lightningdevkit
diff --git a/‎fuzz/src/peer_crypt.rs
+5-3 b/‎fuzz/src/peer_crypt.rs
+5-3
diff --git a/‎lightning/src/ln/channelmanager.rs
+6-5 b/‎lightning/src/ln/channelmanager.rs
+6-5
@@ -8,6 +8,7 @@
 // licenses.
 
 use lightning::ln::peer_channel_encryptor::PeerChannelEncryptor;
+use lightning::util::test_utils::TestNodeSigner;
 
 use bitcoin::secp256k1::{Secp256k1, PublicKey, SecretKey};
 
@@ -41,6 +42,7 @@ pub fn do_test(data: &[u8]) {
 		Ok(key) => key,
 		Err(_) => return,
 	};
+	let node_signer = TestNodeSigner::new(our_network_key);
 	let ephemeral_key = match SecretKey::from_slice(get_slice!(32)) {
 		Ok(key) => key,
 		Err(_) => return,
@@ -53,15 +55,15 @@ pub fn do_test(data: &[u8]) {
 		};
 		let mut crypter = PeerChannelEncryptor::new_outbound(their_pubkey, ephemeral_key);
 		crypter.get_act_one(&secp_ctx);
-		match crypter.process_act_two(get_slice!(50), &our_network_key, &secp_ctx) {
+		match crypter.process_act_two(get_slice!(50), &&node_signer) {
 			Ok(_) => {},
 			Err(_) => return,
 		}
 		assert!(crypter.is_ready_for_encryption());
 		crypter
 	} else {
-		let mut crypter = PeerChannelEncryptor::new_inbound(&our_network_key, &secp_ctx);
-		match crypter.process_act_one_with_keys(get_slice!(50), &our_network_key, ephemeral_key, &secp_ctx) {
+		let mut crypter = PeerChannelEncryptor::new_inbound(&&node_signer);
+		match crypter.process_act_one_with_keys(get_slice!(50), &&node_signer, ephemeral_key, &secp_ctx) {
 			Ok(_) => {},
 			Err(_) => return,
 		}
 
@@ -30,7 +30,6 @@ use bitcoin::hash_types::{BlockHash, Txid};
 
 use bitcoin::secp256k1::{SecretKey,PublicKey};
 use bitcoin::secp256k1::Secp256k1;
-use bitcoin::secp256k1::ecdh::SharedSecret;
 use bitcoin::{LockTime, secp256k1, Sequence};
 
 use crate::chain;
@@ -2016,7 +2015,9 @@ where
 			return_malformed_err!("invalid ephemeral pubkey", 0x8000 | 0x4000 | 6);
 		}
 
-		let shared_secret = SharedSecret::new(&msg.onion_routing_packet.public_key.unwrap(), &self.our_network_key).secret_bytes();
+		let shared_secret = self.node_signer.ecdh(
+			Recipient::Node, &msg.onion_routing_packet.public_key.unwrap(), None
+		).unwrap().secret_bytes();
 
 		if msg.onion_routing_packet.version != 0 {
 			//TODO: Spec doesn't indicate if we should only hash hop_data here (and in other
@@ -2924,9 +2925,9 @@ where
 											}
 										}
 										if let PendingHTLCRouting::Forward { onion_packet, .. } = routing {
-											let phantom_secret_res = self.node_signer.get_node_secret(Recipient::PhantomNode);
-											if phantom_secret_res.is_ok() && fake_scid::is_valid_phantom(&self.fake_scid_rand_bytes, short_chan_id, &self.genesis_hash) {
-												let phantom_shared_secret = SharedSecret::new(&onion_packet.public_key.unwrap(), &phantom_secret_res.unwrap()).secret_bytes();
+											let phantom_pubkey_res = self.node_signer.get_node_id(Recipient::PhantomNode);
+											if phantom_pubkey_res.is_ok() && fake_scid::is_valid_phantom(&self.fake_scid_rand_bytes, short_chan_id, &self.genesis_hash) {
+												let phantom_shared_secret = self.node_signer.ecdh(Recipient::PhantomNode, &onion_packet.public_key.unwrap(), None).unwrap().secret_bytes();
 												let next_hop = match onion_utils::decode_next_payment_hop(phantom_shared_secret, &onion_packet.hop_data, onion_packet.hmac, payment_hash) {
 													Ok(res) => res,
 													Err(onion_utils::OnionDecodeErr::Malformed { err_msg, err_code }) => {