742,7 @@ namespace garlic
 		// ciphertext = ENCRYPT(k, n, payload, ad)
 		uint8_t key[32];
 		m_SendTagset->GetSymmKey (index, key);
-		if (!i2p::crypto::AEADChaCha20Poly1305 (payload, len, out, 8, key, nonce, out + 8, outLen - 8, true)) // encrypt
+		if (!owner->AEADChaCha20Poly1305Encrypt (payload, len, out, 8, key, nonce, out + 8, outLen - 8))
 		{
 			LogPrint (eLogWarning, "Garlic: Payload section AEAD encryption failed");
 			return false;
@ -760,20 +761,22 @@ namespace garlic
 		uint8_t * payload = buf + 8;
 		uint8_t key[32];
 		receiveTagset->GetSymmKey (index, key);
-		if (!i2p::crypto::AEADChaCha20Poly1305 (payload, len - 16, buf, 8, key, nonce, payload, len - 16, false)) // decrypt
+		auto owner = GetOwner ();
 		if (!owner) return true; // drop message
 		if (!owner->AEADChaCha20Poly1305Decrypt (payload, len - 16, buf, 8, key, nonce, payload, len - 16))
 		{
 			LogPrint (eLogWarning, "Garlic: Payload section AEAD decryption failed");
 			return false;
 		}
 		HandlePayload (payload, len - 16, receiveTagset, index);
-		if (GetOwner ())
+		
 		{
 		int moreTags = 0;
-			if (GetOwner ()->GetNumRatchetInboundTags () > 0) // override in settings?
+		if (owner->GetNumRatchetInboundTags () > 0) // override in settings?
 		{
-				if (receiveTagset->GetNextIndex () - index < GetOwner ()->GetNumRatchetInboundTags ()/2)
+			if (receiveTagset->GetNextIndex () - index < owner->GetNumRatchetInboundTags ()/2)
-					moreTags = GetOwner ()->GetNumRatchetInboundTags ();
+				moreTags = owner->GetNumRatchetInboundTags ();
-				index -= GetOwner ()->GetNumRatchetInboundTags (); // trim behind
+			index -= owner->GetNumRatchetInboundTags (); // trim behind
 		}
 		else
 		{
@ -787,7 +790,6 @@ namespace garlic
 			GenerateMoreReceiveTags (receiveTagset, moreTags);
 		if (index > 0)
 			receiveTagset->SetTrimBehind (index);
 		}
 		return true;
 	}
@ -911,7 +913,7 @@ namespace garlic
 			}
 		}
 		if (!sendAckRequest && !first &&
-		    ((!m_AckRequestMsgID && ts > m_LastAckRequestSendTime + ECIESX25519_ACK_REQUEST_INTERVAL) || // regular request
+		    ((!m_AckRequestMsgID && ts > m_LastAckRequestSendTime + m_AckRequestInterval) || // regular request
 		     (m_AckRequestMsgID && ts > m_LastAckRequestSendTime + LEASESET_CONFIRMATION_TIMEOUT))) // previous request failed. try again
 		{	
 			// not LeaseSet
--- a/libi2pd/ECIESX25519AEADRatchetSession.h
+++ b/libi2pd/ECIESX25519AEADRatchetSession.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -33,7 +33,7 @@ namespace garlic
 	const int ECIESX25519_SESSION_CREATE_TIMEOUT = 3; // in seconds, NSR must be send after NS received
 	const int ECIESX25519_SESSION_ESTABLISH_TIMEOUT = 15; // in seconds 
 	const int ECIESX25519_PREVIOUS_TAGSET_EXPIRATION_TIMEOUT = 180; // in seconds
-	const int ECIESX25519_ACK_REQUEST_INTERVAL = 33000; // in milliseconds
+	const int ECIESX25519_DEFAULT_ACK_REQUEST_INTERVAL = 33000; // in milliseconds
 	const int ECIESX25519_ACK_REQUEST_MAX_NUM_ATTEMPTS = 3;
 	const int ECIESX25519_TAGSET_MAX_NUM_TAGS = 8192; // number of tags we request new tagset after
 	const int ECIESX25519_MIN_NUM_GENERATED_TAGS = 24;
@ -164,7 +164,7 @@ namespace garlic
 			~ECIESX25519AEADRatchetSession ();
 			bool HandleNextMessage (uint8_t * buf, size_t len, std::shared_ptr<ReceiveRatchetTagSet> receiveTagset, int index = 0);
-			std::shared_ptr<I2NPMessage> WrapSingleMessage (std::shared_ptr<const I2NPMessage> msg);
+			std::shared_ptr<I2NPMessage> WrapSingleMessage (std::shared_ptr<const I2NPMessage> msg) override;
 			std::shared_ptr<I2NPMessage> WrapOneTimeMessage (std::shared_ptr<const I2NPMessage> msg);
 			const uint8_t * GetRemoteStaticKey () const { return m_RemoteStaticKey; }
@ -180,11 +180,12 @@ namespace garlic
 			bool CanBeRestarted (uint64_t ts) const { return ts > m_SessionCreatedTimestamp + ECIESX25519_RESTART_TIMEOUT; }
 			bool IsInactive (uint64_t ts) const { return ts > m_LastActivityTimestamp + ECIESX25519_INACTIVITY_TIMEOUT && CanBeRestarted (ts); }
-			bool IsRatchets () const { return true; };
+			bool IsRatchets () const override { return true; };
-			bool IsReadyToSend () const { return m_State != eSessionStateNewSessionSent; };
+			bool IsReadyToSend () const override { return m_State != eSessionStateNewSessionSent; };
-			bool IsTerminated () const { return m_IsTerminated; }
+			bool IsTerminated () const override { return m_IsTerminated; }
-			uint64_t GetLastActivityTimestamp () const { return m_LastActivityTimestamp; };
+			uint64_t GetLastActivityTimestamp () const override { return m_LastActivityTimestamp; };
-			bool CleanupUnconfirmedTags (); // return true if unaswered Ack requests, called from I2CP
+			void SetAckRequestInterval (int interval) override { m_AckRequestInterval = interval; };
 			bool CleanupUnconfirmedTags () override; // return true if unaswered Ack requests, called from I2CP
 		protected:
@ -192,7 +193,7 @@ namespace garlic
 			void SetNoiseState (const i2p::crypto::NoiseSymmetricState& state) { GetNoiseState () = state; };
 			void CreateNonce (uint64_t seqn, uint8_t * nonce);
 			void HandlePayload (const uint8_t * buf, size_t len, const std::shared_ptr<ReceiveRatchetTagSet>& receiveTagset, int index);
-			bool MessageConfirmed (uint32_t msgID);
+			bool MessageConfirmed (uint32_t msgID) override;
 		private:
@ -235,6 +236,7 @@ namespace garlic
 			uint64_t m_LastAckRequestSendTime = 0; // milliseconds
 			uint32_t m_AckRequestMsgID = 0; 
 			int m_AckRequestNumAttempts = 0;
 			int m_AckRequestInterval = ECIESX25519_DEFAULT_ACK_REQUEST_INTERVAL; // milliseconds
 		public:
--- a/libi2pd/Family.cpp
+++ b/libi2pd/Family.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -90,10 +90,10 @@ namespace data
 	}
 	bool Families::VerifyFamily (const std::string& family, const IdentHash& ident,
-		const char * signature, const char * key) const
+		std::string_view signature, const char * key) const
 	{
 		uint8_t buf[100], signatureBuf[64];
-		size_t len = family.length (), signatureLen = strlen (signature);
+		size_t len = family.length ();
 		if (len + 32 > 100)
 		{
 			LogPrint (eLogError, "Family: ", family, " is too long");
@ -105,7 +105,7 @@ namespace data
 			memcpy (buf, family.c_str (), len);
 			memcpy (buf + len, (const uint8_t *)ident, 32);
 			len += 32;
-			auto signatureBufLen = Base64ToByteStream (signature, signatureLen, signatureBuf, 64);
+			auto signatureBufLen = Base64ToByteStream (signature.data (), signature.length (), signatureBuf, 64);
 			if (signatureBufLen)
 			{
 				EVP_MD_CTX * ctx = EVP_MD_CTX_create ();
--- a/libi2pd/Family.h
+++ b/libi2pd/Family.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -11,6 +11,7 @@
 #include <map>
 #include <string>
 #include <string_view>
 #include <memory>
 #include <openssl/evp.h>
 #include "Identity.h"
@ -28,7 +29,7 @@ namespace data
 			~Families ();
 			void LoadCertificates ();
 			bool VerifyFamily (const std::string& family, const IdentHash& ident,
-				const char * signature, const char * key = nullptr) const;
+				std::string_view signature, const char * key = nullptr) const;
 			FamilyID GetFamilyID (const std::string& family) const;
 		private:
--- a/libi2pd/Garlic.cpp
+++ b/libi2pd/Garlic.cpp
@ -160,7 +160,7 @@ namespace garlic
 			uint8_t iv[32]; // IV is first 16 bytes
 			SHA256(elGamal.preIV, 32, iv);
 			m_Destination->Encrypt ((uint8_t *)&elGamal, buf);
-			m_Encryption.SetIV (iv);
+			m_IV = iv;
 			buf += 514;
 			len += 514;
 		}
@ -170,7 +170,7 @@ namespace garlic
 			memcpy (buf, tag, 32);
 			uint8_t iv[32]; // IV is first 16 bytes
 			SHA256(tag, 32, iv);
-			m_Encryption.SetIV (iv);
+			m_IV = iv;
 			buf += 32;
 			len += 32;
 		}
@ -210,7 +210,7 @@ namespace garlic
 		size_t rem = blockSize % 16;
 		if (rem)
 			blockSize += (16-rem); //padding
-		m_Encryption.Encrypt(buf, blockSize, buf);
+		m_Encryption.Encrypt(buf, blockSize, m_IV, buf);
 		return blockSize;
 	}
@ -514,8 +514,7 @@ namespace garlic
 				{
 					uint8_t iv[32]; // IV is first 16 bytes
 					SHA256(buf, 32, iv);
-					decryption->SetIV (iv);
+					decryption->Decrypt (buf + 32, length - 32, iv, buf + 32);
 					decryption->Decrypt (buf + 32, length - 32, buf + 32);
 					HandleAESBlock (buf + 32, length - 32, decryption, msg->from);
 					found = true;
 				}
@ -533,8 +532,7 @@ namespace garlic
 					auto decryption = std::make_shared<AESDecryption>(elGamal.sessionKey);
 					uint8_t iv[32]; // IV is first 16 bytes
 					SHA256(elGamal.preIV, 32, iv);
-					decryption->SetIV (iv);
+					decryption->Decrypt(buf + 514, length - 514, iv, buf + 514);
 					decryption->Decrypt(buf + 514, length - 514, buf + 514);
 					HandleAESBlock (buf + 514, length - 514, decryption, msg->from);
 				}
 				else if (SupportsEncryptionType (i2p::data::CRYPTO_KEY_TYPE_ECIES_X25519_AEAD))
@ -550,7 +548,7 @@ namespace garlic
 							LogPrint (eLogError, "Garlic: Can't handle ECIES-X25519-AEAD-Ratchet message");
 					}
 					else
-						LogPrint (eLogWarning, "Garlic: Incoming sessions come too ofter");
+						LogPrint (eLogWarning, "Garlic: Incoming sessions come too often");
 				}
 				else
 					LogPrint (eLogError, "Garlic: Failed to decrypt message");
@ -1105,5 +1103,17 @@ namespace garlic
 			m_PayloadBuffer = new uint8_t[I2NP_MAX_MESSAGE_SIZE];
 		return m_PayloadBuffer;
 	}
 	bool GarlicDestination::AEADChaCha20Poly1305Encrypt (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 		const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len)
 	{
 		return m_Encryptor.Encrypt (msg, msgLen, ad, adLen, key, nonce, buf, len);
 	}
 	bool GarlicDestination::AEADChaCha20Poly1305Decrypt (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 		const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len)
 	{
 		return m_Decryptor.Decrypt (msg, msgLen, ad, adLen, key, nonce, buf, len);
 	}	
 }
 }
--- a/libi2pd/Garlic.h
+++ b/libi2pd/Garlic.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -116,6 +116,7 @@ namespace garlic
 			virtual bool IsReadyToSend () const { return true; };
 			virtual bool IsTerminated () const { return !GetOwner (); };
 			virtual uint64_t GetLastActivityTimestamp () const { return 0; }; // non-zero for rathets only
 			virtual void SetAckRequestInterval (int interval) {}; // in milliseconds, override in ECIESX25519AEADRatchetSession
 			void SetLeaseSetUpdated ()
 			{
@ -205,6 +206,7 @@ namespace garlic
 			std::map<uint32_t, std::unique_ptr<UnconfirmedTags> > m_UnconfirmedTagsMsgs; // msgID->tags
 			i2p::crypto::CBCEncryption m_Encryption;
 			i2p::data::Tag<16> m_IV;
 		public:
@ -242,6 +244,11 @@ namespace garlic
 			std::shared_ptr<I2NPMessage> WrapMessageForRouter (std::shared_ptr<const i2p::data::RouterInfo> router,
 				std::shared_ptr<I2NPMessage> msg);
 			bool AEADChaCha20Poly1305Encrypt (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 				const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len); 
 			bool AEADChaCha20Poly1305Decrypt (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 				const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len); 
 			void AddSessionKey (const uint8_t * key, const uint8_t * tag); // one tag
 			void AddECIESx25519Key (const uint8_t * key, uint64_t tag); // one tag
 			virtual bool SubmitSessionKey (const uint8_t * key, const uint8_t * tag); // from different thread
@ -286,7 +293,7 @@ namespace garlic
 			std::unordered_map<i2p::data::IdentHash, ElGamalAESSessionPtr> m_Sessions;
 			std::unordered_map<i2p::data::Tag<32>, ECIESX25519AEADRatchetSessionPtr> m_ECIESx25519Sessions; // static key -> session
 			uint8_t * m_PayloadBuffer; // for ECIESX25519AEADRatchet
-			uint64_t m_LastIncomingSessionTimestamp; // in millseconds
+			uint64_t m_LastIncomingSessionTimestamp; // in milliseconds
 			// incoming
 			int m_NumRatchetInboundTags;
 			std::unordered_map<SessionTag, std::shared_ptr<AESDecryption>, std::hash<i2p::data::Tag<32> > > m_Tags;
@ -294,6 +301,9 @@ namespace garlic
 			// DeliveryStatus
 			std::mutex m_DeliveryStatusSessionsMutex;
 			std::unordered_map<uint32_t, GarlicRoutingSessionPtr> m_DeliveryStatusSessions; // msgID -> session
 			// encryption
 			i2p::crypto::AEADChaCha20Poly1305Encryptor m_Encryptor;
 			i2p::crypto::AEADChaCha20Poly1305Decryptor m_Decryptor;
 		public:
--- a/libi2pd/HTTP.cpp
+++ b/libi2pd/HTTP.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -10,6 +10,7 @@
 #include <utility>
 #include <stdio.h>
 #include <ctime>
 #include <charconv>
 #include "util.h"
 #include "Base.h"
 #include "HTTP.h"
@ -18,54 +19,51 @@ namespace i2p
 {
 namespace http
 {
-	const std::vector<std::string> HTTP_METHODS = {
+	// list of valid HTTP methods
 	static constexpr std::array<std::string_view, 16> HTTP_METHODS = 
 	{
 		"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS", "CONNECT", // HTTP basic methods
 		"COPY", "LOCK", "MKCOL", "MOVE", "PROPFIND", "PROPPATCH", "UNLOCK", "SEARCH" // WebDAV methods, for SEARCH see rfc5323
 	};
-	const std::vector<std::string> HTTP_VERSIONS = {
+
 	// list of valid HTTP versions
 	static constexpr std::array<std::string_view, 2> HTTP_VERSIONS = 
 	{
 		"HTTP/1.0", "HTTP/1.1"
 	};
-	const std::vector<const char *> weekdays = {
+	
 	static constexpr std::array<const char *, 7> weekdays = 
 	{
 		"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"
 	};
-	const std::vector<const char *> months = {
+	
 	static constexpr std::array<const char *, 12> months = 
 	{
 		"Jan", "Feb", "Mar", "Apr", "May", "Jun",
 		"Jul", "Aug", "Sep", "Oct", "Nov", "Dec"
 	};
-	inline bool is_http_version(const std::string & str) {
+	static inline bool is_http_version(std::string_view str) 
 	{
 		return std::find(HTTP_VERSIONS.begin(), HTTP_VERSIONS.end(), str) != std::end(HTTP_VERSIONS);
 	}
-	inline bool is_http_method(const std::string & str) {
+	static inline bool is_http_method(std::string_view str) 
 	{
 		return std::find(HTTP_METHODS.begin(), HTTP_METHODS.end(), str) != std::end(HTTP_METHODS);
 	}
-	static void strsplit(std::stringstream& ss, std::vector<std::string> &tokens, char delim, std::size_t limit = 0) 	
+	static void strsplit(std::string_view line, std::vector<std::string_view> &tokens, char delim, std::size_t limit = 0) 
 	{	
-		std::size_t count = 0;
+		size_t count = 0, pos;
-		std::string token;
+		while ((pos = line.find (delim)) != line.npos)
 		while (1) 
 		{
 			count++;
-			if (limit > 0 && count >= limit)
+			if (limit > 0 && count >= limit) delim = '\n'; // reset delimiter
-				delim = '\n'; /* reset delimiter */
+			tokens.push_back (line.substr (0, pos));
-			if (!std::getline(ss, token, delim))
+			line = line.substr (pos + 1);	
 				break;
 			tokens.push_back(token);
 		}
-	}
+		if (!line.empty ()) tokens.push_back (line);
 	static void strsplit(const std::string & line, std::vector<std::string> &tokens, char delim, std::size_t limit = 0) 
 	{
 		std::stringstream ss{line};
 		strsplit (ss, tokens, delim, limit);
 	}
 	static void strsplit(std::string_view line, std::vector<std::string> &tokens, char delim, std::size_t limit = 0) 
 	{	
 		std::stringstream ss{std::string(line)};
 		strsplit (ss, tokens, delim, limit);
 	}
 	static std::pair<std::string, std::string> parse_header_line(std::string_view line)
@ -211,8 +209,9 @@ namespace http
 		return true;
 	}
-	bool URL::parse_query(std::map<std::string, std::string> & params) {
+	bool URL::parse_query(std::map<std::string, std::string> & params) 
-		std::vector<std::string> tokens;
+	{
 		std::vector<std::string_view> tokens;
 		strsplit(query, tokens, '&');
 		params.clear();
@ -308,8 +307,9 @@ namespace http
 			if (expect == REQ_LINE) 
 			{
 				std::string_view line = str.substr(pos, eol - pos);
-				std::vector<std::string> tokens;
+				std::vector<std::string_view> tokens;
 				strsplit(line, tokens, ' ');
 				if (tokens.size() != 3)
 					return -1;
 				if (!is_http_method(tokens[0]))
@ -333,11 +333,11 @@ namespace http
 				else
 					return -1;
 			}
-			pos = eol + strlen(CRLF);
+			pos = eol + CRLF.length();
 			if (pos >= eoh)
 				break;
 		}
-		return eoh + strlen(HTTP_EOH);
+		return eoh + HTTP_EOH.length();
 	}
 	void HTTPReq::write(std::ostream & o)
@ -381,7 +381,7 @@ namespace http
 		}
 	}
-	std::string HTTPReq::GetHeader (const std::string& name) const
+	std::string HTTPReq::GetHeader (std::string_view name) const
 	{
 		for (auto& it : headers)
 			if (it.first == name)
@ -389,7 +389,7 @@ namespace http
 		return "";
 	}
-	size_t HTTPReq::GetNumHeaders (const std::string& name) const
+	size_t HTTPReq::GetNumHeaders (std::string_view name) const
 	{
 		size_t num = 0;
 		for (auto& it : headers)
@ -451,13 +451,15 @@ namespace http
 			if (expect == RES_LINE) 
 			{
 				std::string_view line = str.substr(pos, eol - pos);
-				std::vector<std::string> tokens;
+				std::vector<std::string_view> tokens;
 				strsplit(line, tokens, ' ', 3);
 				if (tokens.size() != 3)
 					return -1;
 				if (!is_http_version(tokens[0]))
 					return -1;
-				code = atoi(tokens[1].c_str());
+				auto res = std::from_chars(tokens[1].data (), tokens[1].data() + tokens[1].size(), code);
 				if (res.ec != std::errc())
 					return -1;
 				if (code < 100 || code >= 600)
 					return -1;
 				/* all ok */
@ -474,11 +476,11 @@ namespace http
 				else
 					return -1;
 			}
-			pos = eol + strlen(CRLF);
+			pos = eol + CRLF.length();
 			if (pos >= eoh)
 				break;
 		}
-		return eoh + strlen(HTTP_EOH);
+		return eoh + HTTP_EOH.length();
 	}
 	std::string HTTPRes::to_string() {
@ -503,9 +505,11 @@ namespace http
 		return ss.str();
 	}
-	const char * HTTPCodeToStatus(int code) {
+	std::string_view HTTPCodeToStatus(int code) 
-		const char *ptr;
+	{
-		switch (code) {
+		std::string_view ptr;
 		switch (code) 
 		{
 			case 105: ptr = "Name Not Resolved"; break;
 			/* success */
 			case 200: ptr = "OK"; break;
--- a/libi2pd/HTTP.h
+++ b/libi2pd/HTTP.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -21,10 +21,8 @@ namespace i2p
 {
 namespace http
 {
-	const char CRLF[] = "\r\n";         /**< HTTP line terminator */
+	constexpr std::string_view CRLF = "\r\n";         /**< HTTP line terminator */
-	const char HTTP_EOH[] = "\r\n\r\n"; /**< HTTP end-of-headers mark */
+	constexpr std::string_view HTTP_EOH = "\r\n\r\n"; /**< HTTP end-of-headers mark */
 	extern const std::vector<std::string> HTTP_METHODS;  /**< list of valid HTTP methods */
 	extern const std::vector<std::string> HTTP_VERSIONS; /**< list of valid HTTP versions */
 	struct URL
 	{
@ -103,8 +101,8 @@ namespace http
 		void UpdateHeader (const std::string& name, const std::string& value);
 		void RemoveHeader (const std::string& name, const std::string& exempt); // remove all headers starting with name, but exempt
 		void RemoveHeader (const std::string& name) { RemoveHeader (name, ""); };
-		std::string GetHeader (const std::string& name) const;
+		std::string GetHeader (std::string_view name) const;
-		size_t GetNumHeaders (const std::string& name) const;
+		size_t GetNumHeaders (std::string_view name) const;
 		size_t GetNumHeaders () const { return headers.size (); };
 	};
@ -154,7 +152,7 @@ namespace http
 	 * @param code HTTP code [100, 599]
 	 * @return Immutable string with status
 	 */
-	const char * HTTPCodeToStatus(int code);
+	std::string_view HTTPCodeToStatus(int code);
 	/**
 	 * @brief Replaces %-encoded characters in string with their values
--- a/libi2pd/Identity.cpp
+++ b/libi2pd/Identity.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -27,18 +27,15 @@ namespace data
 	size_t Identity::FromBuffer (const uint8_t * buf, size_t len)
 	{
-		if ( len < DEFAULT_IDENTITY_SIZE ) {
+		if (len < DEFAULT_IDENTITY_SIZE) return 0; // buffer too small, don't overflow
-			// buffer too small, don't overflow
+		memcpy (this, buf, DEFAULT_IDENTITY_SIZE);
 			return 0;
 		}
 		memcpy (publicKey, buf, DEFAULT_IDENTITY_SIZE);
 		return DEFAULT_IDENTITY_SIZE;
 	}
 	IdentHash Identity::Hash () const
 	{
 		IdentHash hash;
-		SHA256(publicKey, DEFAULT_IDENTITY_SIZE, hash);
+		SHA256((const uint8_t *)this, DEFAULT_IDENTITY_SIZE, hash);
 		return hash;
 	}
@ -122,6 +119,16 @@ namespace data
 					memcpy (m_StandardIdentity.signingKey, signingKey, i2p::crypto::GOSTR3410_512_PUBLIC_KEY_LENGTH);
 					break;
 				}
 #if OPENSSL_PQ
 				case SIGNING_KEY_TYPE_MLDSA44:
 				{
 					memcpy (m_StandardIdentity, signingKey, 384);
 					excessLen = i2p::crypto::MLDSA44_PUBLIC_KEY_LENGTH - 384;
 					excessBuf = new uint8_t[excessLen];
 					memcpy (excessBuf, signingKey + 384, excessLen);
 					break;
 				}	
 #endif					
 				default:
 					LogPrint (eLogError, "Identity: Signing key type ", (int)type, " is not supported");
 			}
@ -262,11 +269,11 @@ namespace data
 		return fullLen;
 	}
-	size_t IdentityEx::FromBase64(const std::string& s)
+	size_t IdentityEx::FromBase64(std::string_view s)
 	{
 		const size_t slen = s.length();
 		std::vector<uint8_t> buf(slen); // binary data can't exceed base64
-		const size_t len = Base64ToByteStream (s.c_str(), slen, buf.data(), slen);
+		const size_t len = Base64ToByteStream (s.data(), slen, buf.data(), slen);
 		return FromBuffer (buf.data(), len);
 	}
@ -355,6 +362,10 @@ namespace data
 				return new i2p::crypto::GOSTR3410_512_Verifier (i2p::crypto::eGOSTR3410TC26A512);
 			case SIGNING_KEY_TYPE_REDDSA_SHA512_ED25519:
 				return new i2p::crypto::RedDSA25519Verifier ();
 #if OPENSSL_PQ				
 			case SIGNING_KEY_TYPE_MLDSA44:
 				return new i2p::crypto::MLDSA44Verifier ();
 #endif				
 			case SIGNING_KEY_TYPE_RSA_SHA256_2048:
 			case SIGNING_KEY_TYPE_RSA_SHA384_3072:
 			case SIGNING_KEY_TYPE_RSA_SHA512_4096:
@ -376,6 +387,18 @@ namespace data
 				auto keyLen = verifier->GetPublicKeyLen ();
 				if (keyLen <= 128)
 					verifier->SetPublicKey (m_StandardIdentity.signingKey + 128 - keyLen);
 #if OPENSSL_PQ
 				else if (keyLen > 384)
 				{
 					// for post-quantum
 					uint8_t * signingKey = new uint8_t[keyLen];
 					memcpy (signingKey, m_StandardIdentity.signingKey, 384);
 					size_t excessLen = keyLen - 384;
 					memcpy (signingKey + 384, m_ExtendedBuffer + 4, excessLen); // right after signing and crypto key types
 					verifier->SetPublicKey (signingKey);
 					delete[] signingKey;
 				}	
 #endif				
 				else
 				{
 					// for P521
@ -402,12 +425,8 @@ namespace data
 				return std::make_shared<i2p::crypto::ECIESX25519AEADRatchetEncryptor>(key);
 			break;
 			case CRYPTO_KEY_TYPE_ECIES_P256_SHA256_AES256CBC:
 			case CRYPTO_KEY_TYPE_ECIES_P256_SHA256_AES256CBC_TEST:
 				return std::make_shared<i2p::crypto::ECIESP256Encryptor>(key);
 			break;
 			case CRYPTO_KEY_TYPE_ECIES_GOSTR3410_CRYPTO_PRO_A_SHA256_AES256CBC:
 				return std::make_shared<i2p::crypto::ECIESGOSTR3410Encryptor>(key);
 			break;
 			default:
 				LogPrint (eLogError, "Identity: Unknown crypto key type ", (int)keyType);
 		};
@ -633,6 +652,11 @@ namespace data
 			case SIGNING_KEY_TYPE_REDDSA_SHA512_ED25519:
 				return new i2p::crypto::RedDSA25519Signer (priv);
 			break;
 #if OPENSSL_PQ
 			case SIGNING_KEY_TYPE_MLDSA44:
 				return new i2p::crypto::MLDSA44Signer (priv);
 			break;	
 #endif				
 			default:
 				LogPrint (eLogError, "Identity: Signing key type ", (int)keyType, " is not supported");
 		}
@ -676,12 +700,8 @@ namespace data
 				return std::make_shared<i2p::crypto::ECIESX25519AEADRatchetDecryptor>(key);
 			break;
 			case CRYPTO_KEY_TYPE_ECIES_P256_SHA256_AES256CBC:
 			case CRYPTO_KEY_TYPE_ECIES_P256_SHA256_AES256CBC_TEST:
 				return std::make_shared<i2p::crypto::ECIESP256Decryptor>(key);
 			break;
 			case CRYPTO_KEY_TYPE_ECIES_GOSTR3410_CRYPTO_PRO_A_SHA256_AES256CBC:
 				return std::make_shared<i2p::crypto::ECIESGOSTR3410Decryptor>(key);
 			break;
 			default:
 				LogPrint (eLogError, "Identity: Unknown crypto key type ", (int)cryptoType);
 		};
@ -728,9 +748,7 @@ namespace data
 			case SIGNING_KEY_TYPE_RSA_SHA384_3072:
 			case SIGNING_KEY_TYPE_RSA_SHA512_4096:
 				LogPrint (eLogWarning, "Identity: RSA signature type is not supported. Creating EdDSA");
 #if (__cplusplus >= 201703L) // C++ 17 or higher
 				[[fallthrough]];
 #endif
 				// no break here
 			case SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519:
 				i2p::crypto::CreateEDDSA25519RandomKeys (priv, pub);
@ -744,6 +762,11 @@ namespace data
 			case SIGNING_KEY_TYPE_REDDSA_SHA512_ED25519:
 				i2p::crypto::CreateRedDSA25519RandomKeys (priv, pub);
 			break;
 #if OPENSSL_PQ				
 			case SIGNING_KEY_TYPE_MLDSA44:
 				i2p::crypto::CreateMLDSA44RandomKeys (priv, pub);
 			break;	
 #endif				
 			default:
 				LogPrint (eLogWarning, "Identity: Signing key type ", (int)type, " is not supported. Create DSA-SHA1");
 				i2p::crypto::CreateDSARandomKeys (priv, pub); // DSA-SHA1
@ -758,12 +781,8 @@ namespace data
 				i2p::crypto::GenerateElGamalKeyPair(priv, pub);
 			break;
 			case CRYPTO_KEY_TYPE_ECIES_P256_SHA256_AES256CBC:
 			case CRYPTO_KEY_TYPE_ECIES_P256_SHA256_AES256CBC_TEST:
 				i2p::crypto::CreateECIESP256RandomKeys (priv, pub);
 			break;
 			case CRYPTO_KEY_TYPE_ECIES_GOSTR3410_CRYPTO_PRO_A_SHA256_AES256CBC:
 				i2p::crypto::CreateECIESGOSTR3410RandomKeys (priv, pub);
 			break;
 			case CRYPTO_KEY_TYPE_ECIES_X25519_AEAD:
 				i2p::crypto::CreateECIESX25519AEADRatchetRandomKeys (priv, pub);
 			break;
--- a/libi2pd/Identity.h
+++ b/libi2pd/Identity.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -12,6 +12,7 @@
 #include <inttypes.h>
 #include <string.h>
 #include <string>
 #include <string_view>
 #include <memory>
 #include <vector>
 #include "Base.h"
@ -54,6 +55,8 @@ namespace data
 		Identity& operator=(const Keys& keys);
 		size_t FromBuffer (const uint8_t * buf, size_t len);
 		IdentHash Hash () const;
 		operator uint8_t * () { return reinterpret_cast<uint8_t *>(this); }
 		operator const uint8_t * () const { return reinterpret_cast<const uint8_t *>(this); }
 	};
 	Keys CreateRandomKeys ();
@ -63,8 +66,6 @@ namespace data
 	const uint16_t CRYPTO_KEY_TYPE_ELGAMAL = 0;
 	const uint16_t CRYPTO_KEY_TYPE_ECIES_P256_SHA256_AES256CBC = 1;
 	const uint16_t CRYPTO_KEY_TYPE_ECIES_X25519_AEAD = 4;
 	const uint16_t CRYPTO_KEY_TYPE_ECIES_P256_SHA256_AES256CBC_TEST = 65280; // TODO: remove later
 	const uint16_t CRYPTO_KEY_TYPE_ECIES_GOSTR3410_CRYPTO_PRO_A_SHA256_AES256CBC = 65281; // TODO: use GOST R 34.11 instead SHA256 and GOST 28147-89 instead AES
 	const uint16_t SIGNING_KEY_TYPE_DSA_SHA1 = 0;
 	const uint16_t SIGNING_KEY_TYPE_ECDSA_SHA256_P256 = 1;
@ -74,10 +75,11 @@ namespace data
 	const uint16_t SIGNING_KEY_TYPE_RSA_SHA384_3072 = 5;
 	const uint16_t SIGNING_KEY_TYPE_RSA_SHA512_4096 = 6;
 	const uint16_t SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519 = 7;
-	const uint16_t SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519ph = 8; // not implemented
+	const uint16_t SIGNING_KEY_TYPE_EDDSA_SHA512_ED25519ph = 8; // since openssl 3.0.0
 	const uint16_t SIGNING_KEY_TYPE_GOSTR3410_CRYPTO_PRO_A_GOSTR3411_256 = 9;
 	const uint16_t SIGNING_KEY_TYPE_GOSTR3410_TC26_A_512_GOSTR3411_512 = 10; // approved by FSB
 	const uint16_t SIGNING_KEY_TYPE_REDDSA_SHA512_ED25519 = 11; // for LeaseSet2 only
 	const uint16_t SIGNING_KEY_TYPE_MLDSA44 = 15;
 	typedef uint16_t SigningKeyType;
 	typedef uint16_t CryptoKeyType;
@ -99,7 +101,7 @@ namespace data
 			size_t FromBuffer (const uint8_t * buf, size_t len);
 			size_t ToBuffer (uint8_t * buf, size_t len) const;
-			size_t FromBase64(const std::string& s);
+			size_t FromBase64(std::string_view s);
 			std::string ToBase64 () const;
 			const Identity& GetStandardIdentity () const { return m_StandardIdentity; };
@ -133,7 +135,7 @@ namespace data
 			IdentHash m_IdentHash;
 			std::unique_ptr<i2p::crypto::Verifier> m_Verifier;
 			size_t m_ExtendedLen;
-			uint8_t m_ExtendedBuffer[MAX_EXTENDED_BUFFER_SIZE];
+			uint8_t m_ExtendedBuffer[MAX_EXTENDED_BUFFER_SIZE]; // TODO: support PQ keys
 	};
 	size_t GetIdentityBufferLen (const uint8_t * buf, size_t len); // return actual identity length in buffer
--- a/libi2pd/NTCP2.cpp
+++ b/libi2pd/NTCP2.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -120,9 +120,8 @@ namespace transport
 		// encrypt X
 		i2p::crypto::CBCEncryption encryption;
 		encryption.SetKey (m_RemoteIdentHash);
-		encryption.SetIV (m_IV);
+		encryption.Encrypt (GetPub (), 32, m_IV, m_SessionRequestBuffer); // X
-		encryption.Encrypt (GetPub (), 32, m_SessionRequestBuffer); // X
+		memcpy (m_IV, m_SessionRequestBuffer + 16, 16); // save last block as IV for SessionCreated
 		encryption.GetIV (m_IV); // save IV for SessionCreated
 		// encryption key for next block
 		if (!KDF1Alice ()) return false;
 		// fill options
@ -161,8 +160,7 @@ namespace transport
 		// encrypt Y
 		i2p::crypto::CBCEncryption encryption;
 		encryption.SetKey (i2p::context.GetIdentHash ());
-		encryption.SetIV (m_IV);
+		encryption.Encrypt (GetPub (), 32, m_IV, m_SessionCreatedBuffer); // Y
 		encryption.Encrypt (GetPub (), 32, m_SessionCreatedBuffer); // Y
 		// encryption key for next block (m_K)
 		if (!KDF2Bob ()) return false;
 		uint8_t options[16];
@ -208,9 +206,8 @@ namespace transport
 		// decrypt X
 		i2p::crypto::CBCDecryption decryption;
 		decryption.SetKey (i2p::context.GetIdentHash ());
-		decryption.SetIV (i2p::context.GetNTCP2IV ());
+		decryption.Decrypt (m_SessionRequestBuffer, 32, i2p::context.GetNTCP2IV (), GetRemotePub ());
-		decryption.Decrypt (m_SessionRequestBuffer, 32, GetRemotePub ());
+		memcpy (m_IV, m_SessionRequestBuffer + 16, 16); // save last block as IV for SessionCreated
 		decryption.GetIV (m_IV); // save IV for SessionCreated
 		// decryption key for next block
 		if (!KDF1Bob ())
 		{
@ -268,8 +265,7 @@ namespace transport
 		// decrypt Y
 		i2p::crypto::CBCDecryption decryption;
 		decryption.SetKey (m_RemoteIdentHash);
-		decryption.SetIV (m_IV);
+		decryption.Decrypt (m_SessionCreatedBuffer, 32, m_IV, GetRemotePub ());
 		decryption.Decrypt (m_SessionCreatedBuffer, 32, GetRemotePub ());
 		// decryption key for next block (m_K)
 		if (!KDF2Alice ())
 		{
@ -823,17 +819,22 @@ namespace transport
 			Terminate ();
 			return;
 		}
-		std::shared_ptr<i2p::data::RouterProfile> profile; // not null if older 
+		
 		bool isOlder = false;
 		if (ri.GetTimestamp () + i2p::data::NETDB_EXPIRATION_TIMEOUT_THRESHOLD*1000LL < ri1->GetTimestamp ())
 		{	
 			// received RouterInfo is older than one in netdb
-			profile = i2p::data::GetRouterProfile (ri1->GetIdentHash ()); // retrieve profile	
+			isOlder = true;
 			if (ri1->HasProfile ())
 			{	
 				auto profile = i2p::data::GetRouterProfile (ri1->GetIdentHash ()); // retrieve profile	
 				if (profile && profile->IsDuplicated ())
 				{	
 					SendTerminationAndTerminate (eNTCP2Banned);
 					return;
 				}	
 			}	
 		}
 		auto addr = m_RemoteEndpoint.address ().is_v4 () ? ri1->GetNTCP2V4Address () :
 			(i2p::util::net::IsYggdrasilAddress (m_RemoteEndpoint.address ()) ? ri1->GetYggdrasilAddress () : ri1->GetNTCP2V6Address ());
@ -848,8 +849,12 @@ namespace transport
 		     memcmp (m_RemoteEndpoint.address ().to_v6 ().to_bytes ().data () + 1, addr->host.to_v6 ().to_bytes ().data () + 1, 7) : // from the same yggdrasil subnet
 		     memcmp (m_RemoteEndpoint.address ().to_v6 ().to_bytes ().data (), addr->host.to_v6 ().to_bytes ().data (), 8)))) // temporary address
 		{
-			if (profile) // older router?
+			if (isOlder) // older router?
-				profile->Duplicated (); // mark router as duplicated in profile
+				i2p::data::UpdateRouterProfile (ri1->GetIdentHash (),
 					[](std::shared_ptr<i2p::data::RouterProfile> profile)
 					{
 						if (profile) profile->Duplicated (); // mark router as duplicated in profile
 					});
 			else
 				LogPrint (eLogInfo, "NTCP2: Host mismatch between published address ", addr->host, " and actual endpoint ", m_RemoteEndpoint.address ());
 			SendTerminationAndTerminate (eNTCP2Banned);
@ -995,7 +1000,7 @@ namespace transport
 			i2p::transport::transports.UpdateReceivedBytes (bytes_transferred + 2);
 			uint8_t nonce[12];
 			CreateNonce (m_ReceiveSequenceNumber, nonce); m_ReceiveSequenceNumber++;
-			if (i2p::crypto::AEADChaCha20Poly1305 (m_NextReceivedBuffer, m_NextReceivedLen-16, nullptr, 0, m_ReceiveKey, nonce, m_NextReceivedBuffer, m_NextReceivedLen, false))
+			if (m_Server.AEADChaCha20Poly1305Decrypt (m_NextReceivedBuffer, m_NextReceivedLen-16, nullptr, 0, m_ReceiveKey, nonce, m_NextReceivedBuffer, m_NextReceivedLen))
 			{
 				LogPrint (eLogDebug, "NTCP2: Received message decrypted");
 				ProcessNextFrame (m_NextReceivedBuffer, m_NextReceivedLen-16);
@ -1184,7 +1189,7 @@ namespace transport
 		}	
 		uint8_t nonce[12];
 		CreateNonce (m_SendSequenceNumber, nonce); m_SendSequenceNumber++;
-		i2p::crypto::AEADChaCha20Poly1305Encrypt (encryptBufs, m_SendKey, nonce, macBuf); // encrypt buffers
+		m_Server.AEADChaCha20Poly1305Encrypt (encryptBufs, m_SendKey, nonce, macBuf); // encrypt buffers
 		SetNextSentFrameLength (totalLen + 16, first->GetNTCP2Header () - 5); // frame length right before first block
 		// send buffers
@ -1215,7 +1220,7 @@ namespace transport
 		// encrypt
 		uint8_t nonce[12];
 		CreateNonce (m_SendSequenceNumber, nonce); m_SendSequenceNumber++;
-		i2p::crypto::AEADChaCha20Poly1305Encrypt ({ {m_NextSendBuffer + 2, payloadLen} }, m_SendKey, nonce, m_NextSendBuffer + payloadLen + 2);
+		m_Server.AEADChaCha20Poly1305Encrypt ({ {m_NextSendBuffer + 2, payloadLen} }, m_SendKey, nonce, m_NextSendBuffer + payloadLen + 2);
 		SetNextSentFrameLength (payloadLen + 16, m_NextSendBuffer);
 		// send
 		m_IsSending = true;
@ -1439,6 +1444,12 @@ namespace transport
 			boost::asio::post (m_Server.GetService (), std::bind (&NTCP2Session::SendRouterInfo, shared_from_this ()));
 	}
 	i2p::data::RouterInfo::SupportedTransports NTCP2Session::GetTransportType () const
 	{
 		if (m_RemoteEndpoint.address ().is_v4 ()) return i2p::data::RouterInfo::eNTCP2V4;
 		return i2p::util::net::IsYggdrasilAddress (m_RemoteEndpoint.address ()) ? i2p::data::RouterInfo::eNTCP2V6Mesh : i2p::data::RouterInfo::eNTCP2V6;
 	}	
 	NTCP2Server::NTCP2Server ():
 		RunnableServiceWithWork ("NTCP2"), m_TerminationTimer (GetService ()),
 		m_ProxyType(eNoProxy), m_Resolver(GetService ()),
@ -1548,6 +1559,7 @@ namespace transport
 	void NTCP2Server::Stop ()
 	{
 		m_EstablisherService.Stop ();
 		{
 			// we have to copy it because Terminate changes m_NTCP2Sessions
 			auto ntcpSessions = m_NTCP2Sessions;
@ -1563,7 +1575,6 @@ namespace transport
 			m_TerminationTimer.cancel ();
 			m_ProxyEndpoint = nullptr;
 		}
 		m_EstablisherService.Stop ();
 		StopIOService ();
 	}
@ -1984,5 +1995,17 @@ namespace transport
 		else
 			m_Address4 = addr;
 	}
 	void NTCP2Server::AEADChaCha20Poly1305Encrypt (const std::vector<std::pair<uint8_t *, size_t> >& bufs, 
 		const uint8_t * key, const uint8_t * nonce, uint8_t * mac)
 	{
 		return m_Encryptor.Encrypt (bufs, key, nonce, mac);
 	}	
 	bool NTCP2Server::AEADChaCha20Poly1305Decrypt (const uint8_t * msg, size_t msgLen,
 		const uint8_t * ad, size_t adLen, const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len)
 	{
 		return m_Decryptor.Decrypt (msg, msgLen, ad, adLen, key, nonce, buf, len);
 	}	
 }
 }
--- a/libi2pd/NTCP2.h
+++ b/libi2pd/NTCP2.h
@ -147,6 +147,7 @@ namespace transport
 			void SetRemoteEndpoint (const boost::asio::ip::tcp::endpoint& ep) { m_RemoteEndpoint = ep; };
 			bool IsEstablished () const override { return m_IsEstablished; };
 			i2p::data::RouterInfo::SupportedTransports GetTransportType () const override;
 			bool IsTerminated () const { return m_IsTerminated; };
 			void ClientLogin (); // Alice
@ -272,6 +273,11 @@ namespace transport
 			auto& GetService () { return GetIOService (); };
 			auto& GetEstablisherService () { return m_EstablisherService.GetService (); };
 			std::mt19937& GetRng () { return m_Rng; };
 			void AEADChaCha20Poly1305Encrypt (const std::vector<std::pair<uint8_t *, size_t> >& bufs, 
 				const uint8_t * key, const uint8_t * nonce, uint8_t * mac);
 			bool AEADChaCha20Poly1305Decrypt (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 				const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len); 
 			bool AddNTCP2Session (std::shared_ptr<NTCP2Session> session, bool incoming = false);
 			void RemoveNTCP2Session (std::shared_ptr<NTCP2Session> session);
@ -309,9 +315,12 @@ namespace transport
 			uint16_t m_ProxyPort;
 			boost::asio::ip::tcp::resolver m_Resolver;
 			std::unique_ptr<boost::asio::ip::tcp::endpoint> m_ProxyEndpoint;
 			std::shared_ptr<boost::asio::ip::tcp::endpoint> m_Address4, m_Address6, m_YggdrasilAddress;
 			std::mt19937 m_Rng;
 			EstablisherService m_EstablisherService;
 			i2p::crypto::AEADChaCha20Poly1305Encryptor m_Encryptor;
 			i2p::crypto::AEADChaCha20Poly1305Decryptor m_Decryptor;
 		public:
--- a/libi2pd/NetDb.cpp
+++ b/libi2pd/NetDb.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -10,7 +10,6 @@
 #include <fstream>
 #include <vector>
 #include <map>
 #include <random>
 #include <boost/asio.hpp>
 #include <stdexcept>
@ -40,7 +39,7 @@ namespace data
 	NetDb::NetDb (): m_IsRunning (false), m_Thread (nullptr), m_Reseeder (nullptr), 
 		m_Storage("netDb", "r", "routerInfo-", "dat"), m_PersistProfiles (true),
-		m_LastExploratorySelectionUpdateTime (0)
+		m_LastExploratorySelectionUpdateTime (0), m_Rng(i2p::util::GetMonotonicMicroseconds () % 1000000LL)
 	{
 	}
@ -119,8 +118,9 @@ namespace data
 		i2p::util::SetThreadName("NetDB");
 		uint64_t lastManage = 0;
-		uint64_t lastProfilesCleanup = i2p::util::GetMonotonicMilliseconds (), lastObsoleteProfilesCleanup = lastProfilesCleanup;
+		uint64_t lastProfilesCleanup = i2p::util::GetMonotonicMilliseconds (), 
-		int16_t profilesCleanupVariance = 0, obsoleteProfilesCleanVariance = 0;
+			lastObsoleteProfilesCleanup = lastProfilesCleanup, lastApplyingProfileUpdates = lastProfilesCleanup;
 		int16_t profilesCleanupVariance = 0, obsoleteProfilesCleanVariance = 0, applyingProfileUpdatesVariance = 0;
 		std::list<std::shared_ptr<const I2NPMessage> > msgs;
 		while (m_IsRunning)
@ -181,7 +181,7 @@ namespace data
 							LogPrint (eLogWarning, "NetDb: Can't persist profiles. Profiles are being saved to disk");
 					}	
 					lastProfilesCleanup = mts;
-					profilesCleanupVariance = rand () % i2p::data::PEER_PROFILE_AUTOCLEAN_VARIANCE;
+					profilesCleanupVariance = m_Rng () % i2p::data::PEER_PROFILE_AUTOCLEAN_VARIANCE;
 				}
 				if (mts >= lastObsoleteProfilesCleanup + (uint64_t)(i2p::data::PEER_PROFILE_OBSOLETE_PROFILES_CLEAN_TIMEOUT + obsoleteProfilesCleanVariance)*1000)
@ -197,7 +197,20 @@ namespace data
 					else
 						LogPrint (eLogWarning, "NetDb: Can't delete profiles. Profiles are being deleted from disk");
 					lastObsoleteProfilesCleanup = mts;
-					obsoleteProfilesCleanVariance = rand () % i2p::data::PEER_PROFILE_OBSOLETE_PROFILES_CLEAN_VARIANCE;
+					obsoleteProfilesCleanVariance = m_Rng () % i2p::data::PEER_PROFILE_OBSOLETE_PROFILES_CLEAN_VARIANCE;
 				}	
 				if (mts >= lastApplyingProfileUpdates + i2p::data::PEER_PROFILE_APPLY_POSTPONED_TIMEOUT + applyingProfileUpdatesVariance)
 				{
 					bool isApplying = m_ApplyingProfileUpdates.valid ();
 					if (isApplying && m_ApplyingProfileUpdates.wait_for(std::chrono::seconds(0)) == std::future_status::ready) // still active?
 					{
 						m_ApplyingProfileUpdates.get ();
 						isApplying = false;
 					}	
 					if (!isApplying)
 						m_ApplyingProfileUpdates = i2p::data::FlushPostponedRouterProfileUpdates ();
 					lastApplyingProfileUpdates = mts;
 					applyingProfileUpdatesVariance = m_Rng () % i2p::data::PEER_PROFILE_APPLY_POSTPONED_TIMEOUT_VARIANCE;
 				}	
 			}
 			catch (std::exception& ex)
@ -281,6 +294,7 @@ namespace data
 			}
 			else
 			{
 				r->CancelBufferToDelete (); // since an update received
 				if (CheckLogLevel (eLogDebug))
 					LogPrint (eLogDebug, "NetDb: RouterInfo is older: ", ident.ToBase64());
 				updated = false;
@ -502,7 +516,7 @@ namespace data
 		}
 		// send them off
-		i2p::transport::transports.SendMessages(ih, requests);
+		i2p::transport::transports.SendMessages(ih, std::move (requests));
 	}
 	bool NetDb::LoadRouterInfo (const std::string& path, uint64_t ts)
@ -557,7 +571,7 @@ namespace data
 		while(n > 0)
 		{
 			std::lock_guard<std::mutex> lock(m_RouterInfosMutex);
-			uint32_t idx = rand () % m_RouterInfos.size ();
+			uint32_t idx = m_Rng () % m_RouterInfos.size ();
 			uint32_t i = 0;
 			for (const auto & it : m_RouterInfos) {
 				if(i >= idx) // are we at the random start point?
@ -637,7 +651,7 @@ namespace data
 		if (checkForExpiration && uptime > i2p::transport::SSU2_TO_INTRODUCER_SESSION_DURATION) // 1 hour
 			expirationTimeout = i2p::context.IsFloodfill () ? NETDB_FLOODFILL_EXPIRATION_TIMEOUT*1000LL :
 				NETDB_MIN_EXPIRATION_TIMEOUT*1000LL + (NETDB_MAX_EXPIRATION_TIMEOUT - NETDB_MIN_EXPIRATION_TIMEOUT)*1000LL*NETDB_MIN_ROUTERS/total;
-		bool isOffline = checkForExpiration && i2p::transport::transports.GetNumPeers () < NETDB_MIN_TRANSPORTS; // enough routers and uptime, but no tranports
+		bool isOffline = checkForExpiration && i2p::transport::transports.GetNumPeers () < NETDB_MIN_TRANSPORTS; // enough routers and uptime, but no transports
 		std::list<std::pair<std::string, std::shared_ptr<RouterInfo::Buffer> > > saveToDisk;
 		std::list<std::string> removeFromDisk;	
@ -660,16 +674,21 @@ namespace data
 					{
 						std::lock_guard<std::mutex> l(m_RouterInfosMutex); // possible collision between DeleteBuffer and Update
 						buffer = r->CopyBuffer ();
 						r->ScheduleBufferToDelete ();
 					}
 					if (!i2p::transport::transports.IsConnected (ident))
 						r->ScheduleBufferToDelete ();
 					if (buffer)
-						saveToDisk.push_back(std::make_pair(ident.ToBase64 (), buffer));
+						saveToDisk.emplace_back(ident.ToBase64 (), buffer);
 				}
 				r->SetUpdated (false);
 				updatedCount++;
 				continue;
 			}
-			if (r->GetProfile ()->IsUnreachable ())
+			else if (r->GetBuffer () && ts > r->GetTimestamp () + NETDB_MIN_EXPIRATION_TIMEOUT*1000LL)
 				// since update was long time ago we assume that router is not connected anymore
 				r->ScheduleBufferToDelete ();
 			if (r->HasProfile () && r->GetProfile ()->IsUnreachable ())
 				r->SetUnreachable (true);
 			// make router reachable back if too few routers or floodfills
 			if (r->IsUnreachable () && (total - deletedCount < NETDB_MIN_ROUTERS || isLowRate || isOffline ||
@ -696,15 +715,16 @@ namespace data
 							r->SetUnreachable (true);
 				}	
 			}
-			// make router reachable back if connected now
+			// make router reachable back if connected now or trusted router
-			if (r->IsUnreachable () && i2p::transport::transports.IsConnected (ident))
+			if (r->IsUnreachable () && (i2p::transport::transports.IsConnected (ident) ||
 				i2p::transport::transports.IsTrustedRouter (ident)))
 				r->SetUnreachable (false);
 			if (r->IsUnreachable ())
 			{
 				if (r->IsFloodfill ()) deletedFloodfillsCount++;
 				// delete RI file
-				removeFromDisk.push_back (ident.ToBase64());
+				removeFromDisk.emplace_back (ident.ToBase64());
 				deletedCount++;
 				if (total - deletedCount < NETDB_MIN_ROUTERS) checkForExpiration = false;
 			}
@ -1331,7 +1351,7 @@ namespace data
 			if (eligible.size () > NETDB_MAX_EXPLORATORY_SELECTION_SIZE)
 			{
 				 std::sample (eligible.begin(), eligible.end(), std::back_inserter(m_ExploratorySelection),
-				 	NETDB_MAX_EXPLORATORY_SELECTION_SIZE, std::mt19937(ts));
+				 	NETDB_MAX_EXPLORATORY_SELECTION_SIZE, m_Rng);
 			}	
 			else
 				std::swap (m_ExploratorySelection, eligible);	
--- a/libi2pd/NetDb.hpp
+++ b/libi2pd/NetDb.hpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -16,6 +16,7 @@
 #include <thread>
 #include <mutex>
 #include <future>
 #include <random>
 #include "Base.h"
 #include "Gzip.h"
@ -52,6 +53,7 @@ namespace data
 	const int NETDB_MIN_HIGHBANDWIDTH_VERSION = MAKE_VERSION_NUMBER(0, 9, 58); // 0.9.58
 	const int NETDB_MIN_FLOODFILL_VERSION = MAKE_VERSION_NUMBER(0, 9, 59); // 0.9.59
 	const int NETDB_MIN_SHORT_TUNNEL_BUILD_VERSION = MAKE_VERSION_NUMBER(0, 9, 51); // 0.9.51
 	const int NETDB_MIN_PEER_TEST_VERSION = MAKE_VERSION_NUMBER(0, 9, 62); // 0.9.62
 	const size_t NETDB_MAX_NUM_SEARCH_REPLY_PEER_HASHES = 16;
 	const size_t NETDB_MAX_EXPLORATORY_SELECTION_SIZE = 500;
 	const int NETDB_EXPLORATORY_SELECTION_UPDATE_INTERVAL = 82; // in seconds. for floodfill
@ -185,10 +187,11 @@ namespace data
 			std::shared_ptr<NetDbRequests> m_Requests;
 			bool m_PersistProfiles;
-			std::future<void> m_SavingProfiles, m_DeletingProfiles, m_PersistingRouters;
+			std::future<void> m_SavingProfiles, m_DeletingProfiles, m_ApplyingProfileUpdates, m_PersistingRouters;
 			std::vector<std::shared_ptr<const RouterInfo> > m_ExploratorySelection;
 			uint64_t m_LastExploratorySelectionUpdateTime; // in monotonic seconds
 			std::mt19937 m_Rng;
 			i2p::util::MemoryPoolMt<RouterInfo::Buffer> m_RouterInfoBuffersPool;
 			i2p::util::MemoryPoolMt<RouterInfo::Address> m_RouterInfoAddressesPool;
--- a/libi2pd/NetDbRequests.cpp
+++ b/libi2pd/NetDbRequests.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -20,8 +20,10 @@ namespace i2p
 namespace data
 {
 	RequestedDestination::RequestedDestination (const IdentHash& destination, bool isExploratory, bool direct):
-		m_Destination (destination), m_IsExploratory (isExploratory), m_IsDirect (direct), m_IsActive (true),
+		m_Destination (destination), m_IsExploratory (isExploratory), m_IsDirect (direct), 
-		m_CreationTime (i2p::util::GetSecondsSinceEpoch ()), m_LastRequestTime (0), m_NumAttempts (0)
+		m_IsActive (true), m_IsSentDirectly (false),
 		m_CreationTime (i2p::util::GetMillisecondsSinceEpoch ()), 
 		m_LastRequestTime (0), m_NumAttempts (0)
 	{
 		if (i2p::context.IsFloodfill ())
 			m_ExcludedPeers.insert (i2p::context.GetIdentHash ()); // exclude self if floodfill
@ -44,8 +46,9 @@ namespace data
 			msg = i2p::CreateRouterInfoDatabaseLookupMsg(m_Destination, i2p::context.GetIdentHash(), 0, m_IsExploratory, &m_ExcludedPeers);
 		if(router)
 			m_ExcludedPeers.insert (router->GetIdentHash ());
-		m_LastRequestTime = i2p::util::GetSecondsSinceEpoch ();
+		m_LastRequestTime = i2p::util::GetMillisecondsSinceEpoch ();
 		m_NumAttempts++;
 		m_IsSentDirectly = false;
 		return msg;
 	}
@ -55,7 +58,8 @@ namespace data
 			i2p::context.GetRouterInfo ().GetIdentHash () , 0, false, &m_ExcludedPeers);
 		m_ExcludedPeers.insert (floodfill);
 		m_NumAttempts++;
-		m_LastRequestTime = i2p::util::GetSecondsSinceEpoch ();
+		m_LastRequestTime = i2p::util::GetMillisecondsSinceEpoch ();
 		m_IsSentDirectly = true;
 		return msg;
 	}
@ -210,7 +214,7 @@ namespace data
 	void NetDbRequests::ManageRequests ()
 	{
-		uint64_t ts = i2p::util::GetSecondsSinceEpoch ();
+		uint64_t ts = i2p::util::GetMillisecondsSinceEpoch ();
 		for (auto it = m_RequestedDestinations.begin (); it != m_RequestedDestinations.end ();)
 		{
 			auto& dest = it->second;
@ -222,7 +226,8 @@ namespace data
 					bool done = false;
 					if (ts < dest->GetCreationTime () + MAX_REQUEST_TIME)
 					{
-						if (ts > dest->GetLastRequestTime () + MIN_REQUEST_TIME) // try next floodfill if no response after min interval
+						if (ts > dest->GetLastRequestTime () + (dest->IsSentDirectly () ? MIN_DIRECT_REQUEST_TIME : MIN_REQUEST_TIME)) 
 						// try next floodfill if no response after min interval
 							done = !SendNextRequest (dest);
 					}
 					else // request is expired
@ -328,7 +333,8 @@ namespace data
 	void NetDbRequests::ScheduleManageRequests ()
 	{
-		m_ManageRequestsTimer.expires_from_now (boost::posix_time::seconds(MANAGE_REQUESTS_INTERVAL));
+		m_ManageRequestsTimer.expires_from_now (boost::posix_time::milliseconds(MANAGE_REQUESTS_INTERVAL +
 			m_Rng () % MANAGE_REQUESTS_INTERVAL_VARIANCE));
 		m_ManageRequestsTimer.async_wait (std::bind (&NetDbRequests::HandleManageRequestsTimer,
 			this, std::placeholders::_1));
 	}
--- a/libi2pd/NetDbRequests.h
+++ b/libi2pd/NetDbRequests.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -24,15 +24,17 @@ namespace i2p
 namespace data
 {
 	const int MAX_NUM_REQUEST_ATTEMPTS = 5;
-	const uint64_t MANAGE_REQUESTS_INTERVAL = 1; // in seconds
+	const uint64_t MANAGE_REQUESTS_INTERVAL = 400; // in milliseconds
-	const uint64_t MIN_REQUEST_TIME = 5; // in seconds
+	const uint64_t MANAGE_REQUESTS_INTERVAL_VARIANCE = 300; // in milliseconds
-	const uint64_t MAX_REQUEST_TIME = MAX_NUM_REQUEST_ATTEMPTS * (MIN_REQUEST_TIME + MANAGE_REQUESTS_INTERVAL);
+	const uint64_t MIN_REQUEST_TIME = 1200; // in milliseconds
 	const uint64_t MAX_REQUEST_TIME = MAX_NUM_REQUEST_ATTEMPTS * (MIN_REQUEST_TIME + MANAGE_REQUESTS_INTERVAL + MANAGE_REQUESTS_INTERVAL_VARIANCE);
 	const uint64_t MIN_DIRECT_REQUEST_TIME = 600; // in milliseconds
 	const uint64_t EXPLORATORY_REQUEST_INTERVAL = 55; // in seconds
 	const uint64_t EXPLORATORY_REQUEST_INTERVAL_VARIANCE = 170; // in seconds 
 	const uint64_t DISCOVERED_REQUEST_INTERVAL = 360; // in milliseconds
 	const uint64_t DISCOVERED_REQUEST_INTERVAL_VARIANCE = 540; // in milliseconds
-	const uint64_t MAX_EXPLORATORY_REQUEST_TIME = 30; // in seconds
+	const uint64_t MAX_EXPLORATORY_REQUEST_TIME = 30000; // in milliseconds
-	const uint64_t REQUEST_CACHE_TIME = MAX_REQUEST_TIME + 40; // in seconds
+	const uint64_t REQUEST_CACHE_TIME = MAX_REQUEST_TIME + 40000; // in milliseconds
 	const uint64_t REQUESTED_DESTINATIONS_POOL_CLEANUP_INTERVAL = 191; // in seconds
 	class RequestedDestination
@ -51,6 +53,7 @@ namespace data
 			bool IsExploratory () const { return m_IsExploratory; };
 			bool IsDirect () const { return m_IsDirect; };
 			bool IsActive () const { return m_IsActive; };
 			bool IsSentDirectly () const { return m_IsSentDirectly; };
 			bool IsExcluded (const IdentHash& ident) const;
 			uint64_t GetCreationTime () const { return m_CreationTime; };
 			uint64_t GetLastRequestTime () const { return m_LastRequestTime; };
@ -69,9 +72,9 @@ namespace data
 		private:
 			IdentHash m_Destination;
-			bool m_IsExploratory, m_IsDirect, m_IsActive;
+			bool m_IsExploratory, m_IsDirect, m_IsActive, m_IsSentDirectly;
 			std::unordered_set<IdentHash> m_ExcludedPeers;
-			uint64_t m_CreationTime, m_LastRequestTime; // in seconds
+			uint64_t m_CreationTime, m_LastRequestTime; // in milliseconds
 			std::list<RequestComplete> m_RequestComplete;
 			int m_NumAttempts;
 	};
@ -115,9 +118,9 @@ namespace data
 		private:
 			i2p::util::MemoryPoolMt<RequestedDestination> m_RequestedDestinationsPool;
 			std::unordered_map<IdentHash, std::shared_ptr<RequestedDestination> > m_RequestedDestinations;
 			std::list<IdentHash> m_DiscoveredRouterHashes;
 			i2p::util::MemoryPoolMt<RequestedDestination> m_RequestedDestinationsPool;
 			boost::asio::deadline_timer m_ManageRequestsTimer, m_ExploratoryTimer,
 				m_CleanupTimer, m_DiscoveredRoutersTimer;
 			std::mt19937 m_Rng;
--- a/libi2pd/Profiling.cpp
+++ b/libi2pd/Profiling.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -27,13 +27,15 @@ namespace data
 	static i2p::fs::HashedStorage g_ProfilesStorage("peerProfiles", "p", "profile-", "txt");
 	static std::unordered_map<i2p::data::IdentHash, std::shared_ptr<RouterProfile> > g_Profiles;
 	static std::mutex g_ProfilesMutex;
 	static std::list<std::pair<i2p::data::IdentHash, std::function<void (std::shared_ptr<RouterProfile>)> > > g_PostponedUpdates;
 	static std::mutex g_PostponedUpdatesMutex;
 	RouterProfile::RouterProfile ():
 		m_IsUpdated (false), m_LastDeclineTime (0), m_LastUnreachableTime (0),
-		m_LastUpdateTime (i2p::util::GetSecondsSinceEpoch ()), 
+		m_LastUpdateTime (i2p::util::GetSecondsSinceEpoch ()), m_LastAccessTime (0),
-		m_NumTunnelsAgreed (0), m_NumTunnelsDeclined (0), m_NumTunnelsNonReplied (0),
+		m_LastPersistTime (0), m_NumTunnelsAgreed (0), m_NumTunnelsDeclined (0),
-		m_NumTimesTaken (0), m_NumTimesRejected (0), m_HasConnected (false),
+		m_NumTunnelsNonReplied (0),m_NumTimesTaken (0), m_NumTimesRejected (0),
-		m_IsDuplicated (false)
+		m_HasConnected (false), m_IsDuplicated (false)
 	{
 	}
@ -78,6 +80,7 @@ namespace data
 	void RouterProfile::Load (const IdentHash& identHash)
 	{
 		m_IsUpdated = false;
 		std::string ident = identHash.ToBase64 ();
 		std::string path = g_ProfilesStorage.Path(ident);
 		boost::property_tree::ptree pt;
@ -255,24 +258,36 @@ namespace data
 			std::unique_lock<std::mutex> l(g_ProfilesMutex);
 			auto it = g_Profiles.find (identHash);
 			if (it != g_Profiles.end ())
 			{
 				it->second->SetLastAccessTime (i2p::util::GetSecondsSinceEpoch ());
 				return it->second;
 			}	
 		}
 		auto profile = netdb.NewRouterProfile ();
 		profile->Load (identHash); // if possible
-		std::unique_lock<std::mutex> l(g_ProfilesMutex);
+		std::lock_guard<std::mutex> l(g_ProfilesMutex);
 		g_Profiles.emplace (identHash, profile);
 		return profile;
 	}
 	bool IsRouterBanned (const IdentHash& identHash)
 	{
-		std::unique_lock<std::mutex> l(g_ProfilesMutex);
+		std::lock_guard<std::mutex> l(g_ProfilesMutex);
 		auto it = g_Profiles.find (identHash);
 		if (it != g_Profiles.end ())
 			return it->second->IsUnreachable ();
 		return false;
 	}	
 	bool IsRouterDuplicated (const IdentHash& identHash)
 	{
 		std::lock_guard<std::mutex> l(g_ProfilesMutex);
 		auto it = g_Profiles.find (identHash);
 		if (it != g_Profiles.end ())
 			return it->second->IsDuplicated ();
 		return false;
 	}	
 	void InitProfilesStorage ()
 	{
 		g_ProfilesStorage.SetPlace(i2p::fs::GetDataDir());
@ -290,15 +305,17 @@ namespace data
 		auto ts = i2p::util::GetSecondsSinceEpoch ();
 		std::list<std::pair<i2p::data::IdentHash, std::shared_ptr<RouterProfile> > > tmp;
 		{
-			std::unique_lock<std::mutex> l(g_ProfilesMutex);
+			std::lock_guard<std::mutex> l(g_ProfilesMutex);
 			for (auto it = g_Profiles.begin (); it != g_Profiles.end ();)
 			{
-				if (ts - it->second->GetLastUpdateTime () > PEER_PROFILE_PERSIST_INTERVAL)
+				if (it->second->IsUpdated () && ts > it->second->GetLastPersistTime () + PEER_PROFILE_PERSIST_INTERVAL)
 				{
-					if (it->second->IsUpdated ())
+					tmp.push_back (*it);
-						tmp.push_back (std::make_pair (it->first, it->second));
+					it->second->SetLastPersistTime (ts);
-					it = g_Profiles.erase (it);
+					it->second->SetUpdated (false);
 				}	
 				if (!it->second->IsUpdated () && ts > std::max (it->second->GetLastUpdateTime (), it->second->GetLastAccessTime ()) + PEER_PROFILE_PERSIST_INTERVAL)
 					it = g_Profiles.erase (it);
 				else
 					it++;
 			}
@ -312,7 +329,7 @@ namespace data
 	{
 		std::unordered_map<i2p::data::IdentHash, std::shared_ptr<RouterProfile> > tmp;
 		{
-			std::unique_lock<std::mutex> l(g_ProfilesMutex);
+			std::lock_guard<std::mutex> l(g_ProfilesMutex);
 			std::swap (tmp, g_Profiles);
 		}
 		auto ts = i2p::util::GetSecondsSinceEpoch ();
@ -347,7 +364,7 @@ namespace data
 	{
 		{
 			auto ts = i2p::util::GetSecondsSinceEpoch ();
-			std::unique_lock<std::mutex> l(g_ProfilesMutex);
+			std::lock_guard<std::mutex> l(g_ProfilesMutex);
 			for (auto it = g_Profiles.begin (); it != g_Profiles.end ();)
 			{
 				if (ts - it->second->GetLastUpdateTime () >= PEER_PROFILE_EXPIRATION_TIMEOUT)
@ -359,5 +376,47 @@ namespace data
 		return std::async (std::launch::async, DeleteFilesFromDisk);
 	}
 	bool UpdateRouterProfile (const IdentHash& identHash, std::function<void (std::shared_ptr<RouterProfile>)> update)
 	{
 		if (!update) return true;
 		std::shared_ptr<RouterProfile> profile;
 		{
 			std::lock_guard<std::mutex> l(g_ProfilesMutex);
 			auto it = g_Profiles.find (identHash);
 			if (it != g_Profiles.end ())
 				profile = it->second;
 		}
 		if (profile)
 		{
 			update (profile);
 			return true;
 		}	
 		// postpone
 		std::lock_guard<std::mutex> l(g_PostponedUpdatesMutex);
 		g_PostponedUpdates.emplace_back (identHash, update);
 		return false;
 	}	
 	static void ApplyPostponedUpdates (std::list<std::pair<i2p::data::IdentHash, std::function<void (std::shared_ptr<RouterProfile>)> > >&& updates)
 	{
 		for (const auto& [ident, update] : updates)
 		{
 			auto profile = GetRouterProfile (ident);
 			update (profile);
 		}	
 	}	
 	std::future<void> FlushPostponedRouterProfileUpdates ()
 	{
 		if (g_PostponedUpdates.empty ()) return std::future<void>();
 		std::list<std::pair<i2p::data::IdentHash, std::function<void (std::shared_ptr<RouterProfile>)> > > updates;
 		{
 			std::lock_guard<std::mutex> l(g_PostponedUpdatesMutex);
 			g_PostponedUpdates.swap (updates);
 		}		
 		return std::async (std::launch::async, ApplyPostponedUpdates, std::move (updates));	
 	}	
 }
 }
--- a/libi2pd/Profiling.h
+++ b/libi2pd/Profiling.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -11,6 +11,7 @@
 #include <memory>
 #include <future>
 #include <functional>
 #include <boost/asio.hpp>
 #include "Identity.h"
@ -40,10 +41,12 @@ namespace data
 	const int PEER_PROFILE_OBSOLETE_PROFILES_CLEAN_VARIANCE = 2400; // in seconds (40 minutes)
 	const int PEER_PROFILE_DECLINED_RECENTLY_INTERVAL = 330; // in seconds (5.5 minutes)
 	const int PEER_PROFILE_MAX_DECLINED_INTERVAL = 4400; // in second (1.5 hours)
-	const int PEER_PROFILE_PERSIST_INTERVAL = 3300; // in seconds (55 minutes)
+	const int PEER_PROFILE_PERSIST_INTERVAL = 1320; // in seconds (22 minutes)
 	const int PEER_PROFILE_UNREACHABLE_INTERVAL = 480; // in seconds (8 minutes)
 	const int PEER_PROFILE_USEFUL_THRESHOLD = 3;
 	const int PEER_PROFILE_ALWAYS_DECLINING_NUM = 5; // num declines in row to consider always declined
 	const int PEER_PROFILE_APPLY_POSTPONED_TIMEOUT = 2100; // in milliseconds	
 	const int PEER_PROFILE_APPLY_POSTPONED_TIMEOUT_VARIANCE = 500; // in milliseconds	
 	class RouterProfile
 	{
@ -67,6 +70,11 @@ namespace data
 			uint64_t GetLastUpdateTime () const { return m_LastUpdateTime; };
 			bool IsUpdated () const { return m_IsUpdated; };
 			void SetUpdated (bool updated) { m_IsUpdated = updated; }
 			uint64_t GetLastAccessTime () const { return m_LastAccessTime; };
 			void SetLastAccessTime (uint64_t ts) { m_LastAccessTime = ts; };
 			uint64_t GetLastPersistTime () const { return m_LastPersistTime; };
 			void SetLastPersistTime (uint64_t ts) { m_LastPersistTime = ts; };
 			bool IsUseful() const;
 			bool IsDuplicated () const { return m_IsDuplicated; };
@ -88,7 +96,8 @@ namespace data
 		private:
 			bool m_IsUpdated;
-			uint64_t m_LastDeclineTime, m_LastUnreachableTime, m_LastUpdateTime; // in seconds
+			uint64_t m_LastDeclineTime, m_LastUnreachableTime, m_LastUpdateTime, 
 				m_LastAccessTime, m_LastPersistTime; // in seconds
 			// participation
 			uint32_t m_NumTunnelsAgreed;
 			uint32_t m_NumTunnelsDeclined;
@ -104,10 +113,13 @@ namespace data
 	std::shared_ptr<RouterProfile> GetRouterProfile (const IdentHash& identHash);
 	bool IsRouterBanned (const IdentHash& identHash); // check only existing profiles
 	bool IsRouterDuplicated (const IdentHash& identHash); // check only existing profiles
 	void InitProfilesStorage ();
 	std::future<void> DeleteObsoleteProfiles ();
 	void SaveProfiles ();
 	std::future<void> PersistProfiles ();
 	bool UpdateRouterProfile (const IdentHash& identHash, std::function<void (std::shared_ptr<RouterProfile>)> update); // return true if updated immediately, and false if postponed
 	std::future<void> FlushPostponedRouterProfileUpdates ();
 }
 }
--- a/libi2pd/RouterContext.cpp
+++ b/libi2pd/RouterContext.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -33,13 +33,14 @@ namespace i2p
 		m_ShareRatio (100), m_Status (eRouterStatusUnknown), m_StatusV6 (eRouterStatusUnknown),
 		m_Error (eRouterErrorNone), m_ErrorV6 (eRouterErrorNone),
 		m_Testing (false), m_TestingV6 (false), m_NetID (I2PD_NET_ID),
-		m_PublishReplyToken (0), m_IsHiddenMode (false)
+		m_PublishReplyToken (0), m_IsHiddenMode (false), 
 		m_Rng(i2p::util::GetMonotonicMicroseconds () % 1000000LL), m_IsSaving (false)
 	{
 	}
 	void RouterContext::Init ()
 	{
-		srand (i2p::util::GetMillisecondsSinceEpoch () % 1000);
+		srand (m_Rng () % 1000);
 		m_StartupTime = i2p::util::GetMonotonicSeconds ();
 		if (!Load ())
@ -253,11 +254,36 @@ namespace i2p
 	void RouterContext::UpdateRouterInfo ()
 	{
 		std::shared_ptr<i2p::data::RouterInfo::Buffer> buffer;
 		{
 			std::lock_guard<std::mutex> l(m_RouterInfoMutex);
 			m_RouterInfo.CreateBuffer (m_Keys);
 			buffer = m_RouterInfo.CopyBuffer ();
 		}
 		{
 			// update save buffer to latest
 			std::lock_guard<std::mutex> l(m_SaveBufferMutex);
 			m_SaveBuffer = buffer;
 		}
 		bool isSaving = false;
 		if (m_IsSaving.compare_exchange_strong (isSaving, true)) // try to save only if not being saved
 		{	
 			auto savingRouterInfo = std::async (std::launch::async, [this]() 
 				{
 					std::shared_ptr<i2p::data::RouterInfo::Buffer> buffer;
 					while (m_SaveBuffer)
 					{
 						{
 							std::lock_guard<std::mutex> l(m_SaveBufferMutex);
 							buffer = m_SaveBuffer;
 							m_SaveBuffer = nullptr;
 						}
 						if (buffer)
 							i2p::data::RouterInfo::SaveToFile (i2p::fs::DataDirPath (ROUTER_INFO), buffer);
 					}	
 					m_IsSaving = false;
 				});
 		}	
 		m_RouterInfo.SaveToFile (i2p::fs::DataDirPath (ROUTER_INFO));
 		m_LastUpdateTime = i2p::util::GetSecondsSinceEpoch ();
 	}
@ -649,11 +675,11 @@ namespace i2p
 	void RouterContext::SetBandwidth (int limit)
 	{
-		if      (limit > 2000) { SetBandwidth('X'); }
+		if      (limit > (int)i2p::data::EXTRA_BANDWIDTH_LIMIT) { SetBandwidth('X'); }
-		else if (limit >  256) { SetBandwidth('P'); }
+		else if (limit > (int)i2p::data::HIGH_BANDWIDTH_LIMIT) { SetBandwidth('P'); }
 		else if (limit > 128) { SetBandwidth('O'); }
 		else if (limit > 64) { SetBandwidth('N'); }
-		else if (limit >   48) { SetBandwidth('M'); }
+		else if (limit > (int)i2p::data::LOW_BANDWIDTH_LIMIT) { SetBandwidth('M'); }
 		else if (limit > 12) { SetBandwidth('L'); }
 		else                   { SetBandwidth('K'); }
 		m_BandwidthLimit = limit; // set precise limit
@ -1359,7 +1385,7 @@ namespace i2p
 		{	
 			m_PublishTimer->cancel ();
 			m_PublishTimer->expires_from_now (boost::posix_time::seconds(ROUTER_INFO_PUBLISH_INTERVAL + 
-				rand () % ROUTER_INFO_PUBLISH_INTERVAL_VARIANCE));
+				m_Rng () % ROUTER_INFO_PUBLISH_INTERVAL_VARIANCE));
 			m_PublishTimer->async_wait (std::bind (&RouterContext::HandlePublishTimer,
 				this, std::placeholders::_1));
 		}	
@ -1434,7 +1460,7 @@ namespace i2p
 						i2p::garlic::WrapECIESX25519MessageForRouter (msg, floodfill->GetIdentity ()->GetEncryptionPublicKey ()));
 				}	
 				else
-					LogPrint (eLogInfo, "Router: Can't publish our RouterInfo. No tunnles. Try again in ", ROUTER_INFO_CONFIRMATION_TIMEOUT, " seconds");
+					LogPrint (eLogInfo, "Router: Can't publish our RouterInfo. No tunnels. Try again in ", ROUTER_INFO_CONFIRMATION_TIMEOUT, " milliseconds");
 			}
 			m_PublishExcluded.insert (floodfill->GetIdentHash ());
 			m_PublishReplyToken = replyToken;
@ -1448,7 +1474,7 @@ namespace i2p
 		if (m_PublishTimer)
 		{
 			m_PublishTimer->cancel ();
-			m_PublishTimer->expires_from_now (boost::posix_time::seconds(ROUTER_INFO_CONFIRMATION_TIMEOUT));
+			m_PublishTimer->expires_from_now (boost::posix_time::milliseconds(ROUTER_INFO_CONFIRMATION_TIMEOUT));
 			m_PublishTimer->async_wait (std::bind (&RouterContext::HandlePublishResendTimer,
 				this, std::placeholders::_1));
 		}	
@ -1471,7 +1497,8 @@ namespace i2p
 		if (m_CongestionUpdateTimer)
 		{	
 			m_CongestionUpdateTimer->cancel ();
-			m_CongestionUpdateTimer->expires_from_now (boost::posix_time::seconds(ROUTER_INFO_CONGESTION_UPDATE_INTERVAL));
+			m_CongestionUpdateTimer->expires_from_now (boost::posix_time::seconds(
 				ROUTER_INFO_CONGESTION_UPDATE_INTERVAL + m_Rng () % ROUTER_INFO_CONGESTION_UPDATE_INTERVAL_VARIANCE));
 			m_CongestionUpdateTimer->async_wait (std::bind (&RouterContext::HandleCongestionUpdateTimer,
 				this, std::placeholders::_1));
 		}	
--- a/libi2pd/RouterContext.h
+++ b/libi2pd/RouterContext.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -12,6 +12,7 @@
 #include <inttypes.h>
 #include <string>
 #include <memory>
 #include <random>
 #include <unordered_set>
 #include <boost/asio.hpp>
 #include "Identity.h"
@ -34,9 +35,10 @@ namespace garlic
 	const int ROUTER_INFO_PUBLISH_INTERVAL = 39*60; // in seconds
 	const int ROUTER_INFO_INITIAL_PUBLISH_INTERVAL = 10; // in seconds
 	const int ROUTER_INFO_PUBLISH_INTERVAL_VARIANCE = 105;// in seconds
-	const int ROUTER_INFO_CONFIRMATION_TIMEOUT = 5; // in seconds
+	const int ROUTER_INFO_CONFIRMATION_TIMEOUT = 1600; // in milliseconds
 	const int ROUTER_INFO_MAX_PUBLISH_EXCLUDED_FLOODFILLS = 15;
-	const int ROUTER_INFO_CONGESTION_UPDATE_INTERVAL = 12*60; // in seconds
+	const int ROUTER_INFO_CONGESTION_UPDATE_INTERVAL = 11*60; // in seconds
 	const int ROUTER_INFO_CONGESTION_UPDATE_INTERVAL_VARIANCE = 130; // in seconds 
 	const int ROUTER_INFO_CLEANUP_INTERVAL = 102; // in seconds
 	enum RouterStatus
@ -263,6 +265,10 @@ namespace garlic
 			uint32_t m_PublishReplyToken;
 			bool m_IsHiddenMode; // not publish
 			mutable std::mutex m_RouterInfoMutex;
 			std::mt19937 m_Rng;
 			std::shared_ptr<i2p::data::RouterInfo::Buffer> m_SaveBuffer;
 			std::mutex m_SaveBufferMutex; // TODO: make m_SaveBuffer atomic
 			std::atomic<bool> m_IsSaving;
 	};
 	extern RouterContext context;
--- a/libi2pd/RouterInfo.cpp
+++ b/libi2pd/RouterInfo.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -11,7 +11,7 @@
 #include "I2PEndian.h"
 #include <fstream>
 #include <memory>
-#include <boost/lexical_cast.hpp>
+#include <charconv>
 #include <boost/algorithm/string.hpp> // for boost::to_lower
 #ifndef __cpp_lib_atomic_shared_ptr
 #include <boost/atomic.hpp>
@ -106,8 +106,7 @@ namespace data
 			// skip identity
 			size_t identityLen = m_RouterIdentity->GetFullLen ();
 			// read new RI
-			std::stringstream str (std::string ((char *)buf + identityLen, len - identityLen));
+			ReadFromBuffer (buf + identityLen, len - identityLen);
 			ReadFromStream (str);
 			if (!m_IsUnreachable)
 				UpdateBuffer (buf, len); // save buffer	
 			// don't delete buffer until saved to the file
@ -195,39 +194,34 @@ namespace data
 			}
 		}
 		// parse RI
-		std::stringstream str;
+		if (!ReadFromBuffer (m_Buffer->data () + identityLen, bufferLen - identityLen))
 		str.write ((const char *)m_Buffer->data () + identityLen, bufferLen - identityLen);
 		ReadFromStream (str);
 		if (!str)
 		{
 			LogPrint (eLogError, "RouterInfo: Malformed message");
 			m_IsUnreachable = true;
 		}	
 	}
-	void RouterInfo::ReadFromStream (std::istream& s)
+	bool RouterInfo::ReadFromBuffer (const uint8_t * buf, size_t len)
 	{
-		if (!s) return;
+		if (len < 9) return false;
 		m_Caps = 0; m_Congestion = eLowCongestion;
-		s.read ((char *)&m_Timestamp, sizeof (m_Timestamp));
+		m_Timestamp = bufbe64toh (buf);
-		m_Timestamp = be64toh (m_Timestamp);
+		size_t offset = 8; // timestamp
 		// read addresses
 		auto addresses = NewAddresses ();
-		uint8_t numAddresses;
+		uint8_t numAddresses = buf[offset]; offset++;
 		s.read ((char *)&numAddresses, sizeof (numAddresses));
 		for (int i = 0; i < numAddresses; i++)
 		{
 			if (offset + 9 > len) return false; // 1 byte cost + 8 bytes date
 			uint8_t supportedTransports = 0;
 			auto address = NewAddress ();
-			uint8_t cost; // ignore
+			offset++; // cost, ignore
-			s.read ((char *)&cost, sizeof (cost));
+			address->date = bufbe64toh (buf + offset); offset += 8; // date
 			s.read ((char *)&address->date, sizeof (address->date));
 			bool isHost = false, isStaticKey = false, isV2 = false, isIntroKey = false;
-			char transportStyle[6];
+			auto transportStyle = ExtractString (buf + offset, len - offset); offset += transportStyle.length () + 1;
-			ReadString (transportStyle, 6, s);
+			if (!transportStyle.compare (0, 4, "NTCP")) // NTCP or NTCP2
 			if (!strncmp (transportStyle, "NTCP", 4)) // NTCP or NTCP2
 				address->transportStyle = eTransportNTCP2;
-			else if (!strncmp (transportStyle, "SSU", 3)) // SSU or SSU2
+			else if (!transportStyle.compare (0, 3, "SSU")) // SSU or SSU2
 			{
 				address->transportStyle = eTransportSSU2;
 				address->ssu.reset (new SSUExt ());
@ -237,24 +231,22 @@ namespace data
 				address->transportStyle = eTransportUnknown;
 			address->caps = 0;
 			address->port = 0;
-			uint16_t size, r = 0;
+			if (offset + 2 > len) return false;
-			s.read ((char *)&size, sizeof (size)); if (!s) return;
+			uint16_t size = bufbe16toh (buf + offset); offset += 2; // size
-			size = be16toh (size);
+			if (offset + size >= len) return false;
 			if (address->transportStyle == eTransportUnknown)
 			{
 				// skip unknown address
-				s.seekg (size, std::ios_base::cur);
+				offset += size;
-				if (s) continue; else return;
+				continue;
 			}
 			size_t r = 0;
 			while (r < size)
 			{
-				char key[255], value[255];
+				auto [key, value, sz] = ExtractParam (buf + offset, len - offset);
-				r += ReadString (key, 255, s);
+				r += sz; offset += sz;
-				s.seekg (1, std::ios_base::cur); r++; // =
+				if (key.empty ()) continue;
-				r += ReadString (value, 255, s);
+				if (key == "host")
 				s.seekg (1, std::ios_base::cur); r++; // ;
 				if (!s) return;
 				if (!strcmp (key, "host"))
 				{
 					boost::system::error_code ecode;
 					address->host = boost::asio::ip::make_address (value, ecode);
@ -268,63 +260,53 @@ namespace data
 							address->transportStyle = eTransportUnknown;
 					}
 				}
-				else if (!strcmp (key, "port"))
+				else if (key == "port")
 				{
-					try
+					auto res = std::from_chars(value.data(), value.data() + value.size(), address->port);
-					{
+					if (res.ec != std::errc())
-						address->port = boost::lexical_cast<int>(value);
+						LogPrint (eLogWarning, "RouterInfo: 'port' conversion error: ", std::make_error_code (res.ec).message ());
 				}
-					catch (std::exception& ex)
+				else if (key == "mtu")
 					{
 						LogPrint (eLogWarning, "RouterInfo: 'port' exception ", ex.what ());
 					}
 				}
 				else if (!strcmp (key, "mtu"))
 				{
 					if (address->ssu)
 					{
-						try
+						auto res = std::from_chars(value.data(), value.data() + value.size(), address->ssu->mtu);
-						{
+						if (res.ec != std::errc())
-							address->ssu->mtu = boost::lexical_cast<int>(value);
+							LogPrint (eLogWarning, "RouterInfo: 'mtu' conversion error: ", std::make_error_code (res.ec).message ());
 						}
 						catch (std::exception& ex)
 						{
 							LogPrint (eLogWarning, "RouterInfo: 'mtu' exception ", ex.what ());
 						}
 					}
 					else
 						LogPrint (eLogWarning, "RouterInfo: Unexpected field 'mtu' for NTCP2");
 				}
-				else if (!strcmp (key, "caps"))
+				else if (key == "caps")
 					address->caps = ExtractAddressCaps (value);
-				else if (!strcmp (key, "s")) // ntcp2 or ssu2 static key
+				else if (key == "s") // ntcp2 or ssu2 static key
 				{
-					if (Base64ToByteStream (value, strlen (value), address->s, 32) == 32 &&
+					if (Base64ToByteStream (value.data (), value.length (), address->s, 32) == 32 &&
 						!(address->s[31] & 0x80)) // check if x25519 public key
 							isStaticKey = true;
 					else
 						address->transportStyle = eTransportUnknown; // invalid address
 				}
-				else if (!strcmp (key, "i")) // ntcp2 iv or ssu2 intro
+				else if (key == "i") // ntcp2 iv or ssu2 intro
 				{
 					if (address->IsNTCP2 ())
 					{
-						if (Base64ToByteStream (value, strlen (value), address->i, 16) == 16)
+						if (Base64ToByteStream (value.data (), value.length (), address->i, 16) == 16)
 							address->published = true; // presence of "i" means "published" NTCP2
 						else
 							address->transportStyle = eTransportUnknown; // invalid address
 					}
 					else if (address->IsSSU2 ())
 					{	
-						if (Base64ToByteStream (value, strlen (value), address->i, 32) == 32)
+						if (Base64ToByteStream (value.data (), value.length (), address->i, 32) == 32)
 							isIntroKey = true;
 						else
 							address->transportStyle = eTransportUnknown; // invalid address
 					}	
 				}
-				else if (!strcmp (key, "v"))
+				else if (key == "v")
 				{
-					if (!strcmp (value, "2"))
+					if (value == "2")
 						isV2 = true;
 					else
 					{	
@ -340,13 +322,11 @@ namespace data
 						LogPrint (eLogError, "RouterInfo: Introducer is presented for non-SSU address. Skipped");
 						continue;
 					}
-					size_t l = strlen(key);
+					unsigned char index = key[key.length () - 1] - '0'; // TODO:
 					unsigned char index = key[l-1] - '0'; // TODO:
 					key[l-1] = 0;
 					if (index > 9)
 					{
 						LogPrint (eLogError, "RouterInfo: Unexpected introducer's index ", index, " skipped");
-						if (s) continue; else return;
+						continue;
 					}
 					if (index >= address->ssu->introducers.size ())
 					{
@ -355,34 +335,23 @@ namespace data
 						address->ssu->introducers.resize (index + 1);
 					}
 					Introducer& introducer = address->ssu->introducers.at (index);
-					if (!strcmp (key, "itag"))
+					auto key1 = key.substr(0, key.length () - 1);
 					if (key1 == "itag")
 					{
-						try
+						auto res = std::from_chars(value.data(), value.data() + value.size(), introducer.iTag);
 						if (res.ec != std::errc())
 							LogPrint (eLogWarning, "RouterInfo: 'itag' conversion error: ", std::make_error_code (res.ec).message ());
 					}
 					else if (key1 == "ih")
 						Base64ToByteStream (value.data (), value.length (), introducer.iH, 32);
 					else if (key1 == "iexp")
 					{
-							introducer.iTag = boost::lexical_cast<uint32_t>(value);
+						auto res = std::from_chars(value.data(), value.data() + value.size(), introducer.iExp);
-						}
+						if (res.ec != std::errc())
-						catch (std::exception& ex)
+							LogPrint (eLogWarning, "RouterInfo: 'iexp' conversion error: ", std::make_error_code (res.ec).message ());
 						{
 							LogPrint (eLogWarning, "RouterInfo: 'itag' exception ", ex.what ());
 						}
 					}
 					else if (!strcmp (key, "ih"))
 						Base64ToByteStream (value, strlen (value), introducer.iH, 32);
 					else if (!strcmp (key, "iexp"))
 					{
 						try
 						{
 							introducer.iExp = boost::lexical_cast<uint32_t>(value);
 						}
 						catch (std::exception& ex)
 						{
 							LogPrint (eLogWarning, "RouterInfo: 'iexp' exception ", ex.what ());
 					}
 				}
 			}	
 				if (!s) return;
 			}
 			if (address->transportStyle == eTransportNTCP2)
 			{
 				if (isStaticKey)
@ -446,66 +415,73 @@ namespace data
 		boost::atomic_store (&m_Addresses, addresses);
 #endif
 		// read peers
-		uint8_t numPeers;
+		if (offset + 1 > len) return false;
-		s.read ((char *)&numPeers, sizeof (numPeers)); if (!s) return;
+		uint8_t numPeers = buf[offset]; offset++; // num peers
-		s.seekg (numPeers*32, std::ios_base::cur); // TODO: read peers
+		offset += numPeers*32; // TODO: read peers
 		// read properties
 		if (offset + 2 > len) return false;
 		m_Version = 0;
 		bool isNetId = false;
 		std::string family;
-		uint16_t size, r = 0;
+		uint16_t size = bufbe16toh (buf + offset); offset += 2; // size
-		s.read ((char *)&size, sizeof (size)); if (!s) return;
+		if (offset + size > len) return false;
-		size = be16toh (size);
+		size_t r = 0;
 		while (r < size)
 		{
-			char key[255], value[255];
+			auto [key, value, sz] = ExtractParam (buf + offset, len - offset);
-			r += ReadString (key, 255, s);
+			r += sz; offset += sz;
-			s.seekg (1, std::ios_base::cur); r++; // =
+			if (key.empty ()) continue;
 			r += ReadString (value, 255, s);
 			s.seekg (1, std::ios_base::cur); r++; // ;
 			if (!s) return;
 			SetProperty (key, value);
 			// extract caps
-			if (!strcmp (key, "caps"))
+			if (key == "caps")
 			{	
 				ExtractCaps (value);
 				m_IsFloodfill = IsDeclaredFloodfill ();
 			}	
 			// extract version
-			else if (!strcmp (key, ROUTER_INFO_PROPERTY_VERSION))
+			else if (key == ROUTER_INFO_PROPERTY_VERSION)
 			{
 				m_Version = 0;
-				char * ch = value;
+				for (auto ch: value)
 				while (*ch)
 				{
-					if (*ch >= '0' && *ch <= '9')
+					if (ch >= '0' && ch <= '9')
 					{
 						m_Version *= 10;
-						m_Version += (*ch - '0');
+						m_Version += (ch - '0');
 					}
 				}
 				if (m_Version < NETDB_MIN_PEER_TEST_VERSION && (m_SupportedTransports & (eSSU2V4 | eSSU2V6)))
 				{
 					auto addresses = GetAddresses ();
 					if (addresses)
 					{
 						if ((*addresses)[eSSU2V4Idx]) (*addresses)[eSSU2V4Idx]->caps &= ~eSSUTesting;
 						if ((*addresses)[eSSU2V6Idx]) (*addresses)[eSSU2V6Idx]->caps &= ~eSSUTesting;
 					}	
 					ch++;
 				}	
 			}
 			// check netId
-			else if (!strcmp (key, ROUTER_INFO_PROPERTY_NETID))
+			else if (key == ROUTER_INFO_PROPERTY_NETID)
 			{
 				isNetId = true;
-				if (atoi (value) != i2p::context.GetNetID ())
+				int netID;
 				auto res = std::from_chars(value.data(), value.data() + value.size(), netID);
 				if (res.ec != std::errc() || netID != i2p::context.GetNetID ())
 				{
 					LogPrint (eLogError, "RouterInfo: Unexpected ", ROUTER_INFO_PROPERTY_NETID, "=", value);
 					m_IsUnreachable = true;
 				}
 			}
 			// family
-			else if (!strcmp (key, ROUTER_INFO_PROPERTY_FAMILY))
+			else if (key == ROUTER_INFO_PROPERTY_FAMILY)
 			{
 				family = value;
 				boost::to_lower (family);
 			}
-			else if (!strcmp (key, ROUTER_INFO_PROPERTY_FAMILY_SIG))
+			else if (key == ROUTER_INFO_PROPERTY_FAMILY_SIG)
 			{
-				if (netdb.GetFamilies ().VerifyFamily (family, GetIdentHash (), value))
+				if (netdb.GetFamilies ().VerifyFamily (family, GetIdentHash (), value)) // TODO
 					m_FamilyID = netdb.GetFamilies ().GetFamilyID (family);
 				else
 				{	
@ -513,12 +489,12 @@ namespace data
 					SetUnreachable (true);	
 				}		
 			}
 			if (!s) return;
 		}
 		if (!m_SupportedTransports || !isNetId || !m_Version)
 			SetUnreachable (true);
 		return true;
 	}	
 	bool RouterInfo::IsFamily (FamilyID famid) const
@ -526,12 +502,11 @@ namespace data
 		return m_FamilyID == famid;
 	}
-	void RouterInfo::ExtractCaps (const char * value)
+	void RouterInfo::ExtractCaps (std::string_view value)
 	{
-		const char * cap = value;
+		for (auto cap: value)
 		while (*cap)
 		{
-			switch (*cap)
+			switch (cap)
 			{
 				case CAPS_FLAG_FLOODFILL:
 					m_Caps |= Caps::eFloodfill;
@ -540,16 +515,16 @@ namespace data
 				case CAPS_FLAG_LOW_BANDWIDTH2:
 				case CAPS_FLAG_LOW_BANDWIDTH3:
 				case CAPS_FLAG_LOW_BANDWIDTH4:
-					m_BandwidthCap = *cap;
+					m_BandwidthCap = cap;
 				break;
 				case CAPS_FLAG_HIGH_BANDWIDTH:
 					m_Caps |= Caps::eHighBandwidth;
-					m_BandwidthCap = *cap;
+					m_BandwidthCap = cap;
 				break;
 				case CAPS_FLAG_EXTRA_BANDWIDTH1:
 				case CAPS_FLAG_EXTRA_BANDWIDTH2:
 					m_Caps |= Caps::eExtraBandwidth | Caps::eHighBandwidth;
-					m_BandwidthCap = *cap;
+					m_BandwidthCap = cap;
 				break;
 				case CAPS_FLAG_HIDDEN:
 					m_Caps |= Caps::eHidden;
@ -571,17 +546,15 @@ namespace data
 				break;	
 				default: ;
 			}
 			cap++;
 		}
 	}	
-	uint8_t RouterInfo::ExtractAddressCaps (const char * value) const
+	uint8_t RouterInfo::ExtractAddressCaps (std::string_view value) const
 	{
 		uint8_t caps = 0;
-		const char * cap = value;
+		for (auto cap: value)
 		while (*cap)
 		{
-			switch (*cap)
+			switch (cap)
 			{
 				case CAPS_FLAG_V4:
 					caps |= AddressCaps::eV4;
@ -597,7 +570,6 @@ namespace data
 				break;
 				default: ;
 			}
 			cap++;
 		}
 		return caps;
 	}	
@ -661,23 +633,39 @@ namespace data
 		return SaveToFile (fullPath, m_Buffer);
 	}
-	size_t RouterInfo::ReadString (char * str, size_t len, std::istream& s) const
+	std::string_view RouterInfo::ExtractString (const uint8_t * buf, size_t len) const
 	{
-		uint8_t l;
+		uint8_t l = buf[0];
-		s.read ((char *)&l, 1);
+		if (l > len)
 		if (l < len)
 		{
 			s.read (str, l);
 			if (!s) l = 0; // failed, return empty string
 			str[l] = 0;
 		}
 		else
 		{
 			LogPrint (eLogWarning, "RouterInfo: String length ", (int)l, " exceeds buffer size ", len);
-			s.seekg (l, std::ios::cur); // skip
+			l = len;
 			str[0] = 0;
 		}	
-		return l+1;
+		return { (const char *)(buf + 1), l };
 	}
 	std::tuple<std::string_view, std::string_view, size_t> RouterInfo::ExtractParam (const uint8_t * buf, size_t len) const
 	{
 		auto key = ExtractString (buf, len);
 		size_t offset = key.length () + 1;
 		if (offset >= len) return { std::string_view(), std::string_view(), len };
 		if (buf[offset] != '=')
 		{	
 			LogPrint (eLogWarning, "RouterInfo: Unexpected character ", buf[offset], " instead '=' after ", key);
 			key = std::string_view();
 		}	
 		offset++;
 		if (offset >= len) return { key, std::string_view(), len };
 		auto value = ExtractString (buf + offset, len - offset);
 		offset += value.length () + 1;
 		if (offset >= len) return { key, std::string_view(), len };
 		if (buf[offset] != ';')
 		{	
 			LogPrint (eLogWarning, "RouterInfo: Unexpected character ", buf[offset], " instead ';' after ", value);
 			value = std::string_view();
 		}	
 		offset++;
 		return { key, value, offset };
 	}	
 	void RouterInfo::AddNTCP2Address (const uint8_t * staticKey, const uint8_t * iv,int port, uint8_t caps)
@ -1136,12 +1124,12 @@ namespace data
 	void RouterInfo::UpdateBuffer (const uint8_t * buf, size_t len)
 	{
 		m_IsBufferScheduledToDelete = false;
 		if (!m_Buffer)
 			m_Buffer = NewBuffer ();
 		if (len > m_Buffer->size ()) len = m_Buffer->size ();
 		memcpy (m_Buffer->data (), buf, len);
 		m_Buffer->SetBufferLen (len);
 		m_IsBufferScheduledToDelete = false;
 	}
 	std::shared_ptr<RouterInfo::Buffer> RouterInfo::CopyBuffer () const
@ -1196,6 +1184,19 @@ namespace data
 		}
 	}
 	std::string RouterInfo::GetTransportName (SupportedTransports tr)
 	{
 		switch (tr)
 		{
 			case eNTCP2V4: return "NTCP2V4";
 			case eNTCP2V6: return "NTCP2V6";
 			case eSSU2V4: return "SSU2V4";
 			case eSSU2V6: return "SSU2V6";
 			case eNTCP2V6Mesh: return "Mesh";
 			default: return "";
 		}
 	}	
 	void LocalRouterInfo::CreateBuffer (const PrivateKeys& privateKeys)
 	{
 		RefreshTimestamp ();
@ -1380,9 +1381,9 @@ namespace data
 						if (!introducer.iTag) continue;
 						if (introducer.iExp) // expiration is specified
 						{
-							WriteString ("iexp" + boost::lexical_cast<std::string>(i), properties);
+							WriteString ("iexp" + std::to_string(i), properties);
 							properties << '=';
-							WriteString (boost::lexical_cast<std::string>(introducer.iExp), properties);
+							WriteString (std::to_string(introducer.iExp), properties);
 							properties << ';';
 						}
 						i++;
@ -1391,7 +1392,7 @@ namespace data
 					for (const auto& introducer: address.ssu->introducers)
 					{
 						if (!introducer.iTag) continue;
-						WriteString ("ih" + boost::lexical_cast<std::string>(i), properties);
+						WriteString ("ih" + std::to_string(i), properties);
 						properties << '=';
 						char value[64];
 						size_t l = ByteStreamToBase64 (introducer.iH, 32, value, 64);
@ -1404,9 +1405,9 @@ namespace data
 					for (const auto& introducer: address.ssu->introducers)
 					{
 						if (!introducer.iTag) continue;
-						WriteString ("itag" + boost::lexical_cast<std::string>(i), properties);
+						WriteString ("itag" + std::to_string(i), properties);
 						properties << '=';
-						WriteString (boost::lexical_cast<std::string>(introducer.iTag), properties);
+						WriteString (std::to_string(introducer.iTag), properties);
 						properties << ';';
 						i++;
 					}
@ -1420,7 +1421,7 @@ namespace data
 				{
 					WriteString ("mtu", properties);
 					properties << '=';
-					WriteString (boost::lexical_cast<std::string>(address.ssu->mtu), properties);
+					WriteString (std::to_string(address.ssu->mtu), properties);
 					properties << ';';
 				}
 			}
@ -1428,7 +1429,7 @@ namespace data
 			{
 				WriteString ("port", properties);
 				properties << '=';
-				WriteString (boost::lexical_cast<std::string>(address.port), properties);
+				WriteString (std::to_string(address.port), properties);
 				properties << ';';
 			}
 			if (address.IsNTCP2 () || address.IsSSU2 ())
@ -1463,9 +1464,11 @@ namespace data
 		s.write (properties.str ().c_str (), properties.str ().size ());
 	}
-	void LocalRouterInfo::SetProperty (const std::string& key, const std::string& value)
+	void LocalRouterInfo::SetProperty (std::string_view key, std::string_view value)
 	{
-		m_Properties[key] = value;
+		auto [it, inserted] = m_Properties.emplace (key, value);
 		if (!inserted)
 			it->second = value;
 	}
 	void LocalRouterInfo::DeleteProperty (const std::string& key)
--- a/libi2pd/RouterInfo.h
+++ b/libi2pd/RouterInfo.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -11,6 +11,8 @@
 #include <inttypes.h>
 #include <string>
 #include <string_view>
 #include <tuple>
 #include <map>
 #include <vector>
 #include <array>
@ -219,7 +221,7 @@ namespace data
 			std::string GetIdentHashBase64 () const { return GetIdentHash ().ToBase64 (); };
 			uint64_t GetTimestamp () const { return m_Timestamp; };
 			int GetVersion () const { return m_Version; };
-			virtual void SetProperty (const std::string& key, const std::string& value) {};
+			virtual void SetProperty (std::string_view key, std::string_view value) {};
 			virtual void ClearProperties () {};
 			AddressesPtr GetAddresses () const; // should be called for local RI only, otherwise must return shared_ptr
 			std::shared_ptr<const Address> GetNTCP2V4Address () const;
@ -294,6 +296,7 @@ namespace data
 			std::shared_ptr<Buffer> GetSharedBuffer () const { return m_Buffer; };	
 			std::shared_ptr<Buffer> CopyBuffer () const;
 			void ScheduleBufferToDelete () { m_IsBufferScheduledToDelete = true; };
 			void CancelBufferToDelete () { m_IsBufferScheduledToDelete = false; };
 			bool IsBufferScheduledToDelete () const { return m_IsBufferScheduledToDelete; };
 			bool IsUpdated () const { return m_IsUpdated; };
@ -332,11 +335,12 @@ namespace data
 			bool LoadFile (const std::string& fullPath);
 			void ReadFromFile (const std::string& fullPath);
-			void ReadFromStream (std::istream& s);
+			bool ReadFromBuffer (const uint8_t * buf, size_t len); // return false if malformed
 			void ReadFromBuffer (bool verifySignature);
-			size_t ReadString (char* str, size_t len, std::istream& s) const;
+			std::string_view ExtractString (const uint8_t * buf, size_t len) const;
-			void ExtractCaps (const char * value);
+			std::tuple<std::string_view, std::string_view, size_t> ExtractParam (const uint8_t * buf, size_t len) const;
-			uint8_t ExtractAddressCaps (const char * value) const;
+			void ExtractCaps (std::string_view value);
 			uint8_t ExtractAddressCaps (std::string_view value) const;
 			void UpdateIntroducers (std::shared_ptr<Address> address, uint64_t ts); 
 			template<typename Filter>
 			std::shared_ptr<const Address> GetAddress (Filter filter) const;
@ -363,6 +367,10 @@ namespace data
 			int m_Version;
 			Congestion m_Congestion;
 			mutable std::shared_ptr<RouterProfile> m_Profile;
 		public:
 			static std::string GetTransportName (SupportedTransports tr);
 	};
 	class LocalRouterInfo: public RouterInfo
@ -374,7 +382,7 @@ namespace data
 			void UpdateCaps (uint8_t caps);
 			bool UpdateCongestion (Congestion c); // returns true if updated
-			void SetProperty (const std::string& key, const std::string& value) override;
+			void SetProperty (std::string_view key, std::string_view value) override;
 			void DeleteProperty (const std::string& key);
 			std::string GetProperty (const std::string& key) const;
 			void ClearProperties () override { m_Properties.clear (); };
--- a/libi2pd/SSU2.cpp
+++ b/libi2pd/SSU2.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022-2024, The PurpleI2P Project
+* Copyright (c) 2022-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -890,7 +890,7 @@ namespace transport
 			}
 			auto session = std::make_shared<SSU2Session> (*this, router, address);
-			if (!isValidEndpoint && router->GetProfile ()->HasLastEndpoint (address->IsV4 ()))
+			if (!isValidEndpoint && router->HasProfile () && router->GetProfile ()->HasLastEndpoint (address->IsV4 ()))
 			{
 				// router doesn't publish endpoint, but we connected before and hole punch might be alive
 				auto ep = router->GetProfile ()->GetLastEndpoint ();
@ -1251,18 +1251,21 @@ namespace transport
 		}
 		uint64_t token;
 		RAND_bytes ((uint8_t *)&token, 8);
-		m_IncomingTokens.emplace (ep, std::make_pair (token, uint32_t(ts + SSU2_TOKEN_EXPIRATION_TIMEOUT)));
+		if (!token) token = 1; // token can't be zero
 		m_IncomingTokens.try_emplace (ep, token, uint32_t(ts + SSU2_TOKEN_EXPIRATION_TIMEOUT));
 		return token;
 	}
 	std::pair<uint64_t, uint32_t> SSU2Server::NewIncomingToken (const boost::asio::ip::udp::endpoint& ep)
 	{
 		m_IncomingTokens.erase (ep); // drop previous
 		uint64_t token;
 		RAND_bytes ((uint8_t *)&token, 8);
-		auto ret = std::make_pair (token, uint32_t(i2p::util::GetSecondsSinceEpoch () + SSU2_NEXT_TOKEN_EXPIRATION_TIMEOUT));
+		if (!token) token = 1; // token can't be zero
-		m_IncomingTokens.emplace (ep, ret);
+		uint32_t expires = i2p::util::GetSecondsSinceEpoch () + SSU2_NEXT_TOKEN_EXPIRATION_TIMEOUT;
-		return ret;
+		auto [it, inserted] = m_IncomingTokens.try_emplace (ep, token, expires);
 		if (!inserted)
 			it->second = { token, expires }; // override
 		return it->second;
 	}
 	std::vector<std::shared_ptr<SSU2Session> > SSU2Server::FindIntroducers (int maxNumIntroducers,
@ -1389,7 +1392,7 @@ namespace transport
 					excluded.insert (ident);
 			}	
-			// sesssion about to expire are not counted
+			// session about to expire are not counted
 			for (auto i = introducers.size (); i < SSU2_MAX_NUM_INTRODUCERS + numOldSessions; i++)
 			{
 				auto introducer = i2p::data::netdb.GetRandomSSU2Introducer (v4, excluded);
@ -1516,6 +1519,23 @@ namespace transport
 		}
 	}
 	bool SSU2Server::AEADChaCha20Poly1305Encrypt (const uint8_t * msg, size_t msgLen,
 		const uint8_t * ad, size_t adLen, const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len)
 	{
 		return m_Encryptor.Encrypt (msg, msgLen, ad, adLen, key, nonce, buf, len);
 	}
 	bool SSU2Server::AEADChaCha20Poly1305Decrypt (const uint8_t * msg, size_t msgLen,
 		const uint8_t * ad, size_t adLen, const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len)
 	{
 		return m_Decryptor.Decrypt (msg, msgLen, ad, adLen, key, nonce, buf, len);
 	}
 	void SSU2Server::ChaCha20 (const uint8_t * msg, size_t msgLen, const uint8_t * key, const uint8_t * nonce, uint8_t * out)
 	{
 		m_ChaCha20 (msg, msgLen, key, nonce, out);
 	}	
 	void SSU2Server::SendThroughProxy (const uint8_t * header, size_t headerLen, const uint8_t * headerX, size_t headerXLen,
 		const uint8_t * payload, size_t payloadLen, const boost::asio::ip::udp::endpoint& to)
 	{
--- a/libi2pd/SSU2.h
+++ b/libi2pd/SSU2.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022-2024, The PurpleI2P Project
+* Copyright (c) 2022-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -82,6 +82,11 @@ namespace transport
 			bool IsConnectedRecently (const boost::asio::ip::udp::endpoint& ep, bool max = true);
 			void AddConnectedRecently (const boost::asio::ip::udp::endpoint& ep, uint64_t ts);
 			std::mt19937& GetRng () { return m_Rng; }
 			bool AEADChaCha20Poly1305Encrypt (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 				const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len); 
 			bool AEADChaCha20Poly1305Decrypt (const uint8_t * msg, size_t msgLen, const uint8_t * ad, size_t adLen,
 				const uint8_t * key, const uint8_t * nonce, uint8_t * buf, size_t len); 
 			void ChaCha20 (const uint8_t * msg, size_t msgLen, const uint8_t * key, const uint8_t * nonce, uint8_t * out);
 			bool IsMaxNumIntroducers (bool v4) const { return (v4 ? m_Introducers.size () : m_IntroducersV6.size ()) >= SSU2_MAX_NUM_INTRODUCERS; }
 			bool IsSyncClockFromPeers () const { return m_IsSyncClockFromPeers; };
 			void AdjustTimeOffset (int64_t offset, std::shared_ptr<const i2p::data::IdentityEx> from);
@ -200,6 +205,9 @@ namespace transport
 			std::unordered_map<uint32_t, std::pair <std::weak_ptr<SSU2PeerTestSession>, uint64_t > > m_RequestedPeerTests; // nonce->(Alice, timestamp) 
 			std::list<Packet *> m_ReceivedPacketsQueue;
 			mutable std::mutex m_ReceivedPacketsQueueMutex;
 			i2p::crypto::AEADChaCha20Poly1305Encryptor m_Encryptor;
 			i2p::crypto::AEADChaCha20Poly1305Decryptor m_Decryptor;
 			i2p::crypto::ChaCha20Context m_ChaCha20;
 			// proxy
 			bool m_IsThroughProxy;
--- a/libi2pd/SSU2OutOfSession.cpp
+++ b/libi2pd/SSU2OutOfSession.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2024, The PurpleI2P Project
+* Copyright (c) 2024-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -46,7 +46,7 @@ namespace transport
 		}
 		uint8_t nonce[12] = {0};
 		uint64_t headerX[2]; // sourceConnID, token
-		i2p::crypto::ChaCha20 (buf + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, (uint8_t *)headerX);
+		GetServer ().ChaCha20 (buf + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, (uint8_t *)headerX);
 		SetDestConnID (headerX[0]);
 		// decrypt and handle payload
 		uint8_t * payload = buf + 32;
@ -68,7 +68,7 @@ namespace transport
 	void SSU2PeerTestSession::HandleAddress (const uint8_t * buf, size_t len)
 	{
 		if (!ExtractEndpoint (buf, len, m_OurEndpoint))
-			LogPrint (eLogWarning, "SSU2: Can't hanlde address block from peer test message");
+			LogPrint (eLogWarning, "SSU2: Can't handle address block from peer test message");
 	}	
 	void SSU2PeerTestSession::HandlePeerTest (const uint8_t * buf, size_t len)
@ -89,7 +89,7 @@ namespace transport
 			{	
 				if (htobe64 (((uint64_t)nonce << 32) | nonce) == GetSourceConnID ())
 				{
-					m_PeerTestResendTimer.cancel (); // calcel delayed msg 6 if any
+					m_PeerTestResendTimer.cancel (); // cancel delayed msg 6 if any
 					m_IsConnectedRecently = GetServer ().IsConnectedRecently (GetRemoteEndpoint ());
 					if (GetAddress ())
 					{
@ -183,7 +183,7 @@ namespace transport
 		header.ll[0] ^= CreateHeaderMask (addr->i, payload + (payloadSize - 24));
 		header.ll[1] ^= CreateHeaderMask (addr->i, payload + (payloadSize - 12));
 		memset (n, 0, 12);
-		i2p::crypto::ChaCha20 (h + 16, 16, addr->i, n, h + 16);
+		GetServer ().ChaCha20 (h + 16, 16, addr->i, n, h + 16);
 		// send
 		GetServer ().Send (header.buf, 16, h + 16, 16, payload, payloadSize, GetRemoteEndpoint ());
 		UpdateNumSentBytes (payloadSize + 32);
@ -191,12 +191,7 @@ namespace transport
 	void SSU2PeerTestSession::SendPeerTest (uint8_t msg, const uint8_t * signedData, size_t signedDataLen, bool delayed)
 	{
 #if __cplusplus >= 202002L // C++20
 		m_SignedData.assign (signedData, signedData + signedDataLen);
 #else		
 		m_SignedData.resize (signedDataLen);
 		memcpy (m_SignedData.data (), signedData, signedDataLen);
 #endif		
 		if (!delayed)
 			SendPeerTest (msg);
 		// schedule resend for msgs 5 or 6
@ -257,7 +252,7 @@ namespace transport
 	{
 		// we are Charlie
 		uint64_t destConnID = htobe64 (((uint64_t)nonce << 32) | nonce); // dest id
-		uint32_t sourceConnID = ~destConnID;
+		uint64_t sourceConnID = ~destConnID;
 		SetSourceConnID (sourceConnID);
 		SetDestConnID (destConnID);	
 		SetState (eSSU2SessionStateHolePunch);
@ -305,7 +300,7 @@ namespace transport
 		header.ll[0] ^= CreateHeaderMask (addr->i, payload + (payloadSize - 24));
 		header.ll[1] ^= CreateHeaderMask (addr->i, payload + (payloadSize - 12));
 		memset (n, 0, 12);
-		i2p::crypto::ChaCha20 (h + 16, 16, addr->i, n, h + 16);
+		GetServer ().ChaCha20 (h + 16, 16, addr->i, n, h + 16);
 		// send
 		GetServer ().Send (header.buf, 16, h + 16, 16, payload, payloadSize, ep);
 		UpdateNumSentBytes (payloadSize + 32);
@ -313,12 +308,7 @@ namespace transport
 	void SSU2HolePunchSession::SendHolePunch (const uint8_t * relayResponseBlock, size_t relayResponseBlockLen)
 	{
 #if __cplusplus >= 202002L // C++20
 		m_RelayResponseBlock.assign (relayResponseBlock, relayResponseBlock + relayResponseBlockLen);
 #else		
 		m_RelayResponseBlock.resize (relayResponseBlockLen);
 		memcpy (m_RelayResponseBlock.data (), relayResponseBlock, relayResponseBlockLen);
 #endif		
 		SendHolePunch ();
 		ScheduleResend ();
 	}	
--- a/libi2pd/SSU2Session.cpp
+++ b/libi2pd/SSU2Session.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022-2024, The PurpleI2P Project
+* Copyright (c) 2022-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -92,7 +92,7 @@ namespace transport
 		m_RTO (SSU2_INITIAL_RTO), m_RelayTag (0),m_ConnectTimer (server.GetService ()), 
 		m_TerminationReason (eSSU2TerminationReasonNormalClose),
 		m_MaxPayloadSize (SSU2_MIN_PACKET_SIZE - IPV6_HEADER_SIZE - UDP_HEADER_SIZE - 32), // min size
-		m_LastResendTime (0), m_LastResendAttemptTime (0)
+		m_LastResendTime (0), m_LastResendAttemptTime (0), m_NumRanges (0)
 	{
 		if (noise)	
 			m_NoiseState.reset (new i2p::crypto::NoiseSymmetricState);
@ -189,7 +189,7 @@ namespace transport
 		if (!asz) return false;
 		payload[17] = asz;
 		packet->payloadSize = asz + 18;
-		SignedData s;
+		SignedData<128> s;
 		s.Insert ((const uint8_t *)"RelayRequestData", 16); // prologue
 		s.Insert (GetRemoteIdentity ()->GetIdentHash (), 32); // bhash
 		s.Insert (session->GetRemoteIdentity ()->GetIdentHash (), 32); // chash
@ -349,7 +349,7 @@ namespace transport
 	void SSU2Session::Done ()
 	{
-		m_Server.GetService ().post (std::bind (&SSU2Session::Terminate, shared_from_this ()));
+		boost::asio::post (m_Server.GetService (), std::bind (&SSU2Session::Terminate, shared_from_this ()));
 	}
 	void SSU2Session::SendLocalRouterInfo (bool update)
@ -357,7 +357,7 @@ namespace transport
 		if (update || !IsOutgoing ())
 		{
 			auto s = shared_from_this ();
-			m_Server.GetService ().post ([s]()
+			boost::asio::post (m_Server.GetService (), [s]()
 				{
 					if (!s->IsEstablished ()) return;
 					uint8_t payload[SSU2_MAX_PACKET_SIZE];
@ -389,7 +389,7 @@ namespace transport
 			m_IntermediateQueue.splice (m_IntermediateQueue.end (), msgs);
 		}
 		if (empty)
-			m_Server.GetService ().post (std::bind (&SSU2Session::PostI2NPMessages, shared_from_this ()));
+			boost::asio::post (m_Server.GetService (), std::bind (&SSU2Session::PostI2NPMessages, shared_from_this ()));
 	}
 	void SSU2Session::PostI2NPMessages ()
@ -623,7 +623,8 @@ namespace transport
 				}
 				else
 				{
-					uint32_t packetNum = SendData (it->second->payload, it->second->payloadSize);
+					uint32_t packetNum = SendData (it->second->payload, it->second->payloadSize, 
 						it->second->numResends > 1 ? SSU2_FLAG_IMMEDIATE_ACK_REQUESTED : 0);
 					it->second->numResends++;
 					it->second->sendTime = ts;
 					resentPackets.emplace (packetNum, it->second);
@ -682,7 +683,7 @@ namespace transport
 				}
 				const uint8_t nonce[12] = {0};
 				uint64_t headerX[2];
-				i2p::crypto::ChaCha20 (buf + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, (uint8_t *)headerX);
+				m_Server.ChaCha20 (buf + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, (uint8_t *)headerX);
 				LogPrint (eLogWarning, "SSU2: Unexpected PeerTest message SourceConnID=", connID, " DestConnID=", headerX[0]);
 				break;
 			}
@ -748,7 +749,7 @@ namespace transport
 		payloadSize += 16;
 		header.ll[0] ^= CreateHeaderMask (m_Address->i, payload + (payloadSize - 24));
 		header.ll[1] ^= CreateHeaderMask (m_Address->i, payload + (payloadSize - 12));
-		i2p::crypto::ChaCha20 (headerX, 48, m_Address->i, nonce, headerX);
+		m_Server.ChaCha20 (headerX, 48, m_Address->i, nonce, headerX);
 		m_NoiseState->MixHash (payload, payloadSize); // h = SHA256(h || encrypted payload from Session Request) for SessionCreated
 		m_SentHandshakePacket->payloadSize = payloadSize;
 		// send
@ -775,7 +776,7 @@ namespace transport
 		}
 		const uint8_t nonce[12] = {0};
 		uint8_t headerX[48];
-		i2p::crypto::ChaCha20 (buf + 16, 48, i2p::context.GetSSU2IntroKey (), nonce, headerX);
+		m_Server.ChaCha20 (buf + 16, 48, i2p::context.GetSSU2IntroKey (), nonce, headerX);
 		memcpy (&m_DestConnID, headerX, 8);
 		uint64_t token;
 		memcpy (&token, headerX + 8, 8);
@ -874,7 +875,7 @@ namespace transport
 		m_NoiseState->MixHash (payload, payloadSize); // h = SHA256(h || encrypted Noise payload from Session Created)
 		header.ll[0] ^= CreateHeaderMask (i2p::context.GetSSU2IntroKey (), payload + (payloadSize - 24));
 		header.ll[1] ^= CreateHeaderMask (kh2, payload + (payloadSize - 12));
-		i2p::crypto::ChaCha20 (headerX, 48, kh2, nonce, headerX);
+		m_Server.ChaCha20 (headerX, 48, kh2, nonce, headerX);
 		m_State = eSSU2SessionStateSessionCreatedSent;
 		m_SentHandshakePacket->payloadSize = payloadSize;
 		// send
@ -902,7 +903,7 @@ namespace transport
 		m_HandshakeInterval = i2p::util::GetMillisecondsSinceEpoch () - m_HandshakeInterval;
 		const uint8_t nonce[12] = {0};
 		uint8_t headerX[48];
-		i2p::crypto::ChaCha20 (buf + 16, 48, kh2, nonce, headerX);
+		m_Server.ChaCha20 (buf + 16, 48, kh2, nonce, headerX);
 		// KDF for SessionCreated
 		m_NoiseState->MixHash ( { {header.buf, 16}, {headerX, 16} } ); // h = SHA256(h || header)
 		m_NoiseState->MixHash (headerX + 16, 32); // h = SHA256(h || bepk);
@ -1178,14 +1179,19 @@ namespace transport
 			LogPrint (eLogError, "SSU2: Couldn't update RouterInfo from SessionConfirmed in netdb");
 			return false;
 		}
-		std::shared_ptr<i2p::data::RouterProfile> profile; // not null if older 
+		
 		bool isOlder = false;
 		if (ri->GetTimestamp () + i2p::data::NETDB_EXPIRATION_TIMEOUT_THRESHOLD*1000LL < ri1->GetTimestamp ())
 		{	
 			// received RouterInfo is older than one in netdb
-			profile = i2p::data::GetRouterProfile (ri->GetIdentHash ()); // retrieve profile	
+			isOlder = true;
 			if (ri->HasProfile ())
 			{	
 				auto profile = i2p::data::GetRouterProfile (ri->GetIdentHash ()); // retrieve profile	
 				if (profile && profile->IsDuplicated ())
 					return false;
 			}	
 		}	
 		ri = ri1;
 		m_Address = m_RemoteEndpoint.address ().is_v6 () ? ri->GetSSU2V6Address () : ri->GetSSU2V4Address ();
@ -1198,15 +1204,28 @@ namespace transport
 		    (!m_RemoteEndpoint.address ().is_v6 () ||
 			 memcmp (m_RemoteEndpoint.address ().to_v6 ().to_bytes ().data (), m_Address->host.to_v6 ().to_bytes ().data (), 8))) // temporary address
 		{
-			if (profile) // older router?
+			if (isOlder) // older router?
-				profile->Duplicated (); // mark router as duplicated in profile
+				i2p::data::UpdateRouterProfile (ri->GetIdentHash (),
 					[](std::shared_ptr<i2p::data::RouterProfile> profile)
 					{
 						if (profile) profile->Duplicated (); // mark router as duplicated in profile
 					});
 			else	
 				LogPrint (eLogInfo, "SSU2: Host mismatch between published address ", m_Address->host,
 					" and actual endpoint ", m_RemoteEndpoint.address (), " from ", i2p::data::GetIdentHashAbbreviation (ri->GetIdentHash ()));
 			return false;
 		}
 		if (!m_Address->published)
 		{	
 			if (ri->HasProfile ())	
 				ri->GetProfile ()->SetLastEndpoint (m_RemoteEndpoint);
 			else
 				i2p::data::UpdateRouterProfile (ri->GetIdentHash (), 
 					[ep = m_RemoteEndpoint](std::shared_ptr<i2p::data::RouterProfile> profile)
 				    {
 						if (profile) profile->SetLastEndpoint (ep);
 					});	
 		}	
 		SetRemoteIdentity (ri->GetRouterIdentity ());
 		AdjustMaxPayloadSize ();
 		m_Server.AddSessionByRouterHash (shared_from_this ()); // we know remote router now
@ -1264,7 +1283,7 @@ namespace transport
 		header.ll[0] ^= CreateHeaderMask (m_Address->i, payload + (payloadSize - 24));
 		header.ll[1] ^= CreateHeaderMask (m_Address->i, payload + (payloadSize - 12));
 		memset (nonce, 0, 12);
-		i2p::crypto::ChaCha20 (h + 16, 16, m_Address->i, nonce, h + 16);
+		m_Server.ChaCha20 (h + 16, 16, m_Address->i, nonce, h + 16);
 		// send
 		if (m_Server.AddPendingOutgoingSession (shared_from_this ()))
 			m_Server.Send (header.buf, 16, h + 16, 16, payload, payloadSize, m_RemoteEndpoint);
@ -1286,7 +1305,7 @@ namespace transport
 		uint8_t nonce[12] = {0};
 		uint8_t h[32];
 		memcpy (h, header.buf, 16);
-		i2p::crypto::ChaCha20 (buf + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, h + 16);
+		m_Server.ChaCha20 (buf + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, h + 16);
 		memcpy (&m_DestConnID, h + 16, 8);
 		// decrypt
 		CreateNonce (be32toh (header.h.packetNum), nonce);
@ -1338,7 +1357,7 @@ namespace transport
 		header.ll[0] ^= CreateHeaderMask (i2p::context.GetSSU2IntroKey (), payload + (payloadSize - 24));
 		header.ll[1] ^= CreateHeaderMask (i2p::context.GetSSU2IntroKey (), payload + (payloadSize - 12));
 		memset (nonce, 0, 12);
-		i2p::crypto::ChaCha20 (h + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, h + 16);
+		m_Server.ChaCha20 (h + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, h + 16);
 		// send
 		m_Server.Send (header.buf, 16, h + 16, 16, payload, payloadSize, m_RemoteEndpoint);
 	}
@ -1362,7 +1381,7 @@ namespace transport
 		}
 		uint8_t nonce[12] = {0};
 		uint64_t headerX[2]; // sourceConnID, token
-		i2p::crypto::ChaCha20 (buf + 16, 16, m_Address->i, nonce, (uint8_t *)headerX);
+		m_Server.ChaCha20 (buf + 16, 16, m_Address->i, nonce, (uint8_t *)headerX);
 		uint64_t token = headerX[1];
 		if (token)
 			m_Server.UpdateOutgoingToken (m_RemoteEndpoint, token, i2p::util::GetSecondsSinceEpoch () + SSU2_TOKEN_EXPIRATION_TIMEOUT);
@ -1411,7 +1430,7 @@ namespace transport
 		}
 		uint8_t nonce[12] = {0};
 		uint64_t headerX[2]; // sourceConnID, token
-		i2p::crypto::ChaCha20 (buf + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, (uint8_t *)headerX);
+		m_Server.ChaCha20 (buf + 16, 16, i2p::context.GetSSU2IntroKey (), nonce, (uint8_t *)headerX);
 		m_DestConnID = headerX[0];
 		// decrypt and handle payload
 		uint8_t * payload = buf + 32;
@ -1455,7 +1474,7 @@ namespace transport
 		uint8_t nonce[12];
 		CreateNonce (m_SendPacketNum, nonce);
 		uint8_t payload[SSU2_MAX_PACKET_SIZE];
-		i2p::crypto::AEADChaCha20Poly1305 (buf, len, header.buf, 16, m_KeyDataSend, nonce, payload, SSU2_MAX_PACKET_SIZE, true);
+		m_Server.AEADChaCha20Poly1305Encrypt (buf, len, header.buf, 16, m_KeyDataSend, nonce, payload, SSU2_MAX_PACKET_SIZE);
 		header.ll[0] ^= CreateHeaderMask (m_Address->i, payload + (len - 8));
 		header.ll[1] ^= CreateHeaderMask (m_KeyDataSend + 32, payload + (len + 4));
 		m_Server.Send (header.buf, 16, payload, len + 16, m_RemoteEndpoint);
@ -1495,8 +1514,8 @@ namespace transport
 		uint32_t packetNum = be32toh (header.h.packetNum);
 		uint8_t nonce[12];
 		CreateNonce (packetNum, nonce);
-		if (!i2p::crypto::AEADChaCha20Poly1305 (buf + 16, payloadSize, header.buf, 16,
+		if (!m_Server.AEADChaCha20Poly1305Decrypt (buf + 16, payloadSize, header.buf, 16,
-			m_KeyDataReceive, nonce, payload, payloadSize, false))
+			m_KeyDataReceive, nonce, payload, payloadSize))
 		{
 			LogPrint (eLogWarning, "SSU2: Data AEAD verification failed ");
 			return;
@ -1744,6 +1763,7 @@ namespace transport
 		HandleAckRange (firstPacketNum, ackThrough, i2p::util::GetMillisecondsSinceEpoch ()); // acnt
 		// ranges
 		len -= 5;
 		if (!len || m_SentPackets.empty ()) return; // don't handle ranges if nothing to acknowledge
 		const uint8_t * ranges = buf + 5;
 		while (len > 0 && firstPacketNum && ackThrough - firstPacketNum < SSU2_MAX_NUM_ACK_PACKETS)
 		{
@ -1945,6 +1965,7 @@ namespace transport
 	void SSU2Session::HandleRelayRequest (const uint8_t * buf, size_t len)
 	{
 		// we are Bob
 		if (len < 9) return;
 		auto mts = i2p::util::GetMillisecondsSinceEpoch ();
 		uint32_t nonce = bufbe32toh (buf + 1); // nonce
 		uint32_t relayTag = bufbe32toh (buf + 5); // relay tag
@ -1978,7 +1999,7 @@ namespace transport
 			packet->payloadSize = r ? CreateRouterInfoBlock (packet->payload, m_MaxPayloadSize - len - 32, r) : 0;
 			if (!packet->payloadSize && r)
 				session->SendFragmentedMessage (CreateDatabaseStoreMsg (r));
-			packet->payloadSize += CreateRelayIntroBlock (packet->payload + packet->payloadSize, m_MaxPayloadSize - packet->payloadSize, buf + 1, len -1);
+			packet->payloadSize += CreateRelayIntroBlock (packet->payload + packet->payloadSize, m_MaxPayloadSize - packet->payloadSize, buf + 1, len - 1);
 			if (packet->payloadSize < m_MaxPayloadSize)
 				packet->payloadSize += CreatePaddingBlock (packet->payload + packet->payloadSize, m_MaxPayloadSize - packet->payloadSize);
 			uint32_t packetNum = session->SendData (packet->payload, packet->payloadSize);
@ -1993,18 +2014,24 @@ namespace transport
 	void SSU2Session::HandleRelayIntro (const uint8_t * buf, size_t len, int attempts)
 	{
 		// we are Charlie
 		if (len < 47) return;
 		SSU2RelayResponseCode code = eSSU2RelayResponseCodeAccept;
 		boost::asio::ip::udp::endpoint ep;
 		std::shared_ptr<const i2p::data::RouterInfo::Address> addr;
 		auto r = i2p::data::netdb.FindRouter (buf + 1); // Alice
 		if (r)
 		{
-			SignedData s;
+			SignedData<128> s;
 			s.Insert ((const uint8_t *)"RelayRequestData", 16); // prologue
 			s.Insert (GetRemoteIdentity ()->GetIdentHash (), 32); // bhash
 			s.Insert (i2p::context.GetIdentHash (), 32); // chash
 			s.Insert (buf + 33, 14); // nonce, relay tag, timestamp, ver, asz
 			uint8_t asz = buf[46];
 			if (asz + 47 + r->GetIdentity ()->GetSignatureLen () > len) 
 			{	
 				LogPrint (eLogWarning, "SSU2: Malformed RelayIntro len=", len);
 				return; 
 			}	
 			s.Insert (buf + 47, asz); // Alice Port, Alice IP
 			if (s.Verify (r->GetIdentity (), buf + 47 + asz))
 			{
@ -2052,7 +2079,7 @@ namespace transport
 			auto vec = std::make_shared<std::vector<uint8_t> >(len);
 			memcpy (vec->data (), buf, len);
 			auto s = shared_from_this ();
-			m_Server.GetService ().post ([s, vec, attempts]()
+			boost::asio::post (m_Server.GetService (), [s, vec, attempts]()
 				{
 					LogPrint (eLogDebug, "SSU2: RelayIntro attempt ", attempts + 1);
 					s->HandleRelayIntro (vec->data (), vec->size (), attempts + 1);
@ -2093,6 +2120,7 @@ namespace transport
 	void SSU2Session::HandleRelayResponse (const uint8_t * buf, size_t len)
 	{
 		if (len < 6) return;
 		uint32_t nonce = bufbe32toh (buf + 2);
 		if (m_State == eSSU2SessionStateIntroduced)
 		{
@ -2113,7 +2141,9 @@ namespace transport
 		auto it = m_RelaySessions.find (nonce);
 		if (it != m_RelaySessions.end ())
 		{
-			if (it->second.first && it->second.first->IsEstablished ())
+			auto relaySession = it->second.first;
 			m_RelaySessions.erase (it);
 			if (relaySession && relaySession->IsEstablished ())
 			{
 				// we are Bob, message from Charlie
 				auto packet = m_Server.GetSentPacketsPool ().AcquireShared ();
@ -2123,12 +2153,12 @@ namespace transport
 				memcpy (payload + 3, buf, len); // forward to Alice as is
 				packet->payloadSize = len + 3;
 				packet->payloadSize += CreatePaddingBlock (payload + packet->payloadSize, m_MaxPayloadSize - packet->payloadSize);
-				uint32_t packetNum = it->second.first->SendData (packet->payload, packet->payloadSize);
+				uint32_t packetNum = relaySession->SendData (packet->payload, packet->payloadSize);
 				if (m_RemoteVersion >= SSU2_MIN_RELAY_RESPONSE_RESEND_VERSION)
 				{	
 					// sometimes Alice doesn't ack this RelayResponse in older versions
 					packet->sendTime = i2p::util::GetMillisecondsSinceEpoch ();
-					it->second.first->m_SentPackets.emplace (packetNum, packet);
+					relaySession->m_SentPackets.emplace (packetNum, packet);
 				}	
 			}
 			else
@ -2137,25 +2167,31 @@ namespace transport
 				if (!buf[1]) // status code accepted?
 				{
 					// verify signature
-					uint8_t csz = buf[11];
+					uint8_t csz = (len >= 12) ? buf[11] : 0;
-					SignedData s;
+					if (csz + 12 + relaySession->GetRemoteIdentity ()->GetSignatureLen () > len)
 					{
 						LogPrint (eLogWarning, "SSU2: Malformed RelayResponse len=", len);
 						relaySession->Done ();
 						return;
 					}	
 					SignedData<128> s;
 					s.Insert ((const uint8_t *)"RelayAgreementOK", 16); // prologue
 					s.Insert (GetRemoteIdentity ()->GetIdentHash (), 32); // bhash
 					s.Insert (buf + 2, 10 + csz); // nonce, timestamp, ver, csz and Charlie's endpoint
-					if (s.Verify (it->second.first->GetRemoteIdentity (), buf + 12 + csz))
+					if (s.Verify (relaySession->GetRemoteIdentity (), buf + 12 + csz))
 					{
-						if (it->second.first->m_State == eSSU2SessionStateIntroduced) // HolePunch not received yet
+						if (relaySession->m_State == eSSU2SessionStateIntroduced) // HolePunch not received yet
 						{
 							// update Charlie's endpoint
-							if (ExtractEndpoint (buf + 12, csz, it->second.first->m_RemoteEndpoint))
+							if (ExtractEndpoint (buf + 12, csz, relaySession->m_RemoteEndpoint))
 							{
 								// update token
 								uint64_t token;
 								memcpy (&token, buf + len - 8, 8);
-								m_Server.UpdateOutgoingToken (it->second.first->m_RemoteEndpoint,
+								m_Server.UpdateOutgoingToken (relaySession->m_RemoteEndpoint,
 									token, i2p::util::GetSecondsSinceEpoch () + SSU2_TOKEN_EXPIRATION_TIMEOUT);
 								// connect to Charlie, HolePunch will be ignored
-								it->second.first->ConnectAfterIntroduction ();
+								relaySession->ConnectAfterIntroduction ();
 							}
 							else
 								LogPrint (eLogWarning, "SSU2: RelayResponse can't extract endpoint");
@ -2164,16 +2200,15 @@ namespace transport
 					else
 					{
 						LogPrint (eLogWarning, "SSU2: RelayResponse signature verification failed");
-						it->second.first->Done ();
+						relaySession->Done ();
 					}
 				}
 				else
 				{
 					LogPrint (eLogInfo, "SSU2: RelayResponse status code=", (int)buf[1], " nonce=", bufbe32toh (buf + 2));
-					it->second.first->Done ();
+					relaySession->Done ();
 				}
 			}
 			m_RelaySessions.erase (it);
 		}
 		else
 			LogPrint (eLogDebug, "SSU2: RelayResponse unknown nonce ", bufbe32toh (buf + 2));
@ -2242,10 +2277,13 @@ namespace transport
 			case 2: // Charlie from Bob
 			{
 				// sign with Charlie's key
 				if (len < offset + 9) return;
 				uint8_t asz = buf[offset + 9];
-				std::vector<uint8_t> newSignedData (asz + 10 + i2p::context.GetIdentity ()->GetSignatureLen ());
+				size_t l = asz + 10 + i2p::context.GetIdentity ()->GetSignatureLen ();
 				if (len < offset + l) return;
 				std::vector<uint8_t> newSignedData (l);
 				memcpy (newSignedData.data (), buf + offset, asz + 10);
-				SignedData s;
+				SignedData<128> s;
 				s.Insert ((const uint8_t *)"PeerTestValidate", 16); // prologue
 				s.Insert (GetRemoteIdentity ()->GetIdentHash (), 32); // bhash
 				s.Insert (buf + 3, 32); // ahash
@ -2353,10 +2391,16 @@ namespace transport
 						if (GetRouterStatus () == eRouterStatusUnknown)
 							SetTestingState (true);
 						auto r = i2p::data::netdb.FindRouter (buf + 3); // find Charlie
-						if (r)
+						if (r && len >= offset + 9)
 						{
 							uint8_t asz = buf[offset + 9];
-							SignedData s;
+							if (len < offset + asz + 10 + r->GetIdentity ()->GetSignatureLen ())
 							{
 								LogPrint (eLogWarning, "Malformed PeerTest 4 len=", len);
 								session->Done ();
 								return;
 							}	
 							SignedData<128> s;
 							s.Insert ((const uint8_t *)"PeerTestValidate", 16); // prologue
 							s.Insert (GetRemoteIdentity ()->GetIdentHash (), 32); // bhash
 							s.Insert (i2p::context.GetIdentity ()->GetIdentHash (), 32); // ahash
@ -2624,17 +2668,17 @@ namespace transport
 	size_t SSU2Session::CreateAckBlock (uint8_t * buf, size_t len)
 	{
 		if (len < 8) return 0;
 		int maxNumRanges = (len - 8) >> 1;
 		if (maxNumRanges > SSU2_MAX_NUM_ACK_RANGES) maxNumRanges = SSU2_MAX_NUM_ACK_RANGES;
 		buf[0] = eSSU2BlkAck;
 		uint32_t ackThrough = m_OutOfSequencePackets.empty () ? m_ReceivePacketNum : *m_OutOfSequencePackets.rbegin ();
 		htobe32buf (buf + 3, ackThrough); // Ack Through
 		uint16_t acnt = 0;
 		int numRanges = 0;
 		if (ackThrough)
 		{
 			if (m_OutOfSequencePackets.empty ())
 			{	
 				acnt = std::min ((int)ackThrough, SSU2_MAX_NUM_ACNT); // no gaps
 				m_NumRanges = 0;
 			}	
 			else
 			{
 				auto it = m_OutOfSequencePackets.rbegin (); it++; // prev packet num
@ -2647,6 +2691,11 @@ namespace transport
 						it++;
 				}
 				// ranges
 				if (!m_NumRanges)
 				{	
 					int maxNumRanges = (len - 8) >> 1;
 					if (maxNumRanges > SSU2_MAX_NUM_ACK_RANGES) maxNumRanges = SSU2_MAX_NUM_ACK_RANGES;
 					int numRanges = 0;
 					uint32_t lastNum = ackThrough - acnt;
 					if (acnt > SSU2_MAX_NUM_ACNT)
 					{
@ -2660,12 +2709,12 @@ namespace transport
 						// Acks only ranges for acnt
 						for (int i = 0; i < d.quot; i++)
 						{
-						buf[8 + numRanges*2] = 0; buf[8 + numRanges*2 + 1] = SSU2_MAX_NUM_ACNT; // NACKs 0, Acks 255
+							m_Ranges[numRanges*2] = 0; m_Ranges[numRanges*2 + 1] = SSU2_MAX_NUM_ACNT; // NACKs 0, Acks 255
 							numRanges++;
 						}
 						if (d.rem > 0)
 						{
-						buf[8 + numRanges*2] = 0; buf[8 + numRanges*2 + 1] = d.rem;
+							m_Ranges[numRanges*2] = 0; m_Ranges[numRanges*2 + 1] = d.rem;
 							numRanges++;
 						}
 					}
@ -2679,15 +2728,15 @@ namespace transport
 							if (lastNum > (*it) + SSU2_MAX_NUM_ACNT*(maxNumRanges - numRanges)) break; // too many NACKs
 							while (lastNum - (*it) > SSU2_MAX_NUM_ACNT)
 							{
-							buf[8 + numRanges*2] = SSU2_MAX_NUM_ACNT; buf[8 + numRanges*2 + 1] = 0; // NACKs 255, Acks 0
+								m_Ranges[numRanges*2] = SSU2_MAX_NUM_ACNT; m_Ranges[numRanges*2 + 1] = 0; // NACKs 255, Acks 0
 								lastNum -= SSU2_MAX_NUM_ACNT;
 								numRanges++;
 								numPackets += SSU2_MAX_NUM_ACNT;
 							}
 						}
 						// NACKs and Acks ranges
-					buf[8 + numRanges*2] = lastNum - (*it) - 1; // NACKs
+						m_Ranges[numRanges*2] = lastNum - (*it) - 1; // NACKs
-					numPackets += buf[8 + numRanges*2];
+						numPackets += m_Ranges[numRanges*2];
 						lastNum = *it; it++;
 						int numAcks = 1;
 						while (it != m_OutOfSequencePackets.rend () && lastNum > 0 && *it == lastNum - 1)
@ -2698,15 +2747,15 @@ namespace transport
 						while (numAcks > SSU2_MAX_NUM_ACNT)
 						{
 							// Acks only ranges
-						buf[8 + numRanges*2 + 1] = SSU2_MAX_NUM_ACNT; // Acks 255
+							m_Ranges[numRanges*2 + 1] = SSU2_MAX_NUM_ACNT; // Acks 255
 							numAcks -= SSU2_MAX_NUM_ACNT;
 							numRanges++;
 							numPackets += SSU2_MAX_NUM_ACNT;
-						buf[8 + numRanges*2] = 0; // NACKs 0
+							m_Ranges[numRanges*2] = 0; // NACKs 0
 							if (numRanges >= maxNumRanges || numPackets >= SSU2_MAX_NUM_ACK_PACKETS) break;
 						}
 						if (numAcks > SSU2_MAX_NUM_ACNT) numAcks = SSU2_MAX_NUM_ACNT;
-					buf[8 + numRanges*2 + 1] = (uint8_t)numAcks; // Acks
+						m_Ranges[numRanges*2 + 1] = (uint8_t)numAcks; // Acks
 						numPackets += numAcks;
 						numRanges++;
 					}
@ -2718,22 +2767,26 @@ namespace transport
 						if (nacks > 0)
 						{
 							if (nacks > SSU2_MAX_NUM_ACNT) nacks = SSU2_MAX_NUM_ACNT;
-						buf[8 + numRanges*2] = nacks;
+							m_Ranges[numRanges*2] = nacks;
-						buf[8 + numRanges*2 + 1] = std::min ((int)m_ReceivePacketNum + 1, SSU2_MAX_NUM_ACNT);
+							m_Ranges[numRanges*2 + 1] = std::min ((int)m_ReceivePacketNum + 1, SSU2_MAX_NUM_ACNT);
 							numRanges++;
 						}
 					}
 					m_NumRanges = numRanges;
 				}	
 				if (m_NumRanges)
 					memcpy (buf + 8, m_Ranges, m_NumRanges*2);
 			}
 		}
 		buf[7] = (uint8_t)acnt; // acnt
-		htobe16buf (buf + 1, 5 + numRanges*2);
+		htobe16buf (buf + 1, 5 + m_NumRanges*2);
-		return 8 + numRanges*2;
+		return 8 + m_NumRanges*2;
 	}
 	size_t SSU2Session::CreatePaddingBlock (uint8_t * buf, size_t len, size_t minSize)
 	{
 		if (len < 3 || len < minSize) return 0;
-		size_t paddingSize = m_Server.GetRng ()() & 0x0F; // 0 - 15
+		size_t paddingSize = m_Server.GetRng ()() & 0x1F; // 0 - 31
 		if (paddingSize + 3 > len) paddingSize = len - 3;
 		else if (paddingSize + 3 < minSize) paddingSize = minSize - 3;
 		buf[0] = eSSU2BlkPadding;
@ -2835,7 +2888,7 @@ namespace transport
 			LogPrint (eLogError, "SSU2: Buffer for RelayResponse signature is too small ", len);
 			return 0;
 		}
-		SignedData s;
+		SignedData<128> s;
 		s.Insert ((const uint8_t *)"RelayAgreementOK", 16); // prologue
 		if (code == eSSU2RelayResponseCodeAccept || code >= 64) // Charlie
 			s.Insert (GetRemoteIdentity ()->GetIdentHash (), 32); // bhash
@ -2897,7 +2950,7 @@ namespace transport
 		size_t asz = CreateEndpoint (signedData + 10, 86, boost::asio::ip::udp::endpoint (localAddress->host, localAddress->port));
 		signedData[9] = asz;
 		// signature
-		SignedData s;
+		SignedData<128> s;
 		s.Insert ((const uint8_t *)"PeerTestValidate", 16); // prologue
 		s.Insert (GetRemoteIdentity ()->GetIdentHash (), 32); // bhash
 		s.Insert (signedData, 10 + asz); // ver, nonce, ts, asz, Alice's endpoint
@ -2961,11 +3014,17 @@ namespace transport
 					}
 					m_OutOfSequencePackets.erase (m_OutOfSequencePackets.begin (), it);
 				}
 				m_NumRanges = 0; // recalculate ranges when create next Ack
 			}
 			m_ReceivePacketNum = packetNum;
 		}
 		else
 		{
 			if (m_NumRanges && (m_OutOfSequencePackets.empty () ||
 				packetNum != (*m_OutOfSequencePackets.rbegin ()) + 1))
 				m_NumRanges = 0; // reset ranges if received packet is not next
 			m_OutOfSequencePackets.insert (packetNum);
 		}	
 		return true;
 	}
@ -3114,5 +3173,10 @@ namespace transport
 		else if (!sent && !m_SentPackets.empty ()) // if only acks received, nothing sent and we still have something to resend
 			Resend (i2p::util::GetMillisecondsSinceEpoch ()); // than right time to resend
 	}
 	i2p::data::RouterInfo::SupportedTransports SSU2Session::GetTransportType () const
 	{
 		return m_RemoteEndpoint.address ().is_v4 () ? i2p::data::RouterInfo::eSSU2V4 : i2p::data::RouterInfo::eSSU2V6;
 	}	
 }
 }
--- a/libi2pd/SSU2Session.h
+++ b/libi2pd/SSU2Session.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2022-2024, The PurpleI2P Project
+* Copyright (c) 2022-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -267,6 +267,7 @@ namespace transport
 			size_t Resend (uint64_t ts); // return number of resent packets
 			uint64_t GetLastResendTime () const { return m_LastResendTime; };
 			bool IsEstablished () const override { return m_State == eSSU2SessionStateEstablished; };
 			i2p::data::RouterInfo::SupportedTransports GetTransportType () const override;
 			uint64_t GetConnID () const { return m_SourceConnID; };
 			SSU2SessionState GetState () const { return m_State; };
 			void SetState (SSU2SessionState state) { m_State = state; };
@ -396,6 +397,8 @@ namespace transport
 			std::unique_ptr<i2p::data::IdentHash> m_PathChallenge;
 			std::unordered_map<uint32_t, uint32_t> m_ReceivedI2NPMsgIDs; // msgID -> timestamp in seconds
 			uint64_t m_LastResendTime, m_LastResendAttemptTime; // in milliseconds
 			int m_NumRanges;
 			uint8_t m_Ranges[SSU2_MAX_NUM_ACK_RANGES*2]; // ranges sent with previous Ack if any
 	};
 	inline uint64_t CreateHeaderMask (const uint8_t * kh, const uint8_t * nonce)
--- a/libi2pd/Signature.cpp
+++ b/libi2pd/Signature.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2023, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -149,5 +149,179 @@ namespace crypto
 			LogPrint (eLogError, "EdDSA signing key is not set");
 	}
 #endif
 #if (OPENSSL_VERSION_NUMBER >= 0x030000000)
 	static const OSSL_PARAM EDDSA25519phParams[] =
 	{
 		OSSL_PARAM_utf8_string ("instance", (char *)"Ed25519ph", 9),
 		OSSL_PARAM_END
 	};
 	bool EDDSA25519phVerifier::Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const
 	{
 		auto pkey = GetPkey ();
 		if (pkey)
 		{	
 			uint8_t digest[64];
 			SHA512 (buf, len, digest);
 			EVP_MD_CTX * ctx = EVP_MD_CTX_create ();
 			EVP_DigestVerifyInit_ex (ctx, NULL, NULL, NULL, NULL, pkey, EDDSA25519phParams);
 			auto ret = EVP_DigestVerify (ctx, signature, 64, digest, 64);
 			EVP_MD_CTX_destroy (ctx);	
 			return ret;	
 		}	
 		else
 			LogPrint (eLogError, "EdDSA verification key is not set");
 		return false;
 	}
 	EDDSA25519phSigner::EDDSA25519phSigner (const uint8_t * signingPrivateKey): 
 		EDDSA25519Signer (signingPrivateKey)
 	{		
 	}
 	void EDDSA25519phSigner::Sign (const uint8_t * buf, int len, uint8_t * signature) const
 	{
 		auto pkey = GetPkey ();
 		if (pkey)
 		{	
 			uint8_t digest[64];
 			SHA512 (buf, len, digest);
 			EVP_MD_CTX * ctx = EVP_MD_CTX_create ();
 			size_t l = 64;
 			uint8_t sig[64];
 			EVP_DigestSignInit_ex (ctx, NULL, NULL, NULL, NULL, pkey, EDDSA25519phParams);
 			if (!EVP_DigestSign (ctx, sig, &l, digest, 64))
 				LogPrint (eLogError, "EdDSA signing failed");
 			memcpy (signature, sig, 64);
 			EVP_MD_CTX_destroy (ctx);
 		}
 		else
 			LogPrint (eLogError, "EdDSA signing key is not set");
 	}		
 #endif	
 #if OPENSSL_PQ
 #include <openssl/core_names.h>
 	MLDSA44Verifier::MLDSA44Verifier ():
 		m_Pkey (nullptr)
 	{
 	}
 	MLDSA44Verifier::~MLDSA44Verifier ()
 	{
 		EVP_PKEY_free (m_Pkey);
 	}
 	void MLDSA44Verifier::SetPublicKey (const uint8_t * signingKey)
 	{
 		if (m_Pkey) 
 		{ 
 			EVP_PKEY_free (m_Pkey);
 			m_Pkey = nullptr;
 		}	
 		OSSL_PARAM params[] =
 		{
 			OSSL_PARAM_octet_string (OSSL_PKEY_PARAM_PUB_KEY, (uint8_t *)signingKey, GetPublicKeyLen ()),
 			OSSL_PARAM_END
 		};		
 		EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name (NULL, "ML-DSA-44", NULL);
 		if (ctx)
 		{
 			EVP_PKEY_fromdata_init (ctx);
 			EVP_PKEY_fromdata (ctx, &m_Pkey, OSSL_KEYMGMT_SELECT_PUBLIC_KEY, params);
 			EVP_PKEY_CTX_free (ctx);
 		}
 		else
 			LogPrint (eLogError, "MLDSA44 can't create PKEY context");
 	}
 	bool MLDSA44Verifier::Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const
 	{
 		bool ret = false;
 		if (m_Pkey)
 		{	
 			EVP_PKEY_CTX * vctx = EVP_PKEY_CTX_new_from_pkey (NULL, m_Pkey, NULL);
 			if (vctx)
 			{
 				EVP_SIGNATURE * sig = EVP_SIGNATURE_fetch (NULL, "ML-DSA-44", NULL);
 				if (sig)
 				{
 					int encode = 1;
 					OSSL_PARAM params[] =
 					{
 						OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING, &encode),
 						OSSL_PARAM_END
 					};		
 					EVP_PKEY_verify_message_init (vctx, sig, params);
 					ret = EVP_PKEY_verify (vctx, signature, GetSignatureLen (), buf, len);
 					EVP_SIGNATURE_free (sig);
 				}	
 				EVP_PKEY_CTX_free (vctx);
 			}	
 			else
 				LogPrint (eLogError, "MLDSA44 can't obtain context from PKEY");
 		}	
 		else
 			LogPrint (eLogError, "MLDSA44 verification key is not set");
 		return ret;
 	}
 	MLDSA44Signer::MLDSA44Signer (const uint8_t * signingPrivateKey):
 		m_Pkey (nullptr)
 	{
 		OSSL_PARAM params[] =
 		{
 			OSSL_PARAM_octet_string (OSSL_PKEY_PARAM_PRIV_KEY, (uint8_t *)signingPrivateKey, MLDSA44_PRIVATE_KEY_LENGTH),
 			OSSL_PARAM_END
 		};		
 		EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_name (NULL, "ML-DSA-44", NULL);
 		if (ctx)
 		{
 			EVP_PKEY_fromdata_init (ctx);
 			EVP_PKEY_fromdata (ctx, &m_Pkey, OSSL_KEYMGMT_SELECT_PRIVATE_KEY, params);
 			EVP_PKEY_CTX_free (ctx);
 		}
 		else
 			LogPrint (eLogError, "MLDSA44 can't create PKEY context");
 	}
 	MLDSA44Signer::~MLDSA44Signer ()
 	{
 		if (m_Pkey) EVP_PKEY_free (m_Pkey);
 	}
 	void MLDSA44Signer::Sign (const uint8_t * buf, int len, uint8_t * signature) const
 	{
 		if (m_Pkey)
 		{	
 			EVP_PKEY_CTX * sctx = EVP_PKEY_CTX_new_from_pkey (NULL, m_Pkey, NULL);
 			if (sctx)
 			{
 				EVP_SIGNATURE * sig = EVP_SIGNATURE_fetch (NULL, "ML-DSA-44", NULL);
 				if (sig)
 				{
 					int encode = 1;
 					OSSL_PARAM params[] =
 					{
 						OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING, &encode),
 						OSSL_PARAM_END
 					};		
 					EVP_PKEY_sign_message_init (sctx, sig, params);
 					size_t siglen = MLDSA44_SIGNATURE_LENGTH;
 					EVP_PKEY_sign (sctx, signature, &siglen, buf, len);
 					EVP_SIGNATURE_free (sig);
 				}	
 				EVP_PKEY_CTX_free (sctx);
 			}	
 			else
 				LogPrint (eLogError, "MLDSA44 can't obtain context from PKEY");
 		}	
 		else
 			LogPrint (eLogError, "MLDSA44 signing key is not set");
 	}	
 #endif		
 }
 }
--- a/libi2pd/Signature.h
+++ b/libi2pd/Signature.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2023, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -304,13 +304,27 @@ namespace crypto
 		private:
 #if OPENSSL_EDDSA	
 			EVP_PKEY * m_Pkey;
 		protected:
 			EVP_PKEY * GetPkey () const { return m_Pkey; };
 #else
 			EDDSAPoint m_PublicKey;
 			uint8_t m_PublicKeyEncoded[EDDSA25519_PUBLIC_KEY_LENGTH];
 #endif
 	};
 #if (OPENSSL_VERSION_NUMBER >= 0x030000000) // since 3.0.0
 	class EDDSA25519phVerifier: public EDDSA25519Verifier
 	{
 		public:
 			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const;
 	};
 #endif	
 	class EDDSA25519SignerCompat: public Signer
 	{
 		public:
@ -339,6 +353,10 @@ namespace crypto
 			void Sign (const uint8_t * buf, int len, uint8_t * signature) const;
 		protected:
 			EVP_PKEY * GetPkey () const { return m_Pkey; };
 		private:
 			EVP_PKEY * m_Pkey;
@ -348,6 +366,18 @@ namespace crypto
 	typedef EDDSA25519SignerCompat EDDSA25519Signer;
 #endif
 #if (OPENSSL_VERSION_NUMBER >= 0x030000000) // since 3.0.0
 	class EDDSA25519phSigner: public EDDSA25519Signer
 	{
 		public:
 			EDDSA25519phSigner (const uint8_t * signingPrivateKey);
 			void Sign (const uint8_t * buf, int len, uint8_t * signature) const;
 	};
 #endif	
 	inline void CreateEDDSA25519RandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
@ -530,6 +560,57 @@ namespace crypto
 		RedDSA25519Signer signer (signingPrivateKey);
 		memcpy (signingPublicKey, signer.GetPublicKey (), EDDSA25519_PUBLIC_KEY_LENGTH);
 	}
 #if OPENSSL_PQ
 #include <openssl/core_names.h>
 	// Post-Quantum
 	const size_t MLDSA44_PUBLIC_KEY_LENGTH = 1312;
 	const size_t MLDSA44_SIGNATURE_LENGTH = 2420;
 	const size_t MLDSA44_PRIVATE_KEY_LENGTH = 2560;
 	class MLDSA44Verifier: public Verifier
 	{
 		public:
 			MLDSA44Verifier ();
 			void SetPublicKey (const uint8_t * signingKey);
 			~MLDSA44Verifier ();
 			bool Verify (const uint8_t * buf, size_t len, const uint8_t * signature) const;
 			size_t GetPublicKeyLen () const { return MLDSA44_PUBLIC_KEY_LENGTH; };
 			size_t GetSignatureLen () const { return MLDSA44_SIGNATURE_LENGTH; };
 			size_t GetPrivateKeyLen () const { return MLDSA44_PRIVATE_KEY_LENGTH; };
 		private:
 			EVP_PKEY * m_Pkey;
 	};
 	class MLDSA44Signer: public Signer
 	{
 		public:
 			MLDSA44Signer (const uint8_t * signingPrivateKey);
 			~MLDSA44Signer ();
 			void Sign (const uint8_t * buf, int len, uint8_t * signature) const;
 		private:
 			EVP_PKEY * m_Pkey;
 	};
 	inline void CreateMLDSA44RandomKeys (uint8_t * signingPrivateKey, uint8_t * signingPublicKey)
 	{
 		EVP_PKEY * pkey = EVP_PKEY_Q_keygen (NULL, NULL, "ML-DSA-44");
 		size_t len = MLDSA44_PUBLIC_KEY_LENGTH;
        EVP_PKEY_get_octet_string_param (pkey, OSSL_PKEY_PARAM_PUB_KEY, signingPublicKey, MLDSA44_PUBLIC_KEY_LENGTH, &len);
 		len = MLDSA44_PRIVATE_KEY_LENGTH;
 		EVP_PKEY_get_octet_string_param (pkey, OSSL_PKEY_PARAM_PRIV_KEY, signingPrivateKey, MLDSA44_PRIVATE_KEY_LENGTH, &len);
 		EVP_PKEY_free (pkey);
 	}	
 #endif	
 }
 }
--- a/libi2pd/Streaming.cpp
+++ b/libi2pd/Streaming.cpp
@ -72,15 +72,15 @@ namespace stream
 		m_TunnelsChangeSequenceNumber (0), m_LastReceivedSequenceNumber (-1), m_PreviousReceivedSequenceNumber (-1),
 		m_LastConfirmedReceivedSequenceNumber (0), // for limit inbound speed
 		m_Status (eStreamStatusNew), m_IsIncoming (false), m_IsAckSendScheduled (false), m_IsNAcked (false), m_IsFirstACK (false), 
-		m_IsResendNeeded (false), m_IsFirstRttSample (false), m_IsSendTime (true), m_IsWinDropped (false),
+		m_IsResendNeeded (false), m_IsFirstRttSample (false), m_IsSendTime (true), m_IsWinDropped (false), m_IsClientChoked (false),
 		m_IsTimeOutResend (false), m_IsImmediateAckRequested (false), m_IsRemoteLeaseChangeInProgress (false), m_DoubleWinIncCounter (false), m_LocalDestination (local),
 		m_RemoteLeaseSet (remote), m_ReceiveTimer (m_Service), m_SendTimer (m_Service), m_ResendTimer (m_Service),
 		m_AckSendTimer (m_Service), m_NumSentBytes (0), m_NumReceivedBytes (0), m_Port (port),
 		m_RTT (INITIAL_RTT), m_SlowRTT (INITIAL_RTT), m_SlowRTT2 (INITIAL_RTT), m_WindowSize (INITIAL_WINDOW_SIZE), m_LastWindowDropSize  (0),
 		m_WindowDropTargetSize (0), m_WindowIncCounter (0), m_RTO (INITIAL_RTO),
-		m_AckDelay (local.GetOwner ()->GetStreamingAckDelay ()), m_PrevRTTSample (INITIAL_RTT), 
+		m_AckDelay (local.GetOwner ()->GetStreamingAckDelay ()), m_PrevRTTSample (INITIAL_RTT), m_WindowSizeTail (0), 
 		m_Jitter (0), m_MinPacingTime (0),
-		m_PacingTime (INITIAL_PACING_TIME), m_PacingTimeRem (0), m_LastSendTime (0), m_RemoteLeaseChangeTime (0),
+		m_PacingTime (INITIAL_PACING_TIME), m_PacingTimeRem (0), m_LastSendTime (0), m_LastACKRecieveTime (0), m_ACKRecieveInterval (local.GetOwner ()->GetStreamingAckDelay ()), m_RemoteLeaseChangeTime (0), m_LastWindowIncTime (0),
 		m_LastACKSendTime (0), m_PacketACKInterval (1), m_PacketACKIntervalRem (0), // for limit inbound speed
 		m_NumResendAttempts (0), m_NumPacketsToSend (0), m_MTU (STREAMING_MTU)
 	{
@ -100,14 +100,14 @@ namespace stream
 		m_TunnelsChangeSequenceNumber (0), m_LastReceivedSequenceNumber (-1), m_PreviousReceivedSequenceNumber (-1),
 		m_LastConfirmedReceivedSequenceNumber (0), // for limit inbound speed
 		m_Status (eStreamStatusNew), m_IsIncoming (true), m_IsAckSendScheduled (false), m_IsNAcked (false), m_IsFirstACK (false),  
-		m_IsResendNeeded (false), m_IsFirstRttSample (false), m_IsSendTime (true), m_IsWinDropped (false),
+		m_IsResendNeeded (false), m_IsFirstRttSample (false), m_IsSendTime (true), m_IsWinDropped (false), m_IsClientChoked (false),
 		m_IsTimeOutResend (false), m_IsImmediateAckRequested (false), m_IsRemoteLeaseChangeInProgress (false), m_DoubleWinIncCounter (false), m_LocalDestination (local),
 		m_ReceiveTimer (m_Service), m_SendTimer (m_Service), m_ResendTimer (m_Service), m_AckSendTimer (m_Service),
 		m_NumSentBytes (0), m_NumReceivedBytes (0), m_Port (0), m_RTT (INITIAL_RTT), m_SlowRTT (INITIAL_RTT), m_SlowRTT2 (INITIAL_RTT),
 		m_WindowSize (INITIAL_WINDOW_SIZE), m_LastWindowDropSize  (0), m_WindowDropTargetSize (0), m_WindowIncCounter (0), 
 		m_RTO (INITIAL_RTO), m_AckDelay (local.GetOwner ()->GetStreamingAckDelay ()),
-		m_PrevRTTSample (INITIAL_RTT), m_Jitter (0), m_MinPacingTime (0),
+		m_PrevRTTSample (INITIAL_RTT), m_WindowSizeTail (0), m_Jitter (0), m_MinPacingTime (0),
-		m_PacingTime (INITIAL_PACING_TIME), m_PacingTimeRem (0), m_LastSendTime (0), m_RemoteLeaseChangeTime (0),
+		m_PacingTime (INITIAL_PACING_TIME), m_PacingTimeRem (0), m_LastSendTime (0), m_LastACKRecieveTime (0), m_ACKRecieveInterval (local.GetOwner ()->GetStreamingAckDelay ()), m_RemoteLeaseChangeTime (0), m_LastWindowIncTime (0),
 		m_LastACKSendTime (0), m_PacketACKInterval (1), m_PacketACKIntervalRem (0), // for limit inbound speed
 		m_NumResendAttempts (0), m_NumPacketsToSend (0), m_MTU (STREAMING_MTU)
 	{
@ -364,12 +364,14 @@ namespace stream
 				}
 				if (delayRequested >= DELAY_CHOKING)
 				{
-					if (!m_IsWinDropped)
+					if (!m_IsClientChoked)
 					{
 						LogPrint (eLogDebug, "Streaming: Client choked, set min. window size");
 						m_WindowDropTargetSize = MIN_WINDOW_SIZE;
 						m_LastWindowDropSize = 0;
 						m_WindowIncCounter = 0;
-						m_IsWinDropped = true; // don't drop window twice
+						m_IsClientChoked = true;
 						m_IsWinDropped = false;
 						m_DropWindowDelaySequenceNumber = m_SequenceNumber;
 						UpdatePacingTime ();
 					}
@ -537,12 +539,21 @@ namespace stream
 				m_SentPackets.erase (it++);
 				m_LocalDestination.DeletePacket (sentPacket);
 				acknowledged = true;
-				if (m_WindowSize < MAX_WINDOW_SIZE && !m_IsFirstACK)
+				if (m_WindowIncCounter < MAX_WINDOW_SIZE && !m_IsFirstACK && !m_IsWinDropped)
 					incCounter++;
 			}
 			else
 				break;
 		}
 		if (m_LastACKRecieveTime)
 		{
 			uint64_t interval = ts - m_LastACKRecieveTime;
 			if (m_ACKRecieveInterval)
 				m_ACKRecieveInterval = (m_ACKRecieveInterval + interval) / 2;
 			else
 				m_ACKRecieveInterval = interval;
 		}
 		m_LastACKRecieveTime = ts;
 		if (rttSample != INT_MAX)
 		{
 			if (m_IsFirstRttSample && !m_IsFirstACK)
@ -588,36 +599,31 @@ namespace stream
 			m_WindowIncCounter = m_WindowIncCounter + incCounter;
 			//
 			// delay-based CC
-			if ((m_SlowRTT2 > m_SlowRTT + m_Jitter && rttSample > m_SlowRTT2 && rttSample > m_PrevRTTSample) && !m_IsWinDropped) // Drop window if RTT grows too fast, late detection
+			if ((m_SlowRTT2 > m_SlowRTT + m_Jitter && rttSample > m_SlowRTT2 && rttSample > m_PrevRTTSample) && !m_IsWinDropped && !m_IsClientChoked) // Drop window if RTT grows too fast, late detection
 			{
 				LogPrint (eLogDebug, "Streaming: Congestion detected, reduce window size");
 				ProcessWindowDrop ();
 			}
 			UpdatePacingTime ();
 			m_PrevRTTSample = rttSample;
 			bool wasInitial = m_RTO == INITIAL_RTO;
-			m_RTO = std::max (MIN_RTO, (int)(m_RTT * 1.3 + m_Jitter)); // TODO: implement it better
+			m_RTO = std::max (MIN_RTO, (int)(m_RTT * 1.3 + m_Jitter + m_ACKRecieveInterval)); // TODO: implement it better
 			if (wasInitial)
 				ScheduleResend ();
 		}
 		if (m_IsClientChoked && ackThrough >= m_DropWindowDelaySequenceNumber)
 			m_IsClientChoked = false;
 		if (m_IsWinDropped && ackThrough > m_DropWindowDelaySequenceNumber)
 		{
 			m_IsFirstRttSample = true;
 			m_IsWinDropped = false;
 		}
-		if (m_WindowDropTargetSize && m_WindowSize <= m_WindowDropTargetSize)
+		if (m_WindowDropTargetSize && int(m_SentPackets.size ()) <= m_WindowDropTargetSize)
 		{
 			m_WindowSize = m_WindowDropTargetSize;
 			m_WindowDropTargetSize = 0;
 			m_DropWindowDelaySequenceNumber = m_SequenceNumber;
 		}
 		if (acknowledged && m_WindowDropTargetSize && m_WindowSize > m_WindowDropTargetSize)
 		{
 			m_RTO = std::max (MIN_RTO, (int)(m_RTT * 1.5 + m_Jitter)); // we assume that the next rtt sample may be much larger than the current
 			m_IsResendNeeded = true;
 			m_WindowSize = m_SentPackets.size () + 1; // if there are no packets to resend, just send one regular packet
 			if (m_WindowSize < MIN_WINDOW_SIZE) m_WindowSize = MIN_WINDOW_SIZE;
 			if (m_WindowSize > MAX_WINDOW_SIZE) m_WindowSize = MAX_WINDOW_SIZE;
 			m_WindowIncCounter = 0;
 			UpdatePacingTime ();
 		}
 		if (acknowledged || m_IsNAcked)
 		{
@ -626,12 +632,14 @@ namespace stream
 		if (m_SendBuffer.IsEmpty () && m_SentPackets.size () > 0) // tail loss
 		{
 			m_IsResendNeeded = true;
-			m_RTO = std::max (MIN_RTO, (int)(m_RTT * 1.5 + m_Jitter)); // to prevent spurious retransmit
+			m_RTO = std::max (MIN_RTO, (int)(m_RTT * 1.5 + m_Jitter + m_ACKRecieveInterval)); // to prevent spurious retransmit
 		}
 		if (m_SentPackets.empty () && m_SendBuffer.IsEmpty ())
 		{
 			m_ResendTimer.cancel ();
 			m_SendTimer.cancel ();
 			m_LastACKRecieveTime = 0;
 			m_ACKRecieveInterval = m_AckDelay;
 		}
 		if (acknowledged && m_IsFirstACK)
 		{
@ -958,7 +966,7 @@ namespace stream
 		if (choking || requestImmediateAck)
 		{
 			htobe16buf (packet + size, 2); // 2 bytes delay interval
-			htobe16buf (packet + size + 2, choking ? DELAY_CHOKING : 0); // set choking or immediated ack interval
+			htobe16buf (packet + size + 2, choking ? DELAY_CHOKING : 0); // set choking or immediate ack interval
 			size += 2;
 			if (requestImmediateAck) // ack request sent
 			{
@ -1147,7 +1155,6 @@ namespace stream
 				m_CurrentOutboundTunnel = routingPath->outboundTunnel;
 				m_CurrentRemoteLease = routingPath->remoteLease;
 				m_RTT = routingPath->rtt;
 				m_RTO = std::max (MIN_RTO, (int)(m_RTT * 1.3 + m_Jitter)); // TODO: implement it better
 			}
 		}
@ -1159,9 +1166,10 @@ namespace stream
 		}
 		if (m_RemoteLeaseChangeTime && m_IsRemoteLeaseChangeInProgress && ts > m_RemoteLeaseChangeTime + INITIAL_RTO)
 		{
 			LogPrint (eLogDebug, "Streaming: RemoteLease changed, set initial window size");
 			CancelRemoteLeaseChange ();
 			m_CurrentRemoteLease = m_NextRemoteLease;
-			HalveWindowSize ();
+			ResetWindowSize ();
 		}
 		auto currentRemoteLease = m_CurrentRemoteLease;
 		if (!m_IsRemoteLeaseChangeInProgress && m_RemoteLeaseSet && m_CurrentRemoteLease && ts >= m_CurrentRemoteLease->endDate - i2p::data::LEASE_ENDDATE_THRESHOLD)
@ -1196,7 +1204,8 @@ namespace stream
 			}
 			if (freshTunnel)
 			{
-				m_RTO = INITIAL_RTO;
+				LogPrint (eLogDebug, "Streaming: OutboundTunnel changed, set initial window size");
 				ResetWindowSize ();
 //				m_TunnelsChangeSequenceNumber = m_SequenceNumber; // should be determined more precisely
 			}
@ -1286,11 +1295,35 @@ namespace stream
 					m_NumPacketsToSend = 1; m_PacingTimeRem = 0;
 				}	
 				m_IsSendTime = true;
-				if (m_WindowIncCounter && m_WindowSize < MAX_WINDOW_SIZE && !m_SendBuffer.IsEmpty () && m_PacingTime > m_MinPacingTime)
+				if (m_WindowIncCounter && (m_WindowSize < MAX_WINDOW_SIZE || m_WindowDropTargetSize) && !m_SendBuffer.IsEmpty () && m_PacingTime > m_MinPacingTime && m_RTT <= m_SlowRTT)
 				{
 					float winSize = m_WindowSize;
 					if (m_WindowDropTargetSize)
 						winSize = m_WindowDropTargetSize;
 					float maxWinSize = MAX_WINDOW_SIZE;
 					if (m_LastWindowIncTime)
 						maxWinSize = (ts - m_LastWindowIncTime) / (m_RTT / MAX_WINDOW_SIZE_INC_PER_RTT) + winSize;
 					for (int i = 0; i < m_NumPacketsToSend; i++)
 					{
 						if (m_WindowIncCounter)
 						{
 							if (m_WindowDropTargetSize)
 							{
 								if (m_LastWindowDropSize && (m_LastWindowDropSize >= m_WindowDropTargetSize))
 									m_WindowDropTargetSize += 1 - (1 / ((m_LastWindowDropSize + PREV_SPEED_KEEP_TIME_COEFF) / m_WindowDropTargetSize)); // some magic here
 								else if (m_LastWindowDropSize && (m_LastWindowDropSize < m_WindowDropTargetSize))
 									m_WindowDropTargetSize += (m_WindowDropTargetSize - (m_LastWindowDropSize - PREV_SPEED_KEEP_TIME_COEFF)) / m_WindowDropTargetSize; // some magic here
 								else
 									m_WindowDropTargetSize += (m_WindowDropTargetSize - (1 - PREV_SPEED_KEEP_TIME_COEFF)) / m_WindowDropTargetSize;
 								if (m_WindowDropTargetSize > MAX_WINDOW_SIZE) m_WindowDropTargetSize = MAX_WINDOW_SIZE;
 								m_WindowIncCounter--;
 								if (m_WindowDropTargetSize >= maxWinSize)
 								{
 									m_WindowDropTargetSize = maxWinSize;
 									break;
 								}
 							}
 							else
 							{
 								if (m_LastWindowDropSize && (m_LastWindowDropSize >= m_WindowSize))
 									m_WindowSize += 1 - (1 / ((m_LastWindowDropSize + PREV_SPEED_KEEP_TIME_COEFF) / m_WindowSize)); // some magic here
@ -1300,17 +1333,26 @@ namespace stream
 									m_WindowSize += (m_WindowSize - (1 - PREV_SPEED_KEEP_TIME_COEFF)) / m_WindowSize;
 								if (m_WindowSize > MAX_WINDOW_SIZE) m_WindowSize = MAX_WINDOW_SIZE;
 								m_WindowIncCounter--;
 								if (m_WindowSize >= maxWinSize)
 								{
 									m_WindowSize = maxWinSize;
 									break;
 								}
 							}
 						}
 						else
 							break;
 					}
 					m_LastWindowIncTime = ts;
 					UpdatePacingTime ();
 				}
-				if (m_IsNAcked)
+				else if (m_WindowIncCounter && m_WindowSize == MAX_WINDOW_SIZE && !m_SendBuffer.IsEmpty () && m_PacingTime > m_MinPacingTime)
 				{
 					m_WindowSizeTail = m_WindowSizeTail + m_WindowIncCounter;
 					if (m_WindowSizeTail > MAX_WINDOW_SIZE) m_WindowSizeTail = MAX_WINDOW_SIZE;
 				}
 				if (m_IsNAcked || m_IsResendNeeded || m_IsClientChoked) // resend packets
 					ResendPacket ();
 				else if (m_IsResendNeeded) // resend packets
 					ResendPacket ();
 				// delay-based CC
 				else if (m_WindowSize > int(m_SentPackets.size ())) // send packets
 					SendBuffer ();
 			}
@ -1409,9 +1451,12 @@ namespace stream
 			if (m_NumResendAttempts == 1 && m_RTO != INITIAL_RTO)
 			{
 				// loss-based CC
-				if (!m_IsWinDropped && LOSS_BASED_CONTROL_ENABLED)
+				if (!m_IsWinDropped && LOSS_BASED_CONTROL_ENABLED && !m_IsClientChoked)
 				{
 					LogPrint (eLogDebug, "Streaming: Packet loss, reduce window size");
 					ProcessWindowDrop ();
 				}
 			}
 			else if (m_IsTimeOutResend)
 			{
 				m_IsTimeOutResend = false;
@ -1423,6 +1468,8 @@ namespace stream
 				m_IsFirstRttSample = true;
 				m_DropWindowDelaySequenceNumber = 0;
 				m_IsFirstACK = true;
 				m_LastACKRecieveTime = 0;
 				m_ACKRecieveInterval = m_AckDelay;
 				UpdatePacingTime ();
 				if (m_RoutingSession) m_RoutingSession->SetSharedRoutingPath (nullptr);
 				if (m_NumResendAttempts & 1)
@ -1443,11 +1490,12 @@ namespace stream
 			SendPackets (packets);
 			m_LastSendTime = ts;
 			m_IsSendTime = false;
-			if (m_IsNAcked || m_IsResendNeeded) ScheduleSend ();
+			if (m_IsNAcked || m_IsResendNeeded || m_IsClientChoked) ScheduleSend ();
 		}
-		else
+		else if (!m_IsClientChoked)
 			SendBuffer ();
 		if (!m_IsNAcked && !m_IsResendNeeded) ScheduleResend ();
 		if (m_IsClientChoked) ScheduleSend ();
 	}
 	void Stream::ScheduleAck (int timeout)
@ -1586,7 +1634,8 @@ namespace stream
 		}
 		if (isLeaseChanged && !m_IsRemoteLeaseChangeInProgress)
 		{
-			HalveWindowSize ();
+			LogPrint (eLogDebug, "Streaming: RemoteLease changed, set initial window size");
 			ResetWindowSize ();
 		}
 	}
@ -1602,6 +1651,9 @@ namespace stream
 	void Stream::UpdatePacingTime ()
 	{
 		if (m_WindowDropTargetSize)
 			m_PacingTime = std::round (m_RTT*1000/m_WindowDropTargetSize);
 		else
 			m_PacingTime = std::round (m_RTT*1000/m_WindowSize);
 		if (m_MinPacingTime && m_PacingTime < m_MinPacingTime)
 			m_PacingTime = m_MinPacingTime;
@ -1609,36 +1661,50 @@ namespace stream
 	void Stream::ProcessWindowDrop ()
 	{
-		if (m_WindowSize > m_LastWindowDropSize)
+		if (m_WindowDropTargetSize)
-			m_LastWindowDropSize = (m_LastWindowDropSize + m_WindowSize) / 2;
+			m_WindowDropTargetSize = (m_WindowDropTargetSize / 2) * 0.75; // congestion window size and -25% to drain queue
 		else
-			m_LastWindowDropSize = m_WindowSize;
+		{
-		m_WindowDropTargetSize = m_LastWindowDropSize - (m_LastWindowDropSize / 4); // -25%;
+			if (m_WindowSize < m_LastWindowDropSize)
-		if (m_WindowDropTargetSize < MIN_WINDOW_SIZE + 1)
+			{
-			m_WindowDropTargetSize = MIN_WINDOW_SIZE + 1;
+				m_LastWindowDropSize = std::max ((m_WindowSize - MAX_WINDOW_SIZE_INC_PER_RTT), (m_WindowSize - (m_LastWindowDropSize - m_WindowSize)));
-		m_WindowSize = m_SentPackets.size (); // stop sending now
+				if (m_LastWindowDropSize < MIN_WINDOW_SIZE) m_LastWindowDropSize = MIN_WINDOW_SIZE;
-		if (m_WindowSize < MIN_WINDOW_SIZE) m_WindowSize = MIN_WINDOW_SIZE;
+			}
 			else
 			{
 				m_LastWindowDropSize = std::max ((m_WindowSize - MAX_WINDOW_SIZE_INC_PER_RTT), ((m_LastWindowDropSize + m_WindowSize + m_WindowSizeTail) / 2));
 				if (m_LastWindowDropSize > MAX_WINDOW_SIZE) m_LastWindowDropSize = MAX_WINDOW_SIZE;
 			}
 			m_WindowDropTargetSize = m_LastWindowDropSize * 0.75; // -25% to drain queue
 		}
 		if (m_WindowDropTargetSize < MIN_WINDOW_SIZE)
 			m_WindowDropTargetSize = MIN_WINDOW_SIZE;
 		m_WindowIncCounter = 0; // disable window growth
-		m_DropWindowDelaySequenceNumber = m_SequenceNumber;
+		m_DropWindowDelaySequenceNumber = m_SequenceNumber + int(m_WindowDropTargetSize);
 		m_IsFirstACK = true; // ignore first RTT sample
 		m_IsWinDropped = true; // don't drop window twice
 		m_WindowSizeTail = 0;
 		UpdatePacingTime ();
 	}
-	void Stream::HalveWindowSize ()
+	void Stream::ResetWindowSize ()
 	{
 		m_RTO = INITIAL_RTO;
 		if (!m_IsClientChoked)
 		{
 			if (m_WindowSize > INITIAL_WINDOW_SIZE)
 			{
-			m_WindowDropTargetSize = std::max (m_WindowSize/2, (float)INITIAL_WINDOW_SIZE);
+				m_WindowDropTargetSize = (float)INITIAL_WINDOW_SIZE;
 				m_IsWinDropped = true;
 			}
 			else
 				m_WindowSize = INITIAL_WINDOW_SIZE;
 		}
 		m_LastWindowDropSize = 0;
 		m_WindowIncCounter = 0;
 		m_IsFirstRttSample = true;
 		m_IsFirstACK = true;
 		m_WindowSizeTail = 0;
 		UpdatePacingTime ();
 	}
--- a/libi2pd/Streaming.h
+++ b/libi2pd/Streaming.h
@ -57,6 +57,7 @@ namespace stream
 	const int INITIAL_WINDOW_SIZE = 10;
 	const int MIN_WINDOW_SIZE = 3;
 	const int MAX_WINDOW_SIZE = 512;
 	const int MAX_WINDOW_SIZE_INC_PER_RTT = 16;
 	const double RTT_EWMA_ALPHA = 0.25;
 	const double SLOWRTT_EWMA_ALPHA = 0.05;
 	const double PREV_SPEED_KEEP_TIME_COEFF = 0.35; // 0.1 - 1 // how long will the window size stay around the previous drop level, less is longer
@ -251,7 +252,7 @@ namespace stream
 			void UpdatePacingTime ();
 			void ProcessWindowDrop ();
-			void HalveWindowSize ();
+			void ResetWindowSize ();
 			void CancelRemoteLeaseChange ();
 		private:
@ -272,6 +273,7 @@ namespace stream
 			bool m_IsFirstRttSample;
 			bool m_IsSendTime;
 			bool m_IsWinDropped;
 			bool m_IsClientChoked;
 			bool m_IsTimeOutResend;
 			bool m_IsImmediateAckRequested;
 			bool m_IsRemoteLeaseChangeInProgress;
@ -295,10 +297,10 @@ namespace stream
 			SendBufferQueue m_SendBuffer;
 			double m_RTT, m_SlowRTT, m_SlowRTT2;
 			float m_WindowSize, m_LastWindowDropSize, m_WindowDropTargetSize;
-			int m_WindowIncCounter, m_RTO, m_AckDelay, m_PrevRTTSample;
+			int m_WindowIncCounter, m_RTO, m_AckDelay, m_PrevRTTSample, m_WindowSizeTail;
 			double m_Jitter;
 			uint64_t m_MinPacingTime, m_PacingTime, m_PacingTimeRem, // microseconds
-				m_LastSendTime, m_RemoteLeaseChangeTime;	// miliseconds
+				m_LastSendTime, m_LastACKRecieveTime, m_ACKRecieveInterval, m_RemoteLeaseChangeTime, m_LastWindowIncTime;	// milliseconds
 			uint64_t m_LastACKSendTime, m_PacketACKInterval, m_PacketACKIntervalRem; // for limit inbound speed
 			int m_NumResendAttempts, m_NumPacketsToSend;
 			size_t m_MTU;
--- a/libi2pd/Tag.h
+++ b/libi2pd/Tag.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2023, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -12,10 +12,14 @@
 #include <boost/static_assert.hpp>
 #include <string.h>
 #include <openssl/rand.h>
 #include <string>
 #include <string_view>
 #include "Base.h"
-namespace i2p {
+namespace i2p 
-namespace data {
+{
 namespace data 
 {
 	template<size_t sz>
 	class Tag
 	{
@ -65,19 +69,17 @@ namespace data {
 			std::string ToBase32 (size_t len = sz) const
 			{
-				char str[sz*2];
+				return i2p::data::ByteStreamToBase32 (m_Buf, len);
 				size_t l = i2p::data::ByteStreamToBase32 (m_Buf, len, str, sz*2);
 				return std::string (str, str + l);
 			}
-			size_t FromBase32 (const std::string& s)
+			size_t FromBase32 (std::string_view s)
 			{
-				return i2p::data::Base32ToByteStream (s.c_str (), s.length (), m_Buf, sz);
+				return i2p::data::Base32ToByteStream (s, m_Buf, sz);
 			}
-			size_t FromBase64 (const std::string& s)
+			size_t FromBase64 (std::string_view s)
 			{
-				return i2p::data::Base64ToByteStream (s.c_str (), s.length (), m_Buf, sz);
+				return i2p::data::Base64ToByteStream (s.data (), s.length (), m_Buf, sz);
 			}
 			uint8_t GetBit (int i) const
--- a/libi2pd/TransitTunnel.cpp
+++ b/libi2pd/TransitTunnel.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -10,6 +10,8 @@
 #include "I2PEndian.h"
 #include "Crypto.h"
 #include "Log.h"
 #include "Identity.h"
 #include "RouterInfo.h"
 #include "RouterContext.h"
 #include "I2NPProtocol.h"
 #include "Garlic.h"
@ -41,6 +43,21 @@ namespace tunnel
 		i2p::transport::transports.UpdateTotalTransitTransmittedBytes (TUNNEL_DATA_MSG_SIZE);
 	}
 	std::string TransitTunnel::GetNextPeerName () const
 	{
 		return i2p::data::GetIdentHashAbbreviation (GetNextIdentHash ());
 	}	
 	void TransitTunnel::SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg)
 	{
 		LogPrint (eLogError, "TransitTunnel: We are not a gateway for ", GetTunnelID ());
 	}
 	void TransitTunnel::HandleTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage>&& tunnelMsg)
 	{
 		LogPrint (eLogError, "TransitTunnel: Incoming tunnel message is not supported ", GetTunnelID ());
 	}
 	TransitTunnelParticipant::~TransitTunnelParticipant ()
 	{
 	}
@ -62,18 +79,21 @@ namespace tunnel
 			auto num = m_TunnelDataMsgs.size ();
 			if (num > 1)
 				LogPrint (eLogDebug, "TransitTunnel: ", GetTunnelID (), "->", GetNextTunnelID (), " ", num);
-			i2p::transport::transports.SendMessages (GetNextIdentHash (), m_TunnelDataMsgs); // send and clear
+			if (!m_Sender) m_Sender = std::make_unique<TunnelTransportSender>();
 			m_Sender->SendMessagesTo (GetNextIdentHash (), m_TunnelDataMsgs); // send and clear
 		}
 	}
-	void TransitTunnel::SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg)
+	std::string TransitTunnelParticipant::GetNextPeerName () const
 	{
-		LogPrint (eLogError, "TransitTunnel: We are not a gateway for ", GetTunnelID ());
+		if (m_Sender)
 		{
 			auto transport = m_Sender->GetCurrentTransport ();
 			if (transport)
 				return TransitTunnel::GetNextPeerName () + "-" + 
 					i2p::data::RouterInfo::GetTransportName (transport->GetTransportType ());
 		}	
-
+		return TransitTunnel::GetNextPeerName ();
 	void TransitTunnel::HandleTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage>&& tunnelMsg)
 	{
 		LogPrint (eLogError, "TransitTunnel: Incoming tunnel message is not supported ", GetTunnelID ());
 	}	
 	void TransitTunnelGateway::SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg)
@ -81,23 +101,76 @@ namespace tunnel
 		TunnelMessageBlock block;
 		block.deliveryType = eDeliveryTypeLocal;
 		block.data = msg;
-		std::unique_lock<std::mutex> l(m_SendMutex);
+		std::lock_guard<std::mutex> l(m_SendMutex);
 		m_Gateway.PutTunnelDataMsg (block);
 	}
 	void TransitTunnelGateway::FlushTunnelDataMsgs ()
 	{
-		std::unique_lock<std::mutex> l(m_SendMutex);
+		std::lock_guard<std::mutex> l(m_SendMutex);
 		m_Gateway.SendBuffer ();
 	}
 	std::string TransitTunnelGateway::GetNextPeerName () const
 	{
 		const auto& sender = m_Gateway.GetSender ();
 		if (sender)
 		{
 			auto transport = sender->GetCurrentTransport ();
 			if (transport)
 				return TransitTunnel::GetNextPeerName () + "-" + 
 					i2p::data::RouterInfo::GetTransportName (transport->GetTransportType ());
 		}	
 		return TransitTunnel::GetNextPeerName ();
 	}	
 	void TransitTunnelEndpoint::HandleTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage>&& tunnelMsg)
 	{
 		auto newMsg = CreateEmptyTunnelDataMsg (true);
 		EncryptTunnelMsg (tunnelMsg, newMsg);
 		LogPrint (eLogDebug, "TransitTunnel: handle msg for endpoint ", GetTunnelID ());
-		m_Endpoint.HandleDecryptedTunnelDataMsg (newMsg);
+		std::lock_guard<std::mutex> l(m_HandleMutex);
 		if (!m_Endpoint) m_Endpoint = std::make_unique<TunnelEndpoint>(false); // transit endpoint is always outbound
 		m_Endpoint->HandleDecryptedTunnelDataMsg (newMsg);
 	}
 	void TransitTunnelEndpoint::FlushTunnelDataMsgs ()
 	{
 		if (m_Endpoint)
 		{
 			std::lock_guard<std::mutex> l(m_HandleMutex);
 			m_Endpoint->FlushI2NPMsgs ();
 		}	
 	}	
 	void TransitTunnelEndpoint::Cleanup ()
 	{ 
 		if (m_Endpoint)
 		{	
 			std::lock_guard<std::mutex> l(m_HandleMutex);
 			m_Endpoint->Cleanup ();
 		}	
 	}	
 	std::string TransitTunnelEndpoint::GetNextPeerName () const
 	{ 
 		if (!m_Endpoint) return "";
 		auto hash = m_Endpoint->GetCurrentHash ();
 		if (hash)
 		{	
 			const auto& sender = m_Endpoint->GetSender ();
 			if (sender)
 			{
 				auto transport = sender->GetCurrentTransport ();
 				if (transport)
 					return i2p::data::GetIdentHashAbbreviation (*hash) + "-" + 
 						i2p::data::RouterInfo::GetTransportName (transport->GetTransportType ());
 				else
 					return i2p::data::GetIdentHashAbbreviation (*hash);
 			}	
 		}
 		return "";
 	}	
 	std::shared_ptr<TransitTunnel> CreateTransitTunnel (uint32_t receiveTunnelID,
@ -123,7 +196,7 @@ namespace tunnel
 	}
 	TransitTunnels::TransitTunnels ():
-		m_IsRunning (false)
+		m_IsRunning (false), m_Rng(i2p::util::GetMonotonicMicroseconds ()%1000000LL)
 	{
 	}
@ -263,21 +336,46 @@ namespace tunnel
 				// check if we accept this tunnel
 				std::shared_ptr<i2p::tunnel::TransitTunnel> transitTunnel;
 				uint8_t retCode = 0;
-				if (!i2p::context.AcceptsTunnels () || i2p::context.GetCongestionLevel (false) >= CONGESTION_LEVEL_FULL)
+				if (i2p::context.AcceptsTunnels ())
 				{
 					auto congestionLevel = i2p::context.GetCongestionLevel (false);
 					if (congestionLevel < CONGESTION_LEVEL_FULL)
 					{	
 						if (congestionLevel >= CONGESTION_LEVEL_MEDIUM)
 						{	
 							// random reject depending on congestion level
 							int level = m_Rng () % (CONGESTION_LEVEL_FULL - CONGESTION_LEVEL_MEDIUM) + CONGESTION_LEVEL_MEDIUM;
 							if (congestionLevel > level)
 								retCode = 30;
 						}	
 					}	
 					else
 						retCode = 30;
 				}	
 				else	
 					retCode = 30;
 				if (!retCode)
 				{
 					i2p::data::IdentHash nextIdent(clearText + SHORT_REQUEST_RECORD_NEXT_IDENT_OFFSET);
 					bool isEndpoint = clearText[SHORT_REQUEST_RECORD_FLAG_OFFSET] & TUNNEL_BUILD_RECORD_ENDPOINT_FLAG;
 					if (isEndpoint || !i2p::data::IsRouterDuplicated (nextIdent))
 					{	
 						// create new transit tunnel
-					transitTunnel = i2p::tunnel::CreateTransitTunnel (
+						transitTunnel = CreateTransitTunnel (
 							bufbe32toh (clearText + SHORT_REQUEST_RECORD_RECEIVE_TUNNEL_OFFSET),
-						clearText + SHORT_REQUEST_RECORD_NEXT_IDENT_OFFSET,
+							nextIdent,
 							bufbe32toh (clearText + SHORT_REQUEST_RECORD_NEXT_TUNNEL_OFFSET),
 							layerKey, ivKey,
 							clearText[SHORT_REQUEST_RECORD_FLAG_OFFSET] & TUNNEL_BUILD_RECORD_GATEWAY_FLAG,
-						clearText[SHORT_REQUEST_RECORD_FLAG_OFFSET] & TUNNEL_BUILD_RECORD_ENDPOINT_FLAG);
+							isEndpoint);
 						if (!AddTransitTunnel (transitTunnel))
 							retCode = 30;
 					}
 					else
 						// decline tunnel going to duplicated router 
 						retCode = 30;
 				}
 				// encrypt reply
 				uint8_t nonce[12];
@ -387,7 +485,7 @@ namespace tunnel
 						if (congestionLevel < CONGESTION_LEVEL_FULL)
 						{
 							// random reject depending on congestion level
-							int level = i2p::tunnel::tunnels.GetRng ()() % (CONGESTION_LEVEL_FULL - CONGESTION_LEVEL_MEDIUM) + CONGESTION_LEVEL_MEDIUM;
+							int level = m_Rng () % (CONGESTION_LEVEL_FULL - CONGESTION_LEVEL_MEDIUM) + CONGESTION_LEVEL_MEDIUM;
 							if (congestionLevel > level)
 								accept = false;
 						}	
@ -395,23 +493,32 @@ namespace tunnel
 							accept = false;
 					}	
 				}	
-				// replace record to reply
+					
 				if (accept)
 				{
-					auto transitTunnel = i2p::tunnel::CreateTransitTunnel (
+					i2p::data::IdentHash nextIdent(clearText + ECIES_BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET);
 					bool isEndpoint = clearText[ECIES_BUILD_REQUEST_RECORD_FLAG_OFFSET] & TUNNEL_BUILD_RECORD_ENDPOINT_FLAG;
 					if (isEndpoint || !i2p::data::IsRouterDuplicated (nextIdent))
 					{	
 						auto transitTunnel = CreateTransitTunnel (
 								bufbe32toh (clearText + ECIES_BUILD_REQUEST_RECORD_RECEIVE_TUNNEL_OFFSET),
-							clearText + ECIES_BUILD_REQUEST_RECORD_NEXT_IDENT_OFFSET,
+								nextIdent,
 								bufbe32toh (clearText + ECIES_BUILD_REQUEST_RECORD_NEXT_TUNNEL_OFFSET),
 								clearText + ECIES_BUILD_REQUEST_RECORD_LAYER_KEY_OFFSET,
 								clearText + ECIES_BUILD_REQUEST_RECORD_IV_KEY_OFFSET,
 								clearText[ECIES_BUILD_REQUEST_RECORD_FLAG_OFFSET] & TUNNEL_BUILD_RECORD_GATEWAY_FLAG,
-							clearText[ECIES_BUILD_REQUEST_RECORD_FLAG_OFFSET] & TUNNEL_BUILD_RECORD_ENDPOINT_FLAG);
+								isEndpoint);
 						if (!AddTransitTunnel (transitTunnel))
 							retCode = 30;
 					}	
 					else
 						// decline tunnel going to duplicated router 
 						retCode = 30;
 				}
 				else
 					retCode = 30; // always reject with bandwidth reason (30)
 				// replace record to reply
 				memset (record + ECIES_BUILD_RESPONSE_RECORD_OPTIONS_OFFSET, 0, 2); // no options
 				record[ECIES_BUILD_RESPONSE_RECORD_RET_OFFSET] = retCode;
 				// encrypt reply
@ -434,8 +541,7 @@ namespace tunnel
 					else
 					{
 						encryption.SetKey (clearText + ECIES_BUILD_REQUEST_RECORD_REPLY_KEY_OFFSET);
-						encryption.SetIV (clearText + ECIES_BUILD_REQUEST_RECORD_REPLY_IV_OFFSET);
+						encryption.Encrypt(reply, TUNNEL_BUILD_RECORD_SIZE, clearText + ECIES_BUILD_REQUEST_RECORD_REPLY_IV_OFFSET, reply);
 						encryption.Encrypt(reply, TUNNEL_BUILD_RECORD_SIZE, reply);
 					}
 				}
 				return true;
--- a/libi2pd/TransitTunnel.h
+++ b/libi2pd/TransitTunnel.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -33,11 +33,13 @@ namespace tunnel
 				const i2p::crypto::AESKey& layerKey, const i2p::crypto::AESKey& ivKey);
 			virtual size_t GetNumTransmittedBytes () const { return 0; };
 			virtual std::string GetNextPeerName () const;
 			// implements TunnelBase
 			void SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg) override;
 			void HandleTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage>&& tunnelMsg) override;
 			void EncryptTunnelMsg (std::shared_ptr<const I2NPMessage> in, std::shared_ptr<I2NPMessage> out) override;
 		private:
 			i2p::crypto::AESKey m_LayerKey, m_IVKey;
@ -56,6 +58,7 @@ namespace tunnel
 			~TransitTunnelParticipant ();
 			size_t GetNumTransmittedBytes () const override { return m_NumTransmittedBytes; };
 			std::string GetNextPeerName () const override;
 			void HandleTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage>&& tunnelMsg) override;
 			void FlushTunnelDataMsgs () override;
@ -63,6 +66,7 @@ namespace tunnel
 			size_t m_NumTransmittedBytes;
 			std::list<std::shared_ptr<i2p::I2NPMessage> > m_TunnelDataMsgs;
 			std::unique_ptr<TunnelTransportSender> m_Sender;
 	};
 	class TransitTunnelGateway: public TransitTunnel
@ -78,6 +82,7 @@ namespace tunnel
 			void SendTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage> msg) override;
 			void FlushTunnelDataMsgs () override;
 			size_t GetNumTransmittedBytes () const override { return m_Gateway.GetNumSentBytes (); };
 			std::string GetNextPeerName () const override;
 		private:
@ -92,17 +97,19 @@ namespace tunnel
 			TransitTunnelEndpoint (uint32_t receiveTunnelID,
 				const i2p::data::IdentHash& nextIdent, uint32_t nextTunnelID,
 				const i2p::crypto::AESKey& layerKey, const i2p::crypto::AESKey& ivKey):
-				TransitTunnel (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey),
+				TransitTunnel (receiveTunnelID, nextIdent, nextTunnelID, layerKey, ivKey) {}; 
 				m_Endpoint (false) {}; // transit endpoint is always outbound
-			void Cleanup () override { m_Endpoint.Cleanup (); }
+			void Cleanup () override;
 			void HandleTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage>&& tunnelMsg) override;
-			size_t GetNumTransmittedBytes () const override { return m_Endpoint.GetNumReceivedBytes (); }
+			void FlushTunnelDataMsgs () override;
 			size_t GetNumTransmittedBytes () const override { return m_Endpoint ? m_Endpoint->GetNumReceivedBytes () : 0; }
 			std::string GetNextPeerName () const override;
 		private:
-			TunnelEndpoint m_Endpoint;
+			std::mutex m_HandleMutex;
 			std::unique_ptr<TunnelEndpoint> m_Endpoint;
 	};
 	std::shared_ptr<TransitTunnel> CreateTransitTunnel (uint32_t receiveTunnelID,
@ -144,6 +151,7 @@ namespace tunnel
 			std::unique_ptr<std::thread> m_Thread;
 			std::list<std::shared_ptr<TransitTunnel> > m_TransitTunnels;
 			i2p::util::Queue<std::shared_ptr<I2NPMessage> > m_TunnelBuildMsgQueue;
 			std::mt19937 m_Rng;
 		public:
--- a/libi2pd/TransportSession.h
+++ b/libi2pd/TransportSession.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -10,7 +10,7 @@
 #define TRANSPORT_SESSION_H__
 #include <inttypes.h>
-#include <iostream>
+#include <string.h>
 #include <memory>
 #include <vector>
 #include <mutex>
@ -28,45 +28,51 @@ namespace transport
 	const size_t IPV6_HEADER_SIZE = 40;
 	const size_t UDP_HEADER_SIZE = 8;
 	template<size_t sz>
 	class SignedData
 	{
 		public:
-			SignedData () {}
+			SignedData (): m_Size(0) {}
 			SignedData (const SignedData& other)
 			{
-				m_Stream << other.m_Stream.rdbuf ();
+				m_Size = other.m_Size;
 				memcpy (m_Buf, other.m_Buf, m_Size);
 			}
 			void Reset ()
 			{
-				m_Stream.str("");
+				m_Size = 0;
 			}
-			void Insert (const uint8_t * buf, size_t len)
+			size_t Insert (const uint8_t * buf, size_t len)
 			{
-				m_Stream.write ((char *)buf, len);
+				if (m_Size + len > sz) len = sz - m_Size;
 				memcpy (m_Buf + m_Size, buf, len); 
 				m_Size += len;
 				return len;
 			}
 			template<typename T>
 			void Insert (T t)
 			{
-				m_Stream.write ((char *)&t, sizeof (T));
+				Insert ((const uint8_t *)&t, sizeof (T));
 			}
 			bool Verify (std::shared_ptr<const i2p::data::IdentityEx> ident, const uint8_t * signature) const
 			{
-				return ident->Verify ((const uint8_t *)m_Stream.str ().c_str (), m_Stream.str ().size (), signature);
+				return ident->Verify (m_Buf, m_Size, signature);
 			}
 			void Sign (const i2p::data::PrivateKeys& keys, uint8_t * signature) const
 			{
-				keys.Sign ((const uint8_t *)m_Stream.str ().c_str (), m_Stream.str ().size (), signature);
+				keys.Sign (m_Buf, m_Size, signature);
 			}
 		private:
-			std::stringstream m_Stream;
+			uint8_t m_Buf[sz];
 			size_t m_Size;
 	};
 	const int64_t TRANSPORT_SESSION_SLOWNESS_THRESHOLD = 500; // in milliseconds
@ -151,6 +157,7 @@ namespace transport
 			};
 			virtual void SendI2NPMessages (std::list<std::shared_ptr<I2NPMessage> >& msgs) = 0;
 			virtual bool IsEstablished () const = 0;
 			virtual i2p::data::RouterInfo::SupportedTransports GetTransportType () const = 0;
 		private:
--- a/libi2pd/Transports.cpp
+++ b/libi2pd/Transports.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -55,6 +55,13 @@ namespace transport
 			m_Thread->join ();
 			m_Thread = nullptr;
 		}
 		if (!m_Queue.empty ())
 		{
 			// clean up queue
 			std::queue<std::shared_ptr<Keys> > tmp;
 	   		std::swap (m_Queue, tmp);
 		}
 		m_KeysPool.CleanUpMt ();
 	}
 	template<typename Keys>
@ -153,7 +160,8 @@ namespace transport
 		m_TotalSentBytes (0), m_TotalReceivedBytes (0), m_TotalTransitTransmittedBytes (0),
 		m_InBandwidth (0), m_OutBandwidth (0), m_TransitBandwidth (0),
 		m_InBandwidth15s (0), m_OutBandwidth15s (0), m_TransitBandwidth15s (0),
-		m_InBandwidth5m (0), m_OutBandwidth5m (0), m_TransitBandwidth5m (0)
+		m_InBandwidth5m (0), m_OutBandwidth5m (0), m_TransitBandwidth5m (0),
 		m_Rng(i2p::util::GetMonotonicMicroseconds () % 1000000LL)
 	{
 	}
@ -331,7 +339,7 @@ namespace transport
 		if (m_IsNAT)
 		{
-			m_PeerTestTimer->expires_from_now (boost::posix_time::minutes(PEER_TEST_INTERVAL));
+			m_PeerTestTimer->expires_from_now (boost::posix_time::seconds(PEER_TEST_INTERVAL + m_Rng() % PEER_TEST_INTERVAL_VARIANCE));
 			m_PeerTestTimer->async_wait (std::bind (&Transports::HandlePeerTestTimer, this, std::placeholders::_1));
 		}
 	}
@ -454,13 +462,6 @@ namespace transport
 		return {}; // invalid future
 	}
 	std::future<std::shared_ptr<TransportSession> > Transports::SendMessages (const i2p::data::IdentHash& ident, std::list<std::shared_ptr<i2p::I2NPMessage> >& msgs)
 	{
 		std::list<std::shared_ptr<i2p::I2NPMessage> > msgs1;
 		msgs.swap (msgs1);
 		return SendMessages (ident, std::move (msgs1));
 	}
 	std::future<std::shared_ptr<TransportSession> > Transports::SendMessages (const i2p::data::IdentHash& ident, std::list<std::shared_ptr<i2p::I2NPMessage> >&& msgs)
 	{
 		return boost::asio::post (*m_Service, boost::asio::use_future ([this, ident, msgs = std::move(msgs)] () mutable
@ -560,7 +561,14 @@ namespace transport
 	bool Transports::ConnectToPeer (const i2p::data::IdentHash& ident, std::shared_ptr<Peer> peer)
 	{
 		if (!peer->router) // reconnect
-			peer->SetRouter (netdb.FindRouter (ident)); // try to get new one from netdb
+		{	
 			auto r = netdb.FindRouter (ident); // try to get new one from netdb
 			if (r)
 			{	
 				peer->SetRouter (r); 
 				r->CancelBufferToDelete ();
 			}	
 		}	
 		if (peer->router) // we have RI already
 		{
 			if (peer->priority.empty ())
@ -647,7 +655,7 @@ namespace transport
 		return true;
 	}
-	void Transports::SetPriority (std::shared_ptr<Peer> peer) const
+	void Transports::SetPriority (std::shared_ptr<Peer> peer)
 	{
 		static const std::vector<i2p::data::RouterInfo::SupportedTransports>
 			ntcp2Priority =
@ -672,8 +680,21 @@ namespace transport
 		auto directTransports = compatibleTransports & peer->router->GetPublishedTransports ();
 		peer->numAttempts = 0;
 		peer->priority.clear ();
-		bool isReal = peer->router->GetProfile ()->IsReal (); 
+		
-		bool ssu2 = isReal ? (rand () & 1) : false; // try NTCP2 if router is not confirmed real
+		std::shared_ptr<RouterProfile> profile;
 		if (peer->router->HasProfile ()) profile = peer->router->GetProfile (); // only if in memory
 		bool ssu2 = false; // NTCP2 by default
 		bool isReal = profile ? profile->IsReal () : true;
 		if (isReal) 
 		{	
 			ssu2 = m_Rng () & 1; // 1/2
 			if (ssu2 && !profile)
 			{	
 				profile = peer->router->GetProfile (); // load profile if necessary
 				isReal = profile->IsReal ();  
 				if (!isReal) ssu2 = false; // try NTCP2 if router is not confirmed real
 			}
 		}	
 		const auto& priority = ssu2 ? ssu2Priority : ntcp2Priority;
 		if (directTransports)
 		{	
@ -701,7 +722,8 @@ namespace transport
 			// try recently connected SSU2 if any
 			auto supportedTransports = context.GetRouterInfo ().GetCompatibleTransports (false) &
 				peer->router->GetCompatibleTransports (false);
-			if (supportedTransports & (i2p::data::RouterInfo::eSSU2V4 | i2p::data::RouterInfo::eSSU2V6))
+			if ((supportedTransports & (i2p::data::RouterInfo::eSSU2V4 | i2p::data::RouterInfo::eSSU2V6)) &&
 			    peer->router->HasProfile ())
 			{
 				auto ep = peer->router->GetProfile ()->GetLastEndpoint ();
 				if (!ep.address ().is_unspecified () && ep.port ())
@ -791,7 +813,7 @@ namespace transport
 					}	
 					else
 					{
-						testDelay += PEER_TEST_DELAY_INTERVAL + rand() % PEER_TEST_DELAY_INTERVAL_VARIANCE;
+						testDelay += PEER_TEST_DELAY_INTERVAL + m_Rng() % PEER_TEST_DELAY_INTERVAL_VARIANCE;
 						if (m_Service)
 						{	
 							auto delayTimer = std::make_shared<boost::asio::deadline_timer>(*m_Service);
@ -829,7 +851,7 @@ namespace transport
 					}	
 					else
 					{
-						testDelay += PEER_TEST_DELAY_INTERVAL + rand() % PEER_TEST_DELAY_INTERVAL_VARIANCE;
+						testDelay += PEER_TEST_DELAY_INTERVAL + m_Rng() % PEER_TEST_DELAY_INTERVAL_VARIANCE;
 						if (m_Service)
 						{	
 							auto delayTimer = std::make_shared<boost::asio::deadline_timer>(*m_Service);
@ -886,7 +908,11 @@ namespace transport
 					auto transport = peer->priority[peer->numAttempts-1];
 					if (transport == i2p::data::RouterInfo::eNTCP2V4 || 
 						transport == i2p::data::RouterInfo::eNTCP2V6 || transport == i2p::data::RouterInfo::eNTCP2V6Mesh)
-						peer->router->GetProfile ()->Connected (); // outgoing NTCP2 connection if always real
+							i2p::data::UpdateRouterProfile (ident,
 								[](std::shared_ptr<i2p::data::RouterProfile> profile)
 								{
 									if (profile) profile->Connected (); // outgoing NTCP2 connection if always real
 								});
 					i2p::data::netdb.SetUnreachable (ident, false); // clear unreachable 
 				}		
 				peer->numAttempts = 0;
@ -921,7 +947,11 @@ namespace transport
 					session->SendI2NPMessages (msgs); // send DatabaseStore
 				}	
 				auto r = i2p::data::netdb.FindRouter (ident); // router should be in netdb after SessionConfirmed
-				if (r) r->GetProfile ()->Connected ();
+				i2p::data::UpdateRouterProfile (ident,
 					[](std::shared_ptr<i2p::data::RouterProfile> profile)
 					{
 						if (profile) profile->Connected ();
 					});
 				auto ts = i2p::util::GetSecondsSinceEpoch ();
 				auto peer = std::make_shared<Peer>(r, ts);
 				peer->sessions.push_back (session);
@ -954,10 +984,15 @@ namespace transport
 						ConnectToPeer (ident, peer);
 					}
 					else
 					{
 						{
 							std::lock_guard<std::mutex> l(m_PeersMutex);
 							m_Peers.erase (it);
 						}
 						// delete buffer of just disconnected router 
 						auto r = i2p::data::netdb.FindRouter (ident);
 						if (r && !r->IsUpdated ()) r->ScheduleBufferToDelete ();
 					}
 				}
 			}
 		});
@ -1006,7 +1041,7 @@ namespace transport
 						if (session)
 							session->SendLocalRouterInfo (true);
 						it->second->nextRouterInfoUpdateTime = ts + PEER_ROUTER_INFO_UPDATE_INTERVAL +
-							rand () % PEER_ROUTER_INFO_UPDATE_INTERVAL_VARIANCE;
+							m_Rng() % PEER_ROUTER_INFO_UPDATE_INTERVAL_VARIANCE;
 					}
 					++it;
 				}
@ -1020,7 +1055,7 @@ namespace transport
 			// if still testing or unknown, repeat peer test
 			if (ipv4Testing || ipv6Testing)
 				PeerTest (ipv4Testing, ipv6Testing);
-			m_PeerCleanupTimer->expires_from_now (boost::posix_time::seconds(3 * SESSION_CREATION_TIMEOUT));
+			m_PeerCleanupTimer->expires_from_now (boost::posix_time::seconds(2 * SESSION_CREATION_TIMEOUT + m_Rng() % SESSION_CREATION_TIMEOUT));
 			m_PeerCleanupTimer->async_wait (std::bind (&Transports::HandlePeerCleanupTimer, this, std::placeholders::_1));
 		}
 	}
@ -1030,7 +1065,7 @@ namespace transport
 		if (ecode != boost::asio::error::operation_aborted)
 		{
 			PeerTest ();
-			m_PeerTestTimer->expires_from_now (boost::posix_time::minutes(PEER_TEST_INTERVAL));
+			m_PeerTestTimer->expires_from_now (boost::posix_time::seconds(PEER_TEST_INTERVAL + m_Rng() % PEER_TEST_INTERVAL_VARIANCE));
 			m_PeerTestTimer->async_wait (std::bind (&Transports::HandlePeerTestTimer, this, std::placeholders::_1));
 		}
 	}
@ -1160,7 +1195,7 @@ namespace transport
 		std::lock_guard<std::mutex> lock(m_TrustedRoutersMutex);
 		m_TrustedRouters.clear();
 		for (const auto & ri : routers )
-			m_TrustedRouters.push_back(ri);
+			m_TrustedRouters.insert(ri);
 	}
 	bool Transports::RoutesRestricted() const 
@ -1177,7 +1212,7 @@ namespace transport
 	}
 	/** XXX: if routes are not restricted this dies */
-	std::shared_ptr<const i2p::data::RouterInfo> Transports::GetRestrictedPeer() const
+	std::shared_ptr<const i2p::data::RouterInfo> Transports::GetRestrictedPeer()
 	{
 		{
 			std::lock_guard<std::mutex> l(m_FamilyMutex);
@ -1186,7 +1221,7 @@ namespace transport
 			if(sz > 1)
 			{
 				auto it = m_TrustedFamilies.begin ();
-				std::advance(it, rand() % sz);
+				std::advance(it, m_Rng() % sz);
 				fam = *it;
 			}
 			else if (sz == 1)
@ -1201,23 +1236,32 @@ namespace transport
 			auto sz = m_TrustedRouters.size();
 			if (sz)
 			{
 				if(sz == 1)
 					return i2p::data::netdb.FindRouter(m_TrustedRouters[0]);
 				auto it = m_TrustedRouters.begin();
-				std::advance(it, rand() % sz);
+				if(sz > 1)
 					std::advance(it, m_Rng() % sz);
 				return i2p::data::netdb.FindRouter(*it);
 			}
 		}
 		return nullptr;
 	}
-	bool Transports::IsRestrictedPeer(const i2p::data::IdentHash & ih) const
+	bool Transports::IsTrustedRouter (const i2p::data::IdentHash& ih) const
 	{
 	{
 		if (m_TrustedRouters.empty ()) return false;
 		std::lock_guard<std::mutex> l(m_TrustedRoutersMutex);
-			for (const auto & r : m_TrustedRouters )
+#if __cplusplus >= 202002L // C++20
-				if ( r == ih ) return true;
+		if (m_TrustedRouters.contains (ih))
 #else
 		if (m_TrustedRouters.count (ih) > 0)
 #endif		
 			return true;
 		return false;
 	}	
 	bool Transports::IsRestrictedPeer(const i2p::data::IdentHash& ih) const
 	{
 		if (IsTrustedRouter (ih)) return true;
 		{
 			std::lock_guard<std::mutex> l(m_FamilyMutex);
 			auto ri = i2p::data::netdb.FindRouter(ih);
--- a/libi2pd/Transports.h
+++ b/libi2pd/Transports.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -15,11 +15,13 @@
 #include <condition_variable>
 #include <functional>
 #include <unordered_map>
 #include <unordered_set>
 #include <vector>
 #include <queue>
 #include <string>
 #include <memory>
 #include <atomic>
 #include <random>
 #include <boost/asio.hpp>
 #include "TransportSession.h"
 #include "SSU2.h"
@ -54,8 +56,8 @@ namespace transport
 		private:
 			const int m_QueueSize;
 			std::queue<std::shared_ptr<Keys> > m_Queue;
 			i2p::util::MemoryPoolMt<Keys> m_KeysPool;
 			std::queue<std::shared_ptr<Keys> > m_Queue;
 			bool m_IsRunning;
 			std::unique_ptr<std::thread> m_Thread;
@ -106,7 +108,8 @@ namespace transport
 	};
 	const uint64_t SESSION_CREATION_TIMEOUT = 15; // in seconds
-	const int PEER_TEST_INTERVAL = 71; // in minutes
+	const int PEER_TEST_INTERVAL = 68*60; // in seconds
 	const int PEER_TEST_INTERVAL_VARIANCE = 3*60; // in seconds
 	const int PEER_TEST_DELAY_INTERVAL = 20; // in milliseconds
 	const int PEER_TEST_DELAY_INTERVAL_VARIANCE = 30; // in milliseconds
 	const int MAX_NUM_DELAYED_MESSAGES = 150;
@ -145,7 +148,6 @@ namespace transport
 			void ReuseX25519KeysPair (std::shared_ptr<i2p::crypto::X25519Keys> pair);
 			std::future<std::shared_ptr<TransportSession> > SendMessage (const i2p::data::IdentHash& ident, std::shared_ptr<i2p::I2NPMessage> msg);
 			std::future<std::shared_ptr<TransportSession> > SendMessages (const i2p::data::IdentHash& ident, std::list<std::shared_ptr<i2p::I2NPMessage> >& msgs);
 			std::future<std::shared_ptr<TransportSession> > SendMessages (const i2p::data::IdentHash& ident, std::list<std::shared_ptr<i2p::I2NPMessage> >&& msgs);
 			void PeerConnected (std::shared_ptr<TransportSession> session);
@ -169,7 +171,7 @@ namespace transport
 			std::shared_ptr<const i2p::data::RouterInfo> GetRandomPeer (bool isHighBandwidth) const;
 			/** get a trusted first hop for restricted routes */
-			std::shared_ptr<const i2p::data::RouterInfo> GetRestrictedPeer() const;
+			std::shared_ptr<const i2p::data::RouterInfo> GetRestrictedPeer();
 			/** do we want to use restricted routes? */
 			bool RoutesRestricted() const;
 			/** restrict routes to use only these router families for first hops */
@ -177,7 +179,8 @@ namespace transport
 			/** restrict routes to use only these routers for first hops */
 			void RestrictRoutesToRouters(const std::set<i2p::data::IdentHash>& routers);
-			bool IsRestrictedPeer(const i2p::data::IdentHash & ident) const;
+			bool IsTrustedRouter (const i2p::data::IdentHash& ih) const;
 			bool IsRestrictedPeer(const i2p::data::IdentHash& ih) const;
 			void PeerTest (bool ipv4 = true, bool ipv6 = true);
@ -192,7 +195,7 @@ namespace transport
 			void HandleRequestComplete (std::shared_ptr<const i2p::data::RouterInfo> r, i2p::data::IdentHash ident);
 			std::shared_ptr<TransportSession> PostMessages (const i2p::data::IdentHash& ident, std::list<std::shared_ptr<i2p::I2NPMessage> >& msgs);
 			bool ConnectToPeer (const i2p::data::IdentHash& ident, std::shared_ptr<Peer> peer);
-			void SetPriority (std::shared_ptr<Peer> peer) const;
+			void SetPriority (std::shared_ptr<Peer> peer);
 			void HandlePeerCleanupTimer (const boost::system::error_code& ecode);
 			void HandlePeerTestTimer (const boost::system::error_code& ecode);
 			void HandleUpdateBandwidthTimer (const boost::system::error_code& ecode);
@ -236,10 +239,11 @@ namespace transport
 			mutable std::mutex m_FamilyMutex;
 			/** which routers for first hop to trust */
-			std::vector<i2p::data::IdentHash> m_TrustedRouters;
+			std::unordered_set<i2p::data::IdentHash> m_TrustedRouters;
 			mutable std::mutex m_TrustedRoutersMutex;
 			i2p::I2NPMessagesHandler m_LoopbackHandler;
 			std::mt19937 m_Rng;
 		public:
--- a/libi2pd/Tunnel.cpp
+++ b/libi2pd/Tunnel.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -103,7 +103,7 @@ namespace tunnel
 			if (m_Config->IsShort ())
 			{
 				auto ident = m_Config->GetFirstHop () ? m_Config->GetFirstHop ()->ident : nullptr;
-				if (ident && ident->GetIdentHash () != outboundTunnel->GetNextIdentHash ()) // don't encrypt if IBGW = OBEP
+				if (ident && ident->GetIdentHash () != outboundTunnel->GetEndpointIdentHash ()) // don't encrypt if IBGW = OBEP
 				{
 					auto msg1 = i2p::garlic::WrapECIESX25519MessageForRouter (msg, ident->GetEncryptionPublicKey ());
 					if (msg1) msg = msg1;
@ -179,9 +179,12 @@ namespace tunnel
 		{
 			uint8_t ret = hop->GetRetCode (msg + 1);
 			LogPrint (eLogDebug, "Tunnel: Build response ret code=", (int)ret);
-			auto profile = i2p::data::netdb.FindRouterProfile (hop->ident->GetIdentHash ());
+			if (hop->ident)
-			if (profile)
+				i2p::data::UpdateRouterProfile (hop->ident->GetIdentHash (),
-				profile->TunnelBuildResponse (ret);
+					[ret](std::shared_ptr<i2p::data::RouterProfile> profile)
 					{
 						if (profile) profile->TunnelBuildResponse (ret);
 					});
 			if (ret)
 				// if any of participants declined the tunnel is not established
 				established = false;
@ -278,6 +281,21 @@ namespace tunnel
 		m_Endpoint.HandleDecryptedTunnelDataMsg (msg);
 	}
 	bool InboundTunnel::Recreate ()
 	{
 		if (!IsRecreated ())
 		{
 			auto pool = GetTunnelPool ();
 			if (pool)
 			{
 				SetRecreated (true);
 				pool->RecreateInboundTunnel (std::static_pointer_cast<InboundTunnel>(shared_from_this ()));
 				return true;
 			}	
 		}
 		return false;
 	}	
 	ZeroHopsInboundTunnel::ZeroHopsInboundTunnel ():
 		InboundTunnel (std::make_shared<ZeroHopsTunnelConfig> ()),
 		m_NumReceivedBytes (0)
@ -297,22 +315,28 @@ namespace tunnel
 	void OutboundTunnel::SendTunnelDataMsgTo (const uint8_t * gwHash, uint32_t gwTunnel, std::shared_ptr<i2p::I2NPMessage> msg)
 	{
 		TunnelMessageBlock block;
 		block.tunnelID = 0; // Initialize tunnelID to a default value
 		if (gwHash)
 		{
 			block.hash = gwHash;
 			if (gwTunnel)
 			{
 				block.deliveryType = eDeliveryTypeTunnel;
-				block.tunnelID = gwTunnel;
+				block.tunnelID = gwTunnel; // Set tunnelID only if gwTunnel is non-zero
 			}
 			else
 			{
 				block.deliveryType = eDeliveryTypeRouter;
 			}
 		}
 		else
 		{
 			block.deliveryType = eDeliveryTypeLocal;
-		block.data = msg;
+		}
-		SendTunnelDataMsgs ({block});
+		block.data = msg;
 		SendTunnelDataMsgs({block});
 	}
 	void OutboundTunnel::SendTunnelDataMsgs (const std::vector<TunnelMessageBlock>& msgs)
@ -328,6 +352,21 @@ namespace tunnel
 		LogPrint (eLogError, "Tunnel: Incoming message for outbound tunnel ", GetTunnelID ());
 	}
 	bool OutboundTunnel::Recreate ()
 	{
 		if (!IsRecreated ())
 		{
 			auto pool = GetTunnelPool ();
 			if (pool)
 			{
 				SetRecreated (true);
 				pool->RecreateOutboundTunnel (std::static_pointer_cast<OutboundTunnel>(shared_from_this ()));
 				return true;
 			}	
 		}
 		return false;
 	}
 	ZeroHopsOutboundTunnel::ZeroHopsOutboundTunnel ():
 		OutboundTunnel (std::make_shared<ZeroHopsTunnelConfig> ()),
 		m_NumSentBytes (0)
@ -434,7 +473,7 @@ namespace tunnel
 	std::shared_ptr<OutboundTunnel> Tunnels::GetNextOutboundTunnel ()
 	{
 		if (m_OutboundTunnels.empty ()) return nullptr;
-		uint32_t ind = rand () % m_OutboundTunnels.size (), i = 0;
+		uint32_t ind = m_Rng () % m_OutboundTunnels.size (), i = 0;
 		std::shared_ptr<OutboundTunnel> tunnel;
 		for (const auto& it: m_OutboundTunnels)
 		{
@ -711,8 +750,17 @@ namespace tunnel
 	void Tunnels::ManageTunnels (uint64_t ts)
 	{
 		ManagePendingTunnels (ts);
-		ManageInboundTunnels (ts);
+		std::vector<std::shared_ptr<Tunnel> > tunnelsToRecreate;
-		ManageOutboundTunnels (ts);
+		ManageInboundTunnels (ts, tunnelsToRecreate);
 		ManageOutboundTunnels (ts, tunnelsToRecreate);
 		// rec-create in random order
 		if (!tunnelsToRecreate.empty ())
 		{	
 			if (tunnelsToRecreate.size () > 1)
 				std::shuffle (tunnelsToRecreate.begin(), tunnelsToRecreate.end(), m_Rng);
 			for (auto& it: tunnelsToRecreate)
 				it->Recreate ();
 		}	
 	}
 	void Tunnels::ManagePendingTunnels (uint64_t ts)
@ -743,11 +791,11 @@ namespace tunnel
 							while (hop)
 							{
 								if (hop->ident)
 									i2p::data::UpdateRouterProfile (hop->ident->GetIdentHash (),
 										[](std::shared_ptr<i2p::data::RouterProfile> profile)
 				    					{
-									auto profile = i2p::data::netdb.FindRouterProfile (hop->ident->GetIdentHash ());
+											if (profile) profile->TunnelNonReplied ();
-									if (profile)
+										});
 										profile->TunnelNonReplied ();
 								}
 								hop = hop->next;
 							}
 						}
@ -775,7 +823,7 @@ namespace tunnel
 		}
 	}
-	void Tunnels::ManageOutboundTunnels (uint64_t ts)
+	void Tunnels::ManageOutboundTunnels (uint64_t ts, std::vector<std::shared_ptr<Tunnel> >& toRecreate)
 	{
 		for (auto it = m_OutboundTunnels.begin (); it != m_OutboundTunnels.end ();)
 		{
@ -799,10 +847,7 @@ namespace tunnel
 						auto pool = tunnel->GetTunnelPool ();
 						// let it die if the tunnel pool has been reconfigured and this is old
 						if (pool && tunnel->GetNumHops() == pool->GetNumOutboundHops())
-						{
+							toRecreate.push_back (tunnel);
 							tunnel->SetRecreated (true);
 							pool->RecreateOutboundTunnel (tunnel);
 						}
 					}
 					if (ts + TUNNEL_EXPIRATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
 						tunnel->SetState (eTunnelStateExpiring);
@ -827,7 +872,7 @@ namespace tunnel
 		}
 	}
-	void Tunnels::ManageInboundTunnels (uint64_t ts)
+	void Tunnels::ManageInboundTunnels (uint64_t ts, std::vector<std::shared_ptr<Tunnel> >& toRecreate)
 	{
 		for (auto it = m_InboundTunnels.begin (); it != m_InboundTunnels.end ();)
 		{
@ -851,10 +896,7 @@ namespace tunnel
 						auto pool = tunnel->GetTunnelPool ();
 						// let it die if the tunnel pool was reconfigured and has different number of hops
 						if (pool && tunnel->GetNumHops() == pool->GetNumInboundHops())
-						{
+							toRecreate.push_back (tunnel);
 							tunnel->SetRecreated (true);
 							pool->RecreateInboundTunnel (tunnel);
 						}
 					}
 					if (ts + TUNNEL_EXPIRATION_THRESHOLD > tunnel->GetCreationTime () + TUNNEL_EXPIRATION_TIMEOUT)
--- a/libi2pd/Tunnel.h
+++ b/libi2pd/Tunnel.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2024, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -99,6 +99,7 @@ namespace tunnel
 			void SetRecreated (bool recreated) { m_IsRecreated = recreated; };
 			int GetNumHops () const { return m_Hops.size (); };
 			virtual bool IsInbound() const = 0;
 			virtual bool Recreate () = 0;
 			std::shared_ptr<TunnelPool> GetTunnelPool () const { return m_Pool; };
 			void SetTunnelPool (std::shared_ptr<TunnelPool> pool) { m_Pool = pool; };
@ -150,6 +151,7 @@ namespace tunnel
 			void HandleTunnelDataMsg (std::shared_ptr<i2p::I2NPMessage>&& tunnelMsg) override;
 			bool IsInbound() const override { return false; }
 			bool Recreate () override;
 		private:
@ -166,6 +168,7 @@ namespace tunnel
 			void HandleTunnelDataMsg (std::shared_ptr<I2NPMessage>&& msg) override;
 			virtual size_t GetNumReceivedBytes () const { return m_Endpoint.GetNumReceivedBytes (); };
 			bool IsInbound() const override { return true; }
 			bool Recreate () override;
 			// override TunnelBase
 			void Cleanup () override { m_Endpoint.Cleanup (); };
@ -246,8 +249,6 @@ namespace tunnel
 			uint32_t GetMaxNumTransitTunnels () const { return m_MaxNumTransitTunnels; };
 			int GetCongestionLevel() const { return m_MaxNumTransitTunnels ? CONGESTION_LEVEL_FULL * m_TransitTunnels.GetNumTransitTunnels () / m_MaxNumTransitTunnels : CONGESTION_LEVEL_FULL; }
 			std::mt19937& GetRng () { return m_Rng; };
 		private:
 			template<class TTunnel>
@ -264,8 +265,8 @@ namespace tunnel
 			void Run ();
 			void ManageTunnels (uint64_t ts);
-			void ManageOutboundTunnels (uint64_t ts);
+			void ManageOutboundTunnels (uint64_t ts, std::vector<std::shared_ptr<Tunnel> >& toRecreate);
-			void ManageInboundTunnels (uint64_t ts);
+			void ManageInboundTunnels (uint64_t ts, std::vector<std::shared_ptr<Tunnel> >& toRecreate);
 			void ManagePendingTunnels (uint64_t ts);
 			template<class PendingTunnels>
 			void ManagePendingTunnels (PendingTunnels& pendingTunnels, uint64_t ts);
@ -296,6 +297,8 @@ namespace tunnel
 			bool m_IsRunning;
 			std::thread * m_Thread;
 			i2p::util::MemoryPoolMt<I2NPMessageBuffer<I2NP_TUNNEL_ENPOINT_MESSAGE_SIZE> > m_I2NPTunnelEndpointMessagesMemoryPool;
 			i2p::util::MemoryPoolMt<I2NPMessageBuffer<I2NP_TUNNEL_MESSAGE_SIZE> > m_I2NPTunnelMessagesMemoryPool;
 			std::map<uint32_t, std::shared_ptr<InboundTunnel> > m_PendingInboundTunnels; // by replyMsgID
 			std::map<uint32_t, std::shared_ptr<OutboundTunnel> > m_PendingOutboundTunnels; // by replyMsgID
 			std::list<std::shared_ptr<InboundTunnel> > m_InboundTunnels;
@ -306,8 +309,6 @@ namespace tunnel
 			std::list<std::shared_ptr<TunnelPool>> m_Pools;
 			std::shared_ptr<TunnelPool> m_ExploratoryPool;
 			i2p::util::Queue<std::shared_ptr<I2NPMessage> > m_Queue;
 			i2p::util::MemoryPoolMt<I2NPMessageBuffer<I2NP_TUNNEL_ENPOINT_MESSAGE_SIZE> > m_I2NPTunnelEndpointMessagesMemoryPool;
 			i2p::util::MemoryPoolMt<I2NPMessageBuffer<I2NP_TUNNEL_MESSAGE_SIZE> > m_I2NPTunnelMessagesMemoryPool;
 			uint32_t m_MaxNumTransitTunnels;
 			// count of tunnels for total TCSR algorithm
 			int m_TotalNumSuccesiveTunnelCreations, m_TotalNumFailedTunnelCreations;
--- a/libi2pd/TunnelBase.cpp
+++ b/libi2pd/TunnelBase.cpp
@ -0,0 +1,71 @@
 /*
 * Copyright (c) 2024, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
 * See full license text in LICENSE file at top of project tree
 *
 */
 #include "Transports.h"
 #include "TunnelBase.h"
 namespace i2p
 {
 namespace tunnel
 {
 	void TunnelTransportSender::SendMessagesTo (const i2p::data::IdentHash& to,
 		std::list<std::shared_ptr<I2NPMessage> >&& msgs)
 	{
 		if (msgs.empty ()) return;
 		auto currentTransport = m_CurrentTransport.lock ();
 		if (!currentTransport)
 		{
 			// try to obtain transport from pending request or send thought transport is not complete
 			if (m_PendingTransport.valid ()) // pending request?
 			{
 				if (m_PendingTransport.wait_for(std::chrono::seconds(0)) == std::future_status::ready) 
 				{	
 					// pending request complete
 					currentTransport = m_PendingTransport.get (); // take transports used in pending request
 					if (currentTransport)
 					{	
 						if (currentTransport->IsEstablished ()) 
 							m_CurrentTransport = currentTransport;
 						else
 							currentTransport = nullptr;
 					}
 				}	
 				else // still pending
 				{	
 					// send through transports, but don't update pending transport
 					i2p::transport::transports.SendMessages (to, std::move (msgs));
 					return;
 				}	
 			}
 		}
 		if (currentTransport) // session is good
 			// send to session directly
 			currentTransport->SendI2NPMessages (msgs);
 		else // no session yet
 			// send through transports
 			m_PendingTransport = i2p::transport::transports.SendMessages (to, std::move (msgs));
 	}
 	void TunnelTransportSender::SendMessagesTo (const i2p::data::IdentHash& to,
 		std::list<std::shared_ptr<I2NPMessage> >& msgs)
 	{
 		std::list<std::shared_ptr<i2p::I2NPMessage> > msgs1;
 		msgs.swap (msgs1);
 		SendMessagesTo (to, std::move (msgs1));
 	}	
 	void TunnelTransportSender::Reset ()
 	{
 		m_CurrentTransport.reset ();
 		if (m_PendingTransport.valid ())
 			m_PendingTransport = std::future<std::shared_ptr<i2p::transport::TransportSession> >();
 	}	
 }
 }
--- a/libi2pd/TunnelBase.h
+++ b/libi2pd/TunnelBase.h
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2022, The PurpleI2P Project
+* Copyright (c) 2013-2024, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -11,12 +11,19 @@
 #include <inttypes.h>
 #include <memory>
 #include <future>
 #include <list>
 #include "Timestamp.h"
 #include "I2NPProtocol.h"
 #include "Identity.h"
 namespace i2p
 {
 namespace transport
 {
 	class TransportSession;
 }	
 namespace tunnel
 {
 	const size_t TUNNEL_DATA_MSG_SIZE = 1028;
@ -76,6 +83,25 @@ namespace tunnel
 				return t1 < t2;
 		}
 	};
 	class TunnelTransportSender final
 	{
 		public: 
 			TunnelTransportSender () = default;
 			~TunnelTransportSender () = default;
 			void SendMessagesTo (const i2p::data::IdentHash& to, std::list<std::shared_ptr<I2NPMessage> >&& msgs);
 			void SendMessagesTo (const i2p::data::IdentHash& to, std::list<std::shared_ptr<I2NPMessage> >& msgs); // send and clear
 			std::shared_ptr<const i2p::transport::TransportSession> GetCurrentTransport () const { return m_CurrentTransport.lock (); }
 			void Reset ();
 		private:
 			std::weak_ptr<i2p::transport::TransportSession> m_CurrentTransport;
 			std::future<std::shared_ptr<i2p::transport::TransportSession> > m_PendingTransport;
 	};	
 }
 }
--- a/libi2pd/TunnelConfig.cpp
+++ b/libi2pd/TunnelConfig.cpp
@ -79,8 +79,7 @@ namespace tunnel
 		uint8_t * record = records + index*TUNNEL_BUILD_RECORD_SIZE;
 		i2p::crypto::CBCDecryption decryption;
 		decryption.SetKey (replyKey);
-		decryption.SetIV (replyIV);
+		decryption.Decrypt(record, TUNNEL_BUILD_RECORD_SIZE, replyIV, record);
 		decryption.Decrypt(record, TUNNEL_BUILD_RECORD_SIZE, record);
 	}
 	void ECIESTunnelHopConfig::EncryptECIES (const uint8_t * plainText, size_t len, uint8_t * encrypted)
--- a/libi2pd/TunnelEndpoint.cpp
+++ b/libi2pd/TunnelEndpoint.cpp
@ -1,5 +1,5 @@
 /*
-* Copyright (c) 2013-2023, The PurpleI2P Project
+* Copyright (c) 2013-2025, The PurpleI2P Project
 *
 * This file is part of Purple i2pd project and licensed under BSD3
 *
@ -21,9 +21,6 @@ namespace i2p
 {
 namespace tunnel
 {
 	TunnelEndpoint::~TunnelEndpoint ()
 	{
 	}
 	void TunnelEndpoint::HandleDecryptedTunnelDataMsg (std::shared_ptr<I2NPMessage> msg)
 	{
@ -261,9 +258,8 @@ namespace tunnel
 	void TunnelEndpoint::AddOutOfSequenceFragment (uint32_t msgID, uint8_t fragmentNum,
 		bool isLastFragment, const uint8_t * fragment, size_t size)
 	{
-		std::unique_ptr<Fragment> f(new Fragment (isLastFragment, i2p::util::GetMillisecondsSinceEpoch (), size));
+		if (!m_OutOfSequenceFragments.try_emplace ((uint64_t)msgID << 32 | fragmentNum, 
-		memcpy (f->data.data (), fragment, size);
+			isLastFragment, i2p::util::GetMillisecondsSinceEpoch (), fragment, size).second)
 		if (!m_OutOfSequenceFragments.emplace ((uint64_t)msgID << 32 | fragmentNum, std::move (f)).second)
 			LogPrint (eLogInfo, "TunnelMessage: Duplicate out-of-sequence fragment ", fragmentNum, " of message ", msgID);
 	}
@ -293,7 +289,7 @@ namespace tunnel
 		if (it != m_OutOfSequenceFragments.end ())
 		{
 			LogPrint (eLogDebug, "TunnelMessage: Out-of-sequence fragment ", (int)msg.nextFragmentNum, " of message ", msgID, " found");
-			size_t size = it->second->data.size ();
+			size_t size = it->second.data.size ();
 			if (msg.data->len + size > msg.data->maxLen)
 			{
 				LogPrint (eLogWarning, "TunnelMessage: Tunnel endpoint I2NP message size ", msg.data->maxLen, " is not enough");
@ -301,9 +297,9 @@ namespace tunnel
 				*newMsg = *(msg.data);
 				msg.data = newMsg;
 			}
-			if (msg.data->Concat (it->second->data.data (), size) < size) // concatenate out-of-sync fragment	
+			if (msg.data->Concat (it->second.data.data (), size) < size) // concatenate out-of-sync fragment	
 				LogPrint (eLogError, "TunnelMessage: Tunnel endpoint I2NP buffer overflow ", msg.data->maxLen);
-			if (it->second->isLastFragment)
+			if (it->second.isLastFragment)
 				// message complete
 				msg.nextFragmentNum = 0;
 			else
@ -331,13 +327,13 @@ namespace tunnel
 			break;
 			case eDeliveryTypeTunnel:
 				if (!m_IsInbound) // outbound transit tunnel
-					i2p::transport::transports.SendMessage (msg.hash, i2p::CreateTunnelGatewayMsg (msg.tunnelID, msg.data));
+					SendMessageTo (msg.hash, i2p::CreateTunnelGatewayMsg (msg.tunnelID, msg.data));
 				else
 					LogPrint (eLogError, "TunnelMessage: Delivery type 'tunnel' arrived from an inbound tunnel, dropped");
 			break;
 			case eDeliveryTypeRouter:
 				if (!m_IsInbound) // outbound transit tunnel
-					i2p::transport::transports.SendMessage (msg.hash, msg.data);
+					i2p::transport::transports.SendMessage (msg.hash, msg.data); // send right away, because most likely it's single message
 				else // we shouldn't send this message. possible leakage
 					LogPrint (eLogError, "TunnelMessage: Delivery type 'router' arrived from an inbound tunnel, dropped");
 			break;
@ -352,7 +348,7 @@ namespace tunnel
 		// out-of-sequence fragments
 		for (auto it = m_OutOfSequenceFragments.begin (); it != m_OutOfSequenceFragments.end ();)
 		{
-			if (ts > it->second->receiveTime + i2p::I2NP_MESSAGE_EXPIRATION_TIMEOUT)
+			if (ts > it->second.receiveTime + i2p::I2NP_MESSAGE_EXPIRATION_TIMEOUT)
 				it = m_OutOfSequenceFragments.erase (it);
 			else
 				++it;
@ -366,5 +362,35 @@ namespace tunnel
 				++it;
 		}
 	}
 	void TunnelEndpoint::SendMessageTo (const i2p::data::IdentHash& to, std::shared_ptr<i2p::I2NPMessage> msg)
 	{	
 		if (msg)
 		{	
 			if (!m_Sender && m_I2NPMsgs.empty ()) // first message
 				m_CurrentHash = to;
 			else if (m_CurrentHash != to) // new target router
 			{
 				FlushI2NPMsgs (); //  flush message to previous
 				if (m_Sender) m_Sender->Reset (); // reset sender
 				m_CurrentHash = to; // set new target router
 			}	// otherwise add msg to the list for current target router
 			m_I2NPMsgs.push_back (msg);
 		}	
 	}
 	void TunnelEndpoint::FlushI2NPMsgs ()
 	{
 		if (!m_I2NPMsgs.empty ())
 		{
 			if (!m_Sender) m_Sender = std::make_unique<TunnelTransportSender>();
 			m_Sender->SendMessagesTo (m_CurrentHash, m_I2NPMsgs); // send and clear
 		}	
 	}	
 	const i2p::data::IdentHash * TunnelEndpoint::GetCurrentHash () const
 	{
 		return (m_Sender || !m_I2NPMsgs.empty ()) ? &m_CurrentHash : nullptr;
 	}	
 }
 }
--- a/Show more
+++ b/Show more