diff --git a/ripd/ChangeLog b/ripd/ChangeLog
index 60be27e..edb504a 100644
--- a/ripd/ChangeLog
+++ b/ripd/ChangeLog
@@ -1,3 +1,26 @@
+2005-02-04 Paul Jakma <paul@dishone.st>
+
+	* ripd.c: Untangle the construction of RIP auth data.
+	  (rip_auth_prepare_str_send) new helper function, prepare
+	  correct key string.
+	  (rip_auth_simple_write) new helper, write out the
+	  rip simple password auth psuedo-RTE.
+	  (rip_auth_md5_ah_write) new helper, write out the
+	  MD5 auth-header psuedo-RTE.
+	  (rip_auth_header_write) new helper, write out correct
+	  auth header data / psuedo-RTE.
+	  (rip_auth_md5_set) rip out the memmove and writing of the
+	  auth header psuedo-RTE. So that all that is left is to
+	  write the trailing auth digest, and update digest offset
+	  field in the original header.
+	  (rip_write_rte) rip out writing of RIP header, writing of
+	  simple auth data psuedo-RTE. Make it do what its name suggests,
+	  write out actual RTEs.
+	  (rip_output_process) remove the incorrect additional decrements 
+	  of rtemax. Prepare the auth_str, which simple or MD5 auth will
+	  need. Move write out of RIP header and auth data to inside the
+	  loop. Adjust paramaters as required.
+
 2005-01-30 Andrew J. Schorr <ajschorr@alumni.princeton.edu>
 
 	* ripd.c: (rip_create_socket) Replace perror with zlog_err.
diff --git a/ripd/ripd.c b/ripd/ripd.c
index b5d130e..c7ae00d 100644
--- a/ripd/ripd.c
+++ b/ripd/ripd.c
@@ -929,72 +929,73 @@
     return 0;
 }
 
-void
-rip_auth_md5_set (struct stream *s, struct interface *ifp)
+/* Pick correct auth string for sends, prepare auth_str buffer for use.
+ * (left justified and padded).
+ *
+ * presumes one of ri or key is valid, and that the auth strings they point
+ * to are nul terminated. If neither are present, auth_str will be fully
+ * zero padded.
+ *
+ */
+static void
+rip_auth_prepare_str_send (struct rip_interface *ri, struct key *key, 
+                           char *auth_str, int len)
 {
-  struct rip_interface *ri;
-  struct keychain *keychain = NULL;
-  struct key *key = NULL;
-  unsigned long len;
-  struct md5_ctx ctx;
-  unsigned char secret[RIP_AUTH_MD5_SIZE];
-  unsigned char digest[RIP_AUTH_MD5_SIZE];
-  char *auth_str = NULL;
+  assert (ri || key);
 
-  ri = ifp->info;
+  memset (auth_str, 0, len);
+  if (key && key->string)
+    strncpy (auth_str, key->string, len);
+  else if (ri->auth_str)
+    strncpy (auth_str, ri->auth_str, len);
 
-  /* Make it sure this interface is configured as MD5
-     authentication. */
-  if (ri->auth_type != RIP_AUTH_MD5)
-    return;
+  return;
+}
 
-  /* Lookup key chain. */
-  if (ri->key_chain)
-    {
-      keychain = keychain_lookup (ri->key_chain);
-      if (keychain == NULL)
-	return;
-
-      /* Lookup key. */
-      key = key_lookup_for_send (keychain);
-      if (key == NULL)
-	return;
-
-      auth_str = key->string;
-    }
-
-  if (ri->auth_str)
-    auth_str = ri->auth_str;
-
-  if (! auth_str)
-    return;
-
-  /* Get packet length. */
-  len = s->putp;
-
-  /* Check packet length. */
-  if (len < (RIP_HEADER_SIZE + RIP_RTE_SIZE))
-    {
-      zlog_err ("rip_auth_md5_set(): packet length %ld is less than minimum length.", len);
-      return;
-    }
-
-  /* Move RTE. */
-  memmove (s->data + RIP_HEADER_SIZE + RIP_RTE_SIZE,
-	   s->data + RIP_HEADER_SIZE,
-	   len - RIP_HEADER_SIZE);
+/* Write RIPv2 simple password authentication information
+ *
+ * auth_str is presumed to be 2 bytes and correctly prepared 
+ * (left justified and zero padded).
+ */
+static void
+rip_auth_simple_write (struct stream *s, char *auth_str, int len)
+{
+  assert (s && len == RIP_AUTH_SIMPLE_SIZE);
   
-  /* Set pointer to authentication header. */
-  stream_set_putp (s, RIP_HEADER_SIZE);
-  len += RIP_RTE_SIZE;
+  stream_putw (s, RIP_FAMILY_AUTH);
+  stream_putw (s, RIP_AUTH_SIMPLE_PASSWORD);
+  stream_put (s, auth_str, RIP_AUTH_SIMPLE_SIZE);
+  
+  return;
+}
+
+/* write RIPv2 MD5 "authentication header" 
+ * (uses the auth key data field)
+ *
+ * Digest offset field is set to 0.
+ *
+ * returns: offset of the digest offset field, which must be set when
+ * length to the auth-data MD5 digest is known.
+ */
+static size_t
+rip_auth_md5_ah_write (struct stream *s, struct rip_interface *ri, 
+                       struct key *key)
+{
+  size_t len = 0;
+
+  assert (s && ri && ri->auth_type == RIP_AUTH_MD5);
 
   /* MD5 authentication. */
   stream_putw (s, RIP_FAMILY_AUTH);
   stream_putw (s, RIP_AUTH_MD5);
 
-  /* RIP-2 Packet length.  Actual value is filled in
-     rip_auth_md5_set(). */
-  stream_putw (s, len);
+  /* MD5 AH digest offset field.
+   *
+   * Set to placeholder value here, to true value when RIP-2 Packet length
+   * is known.  Actual value is set in .....().
+   */
+  len = stream_get_putp(s);
+  stream_putw (s, 0);
 
   /* Key ID. */
   if (key)
@@ -1018,19 +1019,66 @@
   stream_putl (s, 0);
   stream_putl (s, 0);
 
-  /* Set pointer to authentication data. */
-  stream_set_putp (s, len);
+  return len;
+}
 
+/* If authentication is in used, write the appropriate header
+ * returns stream offset to which length must later be written
+ * or 0 if this is not required
+ */
+static size_t
+rip_auth_header_write (struct stream *s, struct rip_interface *ri, 
+                       struct key *key, char *auth_str, int len)
+{
+  assert (ri->auth_type != RIP_NO_AUTH);
+  
+  switch (ri->auth_type)
+    {
+      case RIP_AUTH_SIMPLE_PASSWORD:
+        rip_auth_prepare_str_send (ri, key, auth_str, len);
+        rip_auth_simple_write (s, auth_str, len);
+        return 0;
+      case RIP_AUTH_MD5:
+        return rip_auth_md5_ah_write (s, ri, key);
+    }
+  assert (1);
+}
+
+/* Write RIPv2 MD5 authentication data trailer */
+static void
+rip_auth_md5_set (struct stream *s, struct rip_interface *ri, size_t doff,
+                  char *auth_str, int authlen)
+{
+  unsigned long len;
+  struct md5_ctx ctx;
+  unsigned char digest[RIP_AUTH_MD5_SIZE];
+
+  /* Make it sure this interface is configured as MD5
+     authentication. */
+  assert ((ri->auth_type == RIP_AUTH_MD5) && (authlen == RIP_AUTH_MD5_SIZE));
+  assert (doff > 0);
+  
+  /* Get packet length. */
+  len = stream_get_endp(s);
+
+  /* Check packet length. */
+  if (len < (RIP_HEADER_SIZE + RIP_RTE_SIZE))
+    {
+      zlog_err ("rip_auth_md5_set(): packet length %ld is less than minimum length.", len);
+      return;
+    }
+
+  /* Set the digest offset length in the header */
+  stream_putw_at (s, doff, len);
+  
   /* Set authentication data. */
   stream_putw (s, RIP_FAMILY_AUTH);
   stream_putw (s, RIP_AUTH_DATA);
 
   /* Generate a digest for the RIP packet. */
-  memset (secret, 0, RIP_AUTH_MD5_SIZE);
-  strncpy ((char *)secret, auth_str, RIP_AUTH_MD5_SIZE);
   md5_init_ctx (&ctx);
   md5_process_bytes (s->data, s->endp, &ctx);
-  md5_process_bytes (secret, RIP_AUTH_MD5_SIZE, &ctx);
+  md5_process_bytes (auth_str, RIP_AUTH_MD5_SIZE, &ctx);
   md5_finish_ctx (&ctx, digest);
 
   /* Copy the digest to the packet. */
@@ -2015,68 +2063,14 @@
   return sock;
 }
 
+
 /* Write routing table entry to the stream and return next index of
    the routing table entry in the stream. */
 int
 rip_write_rte (int num, struct stream *s, struct prefix_ipv4 *p,
-	       u_char version, struct rip_info *rinfo, struct interface *ifp)
+               u_char version, struct rip_info *rinfo)
 {
   struct in_addr mask;
-  struct rip_interface *ri;
-
-  /* RIP packet header. */
-  if (num == 0)
-    {
-      stream_putc (s, RIP_RESPONSE);
-      stream_putc (s, version);
-      stream_putw (s, 0);
-
-      /* In case of we need RIPv2 authentication. */
-      if (version == RIPv2 && ifp)
-	{
-	  ri = ifp->info;
-	      
-	  if (ri->auth_type == RIP_AUTH_SIMPLE_PASSWORD)
-	    {
-	      if (ri->auth_str)
-		{
-		  stream_putw (s, RIP_FAMILY_AUTH);
-		  stream_putw (s, RIP_AUTH_SIMPLE_PASSWORD);
-
-		  memset ((s->data + s->putp), 0, 16);
-		  strncpy ((char *)(s->data + s->putp), ri->auth_str, 16);
-		  stream_set_putp (s, s->putp + 16);
-
-		  num++;
-		}
-	      if (ri->key_chain)
-		{
-		  struct keychain *keychain;
-		  struct key *key;
-
-		  keychain = keychain_lookup (ri->key_chain);
-
-		  if (keychain)
-		    {
-		      key = key_lookup_for_send (keychain);
-		      
-		      if (key)
-			{
-			  stream_putw (s, RIP_FAMILY_AUTH);
-			  stream_putw (s, RIP_AUTH_SIMPLE_PASSWORD);
-
-			  memset ((s->data + s->putp), 0, 16);
-			  strncpy ((char *)(s->data + s->putp), 
-				   key->string, 16);
-			  stream_set_putp (s, s->putp + 16);
-
-			  num++;
-			}
-		    }
-		}
-	    }
-	}
-    }
 
   /* Write routing table entry. */
   if (version == RIPv1)
@@ -2116,6 +2110,11 @@
   struct prefix_ipv4 *p;
   struct prefix_ipv4 classfull;
   struct prefix_ipv4 ifaddrclass;
+  struct key *key = NULL;
+  /* this might need to made dynamic if RIP ever supported auth methods
+     with larger key string sizes */
+  char auth_str[RIP_AUTH_SIMPLE_SIZE];
+  size_t doff; /* offset of digest offset field */
   int num;
   int rtemax;
   int subnetted = 0;
@@ -2153,7 +2152,7 @@
 
   /* If output interface is in simple password authentication mode
      and string or keychain is specified we need space for auth. data */
-  if (ri->auth_type == RIP_AUTH_SIMPLE_PASSWORD)
+  if (ri->auth_type != RIP_NO_AUTH)
     {
       if (ri->key_chain)
        {
@@ -2161,12 +2160,10 @@
 
          keychain = keychain_lookup (ri->key_chain);
          if (keychain)
-           if (key_lookup_for_send (keychain))
-             rtemax -=1;
+           key = key_lookup_for_send (keychain);
        }
-      else
-       if (ri->auth_str)
-         rtemax -=1;
+      /* to be passed to auth functions later */
+      rip_auth_prepare_str_send (ri, key, auth_str, RIP_AUTH_SIMPLE_SIZE);
     }
 
   if (version == RIPv1)
@@ -2344,13 +2341,27 @@
               prefix_match((struct prefix *)p, ifc->address))
 	       rinfo->metric_out = RIP_METRIC_INFINITY;
 	}
- 
+	
+	/* Prepare preamble, auth headers, if needs be */
+	if (num == 0)
+	  {
+	    stream_putc (s, RIP_RESPONSE);
+	    stream_putc (s, version);
+	    stream_putw (s, 0);
+	    
+	    /* auth header for simple or v2 && MD5 */
+            if ( (ri->auth_type == RIP_AUTH_SIMPLE_PASSWORD)
+                || (version == RIPv2 && ri->auth_type == RIP_AUTH_MD5) )
+              doff = rip_auth_header_write (s, ri, key, auth_str, 
+                                              RIP_AUTH_SIMPLE_SIZE);
+          }
+        
 	/* Write RTE to the stream. */
-	num = rip_write_rte (num, s, p, version, rinfo, to ? NULL : ifc->ifp);
+	num = rip_write_rte (num, s, p, version, rinfo);
 	if (num == rtemax)
 	  {
 	    if (version == RIPv2 && ri->auth_type == RIP_AUTH_MD5)
-	      rip_auth_md5_set (s, ifc->ifp);
+              rip_auth_md5_set (s, ri, doff, auth_str, RIP_AUTH_SIMPLE_SIZE);
 
 	    ret = rip_send_packet (STREAM_DATA (s), stream_get_endp (s),
 				   to, ifc);
@@ -2367,7 +2378,7 @@
   if (num != 0)
     {
       if (version == RIPv2 && ri->auth_type == RIP_AUTH_MD5)
-	rip_auth_md5_set (s, ifc->ifp);
+        rip_auth_md5_set (s, ri, doff, auth_str, RIP_AUTH_SIMPLE_SIZE);
 
       ret = rip_send_packet (STREAM_DATA (s), stream_get_endp (s), to, ifc);
 
diff --git a/ripd/ripd.h b/ripd/ripd.h
index 0334888..7874871 100644
--- a/ripd/ripd.h
+++ b/ripd/ripd.h
@@ -87,6 +87,9 @@
 #define RIP_AUTH_SIMPLE_PASSWORD   2
 #define RIP_AUTH_MD5               3
 
+/* RIPv2 Simple authentication */
+#define RIP_AUTH_SIMPLE_SIZE		16
+
 /* RIPv2 MD5 authentication. */
 #define RIP_AUTH_MD5_SIZE               16
 #define RIP_AUTH_MD5_COMPAT_SIZE        RIP_RTE_SIZE