Index: sys/netipsec/key.c
===================================================================
--- sys/netipsec/key.c
+++ sys/netipsec/key.c
@@ -6263,8 +6263,8 @@
     u_int16_t* max)
 {
 
-	*min = *max = ah->keysize;
-	if (ah->keysize == 0) {
+	*min = *max = ah->max_keysize;
+	if (ah->max_keysize == 0) {
 		/*
 		 * Transform takes arbitrary key size but algorithm
 		 * key size is restricted. Enforce this here.
Index: sys/netipsec/xform_ah.c
===================================================================
--- sys/netipsec/xform_ah.c
+++ sys/netipsec/xform_ah.c
@@ -193,10 +193,10 @@
 		return EINVAL;
 	}
 	keylen = _KEYLEN(sav->key_auth);
-	if (keylen != thash->keysize && thash->keysize != 0) {
+	if (keylen > thash->max_keysize && thash->max_keysize != 0) {
 		DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
-		    "keysize %d\n", __func__,
-		    keylen, thash->name, thash->keysize));
+		    "keysize less than %d\n", __func__,
+		    keylen, thash->name, thash->max_keysize));
 		return EINVAL;
 	}
 
Index: sys/opencrypto/cryptodev.h
===================================================================
--- sys/opencrypto/cryptodev.h
+++ sys/opencrypto/cryptodev.h
@@ -95,13 +95,6 @@
 #define	HMAC_IPAD_VAL			0x36
 #define	HMAC_OPAD_VAL			0x5C
 /* HMAC Key Length */
-#define	NULL_HMAC_KEY_LEN		0
-#define	MD5_HMAC_KEY_LEN		16
-#define	SHA1_HMAC_KEY_LEN		20
-#define	RIPEMD160_HMAC_KEY_LEN		20
-#define	SHA2_256_HMAC_KEY_LEN		32
-#define	SHA2_384_HMAC_KEY_LEN		48
-#define	SHA2_512_HMAC_KEY_LEN		64
 #define	AES_128_GMAC_KEY_LEN		16
 #define	AES_192_GMAC_KEY_LEN		24
 #define	AES_256_GMAC_KEY_LEN		32
Index: sys/opencrypto/cryptodev.c
===================================================================
--- sys/opencrypto/cryptodev.c
+++ sys/opencrypto/cryptodev.c
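Review bot: `*min = *max = ah->max_keysize;` makes this function report a single fixed key size — now the HMAC block length, per the xform tables in this commit — while the xform_ah.c hunk accepts any `keylen <= max_keysize`, so the two places disagree on the admissible range for keys shorter than the block size. If the min/max pair is consumed as the acceptable key-size range (the consumer is outside the hunk), `*min` should no longer be tied to `*max`, e.g. `*max = ah->max_keysize;` followed by `*min = ah->hashsize;` or whatever lower bound the transforms are meant to enforce. A comment above the assignment, `/* max_keysize == 0: transform accepts any key length; the alg-specific limit is applied below */`, would also document the sentinel the `if` tests. The function's signature starts and its body continues outside the hunk.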
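Review bot: The new condition accepts `keylen == 0` for every HMAC transform, which the old exact-match test rejected; a zero-length authentication key would set up an SA whose integrity check is keyed with nothing, so a lower bound is worth keeping, e.g. `if (keylen == 0 || (thash->max_keysize != 0 && keylen > thash->max_keysize)) {`. The diagnostic `"keysize less than %d\n"` is also off by one with respect to the check, since `keylen == max_keysize` is accepted; `"keysize at most %d\n"` states the rule. Putting the `max_keysize != 0` guard first, as the cryptodev.c hunk does, keeps the two call sites readable the same way. The enclosing function starts and ends outside the hunk.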
@@ -520,7 +520,8 @@
 	if (thash) {
 		cria.cri_alg = thash->type;
 		cria.cri_klen = sop->mackeylen * 8;
-		if (sop->mackeylen != thash->keysize) {
+		if (thash->max_keysize != 0 &&
+		    sop->mackeylen > thash->max_keysize) {
 			CRYPTDEB("invalid mac key length");
 			error = EINVAL;
 			goto bail;
Index: sys/opencrypto/xform_auth.h
===================================================================
--- sys/opencrypto/xform_auth.h
+++ sys/opencrypto/xform_auth.h
@@ -52,7 +52,7 @@
 struct auth_hash {
 	int type;
 	char *name;
-	u_int16_t keysize;
+	u_int16_t max_keysize;
 	u_int16_t hashsize;
 	u_int16_t ctxsize;
 	u_int16_t blocksize;
Index: sys/opencrypto/xform_md5.c
===================================================================
--- sys/opencrypto/xform_md5.c
+++ sys/opencrypto/xform_md5.c
@@ -58,14 +58,14 @@
 /* Authentication instances */
 struct auth_hash auth_hash_hmac_md5 = {
 	CRYPTO_MD5_HMAC, "HMAC-MD5",
-	MD5_HMAC_KEY_LEN, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN,
+	MD5_HMAC_BLOCK_LEN, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN,
 	(void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int,
 	(void (*) (u_int8_t *, void *)) MD5Final
 };
 
 struct auth_hash auth_hash_key_md5 = {
 	CRYPTO_MD5_KPDK, "Keyed MD5",
-	NULL_HMAC_KEY_LEN, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0,
+	0, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0,
 	(void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int,
 	(void (*)(u_int8_t *, void *)) MD5Final
 };
Index: sys/opencrypto/xform_null.c
===================================================================
--- sys/opencrypto/xform_null.c
+++ sys/opencrypto/xform_null.c
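Review bot: The relaxed test `sop->mackeylen > thash->max_keysize` no longer bounds `mackeylen` from below: the old exact-match test rejected every length but one, while the new one passes 0 and, if `mackeylen` is a signed type (its declaration is outside the hunk), any negative value as well, because `u_int16_t` promotes to `int` in the comparison. `mackeylen` arrives from the ioctl caller and is already multiplied into `cria.cri_klen` two lines earlier, so an explicit range check is warranted, e.g. `if (sop->mackeylen < 0 || (thash->max_keysize != 0 && sop->mackeylen > thash->max_keysize)) {`. For transforms with `max_keysize == 0` the new code also accepts any length where the old code accepted only 0; if that is intended, a comment such as `/* max_keysize == 0: transform imposes no key-length limit */` would record it. The enclosing function continues outside the hunk.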
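Review bot: The initializers for `auth_hash_hmac_md5` and `auth_hash_key_md5` are positional, and after this change the first and fourth fields of the HMAC entry are the same macro, `MD5_HMAC_BLOCK_LEN`, so a reader cannot tell from the line which one is `max_keysize` and which is `blocksize`; designated initializers, `.max_keysize = MD5_HMAC_BLOCK_LEN, .hashsize = MD5_HASH_LEN, .ctxsize = sizeof(MD5_CTX), .blocksize = MD5_HMAC_BLOCK_LEN,`, would make the intent self-checking against `struct auth_hash`. The same applies to the xform_null.c, xform_rmd160.c, xform_sha1.c and xform_sha2.c hunks. The bare `0` in the Keyed MD5 entry is the "no limit" sentinel that the xform_ah.c and cryptodev.c hunks test for; a trailing `/* max_keysize: 0 = any length */` on that line would save the next reader a lookup.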
@@ -78,7 +78,7 @@
 /* Authentication instances */
 struct auth_hash auth_hash_null = {	/* NB: context isn't used */
 	CRYPTO_NULL_HMAC, "NULL-HMAC",
-	NULL_HMAC_KEY_LEN, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN,
+	0, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN,
 	null_init, null_reinit, null_reinit, null_update,
 	null_final
 };
Index: sys/opencrypto/xform_rmd160.c
===================================================================
--- sys/opencrypto/xform_rmd160.c
+++ sys/opencrypto/xform_rmd160.c
@@ -58,7 +58,7 @@
 /* Authentication instances */
 struct auth_hash auth_hash_hmac_ripemd_160 = {
 	CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
-	RIPEMD160_HMAC_KEY_LEN, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX),
+	RIPEMD160_HMAC_BLOCK_LEN, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX),
 	RIPEMD160_HMAC_BLOCK_LEN,
 	(void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int,
 	(void (*)(u_int8_t *, void *)) RMD160Final
Index: sys/opencrypto/xform_sha1.c
===================================================================
--- sys/opencrypto/xform_sha1.c
+++ sys/opencrypto/xform_sha1.c
@@ -60,13 +60,13 @@
 /* Authentication instances */
 struct auth_hash auth_hash_hmac_sha1 = {
 	CRYPTO_SHA1_HMAC, "HMAC-SHA1",
-	SHA1_HMAC_KEY_LEN, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN,
+	SHA1_HMAC_BLOCK_LEN, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN,
 	SHA1Init_int, NULL, NULL, SHA1Update_int,
 	SHA1Final_int
 };
 struct auth_hash auth_hash_key_sha1 = {
 	CRYPTO_SHA1_KPDK, "Keyed SHA1",
-	NULL_HMAC_KEY_LEN, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0,
+	0, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0,
 	SHA1Init_int, NULL, NULL, SHA1Update_int,
 	SHA1Final_int
 };
Index: sys/opencrypto/xform_sha2.c
===================================================================
--- sys/opencrypto/xform_sha2.c
+++ sys/opencrypto/xform_sha2.c
@@ -62,7 +62,7 @@
 /* Authentication instances */
 struct auth_hash auth_hash_hmac_sha2_256 = {
 	CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
-	SHA2_256_HMAC_KEY_LEN, SHA2_256_HASH_LEN, sizeof(SHA256_CTX),
+	SHA2_256_HMAC_BLOCK_LEN, SHA2_256_HASH_LEN, sizeof(SHA256_CTX),
 	SHA2_256_HMAC_BLOCK_LEN,
 	(void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int,
 	(void (*)(u_int8_t *, void *)) SHA256_Final
@@ -70,7 +70,7 @@
 
 struct auth_hash auth_hash_hmac_sha2_384 = {
 	CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
-	SHA2_384_HMAC_KEY_LEN, SHA2_384_HASH_LEN, sizeof(SHA384_CTX),
+	SHA2_384_HMAC_BLOCK_LEN, SHA2_384_HASH_LEN, sizeof(SHA384_CTX),
 	SHA2_384_HMAC_BLOCK_LEN,
 	(void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int,
 	(void (*)(u_int8_t *, void *)) SHA384_Final
@@ -78,7 +78,7 @@
 
 struct auth_hash auth_hash_hmac_sha2_512 = {
 	CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
-	SHA2_512_HMAC_KEY_LEN, SHA2_512_HASH_LEN, sizeof(SHA512_CTX),
+	SHA2_512_HMAC_BLOCK_LEN, SHA2_512_HASH_LEN, sizeof(SHA512_CTX),
 	SHA2_512_HMAC_BLOCK_LEN,
 	(void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int,
 	(void (*)(u_int8_t *, void *)) SHA512_Final