# for this file format description,
# see https://github.com/olivierlacan/keep-a-changelog

## [2.55.0] - 2024-12-30
### Added
- Support boost 1.87
- "i2p.streaming.maxConcurrentStreams" tunnel's param to limit number of simultaneous streams
- Separate thread for tunnel build requests
- Show next peer and connectivity on "Transit tunnels" page
- Tunnel name for local destination thread
- Throttle incoming ECIESx25519 sessions
- Send tunnel data to transport session directly if possible
- Publish 'R' cap for yggdrasil-only routers, and 'U' cap for routers through proxy
- Random tunnel rejection when medium congestion
- Save unreachable router's endpoint to use it next time without introducers
- Recognize symmetric NAT from peer test message 7
- Resend HolePunch and RelayResponse messages
### Changed
- Removed own implementation of AESNI and always use one from openssl
- Renamed main thread to i2pd-daemon
- Set i2p.streaming.profile=2 for shared local destination
- Reduced LeaseSet and RouterInfo lookup timeouts
- Cleanup ECIES sessions and tags more often
- Check LeaseSet expiration time
- Handle NTCP2 session handshakes in separate thread
- Limit last decline time by 1.5 hours in router's profile
- Don't handle RelayRequest and RelayIntro with same nonce twice
- Increased hole punch expiration interval
- Send peer test message 6 with delay if message 4 was received before message 5
- Pre-calculate more x25519 keys for transports in runtime
- Don't request LeaseSet for incoming stream
- Terminate incoming stream right away if no remote LeaseSet
- Handle choked, new RTO and window size calculation and resetting algorithm for streams
### Fixed
- Empty string in addressbook subscriptions
- ECIESx25519 sessions without destination
- Missing RouterInfo buffer in NetDb
- Invalid I2PControl certificate
- Routers disappear from NetDb when offline
- Peer test message 6 sent to unknown endpoint
- Race condition with LeaseSet update
- Excessive CPU usage by streams
- Crash on shutdown

## [2.54.0] - 2024-10-06
### Added
- Maintain recently connected routers list to avoid false-positive peer test
- Limited connectivity mode (through proxy)
- "i2p.streaming.profile" tunnel's param to let tunnel select also low-bandwidth routers
- Limit stream's inbound speed
- Periodic ack requests in ratchets session
- Set congestion cap G immediately if through proxy
- Show tunnel's routers bandwidth caps in web console
- Handle immediate ack requested flag in SSU2 data packets
- Resend and ack peer test and relay messages
- "senduseragent" HTTP proxy's param to pass through user's User-Agent
### Changed
- Exclude 'N' routers from high-bandwidth routers for client tunnels
- C++11 support has been dropped, the minimal requirement is C++17 now, C++20 for some compilers
- Removed dependency from boost::date_time and boost::filesystem
- Set default i2cp.leaseSetEncType to 0,4 and to 4 for server tunnels
- Handle i2cp.inboundlimit and i2cp.outboundlimit params in I2CP
- Publish LeaseSet with new timestamp update if tunnel was replaced in the same second
- Increase max number of generated tags to 800 per tagset
- Routing path expiration by time instead num attempts
- Save timestamp from epoch instead local time to profiles
- Update introducer's iTag if session to introducer was replaced to new one
- RTT, window size and number of NACKs calculation for streaming
- Don't select same peer for tunnel too often
- Use WinApi for data path UTF-8 conversion for Windows
### Fixed
- Jump link crash if address book is disabled
- Race condition if connect through an introducer
- "Date" header in I2PControl response
- Incomplete response from web console
- AEAD verification with LibreSSL
- Number of generated tags and new keys for follow-on tagsets
- Expired leases in LeaseSet
- Attempts to send HolePunch to 0.0.0.0
- Incorrect options size in quick ack streaming packet
- Low bandwidth router appeared as first peer in high-bandwidth client tunnel

## [2.53.1] - 2024-07-29
### Changed
- I2CP performance improvement
### Fixed
- 100% CPU usage after I2CP/SAM/BOB session termination
- Incorrect client limits returned through I2CP
- Build with LibreSSL

## [2.53.0] - 2024-07-19
### Added
- New congestion control algorithm for streaming
- Support miniupnp-2.2.8
- Limit stream's outbound speed
- Flood to next day closest floodfills before UTC midnight
- Recognize duplicated routers and bypass them
- Random SSU2 resend interval
### Changed
- Set minimal version to 0.9.69 for floodfills and 0.9.58 for client tunnels
- Removed openssl 1.0.2 support
- Move unsent I2NP messages to the new session if replaced
- Use mt19937 RNG instead rand()
- Update router's congestion caps before initial publishing
- Don't try introducer with invalid address
- Select newest introducers to publish
- Don't request relay tag for every session if we have enough introducers
- Update timestamp for non-reachable or hidden router
- Reset streaming routing path if duplicated SYN received
- Update LeaseSet if inbound tunnel failed
- Reseeds list
### Fixed
- Crash when a destination gets terminated
- Expired offline signature upon destination creation
- Race condition between local RouterInfo buffer creation and sending it through the transports

## [2.52.0] - 2024-05-12
### Added
- Separate threads for persisting RouterInfos and profiles to disk
- Give preference to address with direct connection
- Exclude addresses with incorrect static or intro key
- Avoid two firewalled routers in the row in tunnel
- Drop unsolicited database search replies
### Changed
- Increase number of hashes to 16 in exploratory lookup reply
- Reduce number of a RouterInfo lookup attempts to 5
- Reset stream RTO if outbound tunnel was changed
- Insert previously excluded floodfill back when successfully connected
- Increase maximum stream resend attempts to 9
- Reply to exploratory lookups with only confirmed routers if low tunnel build rate
- Don't accept too old RouterInfo
- Build client tunnels through confirmed routers only if low tunnel build rate
- Manage netDb requests more frequently
- Don't reply with closer than us only floodfills for lookup
### Fixed
- Crash on router lookup if exploratory pool is not ready
- Race condition in excluded peers for next lookup
- Excessive number of lookups for same destination
- Race condition with transport peers during shutdown
- Corrupted RouterInfo files

## [2.51.0] - 2024-04-06
### Added
- Non-blocking mode for UDP sockets
- Set SSU2 socket buffer size based on bandwidth limit
- Encrypted tunnel tests
- Support for multiple UDP server tunnels on one destination
- Publish medium congestion indication
- Local domain sockets for SOCKS proxy upstream
- Tunnel status "declined" in web console
- SAM error reply "Incompatible crypto" if remote destination has incompatible crypto
- Reduce amount of traffic by handling local message drops
- Keep SSU2 socket open even if it fails to bind
- Lower SSU2 resend traffic spikes
- Expiration for messages in SSU2 send queue
- Use EWMA for stream RTT estimation
- Request choking delay if too many NACKs in stream
- Allow 0ms latency for tunnel
- Randomize tunnels selection for tests
### Changed
- Upstream SOCKS proxy from SOCKS4 to SOCKS5
- Transit tunnels limit to 4 bytes. Default value to 10K
- Reply CANT_REACH_PEER if connect to ourselves in SAM
- Don't send already expired I2NP messages
- Use monotonic timer to measure tunnel test latency
- Standard NTCP2 frame doesn't exceed 16K
- Always send request through tunnels in case of restricted routes
- Don't delete connected routers from NetDb
- Send lookup reply directly to reply tunnel gateway if possible
- Reduce unreachable router ban interval to 8 minutes
- Don't request banned routers / don't try to connect to unreachable router
- Consider 'M' routers as low bandwidth
- Limit minimal received SSU2 packet size to 40 bytes
- Bob picks peer test session only if Charlie's address supports peer testing
- Reject peer test msg 2 if peer testing is not supported
- Don't request termination if SSU2 session was not established
- Set maximum SSU2 queue size depending on RTT value
- New streaming RTT calculation algorithm
- Don't double initial RTO for streams when changing tunnels
- Restore failed tunnel if test or data for inbound tunnel received
- Don't fail last remaining tunnel in pool
- Publish LeaseSet again if local destination was not ready or no tunnels
- Make more attempts to pick high bandwidth hop for client tunnel
- Reduced SSU2 session termination timeout to 165 seconds
- Reseeds list
### Fixed
- ECIESx25519 symmetric key tagset early expiration
- Encrypted LeaseSet lookup
- Outbound tunnel build fails if its endpoint is the same as reply tunnel gateway
- I2PControl RouterManager returns invalid JSON when unknown params are passed
- Mix of data between different UDP sessions on the same server
- TARGET_OS_SIMULATOR check
- Handling of "reservedrange" param
- New NTCP2 session gets terminated upon termination of old one
- New SSU2 session gets terminated upon termination of old one
- Peer test to non-supporting router
- Streaming ackThrough off 1 if number of NACKs exceeds 255
- Race condition in ECIESx25519 tags table
- Good tunnel becomes failed
- Crash when packet comes to terminated stream
- Stream hangs during LeaseSet update

## [2.50.2] - 2024-01-06
### Fixed
- Crash with OpenSSL 3.2.0
- False positive clock skew detection

## [2.50.1] - 2023-12-23
### Fixed
- Support for new EdDSA usage behavior in OpenSSL 3.2.0

## [2.50.0] - 2023-12-18
### Added
- Support of concurrent ACCEPTs on SAM 3.1
- Haiku OS support
- Low bandwidth and far routers can expire before 1 hour
### Changed
- Don't pick too active peer for first hop
- Try peer test again if status is Unknown
- Send peer tests with random delay
- Reseeds list
### Fixed
- XSS vulnerability in addresshelper
- Publishing NAT64 ipv6 addresses
- Deadlock in AsyncSend callback

## [2.49.0] - 2023-09-18
### Added
- Handle SOCKS5 authorization with empty user/password
- Drop incoming transport sessions from too old or from future routers
- Memory pool for router profiles
- Allow 0 hops in explicitPeers
### Changed
- Separate network and testing status
- Remove AVX code
- Improve NTCP2 transport session logging
- Select router with ipv4 for tunnel endpoint
- Consider all addresses non-published for U and H routers even if they have host/port
- Don't pick completely unreachable routers for tunnels
- Exclude SSU1 introducers from SSU2 addresses
- Don't create paired inbound tunnel if length is different
- Remove introducer from RouterInfo after 60 minutes
- Reduce SSU2 keep alive interval and add keep alive interval variance
- Don't pick too old sessions for introducer
### Fixed
- Version of the subnegotiation in user/password SOCKS5 response
- Send keepalive for existing session with introducer
- Buffer offset for EVP_EncryptFinal_ex() to include outlen
- Termination block size processing for transport sessions
- Crash if deleted BOB destination was shared between few BOB sessions
- Introducers with zero tag
- Padding for SSU2 path response

## [2.48.0] - 2023-06-12
### Added
- Allow user/password authentication method for SOCKS5 proxy
- Publish reject all congestion cap 'G' if transit is not accepted
- 'critical' log level
- Print b32 on webconsole destination page
- Webconsole button to drop a remote LeaseSet
- limits.zombies param - minimum percentage of successfully created tunnels for routers cleanup
- Recognize real routers if successfully connected or responded to tunnel build request
### Changed
- Bypass slow transport sessions for first hop selection
- Limit AESNI inline asm to x86/x64
- Create smaller I2NP packets if possible
- Make router unreachable if AEAD tag verification fails in SessionCreated
- Don't include a router to floodfills list until it's confirmed as real
- Drop LeaseSet store request if not floodfill
- Bypass medium congestion ('D') routers for client tunnels
- Publish encrypted RouterInfo through tunnels
- Check if s is valid x25519 public key
- Check if socket is open before sending data in SSU2
### Fixed
- Webconsole empty page if destination is not found
- i2p.streaming.answerPings param
- Reload tunnels
- Address caps for unspecified ipv6 address
- Incomplete HTTP headers in I2P tunnels
- SSU2 socket network exceptions on Windows
- Use of 'server' type tunnel port as inport (#1936)

## [2.47.0] - 2023-03-11
### Added
- Congestion caps
- SAM UDP port parameter
- Support domain addresses for yggdrasil reseeds
### Changed
- DHT for floodfills instead plain list
- Process router's messages in separate thread
- Don't publish non-reachable router
- Send and check target destination in first streaming SYN packet
- Reseeds list
### Fixed
- Memory leak in windows network state detection
- Reseed attempts from invalid address

## [2.46.1] - 2023-02-20
### Fixed
- Race condition while getting router's peer profile
- Creation of new router.info
- Displaying LeaseSets in the webconsole
- Crash when processing ACK request

## [2.46.0] - 2023-02-15
### Added
- Limit number of acked SSU2 packets to 511
- Localization to Swedish, Portuguese, Turkish, Polish
- Periodically send Datetime block in NTCP2 and SSU2
- Don't select random port from reserved
- In memory table for peer profiles
- Store if router was unreachable in its peer profile
- Show IPv6 addresses in square brackets in webconsole
- Check referer when processing Addresshelper
### Changed
- Algorithm for tunnel creation success rate calculation
- Drop incoming NTCP2 and SSU2 connection if published IP doesn't match actual endpoint
- Exclude actually unreachable router from netdb for 2 hours
- Select first hop from high bandwidth peers for client tunnels
- Drop too long or too short LeaseSet
- Delete router from netdb if became invalid after update
- Terminate existing session if clock skew detected
- Close previous UDP socket if open before reopening
- Minimal version for floodfill is 0.9.51
- Sort transports by endpoints in webconsole
### Fixed
- Deadlock during processing I2NP block with Garlic in ECIES encrypted message to router
- Race condition with encrypted LeaseSets
- HTTP query detection
- Connection attempts to IPs from invalid ranges
- Publish "0.0.0.0" in RouterInfo
- Crash upon receiving PeerTest 7
- Tunnels for closed SAM session socket
- Missing NTCP2 address in RouterInfo if enabled back

## [2.45.1] - 2023-01-11
### Added
- Full Cone NAT status error
### Changed
- Drop duplicated I2NP messages in SSU2
- Set rejection code 30 if tunnel with id already exists
- Network status is always OK if peer test msg 5 received
### Fixed
- UPnP crash if SSU2 or NTCP2 is disabled
- Crash on termination for some platforms

## [2.45.0] - 2023-01-03
### Added
- Test for Symmetric NAT with peer test msgs 6 and 7
- Webconsole "No Descriptors" router error state
- 1 and 15 seconds bandwidth calculation for i2pcontrol
- Show non-zero send queue size for transports in web console
- Compressible padding for I2P addresses
- Localization to Czech
- Don't accept incoming session from invalid/reserved addresses for NTCP2 and SSU2
- Limit simultaneous tunnel build requests by 4 per pool
### Changed
- Removed SSU support
- Reduced bandwidth calculation interval from 60 to 15 seconds
- Increased default max transit tunnels number from 2500 to 5000 or 10000 for floodfill
- Transit tunnels limit is doubled if floodfill mode is enabled
- NTCP2 and SSU2 timestamps are rounded to seconds
- Drop RouterInfos and LeaseSets with timestamp from future
- Don't delete unreachable routers if tunnel creation success rate is too low
- Refuse duplicated incoming pending NTCP2 session from same IP
- Don't send SSU2 termination again if termination received block received
- Handle standard network error for SSU2 without throwing an exception
- Don't select overloaded peer for next tunnel
- Remove "X-Requested-With" in HTTP Proxy for non-AJAX requests
### Fixed
- File descriptors leak
- Random crash on AddressBook update
- Crash if incorrect LeaseSet size
- Spamming to log if no descriptors
- ::1 address in RouterInfo
- SSU2 network error handling (especially for Windows)
- Race condition with pending outgoing SSU2 sessions
- RTT self-reduction for long-live streams

## [2.44.0] - 2022-11-20
### Added
- SSL connection for server I2P tunnels
- Localization to Italian and Spanish
- SSU2 through SOCKS5 UDP proxy
- Reload tunnels through web console
- SSU2 send immediate ack request flag
- SSU2 send and verify path challenge
- Configurable ssu2.mtu4 and ssu2.mtu6
### Changed
- SSU2 is enabled and SSU is disabled by default
- Separate network status and error
- Random selection between NTCP2 and SSU2 priority
- Added notbob.i2p to jump services
- Remove DoNotTrack flag from HTTP Request header
- Skip addresshelper page if destination was not changed
- SSU2 allow different ports from RelayResponse and HolePunch
- SSU2 resend PeerTest msg 1 and msg 2
- SSU2 Send Retry instead SessionCreated if clock skew detected
### Fixed
- Long HTTP headers for HTTP proxy and HTTP server tunnel
- SSU2 resends and resend limits
- Crash at startup if addressbook is disabled
- NTCP2 ipv6 connection through SOCKS5 proxy
- SSU2 SessionRequest with zero token
- SSU2 MTU less than 1280
- SSU2 port=1
- Incorrect addresses from network interfaces
- Definitions for Darwin PPC; do not use pthread_setname_np

## [2.43.0] - 2022-08-22
### Added
- Complete SSU2 implementation
- Localization to Chinese
- Send RouterInfo update for long live sessions
- Explicit ipv6 ranges of known tunnel brokers for MTU detection
- Always send "Connection: close" and strip out Keep-Alive for server HTTP tunnel
- Show ports for all transports in web console
- Translation of webconsole site title
- Support for Windows ProgramData path when running as service
- Ability to turn off address book
- Handle signals TSTP and CONT to stop and resume network
### Changed
- Case insensitive headers for server HTTP tunnel
- Do not show 'Address registration' line if LeaseSet is encrypted
- SSU2 transports have higher priority than SSU
- Disable ElGamal precalculated table if no SSU
- Deprecate limits.ntcpsoft, limits.ntcphard and limits.ntcpthreads config options
- SSU2 is enabled and SSU is disabled by default for new installations
### Fixed
- Typo with Referer header name in HTTP proxy
- Can't handle garlic message from an exploratory tunnel
- Incorrect encryption key for exploratory lookup reply
- Bound checks issues in LeaseSets code
- MTU detection on Windows
- Crash on stop of active server tunnel
- Send datagram to wrong destination in SAM
- Incorrect static key in RouterInfo if the keys were regenerated
- Duplicated sessions in BOB

## [2.42.1] - 2022-05-24
### Fixed
- Incorrect jump link in HTTP Proxy

## [2.42.0] - 2022-05-22
### Added
- Preliminary SSU2 implementation
- Tunnel length variance
- Localization to French
- Daily cleanup of obsolete peer profiles
- Ordered jump services list in HTTP proxy
- Win32 service
- Show port for local non-published SSU addresses in web console
### Changed
- Maximum RouterInfo length increased to 3K
- Skip unknown addresses in RouterInfo
- Don't pick own router for peer test
- Reseeds list
- Internal numeric id for families
- Use ipv6 preference only when netinet headers not used
- Close stream if delete requested
- Remove version from title in web console
- Drop MESHNET build option
- Set data path before initialization
- Don't show registration block in web console if token is not provided
### Fixed
- Encrypted LeaseSet for EdDSA signature
- Clients tunnels are not built if clock is not synced on start
- Incorrect processing of i2cp.dontPublishLeaseSet param
- UDP tunnels reload
- Build for LibreSSL 3.5.2
- Race condition in short tunnel build message
- Race condition in local RouterInfo buffer allocation

## [2.41.0] - 2022-02-20
### Added
- Clock synchronization through SSU
- Drop routers older than 6 months on start
- Localization to German
- Don't send streaming ack too frequently
- Select compatible outbound tunnel for I2CP messages
- Restart webconsole's acceptor in case of exception
### Changed
- Use builtin bitswap for endian on windows
- Send SessionCreated before connection close if clock skew
- Try another floodfill for publishing if no compatible tunnels found
- Reduce memory usage for RouterInfo structures
- Avoid duplicated addresses in RouterInfo. Check presence of netId and version
- Use TCP/IP sockets for I2CP on Android instead local sockets
- Return uptime as integer in I2PControl
- Reseed servers list/certificates
- Webconsole's dark style colors
### Fixed
- Attempt to use Yggdrasil on start on Android
- Attempts to send peer tests to itself
- Severe packets drop in SSU
- Crash on tunnel tests
- Loading addressbook subscriptions from config
- Multiple I2CP session to the same destination
- Build on Apple Silicon

## [2.40.0] - 2021-11-29
### Added
- Keep alive parameter for client tunnels
- Support openssl 3.0.0
- Localization to Armenian
- Show git commit info in version
- Windows menu item for opening datadir
- Reseed if too few floodfills
- Don't publish old and replacing tunnel in LeaseSet
- Webconsole light/dark theme depending on system settings (via CSS)
### Changed
- Set gzip compression to false by default
- Build tunnel through ECIES routers only
- Removed ElGamal support for tunnels
- Moved webconsole resources to separate file
- Pick tunnels with compatible transport with another tunnel of floodfill
- Use common cleanup timer for all SSU sessions
- Reduced memory usage
- Reseed servers list
- i18n code called from ClientContext
### Fixed
- Tunnels reload
- Some typos in log messages
- Cleanup relay requests table
- Server tunnel is not published
- Build on GNU/Hurd. Disable pthread_setname_np
- Crash when incorrect sigtype used with blinding

## [2.39.0] - 2021-08-23
### Added
- Short tunnel build messages
- Localization. To: Russian, Ukrainian, Turkmen, Uzbek and Afrikaans
- Custom CSS styles for webconsole
- Avoid slow tunnels with more than 250 ms per hop
- Process DELAY_REQUESTED streaming option
- "certsdir" options for certificates location
- Keep own RouterInfo in NetDb
- Pick ECIES routers only for tunnels on non-x64
- NTP sync through ipv6
- Allow ipv6 addresses for UDP server tunnels
### Changed
- Rekey of all routers to ECIES
- Better distribution for random tunnel's peer selection
- Yggdrasil reseed for v0.4, added two more
- Encryption type 0,4 by default for server tunnels
- Handle i2cp.dontPublishLeaseSet param for all destinations
- reg.i2p for subscriptions
- LeaseSet type 3 by default
- Don't allocate payload buffer for every single ECIESx25519 message
- Prefer public ipv6 instead rfc4941
- Optimal padding for one-time ECIESx25519 message
- Don't send datetime block for one-time ECIESx25519 message with one-time key
- Router with expired introducer is still valid
- Don't disable floodfill if still reachable by ipv6
- Set minimal version for floodfill to 0.9.38
- Eliminate extra lookups for sequential fragments on tunnel endpoint
- Consistent path for explicit peers
- Always create new tunnel from exploratory pool
- Don't try to connect to a router not reachable from us
- Mark additional ipv6 addresses/nets as reserved (#1679)
### Fixed
- Zero-hop tunnels
- Crash upon SAM session termination
- Build with boost < 1.55.0
- Address type for NTCP2 acceptors
- Check of ipv4/ipv6 address
- Request router to send to if not in NetDb
- Count outbound traffic for zero-hop tunnels
- URLdecode domain for registration string generator in webconsole

## [2.38.0] - 2021-05-17
### Added
- Publish ipv6 introducers
- Bind ipv6 or yggdrasil NTCP2 acceptor to specified address
- Support .b32.i2p addresses and hostnames for SAM STREAM CREATE
- ipv6 peer tests
- Publish iexp param for introducers
- Show ipv6 network status on the webconsole
- EdDSA signing keys can also be blinded
- Show router version on the webconsole
### Changed
- Rekey of all routers but floodfills to ECIES
- Increased number of precalculated x25519 keys to 15
- Don't publish LeaseSet without inbound tunnels
- Reseed from compatible address (ipv4 or ipv6)
- Recognize v4 and v6 SSU addresses without host
- Inbound tunnel gateway must be ipv4 compatible
- Don't select next introducers from existing sessions
- Set X bandwidth for floodfill by default
### Fixed
- Incoming ECIES-x25519 session doesn't send updated LeaseSet
- Unique local address for server tunnels
- Race condition for LeaseSet creation in I2CP
- Relay tag for ipv6 introducer
- Already expired introducers
- Find connected router for first peer in tunnel
- Failed outgoing ECIES-x25519 session's tagset stays forever
- Yggdrasil address disappears if router becomes unreachable through ipv6
- Ignore SSU address/introducers if port is not specified
- Check identity and signature length for SSU SessionConfirmed

## [2.37.0] - 2021-03-15
### Added
- Address registration line for reg.i2p and stats.i2p through the web console
- "4" and "6" caps for addresses without published IP address
- Mesh and Proxy network statuses
- Symmetric NAT network status error
- Bind server tunnel connection to specified address
- lookuplocal BOB extended command
- address4 and address6 parameters to bind outgoing connections to
- Rekey of low-bandwidth routers to ECIES
- Popup notification windows when unable to parse config for Windows
### Changed
- Floodfills with "U" cap are not ignored anymore
- Check transports reachability between tunnel peers and between router and floodfill
- NTCP2 and reseed HTTP proxy support authorization now
- Show actual IP addresses for proxy connections
- Publish and handle SSU addresses without host
- Outbound tunnel endpoint must be ipv4 compatible
- Logging optimization
- Removed Windows service
### Fixed
- Incoming SSU session terminates after 5 seconds
- Outgoing NTCP2 ipv4 session even if ipv4 is disabled
- No incoming Yggdrasil connection if connected through NTCP2 proxy
- Race condition between tunnel build and floodfill requests decryption for ECIES routers
- Numeric bandwidth limitation
- Yggdrasil for Android

## [2.36.0] - 2021-02-15
### Added
- Encrypted lookup and publications to ECIES-x25519 floodfills
- Yggdrasil transports and reseeds
- Dump addressbook in hosts.txt format
- Request RouterInfo through exploratory tunnels if direct connection to floodfill is not possible
- Threads naming
- Check if public x25519 key is valid
- ECIES-X25519-AEAD-Ratchet for shared local destination
- LeaseSet creation timeout for I2CP session
- Resend RouterInfo after some interval for longer NTCP2 sessions
- Select reachable router of inbound tunnel gateway
- Reseed if no compatible routers in netdb
- Refresh on swipe in Android webconsole
### Changed
- reg.i2p for default addressbook instead inr.i2p
- ECIES-x25519 (crypto type 4) for new routers
- Try to connect to all compatible addresses from peer's RouterInfo
- Replace LeaseSet completely if store type changes
- Try ECIES-X25519-AEAD-Ratchet tag before ElGamal
- Don't detach ECIES-X25519-AEAD-Ratchet session from destination immediately
- Viewport and styles on error in HTTP proxy
- Don't create notification when Windows taskbar restarted
- Cumulative SSU ACK bitfields
- limit tunnel length to 8 hops
- Limit tunnels quantity to 16
### Fixed
- Handling chunked HTTP response in addressbook
- Missing ECIES-X25519-AEAD-Ratchet tags for multiple streams with the same destination
- Correct NAME for NAMING REPLY in SAM
- SSU crash on termination
- Offline signature length for stream close packet
- Don't send updated LeaseSet through a terminated session
- Decryption of follow-on ECIES-X25519-AEAD-Ratchet NSR messages
- Non-confirmed LeaseSet is resent too late for ECIES-X25519-AEAD-Ratchet session

## [2.35.0] - 2020-11-30
### Added
- ECIES-x25519 routers
- Random intro keys for SSU
- Graceful shutdown timer for windows
- Send queue for I2CP messages
- Update DSA router keys to EdDSA
- TCP_QUICKACK for NTCP2 sockets on Linux
### Changed
- Exclude floodfills with DSA signatures and < 0.9.28
- Random intervals between tunnel tests and manage for tunnel pools
- Don't replace an addressbook record by one with DSA signature
- Publish RouterInfo after update
- Create paired inbound tunnels if no inbound tunnels yet
- Reseed servers list
### Fixed
- Transient signature length, if different from identity
- Terminate I2CP session if destroyed
- RouterInfo publishing confirmation
- Check if ECIES-X25519-AEAD-Ratchet session expired before generating more tags
- Correct block size for delivery type local for ECIES-X25519-AEAD-Ratchet

## [2.34.0] - 2020-10-27
### Added
- Ping responses for streaming
- STREAM FORWARD for SAM
- Tunnels through ECIES-x25519 routers
- Single thread for I2CP
- Shared transient destination between proxies
- Database lookups from ECIES destinations with ratchets response
- Handle WebDAV HTTP methods
- Don't try to connect or build tunnels if offline
- Validate IP when trying connect to remote peer
- Handle ICMP responses and WinAPI errors for SSU
### Changed
- Removed NTCP
- Dropped gcc 4.7 support
- Encryption type 0,4 by default for client tunnels
- Stripped out some HTTP header for HTTP server response
- HTTP 1.1 addressbook requests
- Set LeaseSet type to 3 for ratchets if not specified
- Handle SSU v4 and v6 messages in one thread
- Eliminate DH keys thread
### Fixed
- Random crashes on I2CP session disconnect
- Stream through ratchets hangs if first SYN was not acked
- Check "Last-Modified" instead "If-Modified-Since" for addressbook response
- Trim behind ECIESx25519 tags
- Few bugs with Android main activity
- QT visual and layout issues

## [2.33.0] - 2020-08-24
### Added
- Shared transient addresses
- crypto.ratchet.inboundTags parameter
- Multiple encryption keys through I2CP
- Pre-calculated x25519 ephemeral keys
- Change datagram routing path if nothing comes back in 10 seconds
- Shared routing path for datagram session
### Changed
- UDP tunnels send mix of repliable and raw datagrams in bulk
- Encrypt SSU packet again upon resend
- Start new tunnel message if remaining buffer is too small
- Use LeaseSet2 for ECIES-X25519-AEAD-Ratchet automatically
- Save new ECIES-X25519-AEAD-Ratchet session with NSR tagset
- Generate random padding lengths for ECIES-X25519-AEAD-Ratchet in bulk
- Webconsole layout
- Reseed servers list
### Fixed
- Don't connect through terminated SAM destination
- Differentiate UDP server sessions by port
- ECIES-X25519-AEAD-Ratchet through I2CP
- Don't save invalid address to AddressBook
- ECDSA signatures names in SAM
- AppArmor profile

## [2.32.1] - 2020-06-02
### Added
- Read explicit peers in tunnels config
### Fixed
- Generation of tags for detached sessions
- Non-updating LeaseSet1
- Start when deprecated websocket options present in i2pd.conf

## [2.32.0] - 2020-05-25
### Added
- Multiple encryption types for local destinations
- Next key and tagset for ECIES-X25519-AEAD-Ratchet
- NTCP2 through SOCKS proxy
- Throw error message if any port to bind is occupied
- gzip parameter for UDP tunnels
- Show ECIES-X25519-AEAD-Ratchet sessions and tags on the web console
- Simplified implementation of gzip for no compression mode
- Allow ECIES-X25519-AEAD-Ratchet session restart after 2 minutes
- Added logrotate config for rpm package
### Changed
- Select peers for client tunnels among routers >= 0.9.36
- Check ECIES flag for encrypted lookup reply
- Streaming MTU size 1812 for ECIES-X25519-AEAD-Ratchet
- Don't calculate checksum for Data message send through ECIES-X25519-AEAD-Ratchet
- Catch network connectivity status for Windows
- Stop as soon as no more transit tunnels during graceful shutdown for Android
- RouterInfo gzip compression level depends on size
- Send response to received datagram from ECIES-X25519-AEAD-Ratchet session
- Update webconsole functional
- Increased max transit tunnels limit
- Reseeds list
- Dropped windows support in cmake
### Fixed
- Correct timestamp check for LeaseSet2
- Encrypted leaseset without authentication
- Change SOCKS proxy connection response for clients without socks5h support (#1336)

## [2.31.0] - 2020-04-10
### Added
- NTCP2 through HTTP proxy
- Publish LeaseSet2 for I2CP destinations
- Show status page on main activity for android
- Handle ECIESFlag in DatabaseLookup at floodfill
- C++17 features for eligible compilers
### Changed
- Dropped Websockets and Lua support
- Send DeliveryStatusMsg for LeaseSet for ECIES-X25519-AEAD-Ratchet
- Keep sending new session reply until established for ECIES-X25519-AEAD-Ratchet
- Updated SSU log messages
- Reopen SSU socket on exception
- Security hardening headers in web console
- Various web console changes
- Various QT changes
### Fixed
- NTCP2 socket descriptors leak
- Race condition with router's identity in transport sessions
- Not terminated streams remain forever

## [2.30.0] - 2020-02-25
### Added
- Single threaded SAM
- Experimental support of ECIES-X25519-AEAD-Ratchet crypto type
### Changed
- Minimal MTU size is 1280 for ipv6
- Use unordered_map instead map for destination's sessions and tags list
- Use std::shuffle instead std::random_shuffle
- SAM is single threaded by default
- Reseeds list
### Fixed
- Correct termination of streaming destination
- Extra ',' in RouterInfo response in I2PControl
- SAM crash on session termination
- Storage for Android 10

## [2.29.0] - 2019-10-21
### Added
- Client auth flag for b33 address
### Changed
- Remove incoming NTCP2 session from pending list when established
- Handle errors for NTCP2 SessionConfirmed send
### Fixed
- Failure to start on Windows XP
- SAM crash if invalid lookup address
- Possible crash when UPnP enabled on shutdown

## [2.28.0] - 2019-08-27
### Added
- RAW datagrams in SAM
- Publishing encrypted LeaseSet2 with DH or PSK authentication
- Ability to disable battery optimization for Android
- Transport Network ID Check
### Changed
- Set and handle published encrypted flag for LeaseSet2
### Fixed
- ReceiveID changes in the same stream
- "\r\n" command terminator in SAM
- Addressbook lines with signatures

## [2.27.0] - 2019-07-03
### Added
- Support of PSK and DH authentication for encrypted LeaseSet2
### Changed
- Uptime is based on monotonic timer
### Fixed
- BOB status command response
- Correct NTCP2 port if NTCP is disabled
- Flood encrypted LeaseSet2 with store hash

## [2.26.0] - 2019-06-07
### Added
- HTTP method "PROPFIND"
- Detection of external ipv6 address through the SSU
- NTCP2 publishing depends on network status
### Changed
- ntcp is disabled by default, ntcp2 is published by default
- Response to BOB's "list" command
- ipv6 address is no longer NTCP's local endpoint's address
- Reseeds list
- HTTP_REFERER stripping in httpproxy (#823)
### Fixed
- Check and handle incorrect BOB input
- Ignore introducers for NTCP or NTCP2 addresses
- RouterInfo check from NTCP2

## [2.25.0] - 2019-05-09
### Added
- Create, publish and handle encrypted LeaseSet2
- Support of b33 addresses
- RedDSA key blinding
- .b32.i2p addresses in jump links
- ntcp2.addressv6 parameter
### Changed
- Allow HTTP headers without value
- Set data directory from external storage path for Android
- addresshelper support is configurable per tunnel
- gradlew script for android build
### Fixed
- Deletion of expired encrypted LeaseSet2 on floodfills
- ipv6 fallback address
- SSU incoming packets routing

## [2.24.0] - 2019-03-21
### Added
- Support of transient keys for LeaseSet2
- Support of encrypted LeaseSet2
- Recognize signature type 11 (RedDSA)
- Support websocket connections over HTTP proxy
- Ability to disable full addressbook persist
### Changed
- Don't load peer profiles if non-persistent
- REUSE_ADDR for ipv6 acceptors
- Reset eTags if addressbook can't be loaded
### Fixed
- Build with boost 1.70
- Filter out unspecified addresses from RouterInfo
- Check floodfill status change
- Correct SAM response for invalid key
- SAM crash on termination for Windows
- Race condition for publishing

## [2.23.0] - 2019-01-21
### Added
- Standard LeaseSet2 support
- Ability to adjust timestamps through the NTP
- Ability to disable peer profile persist
- Request permission for android >= 6
- Initial addressbook to android assets
- Cancel graceful shutdown for android
- Russian translation for android
### Changed
- Chacha20 and Poly1305 implementation
- Eliminate extra copy of NTCP2 send buffers
- Extract content of tunnel.d from assets on android
- Removed name resolvers from transports
- Update reseed certificates
### Fixed
- LeaseSet published content verification
- Exclude invalid LeaseSets from the list on a floodfill
- Build for OpenWrt with openssl 1.1.1

## [2.22.0] - 2018-11-09
### Added
- Multiple tunnel config files from tunnels.d folder
### Changed
- Fetch own RouterInfo upon SessionRequest for NTCP2
- Faster XOR between AES blocks for non AVX capable CPUs
### Fixed
- Fixed NTCP2 termination send

## [2.21.1] - 2018-10-22
### Changed
- cost=13 for unpublished NTCP2 address
### Fixed
- Handle I2NP messages longer than 32K

## [2.21.0] - 2018-10-04
### Added
- EdDSA, x25519 and SipHash from openssl 1.1.1
- NTCP2 ipv6 incoming connections
- Show total number of destination's outgoing tags in the web console
### Changed
- Android build with openssl 1.1.1/boost 1.64
- Bandwidth classes 'P' and 'X' don't add 'O' anymore
### Fixed
- Update own RouterInfo if no SSU
- Recognize 'P' and 'X' routers as high bandwidth without 'O'
- NTCP address doesn't disappear if NTCP2 enabled
- Android with api 26+

## [2.20.0] - 2018-08-23
### Added
- Full implementation of NTCP2
- Assets for android
### Changed
- armeabi-v7a and x86 in one apk for android
- NTCP2 is enabled by default
- Show lease's expiration time in readable format in the web console
### Fixed
- Correct names for transports in the web console

## [2.19.0] - 2018-06-26
### Added
- ECIES support for RouterInfo
- HTTP outproxy
authorization - AVX/AESNI runtime detection - Initial implementation of NTCP2 - I2CP session reconfigure - I2CP method ClientServicesInfo - Datagrams to websocks ### Changed - RouterInfo uses EdDSA signature by default - Remove stream bans - Android build system changed to gradle - Multiple changes in QT GUI - Dockerfile ### Fixed - zero tunnelID issue - tunnels reload - headers in webconsole - XSS in webconsole from SAM session name - build for gcc 8 - cmake build scripts - systemd service files - some netbsd issues ## [2.18.0] - 2018-01-30 ### Added - Show tunnel nicknames for I2CP destination in WebUI - Re-create HTTP and SOCKS proxy by tunnel reload - Graceful shutdown as soon as no more transit tunnels ### Changed - Regenerate shared local destination by tunnel reload - Use transient local destination by default if not specified - Return correct code if pid file can't be created - Timing and number of attempts for adressbook requests - Certificates list ### Fixed - Malformed addressbook subsctiption request - Build with boost 1.66 - Few race conditions for SAM - Check LeaseSet's signature before update ## [2.17.0] - 2017-12-04 ### Added - Reseed through HTTP and SOCKS proxy - Show status of client services through web console - Change log level through web connsole - transient keys for tunnels - i2p.streaming.initialAckDelay parameter - CRYPTO_TYPE for SAM destination - signature and crypto type for newkeys BOB command ### Changed - Correct publication of ECIES destinations - Disable RSA signatures completely ### Fixed - CVE-2017-17066 - Possible buffer overflow for RSA-4096 - Shutdown from web console for Windows - Web console page layout ## [2.16.0] - 2017-11-13 ### Added - https and "Connect" method for HTTP proxy - outproxy for HTTP proxy - initial support of ECIES crypto - NTCP soft and hard descriptors limits - Support full timestamps in logs ### Changed - Faster implementation of GOST R 34.11 hash - Reject routers with RSA signtures - Reload config and 
shudown from Windows GUI - Update tunnels address(destination) without restart ### Fixed - BOB crashes if destination is not set - Correct SAM tunnel name - QT GUI issues ## [2.15.0] - 2017-08-17 ### Added - QT GUI - Ability to add and remove I2P tunnels without restart - Ability to disable SOCKS outproxy option ### Changed - Strip-out Accept-* hedaers in HTTP proxy - Don't run peer test if nat=false - Separate output of NTCP and SSU sessions in Transports tab ### Fixed - Handle lines with comments in hosts.txt file for address book - Run router with empty netdb for testnet - Skip expired introducers by iexp ## [2.14.0] - 2017-06-01 ### Added - Transit traffic bandwidth limitation - NTCP connections through HTTP and SOCKS proxies - Ability to disable address helper for HTTP proxy ### Changed - Reseed servers list - Minimal required version is 4.0 for Android ### Fixed - Ignore comments in addressbook feed ## [2.13.0] - 2017-04-06 ### Added - Persist local destination's tags - GOST signature types 9 and 10 - Exploratory tunnels configuration ### Changed - Reseed servers list - Inactive NTCP sockets get closed faster - Some EdDSA speed up ### Fixed - Multiple acceptors for SAM - Follow on data after STREAM CREATE for SAM - Memory leaks ## [2.12.0] - 2017-02-14 ### Added - Additional HTTP and SOCKS proxy tunnels - Reseed from ZIP archive - Some stats in a main window for Windows version ### Changed - Reseed servers list - MTU of 1488 for ipv6 - Android and Mac OS X versions use OpenSSL 1.1 - New logo for Android ### Fixed - Multiple memory leaks - Incomptibility of some EdDSA private keys with Java - Clock skew for Windows XP - Occasional crashes with I2PSnark ## [2.11.0] - 2016-12-18 ### Added - Websockets support - Reseed through a floodfill - Tunnel configuration for HTTP and SOCKS proxy - Zero-hops tunnels for destinations - Multiple acceptors for SAM ### Changed - Reseed servers list - DHT uses AVX if applicable - New logo - LeaseSet lookups ### Fixed - HTTP 
Proxy connection reset for Windows - Crash upon SAM session termination - Can't connect to a destination for a longer time after restart - Mass packet loss for UDP tunnels ## [2.10.2] - 2016-12-04 ### Fixed - Fixes UPnP discovery bug, producing excessive CPU usage - Fixes sudden SSU thread stop for Windows. ## [2.10.1] - 2016-11-07 ### Fixed - Fixed some performance issues for Windows and Android ## [2.10.0] - 2016-10-17 ### Added - Datagram i2p tunnels - Unique local addresses for server tunnels - Configurable list of reseed servers and initial addressbook - Configurable netid - Initial iOS support ### Changed - Reduced file descriptors usage - Strict reseed checks enabled by default ## Fixed - Multiple fixes in I2CP and BOB implementations ## [2.9.0] - 2016-08-12 ### Changed - Proxy refactoring & speedup - Transmission-I2P support - Graceful shutdown for Windows - Android without QT - Reduced number of timers in SSU - ipv6 peer test support - Reseed from SU3 file ## [2.8.0] - 2016-06-20 ### Added - Basic Android support - I2CP implementation - 'doxygen' target ### Changed - I2PControl refactoring & fixes (proper jsonrpc responses on errors) - boost::regex no more needed ### Fixed - initscripts: added openrc one, in sysv-ish make I2PD_PORT optional - properly close NTCP sessions (memleak) ## [2.7.0] - 2016-05-18 ### Added - Precomputed El-Gamal/DH tables - Configurable limit of transit tunnels ### Changed - Speed-up of asymmetric crypto for non-x64 platforms - Refactoring of web-console ## [2.6.0] - 2016-03-31 ### Added - Graceful shutdown on SIGINT - Numeric bandwidth limits (was: by router class) - Jumpservices in web-console - Logging to syslog - Tray icon for windows application ### Changed - Logs refactoring - Improved statistics in web-console ### Deprecated: - Renamed main/tunnels config files (will use old, if found, but emits warning) ## [2.5.1] - 2016-03-10 ### Fixed - Doesn't create ~/.i2pd dir if missing ## [2.5.0] - 2016-03-04 ### Added - IRC server 
tunnels - SOCKS outproxy support - Support for gzipped addressbook updates - Support for router families ### Changed - Shared RTT/RTO between streams - Filesystem work refactoring ## [2.4.0] - 2016-02-03 ### Added - X-I2P-* headers for server http-tunnels - I2CP options for I2P tunnels - Show I2P tunnels in webconsole ### Changed - Refactoring of cmdline/config parsing ## [2.3.0] - 2016-01-12 ### Added - Support for new router bandwidth class codes (P and X) - I2PControl supports external webui - Added --pidfile and --notransit parameters - Ability to specify signature type for i2p tunnel ### Changed - Fixed multiple floodfill-related bugs - New webconsole layout ## [2.2.0] - 2015-12-22 ### Added - Ability to connect to router without ip via introducer ### Changed - Persist temporary encryption keys for local destinations - Performance improvements for EdDSA - New addressbook structure ## [2.1.0] - 2015-11-12 ### Added - Implementation of EdDSA ### Changed - EdDSA is default signature type for new RouterInfos