bitcoin: hand in a secp256k1_context to all routines.

We don't want to re-create them internally, ever.

The test-cli tools are patched to generate them all the time, but
they're not performance critical.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

bitcoin/base58.c

@@ -306,14 +306,14 @@ char *key_to_base58(const tal_t *ctx, bool test_net, const struct privkey *key)
 	return tal_strdup(ctx, p);
 }
 
-bool key_from_base58(const char *base58, size_t base58_len,
+bool key_from_base58(secp256k1_context *secpctx,
+		     const char *base58, size_t base58_len,
 		     bool *test_net, struct privkey *priv, struct pubkey *key)
 {
 	u8 keybuf[1 + 32 + 1 + 4];
 	u8 csum[4];
 	BIGNUM bn;
 	bool compressed;
-	secp256k1_context *secpctx;
 	size_t keylen;
 	
 	BN_init(&bn);
@@ -347,21 +347,17 @@ bool key_from_base58(const char *base58, size_t base58_len,
 	/* Copy out secret. */
 	memcpy(priv->secret, keybuf + 1, sizeof(priv->secret));
 
-	secpctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
 	if (!secp256k1_ec_seckey_verify(secpctx, priv->secret))
-		goto fail_free_secpctx;
+		goto fail_free_bn;
 
 	/* Get public key, too, since we know if it's compressed. */
-	if (!pubkey_from_privkey(priv, key,
+	if (!pubkey_from_privkey(secpctx, priv, key,
 				 compressed ? SECP256K1_EC_COMPRESSED : 0))
-		goto fail_free_secpctx;
+		goto fail_free_bn;
 
 	BN_free(&bn);
-	secp256k1_context_destroy(secpctx);
 	return true;
 
-fail_free_secpctx:
-	secp256k1_context_destroy(secpctx);
 fail_free_bn:
 	BN_free(&bn);
 	return false;

bitcoin/base58.h

@@ -2,6 +2,7 @@
 #define LIGHTNING_BITCOIN_BASE58_H
 #include "config.h"
 
+#include "secp256k1.h"
 #include <ccan/crypto/ripemd160/ripemd160.h>
 #include <ccan/short_types/short_types.h>
 #include <ccan/tal/tal.h>
@@ -45,7 +46,8 @@ char *base58_with_check(char dest[BASE58_ADDR_MAX_LEN],
 			u8 buf[1 + sizeof(struct ripemd160) + 4]);
 
 char *key_to_base58(const tal_t *ctx, bool test_net, const struct privkey *key);
-bool key_from_base58(const char *base58, size_t base58_len,
+bool key_from_base58(secp256k1_context *secpctx,
+		     const char *base58, size_t base58_len,
 		     bool *test_net, struct privkey *priv, struct pubkey *key);
 
 bool raw_decode_base_n(BIGNUM *bn, const char *src, size_t len, int base);

bitcoin/pubkey.c

@@ -27,52 +27,40 @@ size_t pubkey_derlen(const struct pubkey *key)
 	return len;
 }
 
-bool pubkey_from_der(const u8 *der, size_t len, struct pubkey *key)
+bool pubkey_from_der(secp256k1_context *secpctx,
+		     const u8 *der, size_t len,
+		     struct pubkey *key)
 {
-	secp256k1_context *secpctx = secp256k1_context_create(0);
-
 	if (len > sizeof(key->der))
-		goto fail_free_secpctx;
+		return false;
 
 	memcpy(key->der, der, len);
 	if (!secp256k1_ec_pubkey_parse(secpctx, &key->pubkey, key->der, len))
-		goto fail_free_secpctx;
+		return false;
 
-	secp256k1_context_destroy(secpctx);
 	return true;
-	
-fail_free_secpctx:
-	secp256k1_context_destroy(secpctx);
-	return false;
 }
 
 /* Pubkey from privkey */
-bool pubkey_from_privkey(const struct privkey *privkey,
+bool pubkey_from_privkey(secp256k1_context *secpctx,
+			 const struct privkey *privkey,
 			 struct pubkey *key,
 			 unsigned int compressed_flags)
 {
-	secp256k1_context *secpctx;
 	size_t outlen;
 	
-	secpctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
-
 	if (!secp256k1_ec_pubkey_create(secpctx, &key->pubkey, privkey->secret))
-		goto fail_free_secpctx;
+		return false;
 
 	if (!secp256k1_ec_pubkey_serialize(secpctx, key->der, &outlen,
 					   &key->pubkey, compressed_flags))
-		goto fail_free_secpctx;
+		return false;
 	assert(outlen == pubkey_derlen(key));
-	
-	secp256k1_context_destroy(secpctx);
 	return true;
-
-fail_free_secpctx:
-	secp256k1_context_destroy(secpctx);
-	return false;
 }
 	
-bool pubkey_from_hexstr(const char *derstr, size_t slen, struct pubkey *key)
+bool pubkey_from_hexstr(secp256k1_context *secpctx,
+			const char *derstr, size_t slen, struct pubkey *key)
 {
 	size_t dlen;
 	unsigned char der[65];
@@ -84,7 +72,7 @@ bool pubkey_from_hexstr(const char *derstr, size_t slen, struct pubkey *key)
 	if (!hex_decode(derstr, slen, der, dlen))
 		return false;
 
-	return pubkey_from_der(der, dlen, key);
+	return pubkey_from_der(secpctx, der, dlen, key);
 }
 
 bool pubkey_eq(const struct pubkey *a, const struct pubkey *b)

bitcoin/pubkey.h

@@ -15,15 +15,18 @@ struct pubkey {
 };
 
 /* Convert from hex string of DER (scriptPubKey from validateaddress) */
-bool pubkey_from_hexstr(const char *derstr, size_t derlen, struct pubkey *key);
+bool pubkey_from_hexstr(secp256k1_context *secpctx,
+			const char *derstr, size_t derlen, struct pubkey *key);
 
 /* Pubkey from privkey */
-bool pubkey_from_privkey(const struct privkey *privkey,
+bool pubkey_from_privkey(secp256k1_context *secpctx,
+			 const struct privkey *privkey,
 			 struct pubkey *key,
 			 unsigned int compressed_flags);
 
 /* Pubkey from DER encoding. */
-bool pubkey_from_der(const u8 *der, size_t len, struct pubkey *key);
+bool pubkey_from_der(secp256k1_context *secpctx,
+		     const u8 *der, size_t len, struct pubkey *key);
 
 /* How many bytes of key->der are valid. */
 size_t pubkey_derlen(const struct pubkey *key);

bitcoin/script.c

@@ -109,11 +109,13 @@ static void add_push_sig(u8 **scriptp, const struct bitcoin_signature *sig)
 /* Bitcoin wants DER encoding. */
 #ifdef SCRIPTS_USE_DER
 	u8 der[73];
-	size_t len = signature_to_der(der, &sig->sig);
+	secp256k1_context *secpctx = secp256k1_context_create(0);
+	size_t len = signature_to_der(secpctx, der, &sig->sig);
 
 	/* Append sighash type */
 	der[len++] = sig->stype;
 	add_push_bytes(scriptp, der, len);
+	secp256k1_context_destroy(secpctx);
 #else /* Alpha uses raw encoding */
 	u8 with_sighash[sizeof(sig->sig) + 1];
 	memcpy(with_sighash, &sig->sig, sizeof(sig->sig));

bitcoin/signature.c

@@ -76,16 +76,12 @@ static void dump_tx(const char *msg,
 }
 #endif
 	
-bool sign_hash(const struct privkey *privkey,
+void sign_hash(secp256k1_context *secpctx,
+	       const struct privkey *privkey,
 	       const struct sha256_double *h,
 	       struct signature *s)
 {
-	secp256k1_context *secpctx;
 	bool ok;
-	
-	secpctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
-	if (!secpctx)
-		return false;
 
 #ifdef USE_SCHNORR
 	ok = secp256k1_schnorr_sign(secpctx,
@@ -98,9 +94,7 @@ bool sign_hash(const struct privkey *privkey,
 				  h->sha.u.u8,
 				  privkey->secret, NULL, NULL);
 #endif
-
-	secp256k1_context_destroy(secpctx);
-	return ok;
+	assert(ok);
 }
 
 /* Only does SIGHASH_ALL */
@@ -133,7 +127,8 @@ static void sha256_tx_one_input(struct bitcoin_tx *tx,
 }
 
 /* Only does SIGHASH_ALL */
-bool sign_tx_input(struct bitcoin_tx *tx,
+void sign_tx_input(secp256k1_context *secpctx,
+		   struct bitcoin_tx *tx,
 		   unsigned int in,
 		   const u8 *subscript, size_t subscript_len,
 		   const struct privkey *privkey, const struct pubkey *key,
@@ -143,19 +138,15 @@ bool sign_tx_input(struct bitcoin_tx *tx,
 
 	sha256_tx_one_input(tx, in, subscript, subscript_len, &hash);
 	dump_tx("Signing", tx, in, subscript, subscript_len, key, &hash);
-	return sign_hash(privkey, &hash, sig);
+	sign_hash(secpctx, privkey, &hash, sig);
 }
 
-bool check_signed_hash(const struct sha256_double *hash,
+bool check_signed_hash(secp256k1_context *secpctx,
+		       const struct sha256_double *hash,
 		       const struct signature *signature,
 		       const struct pubkey *key)
 {
 	int ret;
-	secp256k1_context *secpctx;
-
-	secpctx = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
-	if (!secpctx)
-		return false;
 
 #ifdef USE_SCHNORR
 	ret = secp256k1_schnorr_verify(secpctx, signature->schnorr,
@@ -165,12 +156,11 @@ bool check_signed_hash(const struct sha256_double *hash,
 				     &signature->sig,
 				     hash->sha.u.u8, &key->pubkey);
 #endif
-
-	secp256k1_context_destroy(secpctx);
 	return ret == 1;
 }
 
-bool check_tx_sig(struct bitcoin_tx *tx, size_t input_num,
+bool check_tx_sig(secp256k1_context *secpctx,
+		  struct bitcoin_tx *tx, size_t input_num,
 		  const u8 *redeemscript, size_t redeemscript_len,
 		  const struct pubkey *key,
 		  const struct bitcoin_signature *sig)
@@ -187,14 +177,15 @@ bool check_tx_sig(struct bitcoin_tx *tx, size_t input_num,
 	if (sig->stype != SIGHASH_ALL)
 		return false;
 	
-	ret = check_signed_hash(&hash, &sig->sig, key);
+	ret = check_signed_hash(secpctx, &hash, &sig->sig, key);
 	if (!ret)
 		dump_tx("Sig failed", tx, input_num,
 			redeemscript, redeemscript_len, key, &hash);
 	return ret;
 }
 
-bool check_2of2_sig(struct bitcoin_tx *tx, size_t input_num,
+bool check_2of2_sig(secp256k1_context *secpctx,
+		    struct bitcoin_tx *tx, size_t input_num,
 		    const u8 *redeemscript, size_t redeemscript_len,
 		    const struct pubkey *key1, const struct pubkey *key2,
 		    const struct bitcoin_signature *sig1,
@@ -210,8 +201,8 @@ bool check_2of2_sig(struct bitcoin_tx *tx, size_t input_num,
 	if (sig1->stype != SIGHASH_ALL || sig2->stype != SIGHASH_ALL)
 		return false;
 	
-	return check_signed_hash(&hash, &sig1->sig, key1)
-		&& check_signed_hash(&hash, &sig2->sig, key2);
+	return check_signed_hash(secpctx, &hash, &sig1->sig, key1)
+		&& check_signed_hash(secpctx, &hash, &sig2->sig, key2);
 }
 
 #ifndef USE_SCHNORR
@@ -287,12 +278,12 @@ static bool IsValidSignatureEncoding(const unsigned char sig[], size_t len)
     return true;
 }
 
-size_t signature_to_der(u8 der[72], const struct signature *sig)
+size_t signature_to_der(secp256k1_context *secpctx,
+			u8 der[72], const struct signature *sig)
 {
 	size_t len = 72;
-	secp256k1_context *ctx = secp256k1_context_create(0);
 
-	secp256k1_ecdsa_signature_serialize_der(ctx, der, &len, &sig->sig);
+	secp256k1_ecdsa_signature_serialize_der(secpctx, der, &len, &sig->sig);
 
 	/* IsValidSignatureEncoding() expect extra byte for sighash */
 	assert(IsValidSignatureEncoding(der, len + 1));

bitcoin/signature.h

@@ -28,28 +28,33 @@ struct privkey;
 struct bitcoin_tx_output;
 struct bitcoin_signature;
 
-bool sign_hash(const struct privkey *p,
+void sign_hash(secp256k1_context *secpctx,
+	       const struct privkey *p,
 	       const struct sha256_double *h,
 	       struct signature *s);
 
-bool check_signed_hash(const struct sha256_double *hash,
+bool check_signed_hash(secp256k1_context *secpctx,
+		       const struct sha256_double *hash,
 		       const struct signature *signature,
 		       const struct pubkey *key);
 
 /* All tx input scripts must be set to 0 len. */
-bool sign_tx_input(struct bitcoin_tx *tx,
+void sign_tx_input(secp256k1_context *secpctx,
+		   struct bitcoin_tx *tx,
 		   unsigned int in,
 		   const u8 *subscript, size_t subscript_len,
 		   const struct privkey *privkey, const struct pubkey *pubkey,
 		   struct signature *sig);
 
 /* Does this sig sign the tx with this input for this pubkey. */
-bool check_tx_sig(struct bitcoin_tx *tx, size_t input_num,
+bool check_tx_sig(secp256k1_context *secpctx,
+		  struct bitcoin_tx *tx, size_t input_num,
 		  const u8 *redeemscript, size_t redeemscript_len,
 		  const struct pubkey *key,
 		  const struct bitcoin_signature *sig);
 
-bool check_2of2_sig(struct bitcoin_tx *tx, size_t input_num,
+bool check_2of2_sig(secp256k1_context *secpctx,
+		    struct bitcoin_tx *tx, size_t input_num,
 		    const u8 *redeemscript, size_t redeemscript_len,
 		    const struct pubkey *key1, const struct pubkey *key2,
 		    const struct bitcoin_signature *sig1,
@@ -60,7 +65,8 @@ bool sig_valid(const struct signature *s);
 
 #ifndef USE_SCHNORR
 /* Give DER encoding of signature: returns length used (<= 72). */
-size_t signature_to_der(u8 der[72], const struct signature *s);
+size_t signature_to_der(secp256k1_context *secpctx,
+			u8 der[72], const struct signature *s);
 #endif
 
 #endif /* LIGHTNING_BITCOIN_SIGNATURE_H */

close_tx.c

@@ -6,7 +6,8 @@
 #include "permute_tx.h"
 #include "protobuf_convert.h"
 
-struct bitcoin_tx *create_close_tx(const tal_t *ctx,
+struct bitcoin_tx *create_close_tx(secp256k1_context *secpctx,
+				   const tal_t *ctx,
 				   OpenChannel *ours,
 				   OpenChannel *theirs,
 				   OpenAnchor *anchor,
@@ -26,9 +27,9 @@ struct bitcoin_tx *create_close_tx(const tal_t *ctx,
 	tx->input[0].input_amount = anchor->amount;
 
 	/* Outputs goes to final pubkey */
-	if (!proto_to_pubkey(ours->final_key, &ourkey))
+	if (!proto_to_pubkey(secpctx, ours->final_key, &ourkey))
 		return tal_free(tx);
-	if (!proto_to_pubkey(theirs->final_key, &theirkey))
+	if (!proto_to_pubkey(secpctx, theirs->final_key, &theirkey))
 		return tal_free(tx);
 
 

close_tx.h

@@ -2,13 +2,15 @@
 #define LIGHTNING_CLOSE_TX_H
 #include "config.h"
 #include "lightning.pb-c.h"
+#include "secp256k1.h"
 #include <ccan/tal/tal.h>
 
 struct sha256_double;
 
 /* Create close tx to spend the anchor tx output; doesn't fill in
  * input scriptsig. */
-struct bitcoin_tx *create_close_tx(const tal_t *ctx,
+struct bitcoin_tx *create_close_tx(secp256k1_context *secpctx,
+				   const tal_t *ctx,
 				   OpenChannel *ours,
 				   OpenChannel *theirs,
 				   OpenAnchor *anchor,

protobuf_convert.c

@@ -74,14 +74,19 @@ BitcoinPubkey *pubkey_to_proto(const tal_t *ctx, const struct pubkey *key)
 	p->key.len = pubkey_derlen(key);
 	p->key.data = tal_dup_arr(p, u8, key->der, p->key.len, 0);
 
-	assert(pubkey_from_der(p->key.data, p->key.len, &check));
-	assert(pubkey_eq(&check, key));
+	{
+		secp256k1_context *secpctx = secp256k1_context_create(0);
+		assert(pubkey_from_der(secpctx, p->key.data, p->key.len, &check));
+		assert(pubkey_eq(&check, key));
+		secp256k1_context_destroy(secpctx);
+	}
 	return p;
 }
 
-bool proto_to_pubkey(const BitcoinPubkey *pb, struct pubkey *key)
+bool proto_to_pubkey(secp256k1_context *secpctx,
+		     const BitcoinPubkey *pb, struct pubkey *key)
 {
-	return pubkey_from_der(pb->key.data, pb->key.len, key);
+	return pubkey_from_der(secpctx, pb->key.data, pb->key.len, key);
 }
 
 Sha256Hash *sha256_to_proto(const tal_t *ctx, const struct sha256 *hash)

protobuf_convert.h

@@ -2,6 +2,7 @@
 #define LIGHTNING_PROTOBUF_CONVERT_H
 #include "config.h"
 #include "lightning.pb-c.h"
+#include "secp256k1.h"
 #include <ccan/tal/tal.h>
 #include <stdbool.h>
 
@@ -13,7 +14,8 @@ bool proto_to_signature(const Signature *pb, struct signature *sig);
 /* Convert to-from protobuf to internal representation. */
 struct pubkey;
 BitcoinPubkey *pubkey_to_proto(const tal_t *ctx, const struct pubkey *key);
-bool proto_to_pubkey(const BitcoinPubkey *pb, struct pubkey *key);
+bool proto_to_pubkey(secp256k1_context *secpctx,
+		     const BitcoinPubkey *pb, struct pubkey *key);
 
 /* Useful helper for allocating & populating a protobuf Sha256Hash */
 struct sha256;

test-cli/check-commit-sig.c

@@ -50,7 +50,9 @@ int main(int argc, char *argv[])
 	o2 = pkt_from_file(argv[2], PKT__PKT_OPEN)->open;
 	a = pkt_from_file(argv[3], PKT__PKT_OPEN_ANCHOR)->open_anchor;
 
-	if (!key_from_base58(argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
+	if (!key_from_base58(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+						      | SECP256K1_CONTEXT_SIGN),
+			     argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
 		errx(1, "Invalid private key '%s'", argv[4]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[4]);
@@ -68,7 +70,8 @@ int main(int argc, char *argv[])
 	}
 
 	/* Pubkey well-formed? */
-	if (!proto_to_pubkey(o2->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->commit_key, &pubkey2))
 		errx(1, "Invalid o2 commit_key");
 
 	if (is_funder(o1) == is_funder(o2))
@@ -86,7 +89,8 @@ int main(int argc, char *argv[])
 
 	/* Check signature. */
 	subscript = bitcoin_redeem_2of2(ctx, &pubkey1, &pubkey2);
-	if (!check_tx_sig(commit, 0, subscript, tal_count(subscript),
+	if (!check_tx_sig(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY),
+			  commit, 0, subscript, tal_count(subscript),
 			  &pubkey2, &sig))
 		errx(1, "Their signature invalid");
 

test-cli/close-channel.c

@@ -62,7 +62,9 @@ int main(int argc, char *argv[])
 	o2 = pkt_from_file(argv[2], PKT__PKT_OPEN)->open;
 	a = pkt_from_file(argv[3], PKT__PKT_OPEN_ANCHOR)->open_anchor;
 
-	if (!key_from_base58(argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
+	if (!key_from_base58(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+						      | SECP256K1_CONTEXT_SIGN),
+			     argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
 		errx(1, "Invalid private key '%s'", argv[4]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[4]);
@@ -77,22 +79,26 @@ int main(int argc, char *argv[])
 		       NULL, NULL, NULL);
 
 	/* Get pubkeys */
-	if (!proto_to_pubkey(o1->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o1->commit_key, &pubkey2))
 		errx(1, "Invalid o1 commit pubkey");
 	if (!pubkey_eq(&pubkey1, &pubkey2))
 		errx(1, "o1 pubkey != this privkey");
-	if (!proto_to_pubkey(o2->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->commit_key, &pubkey2))
 		errx(1, "Invalid o2 commit pubkey");
 
 	/* This is what the anchor pays to. */
 	redeemscript = bitcoin_redeem_2of2(ctx, &pubkey1, &pubkey2);
 
-	close_tx = create_close_tx(ctx, o1, o2, a,
+	close_tx = create_close_tx(secp256k1_context_create(0),
+				   ctx, o1, o2, a,
 				   cstate->a.pay_msat / 1000,
 				   cstate->b.pay_msat / 1000);
 
 	/* Sign it for them. */
-	sign_tx_input(close_tx, 0, redeemscript, tal_count(redeemscript),
+	sign_tx_input(secp256k1_context_create(SECP256K1_CONTEXT_SIGN),
+		      close_tx, 0, redeemscript, tal_count(redeemscript),
 		      &privkey, &pubkey1, &sig);
 
 	if (close_file)

test-cli/create-anchor-tx.c

@@ -64,7 +64,9 @@ static void parse_anchor_input(const char *spec, struct input *in)
 	if (*end != '/')
 		errx(1, "Expected / after hexscript");
 
-	if (!key_from_base58(end+1, strlen(end + 1), &testnet,
+	if (!key_from_base58(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+						      | SECP256K1_CONTEXT_SIGN),
+			     end+1, strlen(end + 1), &testnet,
 			     &in->privkey, &in->pubkey))
 		errx(1, "Invalid private key '%s'", end+1);
 	if (!testnet)
@@ -102,9 +104,11 @@ int main(int argc, char *argv[])
 
 	o1 = pkt_from_file(argv[1], PKT__PKT_OPEN)->open;
 	o2 = pkt_from_file(argv[2], PKT__PKT_OPEN)->open;
-	if (!proto_to_pubkey(o1->commit_key, &pubkey1))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o1->commit_key, &pubkey1))
 		errx(1, "Invalid o1 commit_key");
-	if (!proto_to_pubkey(o2->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->commit_key, &pubkey2))
 		errx(1, "Invalid o2 commit_key");
 
 	amount = atol(argv[3]);
@@ -142,7 +146,8 @@ int main(int argc, char *argv[])
 	if (change) {
 		struct pubkey change_key;
 
-		if (!pubkey_from_hexstr(argv[4], strlen(argv[4]), &change_key))
+		if (!pubkey_from_hexstr(secp256k1_context_create(0),
+					argv[4], strlen(argv[4]), &change_key))
 			errx(1, "Invalid change key %s", argv[3]);
 
 		redeemscript = bitcoin_redeem_single(anchor, &change_key);
@@ -163,11 +168,11 @@ int main(int argc, char *argv[])
 	/* Now, sign each input. */
 	for (i = 0; i < tal_count(in); i++) {
 		in[i].sig.stype = SIGHASH_ALL;
-		if (!sign_tx_input(anchor, i, in[i].in.script,
-				   in[i].in.script_length,
-				   &in[i].privkey, &in[i].pubkey,
-				   &in[i].sig.sig))
-			errx(1, "Error signing input %zi", i);
+		sign_tx_input(secp256k1_context_create(SECP256K1_CONTEXT_SIGN),
+			      anchor, i, in[i].in.script,
+			      in[i].in.script_length,
+			      &in[i].privkey, &in[i].pubkey,
+			      &in[i].sig.sig);
 	}
 
 	/* Finally, complete inputs using signatures. */

test-cli/create-close-tx.c

@@ -53,9 +53,11 @@ int main(int argc, char *argv[])
 	closecomplete = pkt_from_file(argv[5], PKT__PKT_CLOSE_COMPLETE)->close_complete;
 
 	/* Pubkeys well-formed? */
-	if (!proto_to_pubkey(o1->commit_key, &pubkey1))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o1->commit_key, &pubkey1))
 		errx(1, "Invalid o1 commit_key");
-	if (!proto_to_pubkey(o2->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->commit_key, &pubkey2))
 		errx(1, "Invalid o2 commit_key");
 	
 	/* Get delta by accumulting all the updates. */
@@ -66,7 +68,8 @@ int main(int argc, char *argv[])
 	redeemscript = bitcoin_redeem_2of2(ctx, &pubkey1, &pubkey2);
 
 	/* Now create the close tx to spend 2/2 output of anchor. */
-	close_tx = create_close_tx(ctx, o1, o2, a,
+	close_tx = create_close_tx(secp256k1_context_create(0),
+				   ctx, o1, o2, a,
 				   cstate->a.pay_msat / 1000,
 				   cstate->b.pay_msat / 1000);
 
@@ -78,7 +81,8 @@ int main(int argc, char *argv[])
 		errx(1, "Invalid closecomplete-packet");
 
 	/* Combined signatures must validate correctly. */
-	if (!check_2of2_sig(close_tx, 0, redeemscript, tal_count(redeemscript),
+	if (!check_2of2_sig(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY),
+			    close_tx, 0, redeemscript, tal_count(redeemscript),
 			    &pubkey1, &pubkey2, &sig1, &sig2))
 		errx(1, "Signature failed");
 

test-cli/create-commit-spend-tx.c

@@ -68,20 +68,25 @@ int main(int argc, char *argv[])
 		errx(1, "Invalid locktime in o2");
 
  	/* We need our private key to spend commit output. */
-	if (!key_from_base58(argv[5], strlen(argv[5]), &testnet, &privkey, &pubkey1))
+	if (!key_from_base58(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+						      | SECP256K1_CONTEXT_SIGN),
+			     argv[5], strlen(argv[5]), &testnet, &privkey, &pubkey1))
 		errx(1, "Invalid private key '%s'", argv[5]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[5]);
 
-	if (!pubkey_from_hexstr(argv[6], strlen(argv[6]), &outpubkey))
+	if (!pubkey_from_hexstr(secp256k1_context_create(0),
+				argv[6], strlen(argv[6]), &outpubkey))
 		errx(1, "Invalid bitcoin pubkey '%s'", argv[6]);
 
 	/* Get pubkeys */
-	if (!proto_to_pubkey(o1->final_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o1->final_key, &pubkey2))
 		errx(1, "Invalid o1 final pubkey");
 	if (!pubkey_eq(&pubkey1, &pubkey2))
 		errx(1, "o1 pubkey != this privkey");
-	if (!proto_to_pubkey(o2->final_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->final_key, &pubkey2))
 		errx(1, "Invalid o2 final pubkey");
 
 	/* We use this simply to get final revocation hash. */
@@ -114,9 +119,9 @@ int main(int argc, char *argv[])
 	tx->output[0].script_length = tal_count(tx->output[0].script);
 
 	/* Now get signature, to set up input script. */
-	if (!sign_tx_input(tx, 0, redeemscript, tal_count(redeemscript),
-			   &privkey, &pubkey1, &sig.sig))
-		errx(1, "Could not sign tx");
+	sign_tx_input(secp256k1_context_create(SECP256K1_CONTEXT_SIGN),
+		      tx, 0, redeemscript, tal_count(redeemscript),
+		      &privkey, &pubkey1, &sig.sig);
 	sig.stype = SIGHASH_ALL;
 	tx->input[0].script = scriptsig_p2sh_secret(tx, NULL, 0, &sig,
 						    redeemscript,

test-cli/create-commit-tx.c

@@ -52,17 +52,21 @@ int main(int argc, char *argv[])
 	o2 = pkt_from_file(argv[2], PKT__PKT_OPEN)->open;
 	a = pkt_from_file(argv[3], PKT__PKT_OPEN_ANCHOR)->open_anchor;
 
-	if (!key_from_base58(argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
+	if (!key_from_base58(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+						      | SECP256K1_CONTEXT_SIGN),
+			     argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
 		errx(1, "Invalid private key '%s'", argv[4]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[4]);
 
 	/* Get pubkeys */
-	if (!proto_to_pubkey(o1->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o1->commit_key, &pubkey2))
 		errx(1, "Invalid o1 commit pubkey");
 	if (!pubkey_eq(&pubkey1, &pubkey2))
 		errx(1, "o1 pubkey != this privkey");
-	if (!proto_to_pubkey(o2->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->commit_key, &pubkey2))
 		errx(1, "Invalid o2 commit pubkey");
 
 	sig2.stype = SIGHASH_ALL;
@@ -84,11 +88,13 @@ int main(int argc, char *argv[])
 
 	/* We generate our signature. */
 	sig1.stype = SIGHASH_ALL;
-	sign_tx_input(commit, 0, redeemscript, tal_count(redeemscript),
+	sign_tx_input(secp256k1_context_create(SECP256K1_CONTEXT_SIGN),
+		      commit, 0, redeemscript, tal_count(redeemscript),
 		      &privkey, &pubkey1, &sig1.sig);
 
 	/* Check it works with theirs... */
-	if (!check_2of2_sig(commit, 0, redeemscript, tal_count(redeemscript),
+	if (!check_2of2_sig(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY),
+			    commit, 0, redeemscript, tal_count(redeemscript),
 			    &pubkey1, &pubkey2, &sig1, &sig2))
 		errx(1, "Signature failed");
 

test-cli/create-htlc-spend-tx.c

@@ -88,18 +88,23 @@ int main(int argc, char *argv[])
 		errx(1, "Expected update or update-add-htlc for %s", argv[5]);
 	}
 
-	if (!key_from_base58(argv[6], strlen(argv[6]), &testnet, &privkey, &key))
+	if (!key_from_base58(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+						      | SECP256K1_CONTEXT_SIGN),
+			     argv[6], strlen(argv[6]), &testnet, &privkey, &key))
 		errx(1, "Invalid private key '%s'", argv[6]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[6]);
 
-	if (!pubkey_from_hexstr(argv[7], strlen(argv[7]), &outpubkey))
+	if (!pubkey_from_hexstr(secp256k1_context_create(0),
+				argv[7], strlen(argv[7]), &outpubkey))
 		errx(1, "Invalid commit key '%s'", argv[7]);
 
 	/* Get pubkeys */
-	if (!proto_to_pubkey(o1->final_key, &pubkey1))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o1->final_key, &pubkey1))
 		errx(1, "Invalid o1 final pubkey");
-	if (!proto_to_pubkey(o2->final_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->final_key, &pubkey2))
 		errx(1, "Invalid o2 final pubkey");
 
 	if (pubkey_eq(&key, &pubkey1)) {
@@ -186,9 +191,9 @@ int main(int argc, char *argv[])
 	tx->output[0].script_length = tal_count(tx->output[0].script);
 
 	/* Now get signature, to set up input script. */
-	if (!sign_tx_input(tx, 0, redeemscript, tal_count(redeemscript),
-			   &privkey, &key, &sig.sig))
-		errx(1, "Could not sign tx");
+	sign_tx_input(secp256k1_context_create(SECP256K1_CONTEXT_SIGN),
+		      tx, 0, redeemscript, tal_count(redeemscript),
+		      &privkey, &key, &sig.sig);
 
 	sig.stype = SIGHASH_ALL;
 	tx->input[0].script = scriptsig_p2sh_secret(tx, secret, secret_len,

test-cli/create-steal-tx.c

@@ -63,7 +63,9 @@ int main(int argc, char *argv[])
 		errx(1, "Expected update or update-complete in %s", argv[2]);
 	}
 
-	if (!key_from_base58(argv[3], strlen(argv[3]), &testnet, &privkey, &pubkey1))
+	if (!key_from_base58(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+						      | SECP256K1_CONTEXT_SIGN),
+			     argv[3], strlen(argv[3]), &testnet, &privkey, &pubkey1))
 		errx(1, "Invalid private key '%s'", argv[3]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[3]);
@@ -73,15 +75,18 @@ int main(int argc, char *argv[])
 	if (!proto_to_rel_locktime(o1->delay, &locktime))
 		errx(1, "Invalid locktime in o2");
 
-	if (!pubkey_from_hexstr(argv[6], strlen(argv[6]), &outpubkey))
+	if (!pubkey_from_hexstr(secp256k1_context_create(0),
+				argv[6], strlen(argv[6]), &outpubkey))
 		errx(1, "Invalid bitcoin pubkey '%s'", argv[6]);
 
 	/* Get pubkeys */
-	if (!proto_to_pubkey(o1->final_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o1->final_key, &pubkey2))
 		errx(1, "Invalid o1 final pubkey");
 	if (!pubkey_eq(&pubkey1, &pubkey2))
 		errx(1, "o1 pubkey != this privkey");
-	if (!proto_to_pubkey(o2->final_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->final_key, &pubkey2))
 		errx(1, "Invalid o2 final pubkey");
 
 	/* Now, which commit output?  Match redeem script. */
@@ -113,9 +118,9 @@ int main(int argc, char *argv[])
 	tx->output[0].script_length = tal_count(tx->output[0].script);
 
 	/* Now get signature, to set up input script. */
-	if (!sign_tx_input(tx, 0, redeemscript, tal_count(redeemscript),
-			   &privkey, &pubkey1, &sig.sig))
-		errx(1, "Could not sign tx");
+	sign_tx_input(secp256k1_context_create(SECP256K1_CONTEXT_SIGN),
+		      tx, 0, redeemscript, tal_count(redeemscript),
+		      &privkey, &pubkey1, &sig.sig);
 	sig.stype = SIGHASH_ALL;
 	tx->input[0].script = scriptsig_p2sh_secret(tx,
 						    &revoke_preimage,

test-cli/open-anchor.c

@@ -56,13 +56,16 @@ int main(int argc, char *argv[])
 
 	o1 = pkt_from_file(argv[1], PKT__PKT_OPEN)->open;
 	o2 = pkt_from_file(argv[2], PKT__PKT_OPEN)->open;
-	if (!proto_to_pubkey(o2->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->commit_key, &pubkey2))
 		errx(1, "Invalid o2 commit_key");
 
 	anchor = bitcoin_tx_from_file(ctx, argv[3]);
 	bitcoin_txid(anchor, &txid);
 
-	if (!key_from_base58(argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
+	if (!key_from_base58(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+						      | SECP256K1_CONTEXT_SIGN),
+			     argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
 		errx(1, "Invalid private key '%s'", argv[4]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[4]);
@@ -88,7 +91,8 @@ int main(int argc, char *argv[])
 	invert_cstate(cstate);
 	commit = commit_tx_from_pkts(ctx, o2, o1, &oa, &rhash, cstate);
 
-	sign_tx_input(commit, 0, redeemscript, tal_count(redeemscript),
+	sign_tx_input(secp256k1_context_create(SECP256K1_CONTEXT_SIGN),
+		      commit, 0, redeemscript, tal_count(redeemscript),
 		      &privkey, &pubkey1, &sig);
 
 	oa.commit_sig = signature_to_proto(ctx, &sig);

test-cli/open-channel.c

@@ -69,10 +69,12 @@ int main(int argc, char *argv[])
 	if (!hex_decode(argv[1], strlen(argv[1]), &seed, sizeof(seed)))
 		errx(1, "Invalid seed '%s' - need 256 hex bits", argv[1]);
 
-	if (!pubkey_from_hexstr(argv[2], strlen(argv[2]), &commitkey))
+	if (!pubkey_from_hexstr(secp256k1_context_create(0),
+				argv[2], strlen(argv[2]), &commitkey))
 		errx(1, "Invalid commit key '%s'", argv[2]);
 
-	if (!pubkey_from_hexstr(argv[3], strlen(argv[3]), &finalkey))
+	if (!pubkey_from_hexstr(secp256k1_context_create(0),
+				argv[3], strlen(argv[3]), &finalkey))
 		errx(1, "Invalid final key '%s'", argv[3]);
 
 	if (offer_anchor && min_confirms == 0)

test-cli/open-commit-sig.c

@@ -52,7 +52,9 @@ int main(int argc, char *argv[])
 	o2 = pkt_from_file(argv[2], PKT__PKT_OPEN)->open;
 	a = pkt_from_file(argv[3], PKT__PKT_OPEN_ANCHOR)->open_anchor;
 	
-	if (!key_from_base58(argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
+	if (!key_from_base58(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+						      | SECP256K1_CONTEXT_SIGN),
+			     argv[4], strlen(argv[4]), &testnet, &privkey, &pubkey1))
 		errx(1, "Invalid private key '%s'", argv[4]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[4]);
@@ -75,12 +77,14 @@ int main(int argc, char *argv[])
 		errx(1, "Invalid packets?");
 
 	/* Their pubkey must be valid */
-	if (!proto_to_pubkey(o2->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->commit_key, &pubkey2))
 		errx(1, "Invalid public open-channel-file2");
 
 	/* Sign it for them. */
 	subscript = bitcoin_redeem_2of2(ctx, &pubkey1, &pubkey2);
-	sign_tx_input(commit, 0, subscript, tal_count(subscript),
+	sign_tx_input(secp256k1_context_create(SECP256K1_CONTEXT_SIGN),
+		      commit, 0, subscript, tal_count(subscript),
 		      &privkey, &pubkey1, &sig);
 
 	pkt = open_commit_sig_pkt(ctx, &sig);

test-cli/pkt.c

@@ -240,9 +240,11 @@ struct bitcoin_tx *commit_tx_from_pkts(const tal_t *ctx,
 
 	proto_to_sha256(anchor->txid, &txid.sha);
 	/* Output goes to our final pubkeys */
-	if (!proto_to_pubkey(ours->final_key, &ourkey))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     ours->final_key, &ourkey))
 		return NULL;
-	if (!proto_to_pubkey(theirs->final_key, &theirkey))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     theirs->final_key, &theirkey))
 		return NULL;
 	if (!proto_to_rel_locktime(theirs->delay, &locktime))
 		return NULL;

test-cli/update-channel-accept.c

@@ -57,7 +57,9 @@ int main(int argc, char *argv[])
 	o2 = pkt_from_file(argv[3], PKT__PKT_OPEN)->open;
 	a = pkt_from_file(argv[4], PKT__PKT_OPEN_ANCHOR)->open_anchor;
 
-	if (!key_from_base58(argv[5], strlen(argv[5]), &testnet, &privkey, &pubkey1))
+	if (!key_from_base58(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+						      | SECP256K1_CONTEXT_SIGN),
+			     argv[5], strlen(argv[5]), &testnet, &privkey, &pubkey1))
 		errx(1, "Invalid private key '%s'", argv[5]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[5]);
@@ -75,11 +77,13 @@ int main(int argc, char *argv[])
 	       revocation_hash.u.u8, sizeof(revocation_hash.u.u8));
 	
 	/* Get pubkeys */
-	if (!proto_to_pubkey(o1->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o1->commit_key, &pubkey2))
 		errx(1, "Invalid o1 commit pubkey");
 	if (!pubkey_eq(&pubkey1, &pubkey2))
 		errx(1, "o1 pubkey != this privkey");
-	if (!proto_to_pubkey(o2->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->commit_key, &pubkey2))
 		errx(1, "Invalid o2 commit pubkey");
 
 	/* This is what the anchor pays to; figure out whick output. */
@@ -94,7 +98,8 @@ int main(int argc, char *argv[])
 		errx(1, "Delta too large");
 
 	/* Sign it for them. */
-	sign_tx_input(commit, 0, redeemscript, tal_count(redeemscript),
+	sign_tx_input(secp256k1_context_create(SECP256K1_CONTEXT_SIGN),
+		      commit, 0, redeemscript, tal_count(redeemscript),
 		      &privkey, &pubkey1, &sig.sig);
 
 	pkt = update_accept_pkt(ctx, &sig.sig, &revocation_hash);

test-cli/update-channel-complete.c

@@ -68,9 +68,11 @@ int main(int argc, char *argv[])
 		errx(1, "Expected at least one update!");
 
 	/* Get pubkeys */
-	if (!proto_to_pubkey(o1->commit_key, &pubkey1))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o1->commit_key, &pubkey1))
 		errx(1, "Invalid o1 commit pubkey");
-	if (!proto_to_pubkey(o2->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->commit_key, &pubkey2))
 		errx(1, "Invalid o2 commit pubkey");
 
 	/* This is what the anchor pays to. */
@@ -81,7 +83,8 @@ int main(int argc, char *argv[])
 	if (!commit)
 		errx(1, "Delta too large");
 
-	if (!check_tx_sig(commit, 0, redeemscript, tal_count(redeemscript),
+	if (!check_tx_sig(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY),
+			  commit, 0, redeemscript, tal_count(redeemscript),
 			  &pubkey2, &sig))
 		errx(1, "Invalid signature.");
 	

test-cli/update-channel-signature.c

@@ -57,7 +57,9 @@ int main(int argc, char *argv[])
 	o2 = pkt_from_file(argv[3], PKT__PKT_OPEN)->open;
 	a = pkt_from_file(argv[4], PKT__PKT_OPEN_ANCHOR)->open_anchor;
 
-	if (!key_from_base58(argv[5], strlen(argv[5]), &testnet, &privkey, &pubkey1))
+	if (!key_from_base58(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
+						      | SECP256K1_CONTEXT_SIGN),
+			     argv[5], strlen(argv[5]), &testnet, &privkey, &pubkey1))
 		errx(1, "Invalid private key '%s'", argv[5]);
 	if (!testnet)
 		errx(1, "Private key '%s' not on testnet!", argv[5]);
@@ -78,11 +80,13 @@ int main(int argc, char *argv[])
 	shachain_from_seed(&seed, num_updates - 1, &preimage);
 	
 	/* Get pubkeys */
-	if (!proto_to_pubkey(o1->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o1->commit_key, &pubkey2))
 		errx(1, "Invalid o1 commit pubkey");
 	if (!pubkey_eq(&pubkey1, &pubkey2))
 		errx(1, "o1 pubkey != this privkey");
-	if (!proto_to_pubkey(o2->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->commit_key, &pubkey2))
 		errx(1, "Invalid o2 commit pubkey");
 
 	/* This is what the anchor pays to. */
@@ -94,7 +98,8 @@ int main(int argc, char *argv[])
 		errx(1, "Invalid packets");
 
 	/* Check their signature signs this input correctly. */
-	if (!check_tx_sig(commit, 0, redeemscript, tal_count(redeemscript),
+	if (!check_tx_sig(secp256k1_context_create(SECP256K1_CONTEXT_VERIFY),
+			  commit, 0, redeemscript, tal_count(redeemscript),
 			  &pubkey2, &sig))
 		errx(1, "Invalid signature.");
 
@@ -105,11 +110,13 @@ int main(int argc, char *argv[])
 		errx(1, "Invalid packets");
 
 	/* Their pubkey must be valid */
-	if (!proto_to_pubkey(o2->commit_key, &pubkey2))
+	if (!proto_to_pubkey(secp256k1_context_create(0),
+			     o2->commit_key, &pubkey2))
 		errx(1, "Invalid public open-channel-file2");
 
 	/* Sign it for them. */
-	sign_tx_input(commit, 0, redeemscript, tal_count(redeemscript),
+	sign_tx_input(secp256k1_context_create(SECP256K1_CONTEXT_SIGN),
+		      commit, 0, redeemscript, tal_count(redeemscript),
 		      &privkey, &pubkey1, &sig.sig);
 
 	pkt = update_signature_pkt(ctx, &sig.sig, &preimage);