diff --git a/pageant.c b/pageant.c
index 6c080bea..6b4c7c91 100644
--- a/pageant.c
+++ b/pageant.c
@@ -352,7 +352,7 @@ void pageant_handle_msg(BinarySink *bs,
             }
 
             signature = strbuf_new();
-            ssh_key_sign(key->key, sigdata.ptr, sigdata.len, flags,
+            ssh_key_sign(key->key, sigdata, flags,
                          BinarySink_UPCAST(signature));
 
             put_byte(bs, SSH2_AGENT_SIGN_RESPONSE);
@@ -1086,7 +1086,8 @@ int pageant_add_keyfile(Filename *filename, const char *passphrase,
 		}
 		/* Now skip over public blob */
 		if (type == SSH_KEYTYPE_SSH1) {
-		    int n = rsa_ssh1_public_blob_len(p, keylistlen);
+		    int n = rsa_ssh1_public_blob_len(
+                        make_ptrlen(p, keylistlen));
 		    if (n < 0) {
                         *retstr = dupstr("Received broken key list from agent");
                         sfree(keylist);
diff --git a/ssh.h b/ssh.h
index e3b967fd..02c4a1ae 100644
--- a/ssh.h
+++ b/ssh.h
@@ -511,7 +511,7 @@ char *rsa_ssh1_fingerprint(struct RSAKey *key);
 bool rsa_verify(struct RSAKey *key);
 void rsa_ssh1_public_blob(BinarySink *bs, struct RSAKey *key,
                           RsaSsh1Order order);
-int rsa_ssh1_public_blob_len(void *data, int maxlen);
+int rsa_ssh1_public_blob_len(ptrlen data);
 void freersapriv(struct RSAKey *key);
 void freersakey(struct RSAKey *key);
 
@@ -532,7 +532,7 @@ struct ssh_hashalg;
 struct ssh_rsa_kex_extra {
     int minklen;
 };
-struct RSAKey *ssh_rsakex_newkey(const void *data, int len);
+struct RSAKey *ssh_rsakex_newkey(ptrlen data);
 void ssh_rsakex_freekey(struct RSAKey *key);
 int ssh_rsakex_klen(struct RSAKey *key);
 void ssh_rsakex_encrypt(const struct ssh_hashalg *h,
@@ -776,8 +776,7 @@ struct ssh_keyalg {
 
     /* Methods that operate on an existing ssh_key */
     void (*freekey) (ssh_key *key);
-    void (*sign) (ssh_key *key, const void *data, int datalen,
-                  unsigned flags, BinarySink *);
+    void (*sign) (ssh_key *key, ptrlen data, unsigned flags, BinarySink *);
     bool (*verify) (ssh_key *key, ptrlen sig, ptrlen data);
     void (*public_blob)(ssh_key *key, BinarySink *);
     void (*private_blob)(ssh_key *key, BinarySink *);
@@ -799,8 +798,8 @@ struct ssh_keyalg {
 #define ssh_key_new_priv_openssh(alg, bs) ((alg)->new_priv_openssh(alg, bs))
 
 #define ssh_key_free(key) ((key)->vt->freekey(key))
-#define ssh_key_sign(key, data, len, flags, bs) \
-    ((key)->vt->sign(key, data, len, flags, bs))
+#define ssh_key_sign(key, data, flags, bs) \
+    ((key)->vt->sign(key, data, flags, bs))
 #define ssh_key_verify(key, sig, data) ((key)->vt->verify(key, sig, data))
 #define ssh_key_public_blob(key, bs) ((key)->vt->public_blob(key, bs))
 #define ssh_key_private_blob(key, bs) ((key)->vt->private_blob(key, bs))
diff --git a/ssh2kex-client.c b/ssh2kex-client.c
index 865397df..f2e5dc13 100644
--- a/ssh2kex-client.c
+++ b/ssh2kex-client.c
@@ -537,7 +537,7 @@ void ssh2kex_coroutine(struct ssh2_transport_state *s, bool *aborted)
 
         rsakeydata = get_string(pktin);
 
-        s->rsa_kex_key = ssh_rsakex_newkey(rsakeydata.ptr, rsakeydata.len);
+        s->rsa_kex_key = ssh_rsakex_newkey(rsakeydata);
         if (!s->rsa_kex_key) {
             ssh_proto_error(s->ppl.ssh,
                             "Unable to parse RSA public key packet");
diff --git a/ssh2kex-server.c b/ssh2kex-server.c
index 22b26961..a5c3fb5c 100644
--- a/ssh2kex-server.c
+++ b/ssh2kex-server.c
@@ -28,8 +28,9 @@ static strbuf *finalise_and_sign_exhash(struct ssh2_transport_state *s)
     strbuf *sb;
     ssh2transport_finalise_exhash(s);
     sb = strbuf_new();
-    ssh_key_sign(s->hkey, s->exchange_hash, s->kex_alg->hash->hlen, 0,
-                 BinarySink_UPCAST(sb));
+    ssh_key_sign(
+        s->hkey, make_ptrlen(s->exchange_hash, s->kex_alg->hash->hlen),
+        0, BinarySink_UPCAST(sb));
     return sb;
 }
 
diff --git a/ssh2userauth.c b/ssh2userauth.c
index d79ab5bd..6148929c 100644
--- a/ssh2userauth.c
+++ b/ssh2userauth.c
@@ -890,7 +890,7 @@ static void ssh2_userauth_process_queue(PacketProtocolLayer *ppl)
                     put_data(sigdata, s->pktout->data + 5,
                              s->pktout->length - 5);
                     sigblob = strbuf_new();
-                    ssh_key_sign(key->key, sigdata->s, sigdata->len, 0,
+                    ssh_key_sign(key->key, ptrlen_from_strbuf(sigdata), 0,
                                  BinarySink_UPCAST(sigblob));
                     strbuf_free(sigdata);
                     ssh2_userauth_add_sigblob(
diff --git a/sshdss.c b/sshdss.c
index 21bb7f82..439ef701 100644
--- a/sshdss.c
+++ b/sshdss.c
@@ -416,14 +416,13 @@ mp_int *dss_gen_k(const char *id_string, mp_int *modulus,
     return k;
 }
 
-static void dss_sign(ssh_key *key, const void *data, int datalen,
-                     unsigned flags, BinarySink *bs)
+static void dss_sign(ssh_key *key, ptrlen data, unsigned flags, BinarySink *bs)
 {
     struct dss_key *dss = container_of(key, struct dss_key, sshk);
     unsigned char digest[20];
     int i;
 
-    SHA_Simple(data, datalen, digest);
+    SHA_Simple(data.ptr, data.len, digest);
 
     mp_int *k = dss_gen_k("DSA deterministic k generator", dss->q, dss->x,
                           digest, sizeof(digest));
diff --git a/sshecc.c b/sshecc.c
index 7d7b13da..01c8dd3c 100644
--- a/sshecc.c
+++ b/sshecc.c
@@ -979,7 +979,7 @@ static bool eddsa_verify(ssh_key *key, ptrlen sig, ptrlen data)
     return valid;
 }
 
-static void ecdsa_sign(ssh_key *key, const void *data, int datalen,
+static void ecdsa_sign(ssh_key *key, ptrlen data,
                        unsigned flags, BinarySink *bs)
 {
     struct ecdsa_key *ek = container_of(key, struct ecdsa_key, sshk);
@@ -987,15 +987,14 @@ static void ecdsa_sign(ssh_key *key, const void *data, int datalen,
         (const struct ecsign_extra *)ek->sshk.vt->extra;
     assert(ek->privateKey);
 
-    mp_int *z = ecdsa_signing_exponent_from_data(
-        ek->curve, extra, make_ptrlen(data, datalen));
+    mp_int *z = ecdsa_signing_exponent_from_data(ek->curve, extra, data);
 
     /* Generate k between 1 and curve->n, using the same deterministic
      * k generation system we use for conventional DSA. */
     mp_int *k;
     {
         unsigned char digest[20];
-        SHA_Simple(data, datalen, digest);
+        SHA_Simple(data.ptr, data.len, digest);
         k = dss_gen_k(
             "ECDSA deterministic k generator", ek->curve->w.G_order,
             ek->privateKey, digest, sizeof(digest));
@@ -1033,7 +1032,7 @@ static void ecdsa_sign(ssh_key *key, const void *data, int datalen,
     mp_free(s);
 }
 
-static void eddsa_sign(ssh_key *key, const void *data, int datalen,
+static void eddsa_sign(ssh_key *key, ptrlen data,
                        unsigned flags, BinarySink *bs)
 {
     struct eddsa_key *ek = container_of(key, struct eddsa_key, sshk);
@@ -1076,7 +1075,7 @@ static void eddsa_sign(ssh_key *key, const void *data, int datalen,
     h = ssh_hash_new(extra->hash);
     put_data(h, hash + ek->curve->fieldBytes,
              extra->hash->hlen - ek->curve->fieldBytes);
-    put_data(h, data, datalen);
+    put_datapl(h, data);
     ssh_hash_final(h, hash);
     mp_int *log_r_unreduced = mp_from_bytes_le(
         make_ptrlen(hash, extra->hash->hlen));
@@ -1097,7 +1096,7 @@ static void eddsa_sign(ssh_key *key, const void *data, int datalen,
      * eddsa_verify does.
      */
     mp_int *H = eddsa_signing_exponent_from_data(
-        ek, extra, ptrlen_from_strbuf(r_enc), make_ptrlen(data, datalen));
+        ek, extra, ptrlen_from_strbuf(r_enc), data);
 
     /* And then s = (log(r) + H*a) mod order(G). */
     mp_int *Ha = mp_modmul(H, a, ek->curve->e.G_order);
diff --git a/sshrsa.c b/sshrsa.c
index 7558abdd..8c768646 100644
--- a/sshrsa.c
+++ b/sshrsa.c
@@ -315,11 +315,11 @@ void rsa_ssh1_public_blob(BinarySink *bs, struct RSAKey *key,
 }
 
 /* Given an SSH-1 public key blob, determine its length. */
-int rsa_ssh1_public_blob_len(void *data, int maxlen)
+int rsa_ssh1_public_blob_len(ptrlen data)
 {
     BinarySource src[1];
 
-    BinarySource_BARE_INIT(src, data, maxlen);
+    BinarySource_BARE_INIT(src, data.ptr, data.len);
 
     /* Expect a length word, then exponent and modulus. (It doesn't
      * even matter which order.) */
@@ -638,7 +638,7 @@ static bool rsa2_verify(ssh_key *key, ptrlen sig, ptrlen data)
     return diff == 0;
 }
 
-static void rsa2_sign(ssh_key *key, const void *data, int datalen,
+static void rsa2_sign(ssh_key *key, ptrlen data,
                       unsigned flags, BinarySink *bs)
 {
     struct RSAKey *rsa = container_of(key, struct RSAKey, sshk);
@@ -661,8 +661,7 @@ static void rsa2_sign(ssh_key *key, const void *data, int datalen,
 
     nbytes = (mp_get_nbits(rsa->modulus) + 7) / 8;
 
-    bytes = rsa_pkcs1_signature_string(
-        nbytes, halg, make_ptrlen(data, datalen));
+    bytes = rsa_pkcs1_signature_string(nbytes, halg, data);
     in = mp_from_bytes_be(make_ptrlen(bytes, nbytes));
     smemclr(bytes, nbytes);
     sfree(bytes);
@@ -700,9 +699,9 @@ const ssh_keyalg ssh_rsa = {
     SSH_AGENT_RSA_SHA2_256 | SSH_AGENT_RSA_SHA2_512,
 };
 
-struct RSAKey *ssh_rsakex_newkey(const void *data, int len)
+struct RSAKey *ssh_rsakex_newkey(ptrlen data)
 {
-    ssh_key *sshk = rsa2_new_pub(&ssh_rsa, make_ptrlen(data, len));
+    ssh_key *sshk = rsa2_new_pub(&ssh_rsa, data);
     if (!sshk)
         return NULL;
     return container_of(sshk, struct RSAKey, sshk);