Use libsecp256k1 instead of openssl for crypto.

We still use openssl for bignums (base58) and for ripemd.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

Makefile

@@ -17,7 +17,7 @@ CCAN_OBJS := ccan-crypto-sha256.o ccan-crypto-shachain.o ccan-err.o ccan-tal.o c
 HEADERS := $(wildcard *.h)
 
 CCANDIR := ccan/
-CFLAGS := -g -Wall -I $(CCANDIR) -DVALGRIND_HEADERS=1 $(FEATURES)
+CFLAGS := -g -Wall -I $(CCANDIR) -I secp256k1/include/ -DVALGRIND_HEADERS=1 $(FEATURES)
 LDLIBS := -lcrypto -lprotobuf-c
 $(PROGRAMS): CFLAGS+=-I.
 

bitcoin/base58.c

@@ -5,12 +5,13 @@
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
 #include <ccan/build_assert/build_assert.h>
 #include <ccan/tal/str/str.h>
-#include <openssl/obj_mac.h>
+#include <openssl/bn.h>
-#include <openssl/sha.h>
 #include <assert.h>
+#include <secp256k1.h>
 #include <string.h>
 #include "address.h"
 #include "base58.h"
+#include "privkey.h"
 #include "pubkey.h"
 #include "shadouble.h"
 
@@ -247,20 +248,13 @@ bool ripemd_from_base58(u8 *version, u8 ripemd160[RIPEMD160_DIGEST_LENGTH],
 	return true;
 }
 
-char *key_to_base58(const tal_t *ctx, bool test_net, EC_KEY *key)
+char *key_to_base58(const tal_t *ctx, bool test_net, const struct privkey *key)
 {
 	u8 buf[1 + 32 + 1 + 4];
 	char out[BASE58_KEY_MAX_LEN + 2], *p;
-        const BIGNUM *bn = EC_KEY_get0_private_key(key);
-	int len;
 
 	buf[0] = test_net ? 239 : 128;
-
+	memcpy(buf + 1, key->secret, sizeof(key->secret));
-	/* Make sure any zeroes are at the front of number (MSB) */
-	len = BN_num_bytes(bn);
-	assert(len <= 32);
-	memset(buf + 1, 0, 32 - len);
-	BN_bn2bin(bn, buf + 1 + 32 - len);
 
 	/* Mark this as a compressed key. */
 	buf[1 + 32] = 1;
@@ -272,53 +266,25 @@ char *key_to_base58(const tal_t *ctx, bool test_net, EC_KEY *key)
 	return tal_strdup(ctx, p);
 }
 
-// Thus function based on bitcoin's key.cpp:
+bool key_from_base58(const char *base58, size_t base58_len,
-// Copyright (c) 2009-2012 The Bitcoin developers
+		     bool *test_net, struct privkey *priv, struct pubkey *key)
-// Distributed under the MIT/X11 software license, see the accompanying
-// file COPYING or http://www.opensource.org/licenses/mit-license.php.
-static bool EC_KEY_regenerate_key(EC_KEY *eckey, BIGNUM *priv_key)
-{
-	BN_CTX *ctx = NULL;
-	EC_POINT *pub_key = NULL;
-	const EC_GROUP *group = EC_KEY_get0_group(eckey);
-
-	if ((ctx = BN_CTX_new()) == NULL)
-		return false;
-
-	pub_key = EC_POINT_new(group);
-	if (pub_key == NULL)
-		return false;
-
-	if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, ctx))
-		return false;
-
-	EC_KEY_set_private_key(eckey, priv_key);
-	EC_KEY_set_public_key(eckey, pub_key);
-
-	BN_CTX_free(ctx);
-	EC_POINT_free(pub_key);
-	return true;
-}
-
-EC_KEY *key_from_base58(const char *base58, size_t base58_len,
-			bool *test_net, struct pubkey *key)
 {
-	size_t keylen;
+	u8 keybuf[1 + 32 + 1 + 4];
-	u8 keybuf[1 + 32 + 1 + 4], *kptr;
 	u8 csum[4];
-	EC_KEY *priv;
 	BIGNUM bn;
-	point_conversion_form_t cform;
+	bool compressed;
-
+	secp256k1_context_t *secpctx;
+	int keylen;
+	
 	BN_init(&bn);
 	if (!raw_decode_base58(&bn, base58, base58_len))
-		return NULL;
+		return false;
 
 	keylen = BN_num_bytes(&bn);
 	if (keylen == 1 + 32 + 4)
-		cform = POINT_CONVERSION_UNCOMPRESSED;
+		compressed = false;
 	else if (keylen == 1 + 32 + 1 + 4)
-		cform = POINT_CONVERSION_COMPRESSED;
+		compressed = true;
 	else
 		goto fail_free_bn;
 	BN_bn2bin(&bn, keybuf);
@@ -328,7 +294,7 @@ EC_KEY *key_from_base58(const char *base58, size_t base58_len,
 		goto fail_free_bn;
 
 	/* Byte after key should be 1 to represent a compressed key. */
-	if (cform == POINT_CONVERSION_COMPRESSED && keybuf[1 + 32] != 1)
+	if (compressed && keybuf[1 + 32] != 1)
 		goto fail_free_bn;
 
 	if (keybuf[0] == 128)
@@ -338,27 +304,26 @@ EC_KEY *key_from_base58(const char *base58, size_t base58_len,
 	else
 		goto fail_free_bn;
 
-	priv = EC_KEY_new_by_curve_name(NID_secp256k1);
+	/* Copy out secret. */
-	EC_KEY_set_conv_form(priv, cform);
+	memcpy(priv->secret, keybuf + 1, sizeof(priv->secret));
 
-	BN_free(&bn);
+	secpctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
-        BN_init(&bn);
+	if (!secp256k1_ec_seckey_verify(secpctx, priv->secret))
-        if (!BN_bin2bn(keybuf + 1, 32, &bn))
+		goto fail_free_secpctx;
-		goto fail_free_priv;
+
-        if (!EC_KEY_regenerate_key(priv, &bn))
+	/* Get public key, too. */
-		goto fail_free_priv;
+	if (!secp256k1_ec_pubkey_create(secpctx, key->key, &keylen,
-
+					priv->secret, compressed))
-	/* Save public key */ 
+		goto fail_free_secpctx;
-	kptr = key->key;
-	keylen = i2o_ECPublicKey(priv, &kptr);
 	assert(keylen == pubkey_len(key));
 
 	BN_free(&bn);
-	return priv;
+	secp256k1_context_destroy(secpctx);
+	return true;
 
-fail_free_priv:
+fail_free_secpctx:
-	EC_KEY_free(priv);
+	secp256k1_context_destroy(secpctx);
 fail_free_bn:
 	BN_free(&bn);
-	return NULL;
+	return false;
 }

bitcoin/base58.h

@@ -3,13 +3,13 @@
 /* FIXME: Use libsecpk1 */
 #include <ccan/short_types/short_types.h>
 #include <ccan/tal/tal.h>
-#include <openssl/bn.h>
-#include <openssl/ec.h>
 #include <openssl/ripemd.h>
+#include <openssl/bn.h>
 #include <stdbool.h>
 #include <stdlib.h>
 
 struct pubkey;
+struct privkey;
 struct bitcoin_address;
 
 /* Encoding is version byte + ripemd160 + 4-byte checksum == 200 bits => 2^200.
@@ -36,9 +36,9 @@ bool ripemd_from_base58(u8 *version, u8 ripemd160[RIPEMD160_DIGEST_LENGTH],
 char *base58_with_check(char dest[BASE58_ADDR_MAX_LEN],
 			u8 buf[1 + RIPEMD160_DIGEST_LENGTH + 4]);
 
-char *key_to_base58(const tal_t *ctx, bool test_net, EC_KEY *key);
+char *key_to_base58(const tal_t *ctx, bool test_net, const struct privkey *key);
-EC_KEY *key_from_base58(const char *base58, size_t base58_len,
+bool key_from_base58(const char *base58, size_t base58_len,
-			bool *test_net, struct pubkey *key);
+		     bool *test_net, struct privkey *priv, struct pubkey *key);
 
 bool raw_decode_base_n(BIGNUM *bn, const char *src, size_t len, int base);
 bool raw_decode_base58(BIGNUM *bn, const char *src, size_t len);

bitcoin/privkey.h

@@ -0,0 +1,10 @@
+#ifndef LIGHTNING_BITCOIN_PRIVKEY_H
+#define LIGHTNING_BITCOIN_PRIVKEY_H
+#include <ccan/short_types/short_types.h>
+
+/* This is a private key.  Keep it secret. */
+struct privkey {
+	u8 secret[32];
+};
+
+#endif /* LIGHTNING_BITCOIN_PRIVKEY_H */

bitcoin/pubkey.c

@@ -1,5 +1,4 @@
 #include <ccan/str/hex/hex.h>
-#include <openssl/ecdsa.h>
 #include <assert.h>
 #include "pubkey.h"
 

bitcoin/signature.c

@@ -1,11 +1,11 @@
 #include <ccan/cast/cast.h>
+#include "privkey.h"
 #include "pubkey.h"
 #include "script.h"
+#include "secp256k1.h"
 #include "shadouble.h"
 #include "signature.h"
 #include "tx.h"
-#include <openssl/bn.h>
-#include <openssl/obj_mac.h>
 #include <assert.h>
 
 #undef DEBUG
@@ -64,46 +64,23 @@ static void dump_tx(const char *msg,
 }
 #endif
 	
-bool sign_hash(const tal_t *ctx, EC_KEY *private_key,
+bool sign_hash(const tal_t *ctx, const struct privkey *privkey,
 	       const struct sha256_double *h,
 	       struct signature *s)
 {
-	ECDSA_SIG *sig;
+	secp256k1_context_t *secpctx;
-	int len;
+	bool ok;
 	
-	sig = ECDSA_do_sign(h->sha.u.u8, sizeof(*h), private_key);
+	secpctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
-	if (!sig)
+	if (!secpctx)
 		return false;
 
-	/* See https://github.com/sipa/bitcoin/commit/a81cd9680.
+	ok = secp256k1_ecdsa_sign_compact(secpctx, h->sha.u.u8,
-	 * There can only be one signature with an even S, so make sure we
+					  (unsigned char *)s,
-	 * get that one. */
+					  privkey->secret, NULL, NULL, NULL);
-	if (BN_is_odd(sig->s)) {
+
-		const EC_GROUP *group;
+	secp256k1_context_destroy(secpctx);
-		BIGNUM order;
+	return ok;
-
-		BN_init(&order);
-		group = EC_KEY_get0_group(private_key);
-		EC_GROUP_get_order(group, &order, NULL);
-		BN_sub(sig->s, &order, sig->s);
-		BN_free(&order);
-
-		assert(!BN_is_odd(sig->s));
-        }
-
-	/* In case numbers are small. */
-	memset(s, 0, sizeof(*s));
-
-	/* Pack r and s into signature, 32 bytes each. */
-	len = BN_num_bytes(sig->r);
-	assert(len <= sizeof(s->r));
-	BN_bn2bin(sig->r, s->r + sizeof(s->r) - len);
-	len = BN_num_bytes(sig->s);
-	assert(len <= sizeof(s->s));
-	BN_bn2bin(sig->s, s->s + sizeof(s->s) - len);
-
-	ECDSA_SIG_free(sig);
-	return true;
 }
 
 /* Only does SIGHASH_ALL */
@@ -139,7 +116,7 @@ static void sha256_tx_one_input(struct bitcoin_tx *tx,
 bool sign_tx_input(const tal_t *ctx, struct bitcoin_tx *tx,
 		   unsigned int in,
 		   const u8 *subscript, size_t subscript_len,
-		   EC_KEY *privkey, const struct pubkey *key,
+		   const struct privkey *privkey, const struct pubkey *key,
 		   struct signature *sig)
 {
 	struct sha256_double hash;
@@ -153,46 +130,23 @@ static bool check_signed_hash(const struct sha256_double *hash,
 			      const struct signature *signature,
 			      const struct pubkey *key)
 {
-	bool ok = false;	
+	int ret;
-	BIGNUM r, s;
+	secp256k1_context_t *secpctx;
-	ECDSA_SIG sig = { &r, &s };
+	u8 der[72];
-	EC_KEY *eckey = EC_KEY_new_by_curve_name(NID_secp256k1);
+	size_t der_len;
-	const unsigned char *k = key->key;
-
-	/* S must be even: https://github.com/sipa/bitcoin/commit/a81cd9680 */
-	assert((signature->s[31] & 1) == 0);
-
-	/* Unpack public key. */
-	if (!o2i_ECPublicKey(&eckey, &k, pubkey_len(key)))
-		goto out;
-
-	/* Unpack signature. */
-	BN_init(&r);
-	BN_init(&s);
-	if (!BN_bin2bn(signature->r, sizeof(signature->r), &r)
-	    || !BN_bin2bn(signature->s, sizeof(signature->s), &s))
-		goto free_bns;
-
-	/* Now verify hash with public key and signature. */
-	switch (ECDSA_do_verify(hash->sha.u.u8, sizeof(hash->sha.u), &sig,
-				eckey)) {
-	case 0:
-		/* Invalid signature */
-		goto free_bns;
-	case -1:
-		/* Malformed or other error. */
-		goto free_bns;
-	}
 
-	ok = true;
+	/* FIXME: secp256k1 missing secp256k1_ecdsa_verify_compact */
+	der_len = signature_to_der(der, signature);
+
+	secpctx = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
+	if (!secpctx)
+		return false;
 
-free_bns:
+	ret = secp256k1_ecdsa_verify(secpctx, hash->sha.u.u8, der, der_len,
-	BN_free(&r);
+				     key->key, pubkey_len(key));
-	BN_free(&s);
 
-out:
+	secp256k1_context_destroy(secpctx);
-	EC_KEY_free(eckey);
+	return ret == 1;
-        return ok;
 }
 
 bool check_tx_sig(struct bitcoin_tx *tx, size_t input_num,

bitcoin/signature.h

@@ -2,7 +2,6 @@
 #define LIGHTNING_BITCOIN_SIGNATURE_H
 #include <ccan/short_types/short_types.h>
 #include <ccan/tal/tal.h>
-#include <openssl/ecdsa.h>
 
 enum sighash_type {
     SIGHASH_ALL = 1,
@@ -20,10 +19,11 @@ struct signature {
 struct sha256_double;
 struct bitcoin_tx;
 struct pubkey;
+struct privkey;
 struct bitcoin_tx_output;
 struct bitcoin_signature;
 
-bool sign_hash(const tal_t *ctx, EC_KEY *private_key,
+bool sign_hash(const tal_t *ctx, const struct privkey *p,
 	       const struct sha256_double *h,
 	       struct signature *s);
 
@@ -31,7 +31,7 @@ bool sign_hash(const tal_t *ctx, EC_KEY *private_key,
 bool sign_tx_input(const tal_t *ctx, struct bitcoin_tx *tx,
 		   unsigned int in,
 		   const u8 *subscript, size_t subscript_len,
-		   EC_KEY *privkey, const struct pubkey *pubkey,
+		   const struct privkey *privkey, const struct pubkey *pubkey,
 		   struct signature *sig);
 
 /* Does this sig sign the tx with this input for this pubkey. */

test-cli/check-anchor-scriptsigs.c

@@ -15,7 +15,6 @@
 #include "bitcoin/signature.h"
 #include "commit_tx.h"
 #include "bitcoin/pubkey.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])

test-cli/check-commit-sig.c

@@ -14,8 +14,8 @@
 #include "bitcoin/signature.h"
 #include "commit_tx.h"
 #include "bitcoin/pubkey.h"
+#include "bitcoin/privkey.h"
 #include "protobuf_convert.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])
@@ -30,7 +30,7 @@ int main(int argc, char *argv[])
 	struct pubkey pubkey1, pubkey2;
 	struct bitcoin_signature sig1, sig2;
 	char *tx_hex;
-	EC_KEY *privkey;
+	struct privkey privkey;
 	bool testnet;
 	struct sha256 rhash;
 
@@ -50,8 +50,7 @@ int main(int argc, char *argv[])
 	o2 = pkt_from_file(argv[2], PKT__PKT_OPEN)->open;
 	cs2 = pkt_from_file(argv[3], PKT__PKT_OPEN_COMMIT_SIG)->open_commit_sig;
 
-	privkey = key_from_base58(argv[4], strlen(argv[4]), &testnet, &pubkey1);
+	if (!key_from_base58(argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
-	if (!privkey)
 		errx(1, "Invalid private key '%s'", argv[4]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[4]);
@@ -84,7 +83,7 @@ int main(int argc, char *argv[])
 	sig1.stype = SIGHASH_ALL;
 	subscript = bitcoin_redeem_2of2(ctx, &pubkey1, &pubkey2);
 	sign_tx_input(ctx, commit, 0, subscript, tal_count(subscript),
-		      privkey, &pubkey1, &sig1.sig);
+		      &privkey, &pubkey1, &sig1.sig);
 
 	/* Signatures well-formed? */
 	if (!proto_to_signature(cs2->sig, &sig2.sig))

test-cli/close-channel.c

@@ -13,10 +13,10 @@
 #include "permute_tx.h"
 #include "bitcoin/signature.h"
 #include "bitcoin/pubkey.h"
+#include "bitcoin/privkey.h"
 #include "close_tx.h"
 #include "find_p2sh_out.h"
 #include "protobuf_convert.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])
@@ -27,7 +27,7 @@ int main(int argc, char *argv[])
 	struct sha256_double anchor_txid;
 	struct pkt *pkt;
 	struct signature sig;
-	EC_KEY *privkey;
+	struct privkey privkey;
 	bool testnet, complete = false;
 	struct pubkey pubkey1, pubkey2;
 	u8 *redeemscript;
@@ -53,8 +53,7 @@ int main(int argc, char *argv[])
 	o1 = pkt_from_file(argv[2], PKT__PKT_OPEN)->open;
 	o2 = pkt_from_file(argv[3], PKT__PKT_OPEN)->open;
 
-	privkey = key_from_base58(argv[4], strlen(argv[4]), &testnet, &pubkey1);
+	if (!key_from_base58(argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
-	if (!privkey)
 		errx(1, "Invalid private key '%s'", argv[4]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[4]);
@@ -88,7 +87,7 @@ int main(int argc, char *argv[])
 
 	/* Sign it for them. */
 	sign_tx_input(ctx, close_tx, 0, redeemscript, tal_count(redeemscript),
-		      privkey, &pubkey1, &sig);
+		      &privkey, &pubkey1, &sig);
 
 	if (complete)
 		pkt = close_channel_complete_pkt(ctx, &sig);

test-cli/create-close-tx.c

@@ -16,7 +16,6 @@
 #include "close_tx.h"
 #include "find_p2sh_out.h"
 #include "protobuf_convert.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])

test-cli/create-commit-spend-tx.c

@@ -15,11 +15,11 @@
 #include "bitcoin/signature.h"
 #include "commit_tx.h"
 #include "bitcoin/pubkey.h"
+#include "bitcoin/privkey.h"
 #include "bitcoin/address.h"
 #include "opt_bits.h"
 #include "find_p2sh_out.h"
 #include "protobuf_convert.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])
@@ -28,7 +28,7 @@ int main(int argc, char *argv[])
 	OpenChannel *o1, *o2;
 	struct bitcoin_tx *commit, *tx;
 	struct bitcoin_signature sig;
-	EC_KEY *privkey;
+	struct privkey privkey;
 	bool testnet;
 	struct pubkey pubkey1, pubkey2, outpubkey;
 	u8 *redeemscript, *tx_arr;
@@ -63,8 +63,7 @@ int main(int argc, char *argv[])
 		errx(1, "Invalid locktime in o1");
 
  	/* We need our private key to spend commit output. */
-	privkey = key_from_base58(argv[4], strlen(argv[4]), &testnet, &pubkey1);
+	if (!key_from_base58(argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
-	if (!privkey)
 		errx(1, "Invalid private key '%s'", argv[4]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[4]);
@@ -112,7 +111,7 @@ int main(int argc, char *argv[])
 
 	/* Now get signature, to set up input script. */
 	if (!sign_tx_input(tx, tx, 0, redeemscript, tal_count(redeemscript),
-			   privkey, &pubkey1, &sig.sig))
+			   &privkey, &pubkey1, &sig.sig))
 		errx(1, "Could not sign tx");
 	sig.stype = SIGHASH_ALL;
 	tx->input[0].script = scriptsig_p2sh_single_sig(tx, redeemscript,

test-cli/create-commit-tx.c

@@ -14,9 +14,9 @@
 #include "bitcoin/signature.h"
 #include "commit_tx.h"
 #include "bitcoin/pubkey.h"
+#include "bitcoin/privkey.h"
 #include "find_p2sh_out.h"
 #include "protobuf_convert.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 /* FIXME: this code doesn't work if we're not the ones proposing the delta */
@@ -27,7 +27,7 @@ int main(int argc, char *argv[])
 	Pkt *pkt;
 	struct bitcoin_tx *anchor, *commit;
 	struct sha256_double anchor_txid;
-	EC_KEY *privkey;
+	struct privkey privkey;
 	bool testnet;
 	struct bitcoin_signature sig1, sig2;
 	size_t i;
@@ -54,8 +54,7 @@ int main(int argc, char *argv[])
 	o1 = pkt_from_file(argv[2], PKT__PKT_OPEN)->open;
 	o2 = pkt_from_file(argv[3], PKT__PKT_OPEN)->open;
 
-	privkey = key_from_base58(argv[4], strlen(argv[4]), &testnet, &pubkey1);
+	if (!key_from_base58(argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
-	if (!privkey)
 		errx(1, "Invalid private key '%s'", argv[4]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[4]);
@@ -110,7 +109,7 @@ int main(int argc, char *argv[])
 	/* We generate our signature. */
 	sig1.stype = SIGHASH_ALL;
 	sign_tx_input(ctx, commit, 0, redeemscript, tal_count(redeemscript),
-		      privkey, &pubkey1, &sig1.sig);
+		      &privkey, &pubkey1, &sig1.sig);
 
 	if (!check_2of2_sig(commit, 0, redeemscript, tal_count(redeemscript),
 			    &pubkey1, &pubkey2, &sig1, &sig2))

test-cli/create-steal-tx.c

@@ -14,8 +14,8 @@
 #include "bitcoin/signature.h"
 #include "commit_tx.h"
 #include "bitcoin/pubkey.h"
+#include "bitcoin/privkey.h"
 #include "protobuf_convert.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])
@@ -30,7 +30,7 @@ int main(int argc, char *argv[])
 	struct pubkey pubkey1, pubkey2, outpubkey;
 	struct bitcoin_signature sig;
 	char *tx_hex;
-	EC_KEY *privkey;
+	struct privkey privkey;
 	bool testnet;
 	u32 locktime_seconds;
 
@@ -62,8 +62,7 @@ int main(int argc, char *argv[])
 		errx(1, "Expected update or update-complete in %s", argv[2]);
 	}
 
-	privkey = key_from_base58(argv[3], strlen(argv[3]), &testnet, &pubkey1);
+	if (!key_from_base58(argv[3], strlen(argv[3]), &testnet, &privkey, &pubkey1))
-	if (!privkey)
 		errx(1, "Invalid private key '%s'", argv[3]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[3]);
@@ -112,7 +111,7 @@ int main(int argc, char *argv[])
 
 	/* Now get signature, to set up input script. */
 	if (!sign_tx_input(tx, tx, 0, redeemscript, tal_count(redeemscript),
-			   privkey, &pubkey1, &sig.sig))
+			   &privkey, &pubkey1, &sig.sig))
 		errx(1, "Could not sign tx");
 	sig.stype = SIGHASH_ALL;
 	tx->input[0].script = scriptsig_p2sh_revoke(tx, &revoke_preimage, &sig,

test-cli/get-anchor-depth.c

@@ -14,7 +14,6 @@
 #include "bitcoin/signature.h"
 #include "commit_tx.h"
 #include "bitcoin/pubkey.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])

test-cli/open-anchor-scriptsigs.c

@@ -10,8 +10,8 @@
 #include "bitcoin/base58.h"
 #include "anchor.h"
 #include "bitcoin/pubkey.h"
+#include "bitcoin/privkey.h"
 
-#include <openssl/ec.h>
 #include <unistd.h>
 
 /* All the input scripts are already set to 0.  We just need to make this one. */
@@ -19,7 +19,7 @@ static u8 *tx_scriptsig(const tal_t *ctx,
 			struct bitcoin_tx *tx,
 			unsigned int i,
 			const BitcoinInput *input,
-			EC_KEY *privkey,
+			struct privkey *privkey,
 			const struct pubkey *pubkey)
 {
 	struct bitcoin_signature sig;
@@ -75,19 +75,18 @@ int main(int argc, char *argv[])
 	sigs = tal_arr(ctx, u8 *, o1->anchor->n_inputs);
 	for (i = 0; i < o1->anchor->n_inputs; i++) {
 		struct pubkey pubkey;
-		EC_KEY *privkey;
+		struct privkey privkey;
 		bool testnet;
 
-		privkey = key_from_base58(argv[3+i], strlen(argv[3+i]),
+		if (!key_from_base58(argv[3+i], strlen(argv[3+i]),
-					  &testnet, &pubkey);
+							 &testnet, &privkey, &pubkey))
-		if (!privkey)
 			errx(1, "Invalid private key '%s'", argv[3+i]);
 		if (!testnet)
 			errx(1, "Private key '%s' not on testnet!", argv[3+i]);
 		
 		sigs[i] = tx_scriptsig(sigs, anchor, map[i],
 				       o1->anchor->inputs[i],
-				       privkey, &pubkey);
+				       &privkey, &pubkey);
 	}
 
 	pkt = open_anchor_sig_pkt(ctx, sigs, o1->anchor->n_inputs);

test-cli/open-channel.c

@@ -12,10 +12,11 @@
 #include "bitcoin/address.h"
 #include "bitcoin/tx.h"
 #include "bitcoin/pubkey.h"
+#include "bitcoin/privkey.h"
 #include "bitcoin/shadouble.h"
 #include "protobuf_convert.h"
-#include <openssl/ec.h>
 #include <unistd.h>
+#include <time.h>
 #include "opt_bits.h"
 
 /* Bitcoin nodes are allowed to be 2 hours in the future. */ 
@@ -76,7 +77,7 @@ int main(int argc, char *argv[])
 	bool testnet;
 	size_t i;
 	struct pubkey commitkey, outkey, changekey;
-	EC_KEY *commitprivkey, *outprivkey;
+	struct privkey commitprivkey, outprivkey;
 
 	err_set_progname(argv[0]);
 
@@ -123,16 +124,14 @@ int main(int argc, char *argv[])
 
 	/* We don't really need the privkey here, but it's the most
 	 * convenient way to get the pubkey from bitcoind. */
-	commitprivkey = key_from_base58(argv[4], strlen(argv[4]), &testnet,
+	if (!key_from_base58(argv[4], strlen(argv[4]), &testnet,
-					&commitkey);
+			     &commitprivkey, &commitkey))
-	if (!commitprivkey)
 		errx(1, "Invalid private key '%s'", argv[4]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[4]);
 
-	outprivkey = key_from_base58(argv[5], strlen(argv[5]), &testnet,
+	if (!key_from_base58(argv[5], strlen(argv[5]), &testnet,
-				     &outkey);
+			     &outprivkey, &outkey))
-	if (!outprivkey)
 		errx(1, "Invalid private key '%s'", argv[5]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[5]);

test-cli/open-commit-sig.c

@@ -14,8 +14,8 @@
 #include "bitcoin/signature.h"
 #include "commit_tx.h"
 #include "bitcoin/pubkey.h"
+#include "bitcoin/privkey.h"
 #include "protobuf_convert.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])
@@ -27,7 +27,7 @@ int main(int argc, char *argv[])
 	struct pkt *pkt;
 	struct signature sig;
 	size_t *inmap, *outmap;
-	EC_KEY *privkey;
+	struct privkey privkey;
 	bool testnet;
 	struct pubkey pubkey1, pubkey2;
 	u8 *subscript;
@@ -48,8 +48,7 @@ int main(int argc, char *argv[])
 	o1 = pkt_from_file(argv[1], PKT__PKT_OPEN)->open;
 	o2 = pkt_from_file(argv[2], PKT__PKT_OPEN)->open;
 
-	privkey = key_from_base58(argv[3], strlen(argv[3]), &testnet, &pubkey1);
+	if (!key_from_base58(argv[3], strlen(argv[3]), &testnet, &privkey, &pubkey1))
-	if (!privkey)
 		errx(1, "Invalid private key '%s'", argv[3]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[3]);
@@ -81,7 +80,7 @@ int main(int argc, char *argv[])
 	/* Sign it for them. */
 	subscript = bitcoin_redeem_2of2(ctx, &pubkey1, &pubkey2);
 	sign_tx_input(ctx, commit, 0, subscript, tal_count(subscript),
-		      privkey, &pubkey1, &sig);
+		      &privkey, &pubkey1, &sig);
 
 	pkt = open_commit_sig_pkt(ctx, &sig);
 	if (!write_all(STDOUT_FILENO, pkt, pkt_totlen(pkt)))

test-cli/update-channel-accept.c

@@ -14,9 +14,9 @@
 #include "bitcoin/signature.h"
 #include "commit_tx.h"
 #include "bitcoin/pubkey.h"
+#include "bitcoin/privkey.h"
 #include "find_p2sh_out.h"
 #include "protobuf_convert.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])
@@ -29,7 +29,7 @@ int main(int argc, char *argv[])
 	struct sha256_double anchor_txid;
 	struct pkt *pkt;
 	struct bitcoin_signature sig;
-	EC_KEY *privkey;
+	struct privkey privkey;
 	bool testnet;
 	struct pubkey pubkey1, pubkey2;
 	u8 *redeemscript;
@@ -56,8 +56,7 @@ int main(int argc, char *argv[])
 	o1 = pkt_from_file(argv[3], PKT__PKT_OPEN)->open;
 	o2 = pkt_from_file(argv[4], PKT__PKT_OPEN)->open;
 
-	privkey = key_from_base58(argv[5], strlen(argv[5]), &testnet, &pubkey1);
+	if (!key_from_base58(argv[5], strlen(argv[5]), &testnet, &privkey, &pubkey1))
-	if (!privkey)
 		errx(1, "Invalid private key '%s'", argv[5]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[5]);
@@ -100,7 +99,7 @@ int main(int argc, char *argv[])
 
 	/* Sign it for them. */
 	sign_tx_input(ctx, commit, 0, redeemscript, tal_count(redeemscript),
-		      privkey, &pubkey1, &sig.sig);
+		      &privkey, &pubkey1, &sig.sig);
 
 	pkt = update_accept_pkt(ctx, &sig.sig, &revocation_hash);
 	if (!write_all(STDOUT_FILENO, pkt, pkt_totlen(pkt)))

test-cli/update-channel-complete.c

@@ -17,7 +17,6 @@
 #include "bitcoin/pubkey.h"
 #include "find_p2sh_out.h"
 #include "protobuf_convert.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])

test-cli/update-channel-signature.c

@@ -14,9 +14,9 @@
 #include "bitcoin/signature.h"
 #include "commit_tx.h"
 #include "bitcoin/pubkey.h"
+#include "bitcoin/privkey.h"
 #include "find_p2sh_out.h"
 #include "protobuf_convert.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])
@@ -30,7 +30,7 @@ int main(int argc, char *argv[])
 	struct sha256_double anchor_txid;
 	struct pkt *pkt;
 	struct bitcoin_signature sig;
-	EC_KEY *privkey;
+	struct privkey privkey;
 	bool testnet;
 	struct pubkey pubkey1, pubkey2;
 	u8 *redeemscript;
@@ -57,8 +57,7 @@ int main(int argc, char *argv[])
 	o1 = pkt_from_file(argv[3], PKT__PKT_OPEN)->open;
 	o2 = pkt_from_file(argv[4], PKT__PKT_OPEN)->open;
 
-	privkey = key_from_base58(argv[5], strlen(argv[5]), &testnet, &pubkey1);
+	if (!key_from_base58(argv[5], strlen(argv[5]), &testnet, &privkey, &pubkey1))
-	if (!privkey)
 		errx(1, "Invalid private key '%s'", argv[5]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[5]);
@@ -121,7 +120,7 @@ int main(int argc, char *argv[])
 
 	/* Sign it for them. */
 	sign_tx_input(ctx, commit, 0, redeemscript, tal_count(redeemscript),
-		      privkey, &pubkey1, &sig.sig);
+		      &privkey, &pubkey1, &sig.sig);
 
 	pkt = update_signature_pkt(ctx, &sig.sig, &preimage);
 	if (!write_all(STDOUT_FILENO, pkt, pkt_totlen(pkt)))

test-cli/update-channel.c

@@ -15,7 +15,6 @@
 #include "commit_tx.h"
 #include "bitcoin/pubkey.h"
 #include "find_p2sh_out.h"
-#include <openssl/ec.h>
 #include <unistd.h>
 
 int main(int argc, char *argv[])