authorMartin Ukrop <mukrop@redhat.com>2016-06-29 11:23:40 +0200
committerNikos Mavrogiannopoulos <nmav@redhat.com>2016-08-09 10:48:27 +0200
commit90637db1425813c81169b1f12a613a7b2df803f1 (patch)
tree1826a82d8e2a29c4e1d8322e0bddb9f1bfd901f6 /lib/includes
parent25154fcff0f8ce5c0094e365920a2d7ce3bccdc9 (diff)
downloadgnutls-90637db1425813c81169b1f12a613a7b2df803f1.tar.gz
x509: Separate out IP handling functions
- Moved IP/CIDR to string conversion functions into a separate header and exported them privately for use in tests.
- Placed ip_in_cidr() into a separate header for easy testing.
- Added a publicly available function to convert text CIDR to RFC5280 format for use in the name constraints extension.
- certtool: Use GnuTLS exported CIDR functions instead of local ones.
- Export mask_to_prefix, mask_ip for internal GnuTLS use.
- Introduce a new error value (malformed CIDR) and add it to the description functions in errors.c.

Signed-off-by: Martin Ukrop <mukrop@redhat.com>
Diffstat (limited to 'lib/includes')
-rw-r--r--lib/includes/gnutls/gnutls.h.in2
-rw-r--r--lib/includes/gnutls/x509.h1
2 files changed, 3 insertions, 0 deletions
diff --git a/lib/includes/gnutls/gnutls.h.in b/lib/includes/gnutls/gnutls.h.in
index 73ac461cd7..65a9ca1bfc 100644
--- a/lib/includes/gnutls/gnutls.h.in
+++ b/lib/includes/gnutls/gnutls.h.in
@@ -2666,6 +2666,8 @@ unsigned gnutls_fips140_mode_enabled(void);
#define GNUTLS_E_UNKNOWN_SRP_USERNAME -109
#define GNUTLS_E_PREMATURE_TERMINATION -110
+#define GNUTLS_E_MALFORMED_CIDR -111
+
#define GNUTLS_E_BASE64_ENCODING_ERROR -201
#define GNUTLS_E_INCOMPATIBLE_GCRYPT_LIBRARY -202 /* obsolete */
#define GNUTLS_E_INCOMPATIBLE_CRYPTO_LIBRARY -202
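Review bot: The new `GNUTLS_E_MALFORMED_CIDR` on the added line carries no comment saying what input produces it or how a caller should react, and this public header is where callers will look it up. Going by the commit message, it is presumably returned when a textual CIDR cannot be parsed on the way into a name constraints extension. If so, a caller that logs the code and carries on would issue a certificate without the constraint it meant to set, so the comment should say the input must be rejected. I would add something like `/* textual IP/CIDR could not be parsed; treat as a hard failure, do not skip the constraint */` after the define. The matching description string is said to live in errors.c, which is outside this diff, so it cannot be checked from here.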
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index 038a342ae6..ac2c2bb241 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -321,6 +321,7 @@ int gnutls_x509_name_constraints_get_permitted(gnutls_x509_name_constraints_t nc
int gnutls_x509_name_constraints_get_excluded(gnutls_x509_name_constraints_t nc,
unsigned idx,
unsigned *type, gnutls_datum_t * name);
+int gnutls_x509_cidr_to_rfc5280(const char *cidr, gnutls_datum_t *cidr_rfc5280);
#define GNUTLS_CRL_REASON_SUPERSEEDED GNUTLS_CRL_REASON_SUPERSEDED,