The HMAC spec says that the key should be hashed if it is longer than the block size but zero-padded to the right if it is shorter. Why? Why not hash a short key? That would simplify the code without (AFAICT) compromising security in any way. rg