Remove support for DES and Triple DES from OCF.

It no longer has any in-kernel consumers via OCF.  smbfs still uses
single DES directly, so sys/crypto/des remains for that use case.

Reviewed by:	cem
Relnotes:	yes
Sponsored by:	Chelsio Communications
Differential Revision:	https://reviews.freebsd.org/D24773

23 files changed, 11 insertions, 1173 deletions

diff --git a/sys/conf/files b/sys/conf/files
index 03f365bcd7da..56acd0ddc4af 100644
--- a/sys/conf/files
+++ b/sys/conf/files
@@ -684,8 +684,8 @@ crypto/camellia/camellia.c	optional crypto | ipsec | ipsec_support
 crypto/camellia/camellia-api.c	optional crypto | ipsec | ipsec_support
 crypto/chacha20/chacha.c	standard
 crypto/chacha20/chacha-sw.c	optional crypto | ipsec | ipsec_support
-crypto/des/des_ecb.c		optional crypto | ipsec | ipsec_support | netsmb
-crypto/des/des_setkey.c		optional crypto | ipsec | ipsec_support | netsmb
+crypto/des/des_ecb.c		optional netsmb
+crypto/des/des_setkey.c		optional netsmb
 crypto/rc4/rc4.c		optional netgraph_mppc_encryption | kgssapi
 crypto/rijndael/rijndael-alg-fst.c optional crypto | ekcd | geom_bde | \
 	ipsec | ipsec_support | !random_loadable | wlan_ccmp
diff --git a/sys/conf/files.amd64 b/sys/conf/files.amd64
index 72ca22070a87..e6d91e96b423 100644
--- a/sys/conf/files.amd64
+++ b/sys/conf/files.amd64
@@ -136,8 +136,7 @@ amd64/pci/pci_cfgreg.c		optional	pci
 cddl/dev/dtrace/amd64/dtrace_asm.S			optional dtrace compile-with "${DTRACE_S}"
 cddl/dev/dtrace/amd64/dtrace_subr.c			optional dtrace compile-with "${DTRACE_C}"
 crypto/aesni/aeskeys_amd64.S	optional aesni
-crypto/des/des_enc.c		optional	crypto | ipsec | \
-	ipsec_support | netsmb
+crypto/des/des_enc.c		optional	netsmb
 dev/acpi_support/acpi_wmi_if.m	standard
 dev/agp/agp_amd64.c		optional	agp
 dev/agp/agp_i810.c		optional	agp
diff --git a/sys/conf/files.arm b/sys/conf/files.arm
index 5d7900121a2f..11a357364fda 100644
--- a/sys/conf/files.arm
+++ b/sys/conf/files.arm
@@ -91,7 +91,7 @@ cddl/compat/opensolaris/kern/opensolaris_atomic.c	optional !armv7 !armv6 zfs | !
 cddl/dev/dtrace/arm/dtrace_asm.S			optional dtrace compile-with "${DTRACE_S}"
 cddl/dev/dtrace/arm/dtrace_subr.c			optional dtrace compile-with "${DTRACE_C}"
 cddl/dev/fbt/arm/fbt_isa.c				optional dtrace_fbt | dtraceall compile-with "${FBT_C}"
-crypto/des/des_enc.c		optional	crypto | ipsec | ipsec_support | netsmb
+crypto/des/des_enc.c		optional	netsmb
 dev/cpufreq/cpufreq_dt.c	optional	cpufreq fdt
 dev/dwc/if_dwc.c		optional	dwc
 dev/dwc/if_dwc_if.m		optional	dwc
diff --git a/sys/conf/files.arm64 b/sys/conf/files.arm64
index 2bfa9ea8015a..3477292bda44 100644
--- a/sys/conf/files.arm64
+++ b/sys/conf/files.arm64
@@ -221,7 +221,7 @@ armv8_crypto_wrap.o		optional	armv8crypto		\
 	compile-with	"${CC} -c ${CFLAGS:C/^-O2$/-O3/:N-nostdinc:N-mgeneral-regs-only} -I$S/crypto/armv8/ ${WERROR} ${NO_WCAST_QUAL} ${PROF} -march=armv8-a+crypto ${.IMPSRC}" \
 	no-implicit-rule						\
 	clean		"armv8_crypto_wrap.o"
-crypto/des/des_enc.c		optional	crypto | ipsec | ipsec_support | netsmb
+crypto/des/des_enc.c		optional	netsmb
 dev/acpica/acpi_bus_if.m	optional	acpi
 dev/acpica/acpi_if.m		optional	acpi
 dev/acpica/acpi_pci_link.c	optional	acpi pci
diff --git a/sys/conf/files.i386 b/sys/conf/files.i386
index 97946cdbb904..30dedced8813 100644
--- a/sys/conf/files.i386
+++ b/sys/conf/files.i386
@@ -76,7 +76,7 @@ compat/linux/linux_vdso.c	optional compat_linux
 compat/linux/linux.c		optional compat_linux
 compat/ndis/winx32_wrap.S	optional ndisapi pci
 crypto/aesni/aeskeys_i386.S	optional aesni
-crypto/des/arch/i386/des_enc.S	optional crypto | ipsec | ipsec_support | netsmb
+crypto/des/arch/i386/des_enc.S	optional netsmb
 dev/agp/agp_ali.c		optional agp
 dev/agp/agp_amd.c		optional agp
 dev/agp/agp_amd64.c		optional agp
diff --git a/sys/conf/files.mips b/sys/conf/files.mips
index 150878a88032..496352c63090 100644
--- a/sys/conf/files.mips
+++ b/sys/conf/files.mips
@@ -82,8 +82,7 @@ mips/mips/sc_machdep.c			optional	sc
 dev/uart/uart_cpu_fdt.c			optional	uart fdt
 
 # crypto support -- use generic
-crypto/des/des_enc.c			optional	crypto | ipsec | \
-	ipsec_support | netsmb
+crypto/des/des_enc.c			optional	netsmb
 
 # AP common nvram interface MIPS specific, but maybe should be more generic
 dev/nvram2env/nvram2env_mips.c		optional	nvram2env
diff --git a/sys/conf/files.powerpc b/sys/conf/files.powerpc
index 1d611fc13af4..4359279c9c73 100644
--- a/sys/conf/files.powerpc
+++ b/sys/conf/files.powerpc
@@ -14,7 +14,7 @@ cddl/compat/opensolaris/kern/opensolaris_atomic.c			optional zfs powerpc | dtrac
 cddl/dev/dtrace/powerpc/dtrace_asm.S		optional dtrace compile-with "${DTRACE_S}"
 cddl/dev/dtrace/powerpc/dtrace_subr.c		optional dtrace compile-with "${DTRACE_C}"
 cddl/dev/fbt/powerpc/fbt_isa.c			optional dtrace_fbt | dtraceall compile-with "${FBT_C}"
-crypto/des/des_enc.c		optional	crypto | ipsec | ipsec_support | netsmb
+crypto/des/des_enc.c		optional	netsmb
 dev/aacraid/aacraid_endian.c	optional	aacraid
 dev/adb/adb_bus.c		optional	adb
 dev/adb/adb_kbd.c		optional	adb
diff --git a/sys/conf/files.riscv b/sys/conf/files.riscv
index 7659db79c741..b59141e27750 100644
--- a/sys/conf/files.riscv
+++ b/sys/conf/files.riscv
@@ -2,7 +2,7 @@
 cddl/dev/dtrace/riscv/dtrace_asm.S			optional dtrace compile-with "${DTRACE_S}"
 cddl/dev/dtrace/riscv/dtrace_subr.c			optional dtrace compile-with "${DTRACE_C}"
 cddl/dev/fbt/riscv/fbt_isa.c				optional dtrace_fbt | dtraceall compile-with "${FBT_C}"
-crypto/des/des_enc.c		optional	crypto | ipsec | ipsec_support | netsmb
+crypto/des/des_enc.c		optional	netsmb
 dev/ofw/ofw_cpu.c		optional	fdt
 dev/ofw/ofwpci.c		optional 	pci fdt
 dev/pci/pci_host_generic.c	optional	pci
diff --git a/sys/dev/cesa/cesa.c b/sys/dev/cesa/cesa.c
index eb7ef532ab76..782a37cdc8e2 100644
--- a/sys/dev/cesa/cesa.c
+++ b/sys/dev/cesa/cesa.c
@@ -1577,14 +1577,6 @@ cesa_cipher_supported(const struct crypto_session_params *csp)
 		if (csp->csp_ivlen != AES_BLOCK_LEN)
 			return (false);
 		break;
-	case CRYPTO_DES_CBC:
-		if (csp->csp_ivlen != DES_BLOCK_LEN)
-			return (false);
-		break;
-	case CRYPTO_3DES_CBC:
-		if (csp->csp_ivlen != DES3_BLOCK_LEN)
-			return (false);
-		break;
 	default:
 		return (false);
 	}
@@ -1673,15 +1665,6 @@ cesa_newsession(device_t dev, crypto_session_t cses,
 		cs->cs_config |= CESA_CSHD_AES | CESA_CSHD_CBC;
 		cs->cs_ivlen = AES_BLOCK_LEN;
 		break;
-	case CRYPTO_DES_CBC:
-		cs->cs_config |= CESA_CSHD_DES | CESA_CSHD_CBC;
-		cs->cs_ivlen = DES_BLOCK_LEN;
-		break;
-	case CRYPTO_3DES_CBC:
-		cs->cs_config |= CESA_CSHD_3DES | CESA_CSHD_3DES_EDE |
-		    CESA_CSHD_CBC;
-		cs->cs_ivlen = DES3_BLOCK_LEN;
-		break;
 	}
 
 	switch (csp->csp_auth_alg) {
diff --git a/sys/dev/hifn/hifn7751.c b/sys/dev/hifn/hifn7751.c
index b090316d86a3..bd234db134f3 100644
--- a/sys/dev/hifn/hifn7751.c
+++ b/sys/dev/hifn/hifn7751.c
@@ -1604,14 +1604,6 @@ hifn_write_command(struct hifn_command *cmd, u_int8_t *buf)
 
 	if (using_crypt && cmd->cry_masks & HIFN_CRYPT_CMD_NEW_KEY) {
 		switch (cmd->cry_masks & HIFN_CRYPT_CMD_ALG_MASK) {
-		case HIFN_CRYPT_CMD_ALG_3DES:
-			bcopy(cmd->ck, buf_pos, HIFN_3DES_KEY_LENGTH);
-			buf_pos += HIFN_3DES_KEY_LENGTH;
-			break;
-		case HIFN_CRYPT_CMD_ALG_DES:
-			bcopy(cmd->ck, buf_pos, HIFN_DES_KEY_LENGTH);
-			buf_pos += HIFN_DES_KEY_LENGTH;
-			break;
 		case HIFN_CRYPT_CMD_ALG_AES:
 			/*
 			 * AES keys are variable 128, 192 and
@@ -2328,8 +2320,6 @@ hifn_cipher_supported(struct hifn_softc *sc,
 	switch (sc->sc_ena) {
 	case HIFN_PUSTAT_ENA_2:
 		switch (csp->csp_cipher_alg) {
-		case CRYPTO_3DES_CBC:
-			break;
 		case CRYPTO_AES_CBC:
 			if ((sc->sc_flags & HIFN_HAS_AES) == 0)
 				return (false);
@@ -2343,13 +2333,6 @@ hifn_cipher_supported(struct hifn_softc *sc,
 			}
 			return (true);
 		}
-		/*FALLTHROUGH*/
-	case HIFN_PUSTAT_ENA_1:
-		switch (csp->csp_cipher_alg) {
-		case CRYPTO_DES_CBC:
-			return (true);
-		}
-		break;
 	}
 	return (false);
 }
@@ -2448,16 +2431,6 @@ hifn_process(device_t dev, struct cryptop *crp, int hint)
 			cmd->base_masks |= HIFN_BASE_CMD_DECODE;
 		cmd->base_masks |= HIFN_BASE_CMD_CRYPT;
 		switch (csp->csp_cipher_alg) {
-		case CRYPTO_DES_CBC:
-			cmd->cry_masks |= HIFN_CRYPT_CMD_ALG_DES |
-			    HIFN_CRYPT_CMD_MODE_CBC |
-			    HIFN_CRYPT_CMD_NEW_IV;
-			break;
-		case CRYPTO_3DES_CBC:
-			cmd->cry_masks |= HIFN_CRYPT_CMD_ALG_3DES |
-			    HIFN_CRYPT_CMD_MODE_CBC |
-			    HIFN_CRYPT_CMD_NEW_IV;
-			break;
 		case CRYPTO_AES_CBC:
 			cmd->cry_masks |= HIFN_CRYPT_CMD_ALG_AES |
 			    HIFN_CRYPT_CMD_MODE_CBC |
diff --git a/sys/dev/safe/safe.c b/sys/dev/safe/safe.c
index 80e938155b09..48dfbf68130c 100644
--- a/sys/dev/safe/safe.c
+++ b/sys/dev/safe/safe.c
@@ -694,20 +694,6 @@ safe_cipher_supported(struct safe_softc *sc,
 {
 
 	switch (csp->csp_cipher_alg) {
-	case CRYPTO_DES_CBC:
-	case CRYPTO_3DES_CBC:
-		if ((sc->sc_devinfo & SAFE_DEVINFO_DES) == 0)
-			return (false);
-		if (csp->csp_ivlen != 8)
-			return (false);
-		if (csp->csp_cipher_alg == CRYPTO_DES_CBC) {
-			if (csp->csp_cipher_klen != 8)
-				return (false);
-		} else {
-			if (csp->csp_cipher_klen != 24)
-				return (false);
-		}
-		break;
 	case CRYPTO_AES_CBC:
 		if ((sc->sc_devinfo & SAFE_DEVINFO_AES) == 0)
 			return (false);
@@ -866,14 +852,6 @@ safe_process(device_t dev, struct cryptop *crp, int hint)
 			safe_setup_enckey(ses, crp->crp_cipher_key);
 
 		switch (csp->csp_cipher_alg) {
-		case CRYPTO_DES_CBC:
-			cmd0 |= SAFE_SA_CMD0_DES;
-			cmd1 |= SAFE_SA_CMD1_CBC;
-			break;
-		case CRYPTO_3DES_CBC:
-			cmd0 |= SAFE_SA_CMD0_3DES;
-			cmd1 |= SAFE_SA_CMD1_CBC;
-			break;
 		case CRYPTO_AES_CBC:
 			cmd0 |= SAFE_SA_CMD0_AES;
 			cmd1 |= SAFE_SA_CMD1_CBC;
diff --git a/sys/dev/sec/sec.c b/sys/dev/sec/sec.c
index 1ea5039f18ae..9aec4163724f 100644
--- a/sys/dev/sec/sec.c
+++ b/sys/dev/sec/sec.c
@@ -106,12 +106,6 @@ static int	sec_aesu_make_desc(struct sec_softc *sc,
     const struct crypto_session_params *csp, struct sec_desc *desc,
     struct cryptop *crp);
 
-/* DEU */
-static bool	sec_deu_newsession(const struct crypto_session_params *csp);
-static int	sec_deu_make_desc(struct sec_softc *sc,
-    const struct crypto_session_params *csp, struct sec_desc *desc,
-    struct cryptop *crp);
-
 /* MDEU */
 static bool	sec_mdeu_can_handle(u_int alg);
 static int	sec_mdeu_config(const struct crypto_session_params *csp,
@@ -154,10 +148,6 @@ static struct sec_eu_methods sec_eus[] = {
 		sec_aesu_make_desc,
 	},
 	{
-		sec_deu_newsession,
-		sec_deu_make_desc,
-	},
-	{
 		sec_mdeu_newsession,
 		sec_mdeu_make_desc,
 	},
@@ -1147,12 +1137,6 @@ sec_cipher_supported(const struct crypto_session_params *csp)
 		if (csp->csp_ivlen != AES_BLOCK_LEN)
 			return (false);
 		break;
-	case CRYPTO_DES_CBC:
-	case CRYPTO_3DES_CBC:
-		/* DEU */
-		if (csp->csp_ivlen != DES_BLOCK_LEN)
-			return (false);
-		break;
 	default:
 		return (false);
 	}
@@ -1474,55 +1458,6 @@ sec_aesu_make_desc(struct sec_softc *sc,
 	return (error);
 }
 
-/* DEU */
-
-static bool
-sec_deu_newsession(const struct crypto_session_params *csp)
-{
-
-	switch (csp->csp_cipher_alg) {
-	case CRYPTO_DES_CBC:
-	case CRYPTO_3DES_CBC:
-		return (true);
-	default:
-		return (false);
-	}
-}
-
-static int
-sec_deu_make_desc(struct sec_softc *sc, const struct crypto_session_params *csp,
-    struct sec_desc *desc, struct cryptop *crp)
-{
-	struct sec_hw_desc *hd = desc->sd_desc;
-	int error;
-
-	hd->shd_eu_sel0 = SEC_EU_DEU;
-	hd->shd_mode0 = SEC_DEU_MODE_CBC;
-
-	switch (csp->csp_cipher_alg) {
-	case CRYPTO_3DES_CBC:
-		hd->shd_mode0 |= SEC_DEU_MODE_TS;
-		break;
-	case CRYPTO_DES_CBC:
-		break;
-	default:
-		return (EINVAL);
-	}
-
-	if (CRYPTO_OP_IS_ENCRYPT(crp->crp_op)) {
-		hd->shd_mode0 |= SEC_DEU_MODE_ED;
-		hd->shd_dir = 0;
-	} else
-		hd->shd_dir = 1;
-
-	if (csp->csp_mode == CSP_MODE_ETA)
-		error = sec_build_common_s_desc(sc, desc, csp, crp);
-	else
-		error = sec_build_common_ns_desc(sc, desc, csp, crp);
-
-	return (error);
-}
-
 /* MDEU */
 
 static bool
diff --git a/sys/mips/cavium/cryptocteon/cavium_crypto.c b/sys/mips/cavium/cryptocteon/cavium_crypto.c
index e68a2757b466..ac15c2974274 100644
--- a/sys/mips/cavium/cryptocteon/cavium_crypto.c
+++ b/sys/mips/cavium/cryptocteon/cavium_crypto.c
@@ -90,12 +90,10 @@ __FBSDID("$FreeBSD$");
 	} while (0)
 
 #define ESP_HEADER_LENGTH     8
-#define DES_CBC_IV_LENGTH     8
 #define AES_CBC_IV_LENGTH     16
 #define ESP_HMAC_LEN          12
 
 #define ESP_HEADER_LENGTH 8
-#define DES_CBC_IV_LENGTH 8
 
 /****************************************************************************/
 
@@ -320,125 +318,6 @@ octo_calc_hash(uint8_t auth, unsigned char *key, uint64_t *inner, uint64_t *oute
 }
 
 /****************************************************************************/
-/* DES functions */
-
-int
-octo_des_cbc_encrypt(
-    struct octo_sess *od,
-    struct iovec *iov, size_t iovcnt, size_t iovlen,
-    int auth_off, int auth_len,
-    int crypt_off, int crypt_len,
-    uint8_t *icv, uint8_t *ivp)
-{
-    uint64_t *data;
-    int data_i, data_l;
-
-    dprintf("%s()\n", __func__);
-
-    if (__predict_false(od == NULL || iov==NULL || iovlen==0 || ivp==NULL ||
-	    (crypt_off & 0x7) || (crypt_off + crypt_len > iovlen))) {
-	dprintf("%s: Bad parameters od=%p iov=%p iovlen=%jd "
-		"auth_off=%d auth_len=%d crypt_off=%d crypt_len=%d "
-		"icv=%p ivp=%p\n", __func__, od, iov, iovlen,
-		auth_off, auth_len, crypt_off, crypt_len, icv, ivp);
-	return -EINVAL;
-    }
-
-    IOV_INIT(iov, data, data_i, data_l);
-
-    CVMX_PREFETCH0(ivp);
-    CVMX_PREFETCH0(od->octo_enckey);
-
-
-    /* load 3DES Key */
-    CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 0);
-    if (od->octo_encklen == 24) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[1], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[2], 2);
-    } else if (od->octo_encklen == 8) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 2);
-    } else {
-	dprintf("%s: Bad key length %d\n", __func__, od->octo_encklen);
-	return -EINVAL;
-    }
-
-    CVMX_MT_3DES_IV(* (uint64_t *) ivp);
-
-    while (crypt_off > 0) {
-	IOV_CONSUME(iov, data, data_i, data_l);
-	crypt_off -= 8;
-    }
-
-    while (crypt_len > 0) {
-	CVMX_MT_3DES_ENC_CBC(*data);
-	CVMX_MF_3DES_RESULT(*data);
-	IOV_CONSUME(iov, data, data_i, data_l);
-	crypt_len -= 8;
-    }
-
-    return 0;
-}
-
-
-int
-octo_des_cbc_decrypt(
-    struct octo_sess *od,
-    struct iovec *iov, size_t iovcnt, size_t iovlen,
-    int auth_off, int auth_len,
-    int crypt_off, int crypt_len,
-    uint8_t *icv, uint8_t *ivp)
-{
-    uint64_t *data;
-    int data_i, data_l;
-
-    dprintf("%s()\n", __func__);
-
-    if (__predict_false(od == NULL || iov==NULL || iovlen==0 || ivp==NULL ||
-	    (crypt_off & 0x7) || (crypt_off + crypt_len > iovlen))) {
-	dprintf("%s: Bad parameters od=%p iov=%p iovlen=%jd "
-		"auth_off=%d auth_len=%d crypt_off=%d crypt_len=%d "
-		"icv=%p ivp=%p\n", __func__, od, iov, iovlen,
-		auth_off, auth_len, crypt_off, crypt_len, icv, ivp);
-	return -EINVAL;
-    }
-
-    IOV_INIT(iov, data, data_i, data_l);
-
-    CVMX_PREFETCH0(ivp);
-    CVMX_PREFETCH0(od->octo_enckey);
-
-    /* load 3DES Key */
-    CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 0);
-    if (od->octo_encklen == 24) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[1], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[2], 2);
-    } else if (od->octo_encklen == 8) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 2);
-    } else {
-	dprintf("%s: Bad key length %d\n", __func__, od->octo_encklen);
-	return -EINVAL;
-    }
-
-    CVMX_MT_3DES_IV(* (uint64_t *) ivp);
-
-    while (crypt_off > 0) {
-	IOV_CONSUME(iov, data, data_i, data_l);
-	crypt_off -= 8;
-    }
-
-    while (crypt_len > 0) {
-	CVMX_MT_3DES_DEC_CBC(*data);
-	CVMX_MF_3DES_RESULT(*data);
-	IOV_CONSUME(iov, data, data_i, data_l);
-	crypt_len -= 8;
-    }
-
-    return 0;
-}
-
-/****************************************************************************/
 /* AES functions */
 
 int
@@ -778,593 +657,6 @@ octo_null_sha1_encrypt(
 }
 
 /****************************************************************************/
-/* DES MD5 */
-
-int
-octo_des_cbc_md5_encrypt(
-    struct octo_sess *od,
-    struct iovec *iov, size_t iovcnt, size_t iovlen,
-    int auth_off, int auth_len,
-    int crypt_off, int crypt_len,
-    uint8_t *icv, uint8_t *ivp)
-{
-    int next = 0;
-    union {
-	uint32_t data32[2];
-	uint64_t data64[1];
-    } mydata;
-    uint64_t *data = &mydata.data64[0];
-    uint32_t *data32;
-    uint64_t tmp1, tmp2;
-    int data_i, data_l, alen = auth_len;
-
-    dprintf("%s()\n", __func__);
-
-    if (__predict_false(od == NULL || iov==NULL || iovlen==0 || ivp==NULL ||
-	    (crypt_off & 0x3) || (crypt_off + crypt_len > iovlen) ||
-	    (crypt_len  & 0x7) ||
-	    (auth_len  & 0x7) ||
-	    (auth_off & 0x3) || (auth_off + auth_len > iovlen))) {
-	dprintf("%s: Bad parameters od=%p iov=%p iovlen=%jd "
-		"auth_off=%d auth_len=%d crypt_off=%d crypt_len=%d "
-		"icv=%p ivp=%p\n", __func__, od, iov, iovlen,
-		auth_off, auth_len, crypt_off, crypt_len, icv, ivp);
-	return -EINVAL;
-    }
-
-    IOV_INIT(iov, data32, data_i, data_l);
-
-    CVMX_PREFETCH0(ivp);
-    CVMX_PREFETCH0(od->octo_enckey);
-
-    /* load 3DES Key */
-    CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 0);
-    if (od->octo_encklen == 24) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[1], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[2], 2);
-    } else if (od->octo_encklen == 8) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 2);
-    } else {
-	dprintf("%s: Bad key length %d\n", __func__, od->octo_encklen);
-	return -EINVAL;
-    }
-
-    CVMX_MT_3DES_IV(* (uint64_t *) ivp);
-
-    /* Load MD5 IV */
-    CVMX_MT_HSH_IV(od->octo_hminner[0], 0);
-    CVMX_MT_HSH_IV(od->octo_hminner[1], 1);
-
-    while (crypt_off > 0 && auth_off > 0) {
-	IOV_CONSUME(iov, data32, data_i, data_l);
-	crypt_off -= 4;
-	auth_off -= 4;
-    }
-
-    while (crypt_len > 0 || auth_len > 0) {
-    	uint32_t *first = data32;
-	mydata.data32[0] = *first;
-	IOV_CONSUME(iov, data32, data_i, data_l);
-	mydata.data32[1] = *data32;
-    	if (crypt_off <= 0) {
-	    if (crypt_len > 0) {
-		CVMX_MT_3DES_ENC_CBC(*data);
-		CVMX_MF_3DES_RESULT(*data);
-		crypt_len -= 8;
-	    }
-	} else
-	    crypt_off -= 8;
-    	if (auth_off <= 0) {
-	    if (auth_len > 0) {
-		CVM_LOAD_MD5_UNIT(*data, next);
-		auth_len -= 8;
-	    }
-	} else
-	    auth_off -= 8;
-	*first = mydata.data32[0];
-	*data32 = mydata.data32[1];
-	IOV_CONSUME(iov, data32, data_i, data_l);
-    }
-
-    /* finish the hash */
-    CVMX_PREFETCH0(od->octo_hmouter);
-#if 0
-    if (__predict_false(inplen)) {
-	uint64_t tmp = 0;
-	uint8_t *p = (uint8_t *) & tmp;
-	p[inplen] = 0x80;
-	do {
-	    inplen--;
-	    p[inplen] = ((uint8_t *) data)[inplen];
-	} while (inplen);
-	CVM_LOAD_MD5_UNIT(tmp, next);
-    } else {
-	CVM_LOAD_MD5_UNIT(0x8000000000000000ULL, next);
-    }
-#else
-    CVM_LOAD_MD5_UNIT(0x8000000000000000ULL, next);
-#endif
-
-    /* Finish Inner hash */
-    while (next != 7) {
-	CVM_LOAD_MD5_UNIT(((uint64_t) 0x0ULL), next);
-    }
-    CVMX_ES64(tmp1, ((alen + 64) << 3));
-    CVM_LOAD_MD5_UNIT(tmp1, next);
-
-    /* Get the inner hash of HMAC */
-    CVMX_MF_HSH_IV(tmp1, 0);
-    CVMX_MF_HSH_IV(tmp2, 1);
-
-    /* Initialize hash unit */
-    CVMX_MT_HSH_IV(od->octo_hmouter[0], 0);
-    CVMX_MT_HSH_IV(od->octo_hmouter[1], 1);
-
-    CVMX_MT_HSH_DAT(tmp1, 0);
-    CVMX_MT_HSH_DAT(tmp2, 1);
-    CVMX_MT_HSH_DAT(0x8000000000000000ULL, 2);
-    CVMX_MT_HSH_DATZ(3);
-    CVMX_MT_HSH_DATZ(4);
-    CVMX_MT_HSH_DATZ(5);
-    CVMX_MT_HSH_DATZ(6);
-    CVMX_ES64(tmp1, ((64 + 16) << 3));
-    CVMX_MT_HSH_STARTMD5(tmp1);
-
-    /* save the HMAC */
-    data32 = (uint32_t *)icv;
-    CVMX_MF_HSH_IV(tmp1, 0);
-    *data32 = (uint32_t) (tmp1 >> 32);
-    data32++;
-    *data32 = (uint32_t) tmp1;
-    data32++;
-    CVMX_MF_HSH_IV(tmp1, 1);
-    *data32 = (uint32_t) (tmp1 >> 32);
-
-    return 0;
-}
-
-int
-octo_des_cbc_md5_decrypt(
-    struct octo_sess *od,
-    struct iovec *iov, size_t iovcnt, size_t iovlen,
-    int auth_off, int auth_len,
-    int crypt_off, int crypt_len,
-    uint8_t *icv, uint8_t *ivp)
-{
-    int next = 0;
-    union {
-	uint32_t data32[2];
-	uint64_t data64[1];
-    } mydata;
-    uint64_t *data = &mydata.data64[0];
-    uint32_t *data32;
-    uint64_t tmp1, tmp2;
-    int data_i, data_l, alen = auth_len;
-
-    dprintf("%s()\n", __func__);
-
-    if (__predict_false(od == NULL || iov==NULL || iovlen==0 || ivp==NULL ||
-	    (crypt_off & 0x3) || (crypt_off + crypt_len > iovlen) ||
-	    (crypt_len  & 0x7) ||
-	    (auth_len  & 0x7) ||
-	    (auth_off & 0x3) || (auth_off + auth_len > iovlen))) {
-	dprintf("%s: Bad parameters od=%p iov=%p iovlen=%jd "
-		"auth_off=%d auth_len=%d crypt_off=%d crypt_len=%d "
-		"icv=%p ivp=%p\n", __func__, od, iov, iovlen,
-		auth_off, auth_len, crypt_off, crypt_len, icv, ivp);
-	return -EINVAL;
-    }
-
-    IOV_INIT(iov, data32, data_i, data_l);
-
-    CVMX_PREFETCH0(ivp);
-    CVMX_PREFETCH0(od->octo_enckey);
-
-    /* load 3DES Key */
-    CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 0);
-    if (od->octo_encklen == 24) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[1], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[2], 2);
-    } else if (od->octo_encklen == 8) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 2);
-    } else {
-	dprintf("%s: Bad key length %d\n", __func__, od->octo_encklen);
-	return -EINVAL;
-    }
-
-    CVMX_MT_3DES_IV(* (uint64_t *) ivp);
-
-    /* Load MD5 IV */
-    CVMX_MT_HSH_IV(od->octo_hminner[0], 0);
-    CVMX_MT_HSH_IV(od->octo_hminner[1], 1);
-
-    while (crypt_off > 0 && auth_off > 0) {
-	IOV_CONSUME(iov, data32, data_i, data_l);
-	crypt_off -= 4;
-	auth_off -= 4;
-    }
-
-    while (crypt_len > 0 || auth_len > 0) {
-    	uint32_t *first = data32;
-	mydata.data32[0] = *first;
-	IOV_CONSUME(iov, data32, data_i, data_l);
-	mydata.data32[1] = *data32;
-    	if (auth_off <= 0) {
-	    if (auth_len > 0) {
-		CVM_LOAD_MD5_UNIT(*data, next);
-		auth_len -= 8;
-	    }
-	} else
-	    auth_off -= 8;
-    	if (crypt_off <= 0) {
-	    if (crypt_len > 0) {
-		CVMX_MT_3DES_DEC_CBC(*data);
-		CVMX_MF_3DES_RESULT(*data);
-		crypt_len -= 8;
-	    }
-	} else
-	    crypt_off -= 8;
-	*first = mydata.data32[0];
-	*data32 = mydata.data32[1];
-	IOV_CONSUME(iov, data32, data_i, data_l);
-    }
-
-    /* finish the hash */
-    CVMX_PREFETCH0(od->octo_hmouter);
-#if 0
-    if (__predict_false(inplen)) {
-	uint64_t tmp = 0;
-	uint8_t *p = (uint8_t *) & tmp;
-	p[inplen] = 0x80;
-	do {
-	    inplen--;
-	    p[inplen] = ((uint8_t *) data)[inplen];
-	} while (inplen);
-	CVM_LOAD_MD5_UNIT(tmp, next);
-    } else {
-	CVM_LOAD_MD5_UNIT(0x8000000000000000ULL, next);
-    }
-#else
-    CVM_LOAD_MD5_UNIT(0x8000000000000000ULL, next);
-#endif
-
-    /* Finish Inner hash */
-    while (next != 7) {
-	CVM_LOAD_MD5_UNIT(((uint64_t) 0x0ULL), next);
-    }
-    CVMX_ES64(tmp1, ((alen + 64) << 3));
-    CVM_LOAD_MD5_UNIT(tmp1, next);
-
-    /* Get the inner hash of HMAC */
-    CVMX_MF_HSH_IV(tmp1, 0);
-    CVMX_MF_HSH_IV(tmp2, 1);
-
-    /* Initialize hash unit */
-    CVMX_MT_HSH_IV(od->octo_hmouter[0], 0);
-    CVMX_MT_HSH_IV(od->octo_hmouter[1], 1);
-
-    CVMX_MT_HSH_DAT(tmp1, 0);
-    CVMX_MT_HSH_DAT(tmp2, 1);
-    CVMX_MT_HSH_DAT(0x8000000000000000ULL, 2);
-    CVMX_MT_HSH_DATZ(3);
-    CVMX_MT_HSH_DATZ(4);
-    CVMX_MT_HSH_DATZ(5);
-    CVMX_MT_HSH_DATZ(6);
-    CVMX_ES64(tmp1, ((64 + 16) << 3));
-    CVMX_MT_HSH_STARTMD5(tmp1);
-
-    /* save the HMAC */
-    data32 = (uint32_t *)icv;
-    CVMX_MF_HSH_IV(tmp1, 0);
-    *data32 = (uint32_t) (tmp1 >> 32);
-    data32++;
-    *data32 = (uint32_t) tmp1;
-    data32++;
-    CVMX_MF_HSH_IV(tmp1, 1);
-    *data32 = (uint32_t) (tmp1 >> 32);
-
-    return 0;
-}
-
-/****************************************************************************/
-/* DES SHA */
-
-int
-octo_des_cbc_sha1_encrypt(
-    struct octo_sess *od,
-    struct iovec *iov, size_t iovcnt, size_t iovlen,
-    int auth_off, int auth_len,
-    int crypt_off, int crypt_len,
-    uint8_t *icv, uint8_t *ivp)
-{
-    int next = 0;
-    union {
-	uint32_t data32[2];
-	uint64_t data64[1];
-    } mydata;
-    uint64_t *data = &mydata.data64[0];
-    uint32_t *data32;
-    uint64_t tmp1, tmp2, tmp3;
-    int data_i, data_l, alen = auth_len;
-
-    dprintf("%s()\n", __func__);
-
-    if (__predict_false(od == NULL || iov==NULL || iovlen==0 || ivp==NULL ||
-	    (crypt_off & 0x3) || (crypt_off + crypt_len > iovlen) ||
-	    (crypt_len  & 0x7) ||
-	    (auth_len  & 0x7) ||
-	    (auth_off & 0x3) || (auth_off + auth_len > iovlen))) {
-	dprintf("%s: Bad parameters od=%p iov=%p iovlen=%jd "
-		"auth_off=%d auth_len=%d crypt_off=%d crypt_len=%d "
-		"icv=%p ivp=%p\n", __func__, od, iov, iovlen,
-		auth_off, auth_len, crypt_off, crypt_len, icv, ivp);
-	return -EINVAL;
-    }
-
-    IOV_INIT(iov, data32, data_i, data_l);
-
-    CVMX_PREFETCH0(ivp);
-    CVMX_PREFETCH0(od->octo_enckey);
-
-    /* load 3DES Key */
-    CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 0);
-    if (od->octo_encklen == 24) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[1], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[2], 2);
-    } else if (od->octo_encklen == 8) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 2);
-    } else {
-	dprintf("%s: Bad key length %d\n", __func__, od->octo_encklen);
-	return -EINVAL;
-    }
-
-    CVMX_MT_3DES_IV(* (uint64_t *) ivp);
-
-    /* Load SHA1 IV */
-    CVMX_MT_HSH_IV(od->octo_hminner[0], 0);
-    CVMX_MT_HSH_IV(od->octo_hminner[1], 1);
-    CVMX_MT_HSH_IV(od->octo_hminner[2], 2);
-
-    while (crypt_off > 0 && auth_off > 0) {
-	IOV_CONSUME(iov, data32, data_i, data_l);
-	crypt_off -= 4;
-	auth_off -= 4;
-    }
-
-    while (crypt_len > 0 || auth_len > 0) {
-    	uint32_t *first = data32;
-	mydata.data32[0] = *first;
-	IOV_CONSUME(iov, data32, data_i, data_l);
-	mydata.data32[1] = *data32;
-    	if (crypt_off <= 0) {
-	    if (crypt_len > 0) {
-		CVMX_MT_3DES_ENC_CBC(*data);
-		CVMX_MF_3DES_RESULT(*data);
-		crypt_len -= 8;
-	    }
-	} else
-	    crypt_off -= 8;
-    	if (auth_off <= 0) {
-	    if (auth_len > 0) {
-		CVM_LOAD_SHA_UNIT(*data, next);
-		auth_len -= 8;
-	    }
-	} else
-	    auth_off -= 8;
-	*first = mydata.data32[0];
-	*data32 = mydata.data32[1];
-	IOV_CONSUME(iov, data32, data_i, data_l);
-    }
-
-    /* finish the hash */
-    CVMX_PREFETCH0(od->octo_hmouter);
-#if 0
-    if (__predict_false(inplen)) {
-	uint64_t tmp = 0;
-	uint8_t *p = (uint8_t *) & tmp;
-	p[inplen] = 0x80;
-	do {
-	    inplen--;
-	    p[inplen] = ((uint8_t *) data)[inplen];
-	} while (inplen);
-	CVM_LOAD_SHA_UNIT(tmp, next);
-    } else {
-	CVM_LOAD_SHA_UNIT(0x8000000000000000ULL, next);
-    }
-#else
-    CVM_LOAD_SHA_UNIT(0x8000000000000000ULL, next);
-#endif
-
-    /* Finish Inner hash */
-    while (next != 7) {
-	CVM_LOAD_SHA_UNIT(((uint64_t) 0x0ULL), next);
-    }
-	CVM_LOAD_SHA_UNIT((uint64_t) ((alen + 64) << 3), next);
-
-    /* Get the inner hash of HMAC */
-    CVMX_MF_HSH_IV(tmp1, 0);
-    CVMX_MF_HSH_IV(tmp2, 1);
-    tmp3 = 0;
-    CVMX_MF_HSH_IV(tmp3, 2);
-
-    /* Initialize hash unit */
-    CVMX_MT_HSH_IV(od->octo_hmouter[0], 0);
-    CVMX_MT_HSH_IV(od->octo_hmouter[1], 1);
-    CVMX_MT_HSH_IV(od->octo_hmouter[2], 2);
-
-    CVMX_MT_HSH_DAT(tmp1, 0);
-    CVMX_MT_HSH_DAT(tmp2, 1);
-    tmp3 |= 0x0000000080000000;
-    CVMX_MT_HSH_DAT(tmp3, 2);
-    CVMX_MT_HSH_DATZ(3);
-    CVMX_MT_HSH_DATZ(4);
-    CVMX_MT_HSH_DATZ(5);
-    CVMX_MT_HSH_DATZ(6);
-    CVMX_MT_HSH_STARTSHA((uint64_t) ((64 + 20) << 3));
-
-    /* save the HMAC */
-    data32 = (uint32_t *)icv;
-    CVMX_MF_HSH_IV(tmp1, 0);
-    *data32 = (uint32_t) (tmp1 >> 32);
-    data32++;
-    *data32 = (uint32_t) tmp1;
-    data32++;
-    CVMX_MF_HSH_IV(tmp1, 1);
-    *data32 = (uint32_t) (tmp1 >> 32);
-
-    return 0;
-}
-
-int
-octo_des_cbc_sha1_decrypt(
-    struct octo_sess *od,
-    struct iovec *iov, size_t iovcnt, size_t iovlen,
-    int auth_off, int auth_len,
-    int crypt_off, int crypt_len,
-    uint8_t *icv, uint8_t *ivp)
-{
-    int next = 0;
-    union {
-	uint32_t data32[2];
-	uint64_t data64[1];
-    } mydata;
-    uint64_t *data = &mydata.data64[0];
-    uint32_t *data32;
-    uint64_t tmp1, tmp2, tmp3;
-    int data_i, data_l, alen = auth_len;
-
-    dprintf("%s()\n", __func__);
-
-    if (__predict_false(od == NULL || iov==NULL || iovlen==0 || ivp==NULL ||
-	    (crypt_off & 0x3) || (crypt_off + crypt_len > iovlen) ||
-	    (crypt_len  & 0x7) ||
-	    (auth_len  & 0x7) ||
-	    (auth_off & 0x3) || (auth_off + auth_len > iovlen))) {
-	dprintf("%s: Bad parameters od=%p iov=%p iovlen=%jd "
-		"auth_off=%d auth_len=%d crypt_off=%d crypt_len=%d "
-		"icv=%p ivp=%p\n", __func__, od, iov, iovlen,
-		auth_off, auth_len, crypt_off, crypt_len, icv, ivp);
-	return -EINVAL;
-    }
-
-    IOV_INIT(iov, data32, data_i, data_l);
-
-    CVMX_PREFETCH0(ivp);
-    CVMX_PREFETCH0(od->octo_enckey);
-
-    /* load 3DES Key */
-    CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 0);
-    if (od->octo_encklen == 24) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[1], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[2], 2);
-    } else if (od->octo_encklen == 8) {
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 1);
-	CVMX_MT_3DES_KEY(((uint64_t *) od->octo_enckey)[0], 2);
-    } else {
-	dprintf("%s: Bad key length %d\n", __func__, od->octo_encklen);
-	return -EINVAL;
-    }
-
-    CVMX_MT_3DES_IV(* (uint64_t *) ivp);
-
-    /* Load SHA1 IV */
-    CVMX_MT_HSH_IV(od->octo_hminner[0], 0);
-    CVMX_MT_HSH_IV(od->octo_hminner[1], 1);
-    CVMX_MT_HSH_IV(od->octo_hminner[2], 2);
-
-    while (crypt_off > 0 && auth_off > 0) {
-	IOV_CONSUME(iov, data32, data_i, data_l);
-	crypt_off -= 4;
-	auth_off -= 4;
-    }
-
-    while (crypt_len > 0 || auth_len > 0) {
-    	uint32_t *first = data32;
-	mydata.data32[0] = *first;
-	IOV_CONSUME(iov, data32, data_i, data_l);
-	mydata.data32[1] = *data32;
-    	if (auth_off <= 0) {
-	    if (auth_len > 0) {
-		CVM_LOAD_SHA_UNIT(*data, next);
-		auth_len -= 8;
-	    }
-	} else
-	    auth_off -= 8;
-    	if (crypt_off <= 0) {
-	    if (crypt_len > 0) {
-		CVMX_MT_3DES_DEC_CBC(*data);
-		CVMX_MF_3DES_RESULT(*data);
-		crypt_len -= 8;
-	    }
-	} else
-	    crypt_off -= 8;
-	*first = mydata.data32[0];
-	*data32 = mydata.data32[1];
-	IOV_CONSUME(iov, data32, data_i, data_l);
-    }
-
-    /* finish the hash */
-    CVMX_PREFETCH0(od->octo_hmouter);
-#if 0
-    if (__predict_false(inplen)) {
-	uint64_t tmp = 0;
-	uint8_t *p = (uint8_t *) & tmp;
-	p[inplen] = 0x80;
-	do {
-	    inplen--;
-	    p[inplen] = ((uint8_t *) data)[inplen];
-	} while (inplen);
-	CVM_LOAD_SHA_UNIT(tmp, next);
-    } else {
-	CVM_LOAD_SHA_UNIT(0x8000000000000000ULL, next);
-    }
-#else
-    CVM_LOAD_SHA_UNIT(0x8000000000000000ULL, next);
-#endif
-
-    /* Finish Inner hash */
-    while (next != 7) {
-	CVM_LOAD_SHA_UNIT(((uint64_t) 0x0ULL), next);
-    }
-	CVM_LOAD_SHA_UNIT((uint64_t) ((alen + 64) << 3), next);
-
-    /* Get the inner hash of HMAC */
-    CVMX_MF_HSH_IV(tmp1, 0);
-    CVMX_MF_HSH_IV(tmp2, 1);
-    tmp3 = 0;
-    CVMX_MF_HSH_IV(tmp3, 2);
-
-    /* Initialize hash unit */
-    CVMX_MT_HSH_IV(od->octo_hmouter[0], 0);
-    CVMX_MT_HSH_IV(od->octo_hmouter[1], 1);
-    CVMX_MT_HSH_IV(od->octo_hmouter[2], 2);
-
-    CVMX_MT_HSH_DAT(tmp1, 0);
-    CVMX_MT_HSH_DAT(tmp2, 1);
-    tmp3 |= 0x0000000080000000;
-    CVMX_MT_HSH_DAT(tmp3, 2);
-    CVMX_MT_HSH_DATZ(3);
-    CVMX_MT_HSH_DATZ(4);
-    CVMX_MT_HSH_DATZ(5);
-    CVMX_MT_HSH_DATZ(6);
-    CVMX_MT_HSH_STARTSHA((uint64_t) ((64 + 20) << 3));
-    /* save the HMAC */
-    data32 = (uint32_t *)icv;
-    CVMX_MF_HSH_IV(tmp1, 0);
-    *data32 = (uint32_t) (tmp1 >> 32);
-    data32++;
-    *data32 = (uint32_t) tmp1;
-    data32++;
-    CVMX_MF_HSH_IV(tmp1, 1);
-    *data32 = (uint32_t) (tmp1 >> 32);
-
-    return 0;
-}
-
-/****************************************************************************/
 /* AES MD5 */
 
 int
diff --git a/sys/mips/cavium/cryptocteon/cryptocteon.c b/sys/mips/cavium/cryptocteon/cryptocteon.c
index 56030979f24e..2fe2e9f29c63 100644
--- a/sys/mips/cavium/cryptocteon/cryptocteon.c
+++ b/sys/mips/cavium/cryptocteon/cryptocteon.c
@@ -121,14 +121,6 @@ cryptocteon_cipher_supported(const struct crypto_session_params *csp)
 {
 
 	switch (csp->csp_cipher_alg) {
-	case CRYPTO_DES_CBC:
-	case CRYPTO_3DES_CBC:
-		if (csp->csp_ivlen != 8)
-			return (false);
-		if (csp->csp_cipher_klen != 8 &&
-		    csp->csp_cipher_klen != 24)
-			return (false);
-		break;
 	case CRYPTO_AES_CBC:
 		if (csp->csp_ivlen != 16)
 			return (false);
@@ -229,11 +221,6 @@ cryptocteon_newsession(device_t dev, crypto_session_t cses,
 		break;
 	case CSP_MODE_CIPHER:
 		switch (csp->csp_cipher_alg) {
-		case CRYPTO_DES_CBC:
-		case CRYPTO_3DES_CBC:
-			ocd->octo_encrypt = octo_des_cbc_encrypt;
-			ocd->octo_decrypt = octo_des_cbc_decrypt;
-			break;
 		case CRYPTO_AES_CBC:
 			ocd->octo_encrypt = octo_aes_cbc_encrypt;
 			ocd->octo_decrypt = octo_aes_cbc_decrypt;
@@ -242,19 +229,6 @@ cryptocteon_newsession(device_t dev, crypto_session_t cses,
 		break;
 	case CSP_MODE_ETA:
 		switch (csp->csp_cipher_alg) {
-		case CRYPTO_DES_CBC:
-		case CRYPTO_3DES_CBC:
-			switch (csp->csp_auth_alg) {
-			case CRYPTO_MD5_HMAC:
-				ocd->octo_encrypt = octo_des_cbc_md5_encrypt;
-				ocd->octo_decrypt = octo_des_cbc_md5_decrypt;
-				break;
-			case CRYPTO_SHA1_HMAC:
-				ocd->octo_encrypt = octo_des_cbc_sha1_encrypt;
-				ocd->octo_decrypt = octo_des_cbc_sha1_encrypt;
-				break;
-			}
-			break;
 		case CRYPTO_AES_CBC:
 			switch (csp->csp_auth_alg) {
 			case CRYPTO_MD5_HMAC:
diff --git a/sys/mips/cavium/cryptocteon/cryptocteonvar.h b/sys/mips/cavium/cryptocteon/cryptocteonvar.h
index e7bc445deefb..2e071f7240b3 100644
--- a/sys/mips/cavium/cryptocteon/cryptocteonvar.h
+++ b/sys/mips/cavium/cryptocteon/cryptocteonvar.h
@@ -67,14 +67,6 @@ void octo_calc_hash(uint8_t, unsigned char *, uint64_t *, uint64_t *);
 octo_encrypt_t octo_null_md5_encrypt;
 octo_encrypt_t octo_null_sha1_encrypt;
 
-octo_encrypt_t octo_des_cbc_encrypt;
-octo_encrypt_t octo_des_cbc_md5_encrypt;
-octo_encrypt_t octo_des_cbc_sha1_encrypt;
-
-octo_decrypt_t octo_des_cbc_decrypt;
-octo_decrypt_t octo_des_cbc_md5_decrypt;
-octo_decrypt_t octo_des_cbc_sha1_decrypt;
-
 octo_encrypt_t octo_aes_cbc_encrypt;
 octo_encrypt_t octo_aes_cbc_md5_encrypt;
 octo_encrypt_t octo_aes_cbc_sha1_encrypt;
diff --git a/sys/mips/nlm/dev/sec/nlmsec.c b/sys/mips/nlm/dev/sec/nlmsec.c
index b32ec3406bb4..52dd46429e8f 100644
--- a/sys/mips/nlm/dev/sec/nlmsec.c
+++ b/sys/mips/nlm/dev/sec/nlmsec.c
@@ -391,11 +391,6 @@ xlp_sec_cipher_supported(const struct crypto_session_params *csp)
 {
 
 	switch (csp->csp_cipher_alg) {
-	case CRYPTO_DES_CBC:
-	case CRYPTO_3DES_CBC:
-		if (csp->csp_ivlen != XLP_SEC_DES_IV_LENGTH)
-			return (false);
-		break;
 	case CRYPTO_AES_CBC:
 		if (csp->csp_ivlen != XLP_SEC_AES_IV_LENGTH)
 			return (false);
diff --git a/sys/mips/nlm/dev/sec/nlmseclib.c b/sys/mips/nlm/dev/sec/nlmseclib.c
index a613fe93509f..56de5b5cc022 100644
--- a/sys/mips/nlm/dev/sec/nlmseclib.c
+++ b/sys/mips/nlm/dev/sec/nlmseclib.c
@@ -172,18 +172,6 @@ nlm_crypto_do_cipher(struct xlp_sec_softc *sc, struct xlp_sec_command *cmd,
 		cipkey = cmd->crp->crp_cipher_key;
 	else
 		cipkey = csp->csp_cipher_key;
-	if (cmd->cipheralg == NLM_CIPHER_3DES) {
-		if (!CRYPTO_OP_IS_ENCRYPT(cmd->crp->crp_op)) {
-                        const uint64_t *k;
-                        uint64_t *tkey;
-			k = (const uint64_t *)cipkey;
-			tkey = (uint64_t *)cmd->des3key;
-			tkey[2] = k[0];
-			tkey[1] = k[1];
-			tkey[0] = k[2];
-			cipkey = (const unsigned char *)tkey;
-		}
-	}
 	nlm_crypto_fill_pkt_ctrl(cmd->ctrlp, 0, NLM_HASH_BYPASS, 0,
 	    cmd->cipheralg, cmd->ciphermode, cipkey,
 	    csp->csp_cipher_klen, NULL, 0);
@@ -239,18 +227,6 @@ nlm_crypto_do_cipher_digest(struct xlp_sec_softc *sc,
 		authkey = cmd->crp->crp_auth_key;
 	else
 		authkey = csp->csp_auth_key;
-	if (cmd->cipheralg == NLM_CIPHER_3DES) {
-		if (!CRYPTO_OP_IS_ENCRYPT(cmd->crp->crp_op)) {
-			const uint64_t *k;
-			uint64_t *tkey;
-			k = (const uint64_t *)cipkey;
-			tkey = (uint64_t *)cmd->des3key;
-			tkey[2] = k[0];
-			tkey[1] = k[1];
-			tkey[0] = k[2];
-			cipkey = (const unsigned char *)tkey;
-		}
-	}
 	nlm_crypto_fill_pkt_ctrl(cmd->ctrlp, csp->csp_auth_klen ? 1 : 0,
 	    cmd->hashalg, cmd->hashmode, cmd->cipheralg, cmd->ciphermode,
 	    cipkey, csp->csp_cipher_klen,
@@ -296,16 +272,6 @@ nlm_get_cipher_param(struct xlp_sec_command *cmd,
     const struct crypto_session_params *csp)
 {
 	switch(csp->csp_cipher_alg) {
-	case CRYPTO_DES_CBC:
-		cmd->cipheralg  = NLM_CIPHER_DES;
-		cmd->ciphermode = NLM_CIPHER_MODE_CBC;
-		cmd->ivlen	= XLP_SEC_DES_IV_LENGTH;
-		break;
-	case CRYPTO_3DES_CBC:
-		cmd->cipheralg  = NLM_CIPHER_3DES;
-		cmd->ciphermode = NLM_CIPHER_MODE_CBC;
-		cmd->ivlen	= XLP_SEC_DES_IV_LENGTH;
-		break;
 	case CRYPTO_AES_CBC:
 		cmd->cipheralg  = NLM_CIPHER_AES128;
 		cmd->ciphermode = NLM_CIPHER_MODE_CBC;
diff --git a/sys/opencrypto/crypto.c b/sys/opencrypto/crypto.c
index 2dee7477c713..c5aaec71f2a5 100644
--- a/sys/opencrypto/crypto.c
+++ b/sys/opencrypto/crypto.c
@@ -594,10 +594,6 @@ crypto_cipher(const struct crypto_session_params *csp)
 {
 
 	switch (csp->csp_cipher_alg) {
-	case CRYPTO_DES_CBC:
-		return (&enc_xform_des);
-	case CRYPTO_3DES_CBC:
-		return (&enc_xform_3des);
 	case CRYPTO_RIJNDAEL128_CBC:
 		return (&enc_xform_rijndael128);
 	case CRYPTO_AES_XTS:
@@ -678,8 +674,6 @@ static enum alg_type {
 	ALG_COMPRESSION,
 	ALG_AEAD
 } alg_types[] = {
-	[CRYPTO_DES_CBC] = ALG_CIPHER,
-	[CRYPTO_3DES_CBC] = ALG_CIPHER,
 	[CRYPTO_MD5_HMAC] = ALG_KEYED_DIGEST,
 	[CRYPTO_SHA1_HMAC] = ALG_KEYED_DIGEST,
 	[CRYPTO_RIPEMD160_HMAC] = ALG_KEYED_DIGEST,
diff --git a/sys/opencrypto/cryptodev.h b/sys/opencrypto/cryptodev.h
index 461145350eac..195df24b45d4 100644
--- a/sys/opencrypto/cryptodev.h
+++ b/sys/opencrypto/cryptodev.h
@@ -113,8 +113,6 @@
 
 /* Encryption algorithm block sizes */
 #define	NULL_BLOCK_LEN		4	/* IPsec to maintain alignment */
-#define	DES_BLOCK_LEN		8
-#define	DES3_BLOCK_LEN		8
 #define	RIJNDAEL128_BLOCK_LEN	16
 #define	AES_BLOCK_LEN		16
 #define	AES_ICM_BLOCK_LEN	1
@@ -132,10 +130,6 @@
 /* Min and Max Encryption Key Sizes */
 #define	NULL_MIN_KEY		0
 #define	NULL_MAX_KEY		256 /* 2048 bits, max key */
-#define	DES_MIN_KEY		8
-#define	DES_MAX_KEY		DES_MIN_KEY
-#define	TRIPLE_DES_MIN_KEY	24
-#define	TRIPLE_DES_MAX_KEY	TRIPLE_DES_MIN_KEY
 #define	RIJNDAEL_MIN_KEY	16
 #define	RIJNDAEL_MAX_KEY	32
 #define	AES_MIN_KEY		RIJNDAEL_MIN_KEY
@@ -215,7 +209,7 @@
 
 /* NB: deprecated */
 struct session_op {
-	u_int32_t	cipher;		/* ie. CRYPTO_DES_CBC */
+	u_int32_t	cipher;		/* ie. CRYPTO_AES_CBC */
 	u_int32_t	mac;		/* ie. CRYPTO_MD5_HMAC */
 
 	u_int32_t	keylen;		/* cipher key */
@@ -232,7 +226,7 @@ struct session_op {
  * "cryptop" (no underscore).
  */
 struct session2_op {
-	u_int32_t	cipher;		/* ie. CRYPTO_DES_CBC */
+	u_int32_t	cipher;		/* ie. CRYPTO_AES_CBC */
 	u_int32_t	mac;		/* ie. CRYPTO_MD5_HMAC */
 
 	u_int32_t	keylen;		/* cipher key */
diff --git a/sys/opencrypto/xform.c b/sys/opencrypto/xform.c
index bfa97dca951e..117be15bf9f3 100644
--- a/sys/opencrypto/xform.c
+++ b/sys/opencrypto/xform.c
@@ -59,7 +59,6 @@ __FBSDID("$FreeBSD$");
 #include <sys/kernel.h>
 #include <machine/cpu.h>
 
-#include <crypto/des/des.h>
 #include <crypto/rijndael/rijndael.h>
 #include <crypto/camellia/camellia.h>
 #include <crypto/sha1.h>
@@ -76,8 +75,6 @@ MALLOC_DEFINE(M_XDATA, "xform", "xform data buffers");
 
 /* Include the encryption algorithms */
 #include "xform_null.c"
-#include "xform_des1.c"
-#include "xform_des3.c"
 #include "xform_rijndael.c"
 #include "xform_aes_icm.c"
 #include "xform_aes_xts.c"
diff --git a/sys/opencrypto/xform_des1.c b/sys/opencrypto/xform_des1.c
deleted file mode 100644
index 0a778eefb076..000000000000
--- a/sys/opencrypto/xform_des1.c
+++ /dev/null
@@ -1,114 +0,0 @@
-/*	$OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $	*/
-/*-
- * The authors of this code are John Ioannidis (ji@tla.org),
- * Angelos D. Keromytis (kermit@csd.uch.gr),
- * Niels Provos (provos@physnet.uni-hamburg.de) and
- * Damien Miller (djm@mindrot.org).
- *
- * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
- * in November 1995.
- *
- * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis.
- *
- * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
- * and Niels Provos.
- *
- * Additional features in 1999 by Angelos D. Keromytis.
- *
- * AES XTS implementation in 2008 by Damien Miller
- *
- * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
- * Angelos D. Keromytis and Niels Provos.
- *
- * Copyright (C) 2001, Angelos D. Keromytis.
- *
- * Copyright (C) 2008, Damien Miller
- * Copyright (c) 2014 The FreeBSD Foundation
- * All rights reserved.
- *
- * Portions of this software were developed by John-Mark Gurney
- * under sponsorship of the FreeBSD Foundation and
- * Rubicon Communications, LLC (Netgate).
- *
- * Permission to use, copy, and modify this software with or without fee
- * is hereby granted, provided that this entire notice is included in
- * all copies of any software which is or includes a copy or
- * modification of this software.
- * You may use this code under the GNU public license if you so wish. Please
- * contribute changes back to the authors under this freer than GPL license
- * so that we may further the use of strong encryption without limitations to
- * all.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
- * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
- * PURPOSE.
- */
-
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#include <crypto/des/des.h>
-#include <opencrypto/xform_enc.h>
-
-static	int des1_setkey(u_int8_t **, const u_int8_t *, int);
-static	void des1_encrypt(caddr_t, u_int8_t *);
-static	void des1_decrypt(caddr_t, u_int8_t *);
-static	void des1_zerokey(u_int8_t **);
-
-/* Encryption instances */
-struct enc_xform enc_xform_des = {
-	CRYPTO_DES_CBC, "DES",
-	DES_BLOCK_LEN, DES_BLOCK_LEN, DES_MIN_KEY, DES_MAX_KEY,
-	des1_encrypt,
-	des1_decrypt,
-	des1_setkey,
-	des1_zerokey,
-	NULL,
-};
-
-/*
- * Encryption wrapper routines.
- */
-static void
-des1_encrypt(caddr_t key, u_int8_t *blk)
-{
-	des_key_schedule *p = (des_key_schedule *) key;
-
-	des_ecb_encrypt(blk, blk, p[0], DES_ENCRYPT);
-}
-
-static void
-des1_decrypt(caddr_t key, u_int8_t *blk)
-{
-	des_key_schedule *p = (des_key_schedule *) key;
-
-	des_ecb_encrypt(blk, blk, p[0], DES_DECRYPT);
-}
-
-static int
-des1_setkey(u_int8_t **sched, const u_int8_t *key, int len)
-{
-	des_key_schedule *p;
-	int err;
-
-	p = KMALLOC(sizeof (des_key_schedule),
-		M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
-	if (p != NULL) {
-		des_set_key(key, p[0]);
-		err = 0;
-	} else
-		err = ENOMEM;
-	*sched = (u_int8_t *) p;
-	return err;
-}
-
-static void
-des1_zerokey(u_int8_t **sched)
-{
-	bzero(*sched, sizeof (des_key_schedule));
-	KFREE(*sched, M_CRYPTO_DATA);
-	*sched = NULL;
-}
diff --git a/sys/opencrypto/xform_des3.c b/sys/opencrypto/xform_des3.c
deleted file mode 100644
index ea32a1ab49ff..000000000000
--- a/sys/opencrypto/xform_des3.c
+++ /dev/null
@@ -1,117 +0,0 @@
-/*	$OpenBSD: xform.c,v 1.16 2001/08/28 12:20:43 ben Exp $	*/
-/*-
- * The authors of this code are John Ioannidis (ji@tla.org),
- * Angelos D. Keromytis (kermit@csd.uch.gr),
- * Niels Provos (provos@physnet.uni-hamburg.de) and
- * Damien Miller (djm@mindrot.org).
- *
- * This code was written by John Ioannidis for BSD/OS in Athens, Greece,
- * in November 1995.
- *
- * Ported to OpenBSD and NetBSD, with additional transforms, in December 1996,
- * by Angelos D. Keromytis.
- *
- * Additional transforms and features in 1997 and 1998 by Angelos D. Keromytis
- * and Niels Provos.
- *
- * Additional features in 1999 by Angelos D. Keromytis.
- *
- * AES XTS implementation in 2008 by Damien Miller
- *
- * Copyright (C) 1995, 1996, 1997, 1998, 1999 by John Ioannidis,
- * Angelos D. Keromytis and Niels Provos.
- *
- * Copyright (C) 2001, Angelos D. Keromytis.
- *
- * Copyright (C) 2008, Damien Miller
- * Copyright (c) 2014 The FreeBSD Foundation
- * All rights reserved.
- *
- * Portions of this software were developed by John-Mark Gurney
- * under sponsorship of the FreeBSD Foundation and
- * Rubicon Communications, LLC (Netgate).
- *
- * Permission to use, copy, and modify this software with or without fee
- * is hereby granted, provided that this entire notice is included in
- * all copies of any software which is or includes a copy or
- * modification of this software.
- * You may use this code under the GNU public license if you so wish. Please
- * contribute changes back to the authors under this freer than GPL license
- * so that we may further the use of strong encryption without limitations to
- * all.
- *
- * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
- * IMPLIED WARRANTY. IN PARTICULAR, NONE OF THE AUTHORS MAKES ANY
- * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
- * MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
- * PURPOSE.
- */
-
-#include <sys/cdefs.h>
-__FBSDID("$FreeBSD$");
-
-#include <crypto/des/des.h>
-#include <opencrypto/xform_enc.h>
-
-static	int des3_setkey(u_int8_t **, const u_int8_t *, int);
-static	void des3_encrypt(caddr_t, u_int8_t *);
-static	void des3_decrypt(caddr_t, u_int8_t *);
-static	void des3_zerokey(u_int8_t **);
-
-/* Encryption instances */
-struct enc_xform enc_xform_3des = {
-	CRYPTO_3DES_CBC, "3DES",
-	DES3_BLOCK_LEN, DES3_BLOCK_LEN, TRIPLE_DES_MIN_KEY,
-	TRIPLE_DES_MAX_KEY,
-	des3_encrypt,
-	des3_decrypt,
-	des3_setkey,
-	des3_zerokey,
-	NULL,
-};
-
-/*
- * Encryption wrapper routines.
- */
-static void
-des3_encrypt(caddr_t key, u_int8_t *blk)
-{
-	des_key_schedule *p = (des_key_schedule *) key;
-
-	des_ecb3_encrypt(blk, blk, p[0], p[1], p[2], DES_ENCRYPT);
-}
-
-static void
-des3_decrypt(caddr_t key, u_int8_t *blk)
-{
-	des_key_schedule *p = (des_key_schedule *) key;
-
-	des_ecb3_encrypt(blk, blk, p[0], p[1], p[2], DES_DECRYPT);
-}
-
-static int
-des3_setkey(u_int8_t **sched, const u_int8_t *key, int len)
-{
-	des_key_schedule *p;
-	int err;
-
-	p = KMALLOC(3*sizeof (des_key_schedule),
-		M_CRYPTO_DATA, M_NOWAIT|M_ZERO);
-	if (p != NULL) {
-		des_set_key(key +  0, p[0]);
-		des_set_key(key +  8, p[1]);
-		des_set_key(key + 16, p[2]);
-		err = 0;
-	} else
-		err = ENOMEM;
-	*sched = (u_int8_t *) p;
-	return err;
-}
-
-static void
-des3_zerokey(u_int8_t **sched)
-{
-	bzero(*sched, 3*sizeof (des_key_schedule));
-	KFREE(*sched, M_CRYPTO_DATA);
-	*sched = NULL;
-}
diff --git a/sys/opencrypto/xform_enc.h b/sys/opencrypto/xform_enc.h
index de47dc0a6998..6597ffb74205 100644
--- a/sys/opencrypto/xform_enc.h
+++ b/sys/opencrypto/xform_enc.h
@@ -68,8 +68,6 @@ struct enc_xform {
 
 
 extern struct enc_xform enc_xform_null;
-extern struct enc_xform enc_xform_des;
-extern struct enc_xform enc_xform_3des;
 extern struct enc_xform enc_xform_blf;
 extern struct enc_xform enc_xform_rijndael128;
 extern struct enc_xform enc_xform_aes_icm;