Index: sys/netipsec/xform_ah.c
===================================================================
--- sys/netipsec/xform_ah.c
+++ sys/netipsec/xform_ah.c
@@ -193,9 +193,9 @@
 		return EINVAL;
 	}
 	keylen = _KEYLEN(sav->key_auth);
-	if (keylen != thash->keysize && thash->keysize != 0) {
+	if (keylen > thash->keysize && thash->keysize != 0) {
 		DPRINTF(("%s: invalid keylength %d, algorithm %s requires "
-			"keysize %d\n", __func__,
+			"keysize less than %d\n", __func__,
 			 keylen, thash->name, thash->keysize));
 		return EINVAL;
 	}
Index: sys/opencrypto/cryptodev.h
===================================================================
--- sys/opencrypto/cryptodev.h
+++ sys/opencrypto/cryptodev.h
@@ -95,13 +95,6 @@
 #define	HMAC_IPAD_VAL			0x36
 #define	HMAC_OPAD_VAL			0x5C
 /* HMAC Key Length */
-#define	NULL_HMAC_KEY_LEN		0
-#define	MD5_HMAC_KEY_LEN		16
-#define	SHA1_HMAC_KEY_LEN		20
-#define	RIPEMD160_HMAC_KEY_LEN		20
-#define	SHA2_256_HMAC_KEY_LEN		32
-#define	SHA2_384_HMAC_KEY_LEN		48
-#define	SHA2_512_HMAC_KEY_LEN		64
 #define	AES_128_GMAC_KEY_LEN		16
 #define	AES_192_GMAC_KEY_LEN		24
 #define	AES_256_GMAC_KEY_LEN		32
Index: sys/opencrypto/cryptodev.c
===================================================================
--- sys/opencrypto/cryptodev.c
+++ sys/opencrypto/cryptodev.c
@@ -520,7 +520,8 @@
 		if (thash) {
 			cria.cri_alg = thash->type;
 			cria.cri_klen = sop->mackeylen * 8;
-			if (sop->mackeylen != thash->keysize) {
+			if (thash->keysize != 0 &&
+			    sop->mackeylen > thash->keysize) {
 				CRYPTDEB("invalid mac key length");
 				error = EINVAL;
 				goto bail;
Index: sys/opencrypto/xform_md5.c
===================================================================
--- sys/opencrypto/xform_md5.c
+++ sys/opencrypto/xform_md5.c
@@ -58,14 +58,14 @@
 /* Authentication instances */
 struct auth_hash auth_hash_hmac_md5 = {
 	CRYPTO_MD5_HMAC, "HMAC-MD5",
-	MD5_HMAC_KEY_LEN, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN,
+	MD5_HMAC_BLOCK_LEN, MD5_HASH_LEN, sizeof(MD5_CTX), MD5_HMAC_BLOCK_LEN,
 	(void (*) (void *)) MD5Init, NULL, NULL, MD5Update_int,
 	(void (*) (u_int8_t *, void *)) MD5Final
 };
 
 struct auth_hash auth_hash_key_md5 = {
 	CRYPTO_MD5_KPDK, "Keyed MD5",
-	NULL_HMAC_KEY_LEN, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0,
+	0, MD5_KPDK_HASH_LEN, sizeof(MD5_CTX), 0,
 	(void (*)(void *)) MD5Init, NULL, NULL, MD5Update_int,
 	(void (*)(u_int8_t *, void *)) MD5Final
 };
Index: sys/opencrypto/xform_null.c
===================================================================
--- sys/opencrypto/xform_null.c
+++ sys/opencrypto/xform_null.c
@@ -78,7 +78,7 @@
 /* Authentication instances */
 struct auth_hash auth_hash_null = {	/* NB: context isn't used */
 	CRYPTO_NULL_HMAC, "NULL-HMAC",
-	NULL_HMAC_KEY_LEN, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN,
+	0, NULL_HASH_LEN, sizeof(int), NULL_HMAC_BLOCK_LEN,
 	null_init, null_reinit, null_reinit, null_update, null_final
 };
 
Index: sys/opencrypto/xform_rmd160.c
===================================================================
--- sys/opencrypto/xform_rmd160.c
+++ sys/opencrypto/xform_rmd160.c
@@ -58,7 +58,7 @@
 /* Authentication instances */
 struct auth_hash auth_hash_hmac_ripemd_160 = {
 	CRYPTO_RIPEMD160_HMAC, "HMAC-RIPEMD-160",
-	RIPEMD160_HMAC_KEY_LEN, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX),
+	RIPEMD160_HMAC_BLOCK_LEN, RIPEMD160_HASH_LEN, sizeof(RMD160_CTX),
 	RIPEMD160_HMAC_BLOCK_LEN,
 	(void (*)(void *)) RMD160Init, NULL, NULL, RMD160Update_int,
 	(void (*)(u_int8_t *, void *)) RMD160Final
Index: sys/opencrypto/xform_sha1.c
===================================================================
--- sys/opencrypto/xform_sha1.c
+++ sys/opencrypto/xform_sha1.c
@@ -60,13 +60,13 @@
 /* Authentication instances */
 struct auth_hash auth_hash_hmac_sha1 = {
 	CRYPTO_SHA1_HMAC, "HMAC-SHA1",
-	SHA1_HMAC_KEY_LEN, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN,
+	SHA1_HMAC_BLOCK_LEN, SHA1_HASH_LEN, sizeof(SHA1_CTX), SHA1_HMAC_BLOCK_LEN,
 	SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int
 };
 
 struct auth_hash auth_hash_key_sha1 = {
 	CRYPTO_SHA1_KPDK, "Keyed SHA1",
-	NULL_HMAC_KEY_LEN, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0,
+	0, SHA1_KPDK_HASH_LEN, sizeof(SHA1_CTX), 0,
 	SHA1Init_int, NULL, NULL, SHA1Update_int, SHA1Final_int
 };
 
Index: sys/opencrypto/xform_sha2.c
===================================================================
--- sys/opencrypto/xform_sha2.c
+++ sys/opencrypto/xform_sha2.c
@@ -62,7 +62,7 @@
 /* Authentication instances */
 struct auth_hash auth_hash_hmac_sha2_256 = {
 	CRYPTO_SHA2_256_HMAC, "HMAC-SHA2-256",
-	SHA2_256_HMAC_KEY_LEN, SHA2_256_HASH_LEN, sizeof(SHA256_CTX),
+	SHA2_256_HMAC_BLOCK_LEN, SHA2_256_HASH_LEN, sizeof(SHA256_CTX),
 	SHA2_256_HMAC_BLOCK_LEN,
 	(void (*)(void *)) SHA256_Init, NULL, NULL, SHA256Update_int,
 	(void (*)(u_int8_t *, void *)) SHA256_Final
@@ -70,7 +70,7 @@
 
 struct auth_hash auth_hash_hmac_sha2_384 = {
 	CRYPTO_SHA2_384_HMAC, "HMAC-SHA2-384",
-	SHA2_384_HMAC_KEY_LEN, SHA2_384_HASH_LEN, sizeof(SHA384_CTX),
+	SHA2_384_HMAC_BLOCK_LEN, SHA2_384_HASH_LEN, sizeof(SHA384_CTX),
 	SHA2_384_HMAC_BLOCK_LEN,
 	(void (*)(void *)) SHA384_Init, NULL, NULL, SHA384Update_int,
 	(void (*)(u_int8_t *, void *)) SHA384_Final
@@ -78,7 +78,7 @@
 
 struct auth_hash auth_hash_hmac_sha2_512 = {
 	CRYPTO_SHA2_512_HMAC, "HMAC-SHA2-512",
-	SHA2_512_HMAC_KEY_LEN, SHA2_512_HASH_LEN, sizeof(SHA512_CTX),
+	SHA2_512_HMAC_BLOCK_LEN, SHA2_512_HASH_LEN, sizeof(SHA512_CTX),
 	SHA2_512_HMAC_BLOCK_LEN,
 	(void (*)(void *)) SHA512_Init, NULL, NULL, SHA512Update_int,
 	(void (*)(u_int8_t *, void *)) SHA512_Final