cipher/twofish-arm.S - nest-hello/510950009/libgcrypt - Git at Google

 /* twofish-arm.S  -  ARM assembly implementation of Twofish cipher
  *
  * Copyright © 2013 Jussi Kivilinna <jussi.kivilinna@iki.fi>
  *
  * This file is part of Libgcrypt.
  *
  * Libgcrypt is free software; you can redistribute it and/or modify
  * it under the terms of the GNU Lesser General Public License as
  * published by the Free Software Foundation; either version 2.1 of
  * the License, or (at your option) any later version.
  *
  * Libgcrypt is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU Lesser General Public License for more details.
  *
  * You should have received a copy of the GNU Lesser General Public
  * License along with this program; if not, see <http://www.gnu.org/licenses/>.
  */

 #include <config.h>

 #if defined(__ARMEL__)
 #ifdef HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS

 .text

 .syntax unified
 .arm

 /* structure of TWOFISH_context: */
 #define s0 0
 #define s1 ((s0) + 4 * 256)
 #define s2 ((s1) + 4 * 256)
 #define s3 ((s2) + 4 * 256)
 #define w  ((s3) + 4 * 256)
 #define k  ((w) + 4 * 8)

 /* register macros */
 #define CTX %r0
 #define CTXs0 %r0
 #define CTXs1 %r1
 #define CTXs3 %r7

 #define RA %r3
 #define RB %r4
 #define RC %r5
 #define RD %r6

 #define RX %r2
 #define RY %ip

 #define RMASK %lr

 #define RT0 %r8
 #define RT1 %r9
 #define RT2 %r10
 #define RT3 %r11

 /* helper macros */
 #define ldr_unaligned_le(rout, rsrc, offs, rtmp) \
 	ldrb rout, [rsrc, #((offs) + 0)]; \
 	ldrb rtmp, [rsrc, #((offs) + 1)]; \
 	orr rout, rout, rtmp, lsl #8; \
 	ldrb rtmp, [rsrc, #((offs) + 2)]; \
 	orr rout, rout, rtmp, lsl #16; \
 	ldrb rtmp, [rsrc, #((offs) + 3)]; \
 	orr rout, rout, rtmp, lsl #24;

 #define str_unaligned_le(rin, rdst, offs, rtmp0, rtmp1) \
 	mov rtmp0, rin, lsr #8; \
 	strb rin, [rdst, #((offs) + 0)]; \
 	mov rtmp1, rin, lsr #16; \
 	strb rtmp0, [rdst, #((offs) + 1)]; \
 	mov rtmp0, rin, lsr #24; \
 	strb rtmp1, [rdst, #((offs) + 2)]; \
 	strb rtmp0, [rdst, #((offs) + 3)];

 #ifndef __ARMEL__
 	/* bswap on big-endian */
 	#define host_to_le(reg) \
 		rev reg, reg;
 	#define le_to_host(reg) \
 		rev reg, reg;
 #else
 	/* nop on little-endian */
 	#define host_to_le(reg) /*_*/
 	#define le_to_host(reg) /*_*/
 #endif

 #define ldr_input_aligned_le(rin, a, b, c, d) \
 	ldr a, [rin, #0]; \
 	ldr b, [rin, #4]; \
 	le_to_host(a); \
 	ldr c, [rin, #8]; \
 	le_to_host(b); \
 	ldr d, [rin, #12]; \
 	le_to_host(c); \
 	le_to_host(d);

 #define str_output_aligned_le(rout, a, b, c, d) \
 	le_to_host(a); \
 	le_to_host(b); \
 	str a, [rout, #0]; \
 	le_to_host(c); \
 	str b, [rout, #4]; \
 	le_to_host(d); \
 	str c, [rout, #8]; \
 	str d, [rout, #12];

 #ifdef __ARM_FEATURE_UNALIGNED
 	/* unaligned word reads/writes allowed */
 	#define ldr_input_le(rin, ra, rb, rc, rd, rtmp) \
 		ldr_input_aligned_le(rin, ra, rb, rc, rd)

 	#define str_output_le(rout, ra, rb, rc, rd, rtmp0, rtmp1) \
 		str_output_aligned_le(rout, ra, rb, rc, rd)
 #else
 	/* need to handle unaligned reads/writes by byte reads */
 	#define ldr_input_le(rin, ra, rb, rc, rd, rtmp0) \
 		tst rin, #3; \
 		beq 1f; \
 			ldr_unaligned_le(ra, rin, 0, rtmp0); \
 			ldr_unaligned_le(rb, rin, 4, rtmp0); \
 			ldr_unaligned_le(rc, rin, 8, rtmp0); \
 			ldr_unaligned_le(rd, rin, 12, rtmp0); \
 			b 2f; \
 		1:;\
 			ldr_input_aligned_le(rin, ra, rb, rc, rd); \
 		2:;

 	#define str_output_le(rout, ra, rb, rc, rd, rtmp0, rtmp1) \
 		tst rout, #3; \
 		beq 1f; \
 			str_unaligned_le(ra, rout, 0, rtmp0, rtmp1); \
 			str_unaligned_le(rb, rout, 4, rtmp0, rtmp1); \
 			str_unaligned_le(rc, rout, 8, rtmp0, rtmp1); \
 			str_unaligned_le(rd, rout, 12, rtmp0, rtmp1); \
 			b 2f; \
 		1:;\
 			str_output_aligned_le(rout, ra, rb, rc, rd); \
 		2:;
 #endif

 /**********************************************************************
   1-way twofish
  **********************************************************************/
 #define encrypt_round(a, b, rc, rd, n, ror_a, adj_a) \
 	and RT0, RMASK, b, lsr#(8 - 2); \
 	and RY, RMASK, b, lsr#(16 - 2); \
 	add RT0, RT0, #(s2 - s1); \
 	and RT1, RMASK, b, lsr#(24 - 2); \
 	ldr RY, [CTXs3, RY]; \
 	and RT2, RMASK, b, lsl#(2); \
 	ldr RT0, [CTXs1, RT0]; \
 	and RT3, RMASK, a, lsr#(16 - 2 + (adj_a)); \
 	ldr RT1, [CTXs0, RT1]; \
 	and RX, RMASK, a, lsr#(8 - 2 + (adj_a)); \
 	ldr RT2, [CTXs1, RT2]; \
 	add RT3, RT3, #(s2 - s1); \
 	ldr RX, [CTXs1, RX]; \
 	ror_a(a); \
 	\
 	eor RY, RY, RT0; \
 	ldr RT3, [CTXs1, RT3]; \
 	and RT0, RMASK, a, lsl#(2); \
 	eor RY, RY, RT1; \
 	and RT1, RMASK, a, lsr#(24 - 2); \
 	eor RY, RY, RT2; \
 	ldr RT0, [CTXs0, RT0]; \
 	eor RX, RX, RT3; \
 	ldr RT1, [CTXs3, RT1]; \
 	eor RX, RX, RT0; \
 	\
 	ldr RT3, [CTXs3, #(k - s3 + 8 * (n) + 4)]; \
 	eor RX, RX, RT1; \
 	ldr RT2, [CTXs3, #(k - s3 + 8 * (n))]; \
 	\
 	add RT0, RX, RY, lsl #1; \
 	add RX, RX, RY; \
 	add RT0, RT0, RT3; \
 	add RX, RX, RT2; \
 	eor rd, RT0, rd, ror #31; \
 	eor rc, rc, RX;

 #define dummy(x) /*_*/

 #define ror1(r) \
 	ror r, r, #1;

 #define decrypt_round(a, b, rc, rd, n, ror_b, adj_b) \
 	and RT3, RMASK, b, lsl#(2 - (adj_b)); \
 	and RT1, RMASK, b, lsr#(8 - 2 + (adj_b)); \
 	ror_b(b); \
 	and RT2, RMASK, a, lsl#(2); \
 	and RT0, RMASK, a, lsr#(8 - 2); \
 	\
 	ldr RY, [CTXs1, RT3]; \
 	add RT1, RT1, #(s2 - s1); \
 	ldr RX, [CTXs0, RT2]; \
 	and RT3, RMASK, b, lsr#(16 - 2); \
 	ldr RT1, [CTXs1, RT1]; \
 	and RT2, RMASK, a, lsr#(16 - 2); \
 	ldr RT0, [CTXs1, RT0]; \
 	\
 	add RT2, RT2, #(s2 - s1); \
 	ldr RT3, [CTXs3, RT3]; \
 	eor RY, RY, RT1; \
 	\
 	and RT1, RMASK, b, lsr#(24 - 2); \
 	eor RX, RX, RT0; \
 	ldr RT2, [CTXs1, RT2]; \
 	and RT0, RMASK, a, lsr#(24 - 2); \
 	\
 	ldr RT1, [CTXs0, RT1]; \
 	\
 	eor RY, RY, RT3; \
 	ldr RT0, [CTXs3, RT0]; \
 	eor RX, RX, RT2; \
 	eor RY, RY, RT1; \
 	\
 	ldr RT1, [CTXs3, #(k - s3 + 8 * (n) + 4)]; \
 	eor RX, RX, RT0; \
 	ldr RT2, [CTXs3, #(k - s3 + 8 * (n))]; \
 	\
 	add RT0, RX, RY, lsl #1; \
 	add RX, RX, RY; \
 	add RT0, RT0, RT1; \
 	add RX, RX, RT2; \
 	eor rd, rd, RT0; \
 	eor rc, RX, rc, ror #31;

 #define first_encrypt_cycle(nc) \
 	encrypt_round(RA, RB, RC, RD, (nc) * 2, dummy, 0); \
 	encrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1);

 #define encrypt_cycle(nc) \
 	encrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1); \
 	encrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1);

 #define last_encrypt_cycle(nc) \
 	encrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1); \
 	encrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1); \
 	ror1(RA);

 #define first_decrypt_cycle(nc) \
 	decrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, dummy, 0); \
 	decrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1);

 #define decrypt_cycle(nc) \
 	decrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1); \
 	decrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1);

 #define last_decrypt_cycle(nc) \
 	decrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1); \
 	decrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1); \
 	ror1(RD);

 .align 3
 .globl _gcry_twofish_arm_encrypt_block
 .type   _gcry_twofish_arm_encrypt_block,%function;

 _gcry_twofish_arm_encrypt_block:
 	/* input:
 	 *	%r0: ctx
 	 *	%r1: dst
 	 *	%r2: src
 	 */
 	push {%r1, %r4-%r11, %ip, %lr};

 	add RY, CTXs0, #w;

 	ldr_input_le(%r2, RA, RB, RC, RD, RT0);

 	/* Input whitening */
 	ldm RY, {RT0, RT1, RT2, RT3};
 	add CTXs3, CTXs0, #(s3 - s0);
 	add CTXs1, CTXs0, #(s1 - s0);
 	mov RMASK, #(0xff << 2);
 	eor RA, RA, RT0;
 	eor RB, RB, RT1;
 	eor RC, RC, RT2;
 	eor RD, RD, RT3;

 	first_encrypt_cycle(0);
 	encrypt_cycle(1);
 	encrypt_cycle(2);
 	encrypt_cycle(3);
 	encrypt_cycle(4);
 	encrypt_cycle(5);
 	encrypt_cycle(6);
 	last_encrypt_cycle(7);

 	add RY, CTXs3, #(w + 4*4 - s3);
 	pop {%r1}; /* dst */

 	/* Output whitening */
 	ldm RY, {RT0, RT1, RT2, RT3};
 	eor RC, RC, RT0;
 	eor RD, RD, RT1;
 	eor RA, RA, RT2;
 	eor RB, RB, RT3;

 	str_output_le(%r1, RC, RD, RA, RB, RT0, RT1);

 	pop {%r4-%r11, %ip, %pc};
 .ltorg
 .size _gcry_twofish_arm_encrypt_block,.-_gcry_twofish_arm_encrypt_block;

 .align 3
 .globl _gcry_twofish_arm_decrypt_block
 .type   _gcry_twofish_arm_decrypt_block,%function;

 _gcry_twofish_arm_decrypt_block:
 	/* input:
 	 *	%r0: ctx
 	 *	%r1: dst
 	 *	%r2: src
 	 */
 	push {%r1, %r4-%r11, %ip, %lr};

 	add CTXs3, CTXs0, #(s3 - s0);

 	ldr_input_le(%r2, RC, RD, RA, RB, RT0);

 	add RY, CTXs3, #(w + 4*4 - s3);
 	add CTXs3, CTXs0, #(s3 - s0);

 	/* Input whitening */
 	ldm RY, {RT0, RT1, RT2, RT3};
 	add CTXs1, CTXs0, #(s1 - s0);
 	mov RMASK, #(0xff << 2);
 	eor RC, RC, RT0;
 	eor RD, RD, RT1;
 	eor RA, RA, RT2;
 	eor RB, RB, RT3;

 	first_decrypt_cycle(7);
 	decrypt_cycle(6);
 	decrypt_cycle(5);
 	decrypt_cycle(4);
 	decrypt_cycle(3);
 	decrypt_cycle(2);
 	decrypt_cycle(1);
 	last_decrypt_cycle(0);

 	add RY, CTXs0, #w;
 	pop {%r1}; /* dst */

 	/* Output whitening */
 	ldm RY, {RT0, RT1, RT2, RT3};
 	eor RA, RA, RT0;
 	eor RB, RB, RT1;
 	eor RC, RC, RT2;
 	eor RD, RD, RT3;

 	str_output_le(%r1, RA, RB, RC, RD, RT0, RT1);

 	pop {%r4-%r11, %ip, %pc};
 .size _gcry_twofish_arm_decrypt_block,.-_gcry_twofish_arm_decrypt_block;

 #endif /*HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS*/
 #endif /*__ARMEL__*/
	/* twofish-arm.S - ARM assembly implementation of Twofish cipher
	*
	* Copyright © 2013 Jussi Kivilinna <jussi.kivilinna@iki.fi>
	*
	* This file is part of Libgcrypt.
	*
	* Libgcrypt is free software; you can redistribute it and/or modify
	* it under the terms of the GNU Lesser General Public License as
	* published by the Free Software Foundation; either version 2.1 of
	* the License, or (at your option) any later version.
	*
	* Libgcrypt is distributed in the hope that it will be useful,
	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	* GNU Lesser General Public License for more details.
	*
	* You should have received a copy of the GNU Lesser General Public
	* License along with this program; if not, see <http://www.gnu.org/licenses/>.
	*/

	#include <config.h>

	#if defined(__ARMEL__)
	#ifdef HAVE_COMPATIBLE_GCC_ARM_PLATFORM_AS

	.text

	.syntax unified
	.arm

	/* structure of TWOFISH_context: */
	#define s0 0
	#define s1 ((s0) + 4 * 256)
	#define s2 ((s1) + 4 * 256)
	#define s3 ((s2) + 4 * 256)
	#define w ((s3) + 4 * 256)
	#define k ((w) + 4 * 8)

	/* register macros */
	#define CTX %r0
	#define CTXs0 %r0
	#define CTXs1 %r1
	#define CTXs3 %r7

	#define RA %r3
	#define RB %r4
	#define RC %r5
	#define RD %r6

	#define RX %r2
	#define RY %ip

	#define RMASK %lr

	#define RT0 %r8
	#define RT1 %r9
	#define RT2 %r10
	#define RT3 %r11

	/* helper macros */
	#define ldr_unaligned_le(rout, rsrc, offs, rtmp) \
	ldrb rout, [rsrc, #((offs) + 0)]; \
	ldrb rtmp, [rsrc, #((offs) + 1)]; \
	orr rout, rout, rtmp, lsl #8; \
	ldrb rtmp, [rsrc, #((offs) + 2)]; \
	orr rout, rout, rtmp, lsl #16; \
	ldrb rtmp, [rsrc, #((offs) + 3)]; \
	orr rout, rout, rtmp, lsl #24;

	#define str_unaligned_le(rin, rdst, offs, rtmp0, rtmp1) \
	mov rtmp0, rin, lsr #8; \
	strb rin, [rdst, #((offs) + 0)]; \
	mov rtmp1, rin, lsr #16; \
	strb rtmp0, [rdst, #((offs) + 1)]; \
	mov rtmp0, rin, lsr #24; \
	strb rtmp1, [rdst, #((offs) + 2)]; \
	strb rtmp0, [rdst, #((offs) + 3)];

	#ifndef __ARMEL__
	/* bswap on big-endian */
	#define host_to_le(reg) \
	rev reg, reg;
	#define le_to_host(reg) \
	rev reg, reg;
	#else
	/* nop on little-endian */
	#define host_to_le(reg) /_/
	#define le_to_host(reg) /_/
	#endif

	#define ldr_input_aligned_le(rin, a, b, c, d) \
	ldr a, [rin, #0]; \
	ldr b, [rin, #4]; \
	le_to_host(a); \
	ldr c, [rin, #8]; \
	le_to_host(b); \
	ldr d, [rin, #12]; \
	le_to_host(c); \
	le_to_host(d);

	#define str_output_aligned_le(rout, a, b, c, d) \
	le_to_host(a); \
	le_to_host(b); \
	str a, [rout, #0]; \
	le_to_host(c); \
	str b, [rout, #4]; \
	le_to_host(d); \
	str c, [rout, #8]; \
	str d, [rout, #12];

	#ifdef __ARM_FEATURE_UNALIGNED
	/* unaligned word reads/writes allowed */
	#define ldr_input_le(rin, ra, rb, rc, rd, rtmp) \
	ldr_input_aligned_le(rin, ra, rb, rc, rd)

	#define str_output_le(rout, ra, rb, rc, rd, rtmp0, rtmp1) \
	str_output_aligned_le(rout, ra, rb, rc, rd)
	#else
	/* need to handle unaligned reads/writes by byte reads */
	#define ldr_input_le(rin, ra, rb, rc, rd, rtmp0) \
	tst rin, #3; \
	beq 1f; \
	ldr_unaligned_le(ra, rin, 0, rtmp0); \
	ldr_unaligned_le(rb, rin, 4, rtmp0); \
	ldr_unaligned_le(rc, rin, 8, rtmp0); \
	ldr_unaligned_le(rd, rin, 12, rtmp0); \
	b 2f; \
	1:;\
	ldr_input_aligned_le(rin, ra, rb, rc, rd); \
	2:;

	#define str_output_le(rout, ra, rb, rc, rd, rtmp0, rtmp1) \
	tst rout, #3; \
	beq 1f; \
	str_unaligned_le(ra, rout, 0, rtmp0, rtmp1); \
	str_unaligned_le(rb, rout, 4, rtmp0, rtmp1); \
	str_unaligned_le(rc, rout, 8, rtmp0, rtmp1); \
	str_unaligned_le(rd, rout, 12, rtmp0, rtmp1); \
	b 2f; \
	1:;\
	str_output_aligned_le(rout, ra, rb, rc, rd); \
	2:;
	#endif

	/**********************************************************************
	1-way twofish
	**********************************************************************/
	#define encrypt_round(a, b, rc, rd, n, ror_a, adj_a) \
	and RT0, RMASK, b, lsr#(8 - 2); \
	and RY, RMASK, b, lsr#(16 - 2); \
	add RT0, RT0, #(s2 - s1); \
	and RT1, RMASK, b, lsr#(24 - 2); \
	ldr RY, [CTXs3, RY]; \
	and RT2, RMASK, b, lsl#(2); \
	ldr RT0, [CTXs1, RT0]; \
	and RT3, RMASK, a, lsr#(16 - 2 + (adj_a)); \
	ldr RT1, [CTXs0, RT1]; \
	and RX, RMASK, a, lsr#(8 - 2 + (adj_a)); \
	ldr RT2, [CTXs1, RT2]; \
	add RT3, RT3, #(s2 - s1); \
	ldr RX, [CTXs1, RX]; \
	ror_a(a); \
	\
	eor RY, RY, RT0; \
	ldr RT3, [CTXs1, RT3]; \
	and RT0, RMASK, a, lsl#(2); \
	eor RY, RY, RT1; \
	and RT1, RMASK, a, lsr#(24 - 2); \
	eor RY, RY, RT2; \
	ldr RT0, [CTXs0, RT0]; \
	eor RX, RX, RT3; \
	ldr RT1, [CTXs3, RT1]; \
	eor RX, RX, RT0; \
	\
	ldr RT3, [CTXs3, #(k - s3 + 8 * (n) + 4)]; \
	eor RX, RX, RT1; \
	ldr RT2, [CTXs3, #(k - s3 + 8 * (n))]; \
	\
	add RT0, RX, RY, lsl #1; \
	add RX, RX, RY; \
	add RT0, RT0, RT3; \
	add RX, RX, RT2; \
	eor rd, RT0, rd, ror #31; \
	eor rc, rc, RX;

	#define dummy(x) /_/

	#define ror1(r) \
	ror r, r, #1;

	#define decrypt_round(a, b, rc, rd, n, ror_b, adj_b) \
	and RT3, RMASK, b, lsl#(2 - (adj_b)); \
	and RT1, RMASK, b, lsr#(8 - 2 + (adj_b)); \
	ror_b(b); \
	and RT2, RMASK, a, lsl#(2); \
	and RT0, RMASK, a, lsr#(8 - 2); \
	\
	ldr RY, [CTXs1, RT3]; \
	add RT1, RT1, #(s2 - s1); \
	ldr RX, [CTXs0, RT2]; \
	and RT3, RMASK, b, lsr#(16 - 2); \
	ldr RT1, [CTXs1, RT1]; \
	and RT2, RMASK, a, lsr#(16 - 2); \
	ldr RT0, [CTXs1, RT0]; \
	\
	add RT2, RT2, #(s2 - s1); \
	ldr RT3, [CTXs3, RT3]; \
	eor RY, RY, RT1; \
	\
	and RT1, RMASK, b, lsr#(24 - 2); \
	eor RX, RX, RT0; \
	ldr RT2, [CTXs1, RT2]; \
	and RT0, RMASK, a, lsr#(24 - 2); \
	\
	ldr RT1, [CTXs0, RT1]; \
	\
	eor RY, RY, RT3; \
	ldr RT0, [CTXs3, RT0]; \
	eor RX, RX, RT2; \
	eor RY, RY, RT1; \
	\
	ldr RT1, [CTXs3, #(k - s3 + 8 * (n) + 4)]; \
	eor RX, RX, RT0; \
	ldr RT2, [CTXs3, #(k - s3 + 8 * (n))]; \
	\
	add RT0, RX, RY, lsl #1; \
	add RX, RX, RY; \
	add RT0, RT0, RT1; \
	add RX, RX, RT2; \
	eor rd, rd, RT0; \
	eor rc, RX, rc, ror #31;

	#define first_encrypt_cycle(nc) \
	encrypt_round(RA, RB, RC, RD, (nc) * 2, dummy, 0); \
	encrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1);

	#define encrypt_cycle(nc) \
	encrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1); \
	encrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1);

	#define last_encrypt_cycle(nc) \
	encrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1); \
	encrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1); \
	ror1(RA);

	#define first_decrypt_cycle(nc) \
	decrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, dummy, 0); \
	decrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1);

	#define decrypt_cycle(nc) \
	decrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1); \
	decrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1);

	#define last_decrypt_cycle(nc) \
	decrypt_round(RC, RD, RA, RB, (nc) * 2 + 1, ror1, 1); \
	decrypt_round(RA, RB, RC, RD, (nc) * 2, ror1, 1); \
	ror1(RD);

	.align 3
	.globl _gcry_twofish_arm_encrypt_block
	.type _gcry_twofish_arm_encrypt_block,%function;

	_gcry_twofish_arm_encrypt_block:
	/* input:
	* %r0: ctx
	* %r1: dst
	* %r2: src
	*/
	push {%r1, %r4-%r11, %ip, %lr};

	add RY, CTXs0, #w;

	ldr_input_le(%r2, RA, RB, RC, RD, RT0);

	/* Input whitening */
	ldm RY, {RT0, RT1, RT2, RT3};
	add CTXs3, CTXs0, #(s3 - s0);
	add CTXs1, CTXs0, #(s1 - s0);
	mov RMASK, #(0xff << 2);
	eor RA, RA, RT0;
	eor RB, RB, RT1;
	eor RC, RC, RT2;
	eor RD, RD, RT3;

	first_encrypt_cycle(0);
	encrypt_cycle(1);
	encrypt_cycle(2);
	encrypt_cycle(3);
	encrypt_cycle(4);
	encrypt_cycle(5);
	encrypt_cycle(6);
	last_encrypt_cycle(7);

	add RY, CTXs3, #(w + 4*4 - s3);
	pop {%r1}; /* dst */

	/* Output whitening */
	ldm RY, {RT0, RT1, RT2, RT3};
	eor RC, RC, RT0;
	eor RD, RD, RT1;
	eor RA, RA, RT2;
	eor RB, RB, RT3;

	str_output_le(%r1, RC, RD, RA, RB, RT0, RT1);

	pop {%r4-%r11, %ip, %pc};
	.ltorg
	.size _gcry_twofish_arm_encrypt_block,.-_gcry_twofish_arm_encrypt_block;

	.align 3
	.globl _gcry_twofish_arm_decrypt_block
	.type _gcry_twofish_arm_decrypt_block,%function;

	_gcry_twofish_arm_decrypt_block:
	/* input:
	* %r0: ctx
	* %r1: dst
	* %r2: src
	*/
	push {%r1, %r4-%r11, %ip, %lr};

	add CTXs3, CTXs0, #(s3 - s0);

	ldr_input_le(%r2, RC, RD, RA, RB, RT0);

	add RY, CTXs3, #(w + 4*4 - s3);
	add CTXs3, CTXs0, #(s3 - s0);

	/* Input whitening */
	ldm RY, {RT0, RT1, RT2, RT3};
	add CTXs1, CTXs0, #(s1 - s0);
	mov RMASK, #(0xff << 2);
	eor RC, RC, RT0;
	eor RD, RD, RT1;
	eor RA, RA, RT2;
	eor RB, RB, RT3;

	first_decrypt_cycle(7);
	decrypt_cycle(6);
	decrypt_cycle(5);
	decrypt_cycle(4);
	decrypt_cycle(3);
	decrypt_cycle(2);
	decrypt_cycle(1);
	last_decrypt_cycle(0);

	add RY, CTXs0, #w;
	pop {%r1}; /* dst */

	/* Output whitening */
	ldm RY, {RT0, RT1, RT2, RT3};
	eor RA, RA, RT0;
	eor RB, RB, RT1;
	eor RC, RC, RT2;
	eor RD, RD, RT3;

	str_output_le(%r1, RA, RB, RC, RD, RT0, RT1);

	pop {%r4-%r11, %ip, %pc};
	.size _gcry_twofish_arm_decrypt_block,.-_gcry_twofish_arm_decrypt_block;

	#endif /HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS/
	#endif /__ARMEL__/