From ce60ca727c1e51ba54b0b2ecfabd7c2a0eca3a29 Mon Sep 17 00:00:00 2001 From: Simon Tatham Date: Sat, 20 Feb 2021 10:13:49 +0000 Subject: [PATCH] Correct documentation of PPK key derivation. When I transcribed the code into this document, I misread 'put_data' as 'put_string' in several places, and documented SSH-style string length headers that do not actually exist in the format. --- doc/pubkeyfmt.but | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/doc/pubkeyfmt.but b/doc/pubkeyfmt.but index c8fe665e..d3cea441 100644 --- a/doc/pubkeyfmt.but +++ b/doc/pubkeyfmt.but @@ -255,14 +255,18 @@ Each hash in the sequence is a SHA-1 hash of the following data: \b \cw{uint32}: a sequence number. This is 0 in the first hash, and increments by 1 each time after that. -\b \cw{string}: the passphrase. +\b the passphrase, without any prefix length field. The MAC key is also derived from the passphrase. It is a single SHA-1 hash of the following data: -\b \cw{string}: the fixed string \cq{putty-private-key-file-mac-key}. +\b the fixed string \cq{putty-private-key-file-mac-key}, without any +prefix length field. -\b \cw{string}: the passphrase. +\b the passphrase, without any prefix length field. (If the key file +is unencrypted, the MAC is still computed in the same way, and the +passphrase is taken to be the empty string for the purpose of deriving +the MAC key.) \H{ppk-v1} PPK version 1
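Review bot: the last three added lines of the hunk (the parenthetical "If the key file is unencrypted, the MAC is still computed in the same way, and the passphrase is taken to be the empty string for the purpose of deriving the MAC key") document behaviour that the commit message does not mention; the message only describes replacing the mistaken `string` length headers with raw data. Either mention this addition in the commit message or split it into its own commit, so a reader of the history can see that the empty-passphrase MAC derivation was documented deliberately rather than slipped in with the header fix. Minor style point: "without any prefix length field" is now repeated on three consecutive bullets; a single sentence before the list stating that none of the hashed fields carry an SSH-style length prefix would read more cleanly than repeating it per item.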