Index: sys/dev/cesa/cesa.h
===================================================================
--- sys/dev/cesa/cesa.h
+++ sys/dev/cesa/cesa.h
@@ -68,7 +68,7 @@
 #define CESA_TDMA_DESCRIPTORS (CESA_TDMA_DESC_PER_REQ * CESA_REQUESTS)
 /* Useful constants */
-#define CESA_HMAC_HASH_LENGTH 12
+#define CESA_HMAC_TRUNC_LEN 12
 #define CESA_MAX_FRAGMENTS 64
 #define CESA_SRAM_SIZE 2048
@@ -293,8 +293,10 @@
 #define CESA_CSHD_MD5 (4 << 4)
 #define CESA_CSHD_SHA1 (5 << 4)
-#define CESA_CSHD_MD5_HMAC ((6 << 4) | (1 << 7))
-#define CESA_CSHD_SHA1_HMAC ((7 << 4) | (1 << 7))
+#define CESA_CSHD_MD5_HMAC (6 << 4)
+#define CESA_CSHD_SHA1_HMAC (7 << 4)
+
+#define CESA_CSHD_96_BIT_HMAC (1 << 7)
 #define CESA_CSHD_DES (1 << 8)
 #define CESA_CSHD_3DES (2 << 8)
Index: sys/dev/cesa/cesa.c
===================================================================
--- sys/dev/cesa/cesa.c
+++ sys/dev/cesa/cesa.c
@@ -1451,24 +1451,32 @@
 if (!error && mac) {
 switch (mac->cri_alg) {
 case CRYPTO_MD5:
- cs->cs_config |= CESA_CSHD_MD5;
 cs->cs_mblen = 1;
- cs->cs_hlen = MD5_HASH_LEN;
+ cs->cs_hlen = (mac->cri_mlen == 0) ? MD5_HASH_LEN :
+ mac->cri_mlen;
+ cs->cs_config |= CESA_CSHD_MD5;
 break;
 case CRYPTO_MD5_HMAC:
- cs->cs_config |= CESA_CSHD_MD5_HMAC;
 cs->cs_mblen = MD5_HMAC_BLOCK_LEN;
- cs->cs_hlen = CESA_HMAC_HASH_LENGTH;
+ cs->cs_hlen = (mac->cri_mlen == 0) ? MD5_HASH_LEN :
+ mac->cri_mlen;
+ cs->cs_config |= CESA_CSHD_MD5_HMAC;
+ if (cs->cs_hlen == CESA_HMAC_TRUNC_LEN)
+ cs->cs_config |= CESA_CSHD_96_BIT_HMAC;
 break;
 case CRYPTO_SHA1:
- cs->cs_config |= CESA_CSHD_SHA1;
 cs->cs_mblen = 1;
- cs->cs_hlen = SHA1_HASH_LEN;
+ cs->cs_hlen = (mac->cri_mlen == 0) ? SHA1_HASH_LEN :
+ mac->cri_mlen;
+ cs->cs_config |= CESA_CSHD_SHA1;
 break;
 case CRYPTO_SHA1_HMAC:
- cs->cs_config |= CESA_CSHD_SHA1_HMAC;
 cs->cs_mblen = SHA1_HMAC_BLOCK_LEN;
- cs->cs_hlen = CESA_HMAC_HASH_LENGTH;
+ cs->cs_hlen = (mac->cri_mlen == 0) ? SHA1_HASH_LEN :
+ mac->cri_mlen;
+ cs->cs_config |= CESA_CSHD_SHA1_HMAC;
+ if (cs->cs_hlen == CESA_HMAC_TRUNC_LEN)
+ cs->cs_config |= CESA_CSHD_96_BIT_HMAC;
 break;
 default:
 error = EINVAL;
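Review bot: `mac->cri_mlen` is assigned to `cs->cs_hlen` in all four cases with no upper bound, so a session that asks for more bytes than the digest holds (MD5_HASH_LEN or SHA1_HASH_LEN) is accepted here. If `cs_hlen` later sizes the copy of the computed digest back to the caller (that code is outside this hunk, so this is an inference), an oversized value would read past the digest buffer. Each case should reject it before the assignment, e.g. `if (mac->cri_mlen > SHA1_HASH_LEN) { error = EINVAL; break; }`, with the matching constant in the MD5 cases. For the two HMAC cases it is also worth settling on a minimum accepted length, because only 12 sets `CESA_CSHD_96_BIT_HMAC` and any shorter value is currently taken as-is, which yields a weaker authentication tag. The enclosing function and the end of the `switch` lie outside the hunk.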