404881 Allow regexs for SslContextFactory.setIncludeCipherSuites() and .setExcludeCipherSuites()

jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java

@@ -41,6 +41,9 @@ import java.util.Collections;
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.concurrent.CopyOnWriteArraySet;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import javax.net.ssl.CertPathTrustManagerParameters;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
@@ -369,6 +372,7 @@ public class SslContextFactory extends AbstractLifeCycle
     }
 
     /**
+     * You can either use the exact cipher suite name or a a regular expression.
      * @param cipherSuites
      *            The array of cipher suite names to exclude from
      *            {@link SSLEngine#setEnabledCipherSuites(String[])}
@@ -399,6 +403,7 @@ public class SslContextFactory extends AbstractLifeCycle
     }
 
     /**
+     * You can either use the exact cipher suite name or a a regular expression.
      * @param cipherSuites
      *            The array of cipher suite names to include in
      *            {@link SSLEngine#setEnabledCipherSuites(String[])}
@@ -1035,25 +1040,47 @@ public class SslContextFactory extends AbstractLifeCycle
      */
     public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
     {
-        Set<String> selected_ciphers = new LinkedHashSet<>();
+        Set<String> selected_ciphers = new CopyOnWriteArraySet<>();
 
         // Set the starting ciphers - either from the included or enabled list
         if (_includeCipherSuites!=null)
-        {
-            // Use only the supported included ciphers
-            for (String cipherSuite : _includeCipherSuites)
-                if(Arrays.asList(supportedCipherSuites).contains(cipherSuite))
-                    selected_ciphers.add(cipherSuite);
-        }
+            processIncludeCipherSuites(supportedCipherSuites, selected_ciphers);
         else
             selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
 
+        removeExcludedCipherSuites(selected_ciphers);
 
-        // Remove any excluded ciphers
-        selected_ciphers.removeAll(_excludeCipherSuites);
         return selected_ciphers.toArray(new String[selected_ciphers.size()]);
     }
 
+    private void processIncludeCipherSuites(String[] supportedCipherSuites, Set<String> selected_ciphers)
+    {
+        for (String cipherSuite : _includeCipherSuites)
+        {
+            Pattern p = Pattern.compile(cipherSuite);
+            for (String supportedCipherSuite : supportedCipherSuites)
+            {
+                Matcher m = p.matcher(supportedCipherSuite);
+                if (m.matches())
+                    selected_ciphers.add(supportedCipherSuite);
+            }
+        }
+    }
+
+    private void removeExcludedCipherSuites(Set<String> selected_ciphers)
+    {
+        for (String excludeCipherSuite : _excludeCipherSuites)
+        {
+            Pattern excludeCipherPattern = Pattern.compile(excludeCipherSuite);
+            for (String selectedCipherSuite : selected_ciphers)
+            {
+                Matcher m = excludeCipherPattern.matcher(selectedCipherSuite);
+                if (m.matches())
+                    selected_ciphers.remove(selectedCipherSuite);
+            }
+        }
+    }
+
     /**
      * Check if the lifecycle has been started and throw runtime exception
      */

jetty-util/src/test/java/org/eclipse/jetty/util/ssl/SslContextFactoryTest.java

@@ -18,15 +18,12 @@
 
 package org.eclipse.jetty.util.ssl;
 
-import static org.hamcrest.Matchers.equalTo;
-import static org.hamcrest.Matchers.is;
-import static org.junit.Assert.assertThat;
-import static org.junit.Assert.assertTrue;
-
 import java.io.IOException;
 import java.io.InputStream;
 import java.security.KeyStore;
 
+import javax.net.ssl.SSLEngine;
+
 import org.eclipse.jetty.util.component.AbstractLifeCycle;
 import org.eclipse.jetty.util.log.Log;
 import org.eclipse.jetty.util.log.StdErrLog;
@@ -35,6 +32,12 @@ import org.junit.Assert;
 import org.junit.Before;
 import org.junit.Test;
 
+import static org.hamcrest.Matchers.equalTo;
+import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+
 
 public class SslContextFactoryTest
 {
@@ -189,6 +192,30 @@ public class SslContextFactoryTest
         }
     }
 
+    @Test
+    public void testSetExcludeCipherSuitesRegex() throws Exception
+    {
+        cf.setExcludeCipherSuites(".*RC4.*");
+        cf.start();
+        SSLEngine sslEngine = cf.newSSLEngine();
+        String[] enabledCipherSuites = sslEngine.getEnabledCipherSuites();
+        assertThat("At least 1 cipherSuite is enabled", enabledCipherSuites.length, greaterThan(0));
+        for (String enabledCipherSuite : enabledCipherSuites)
+            assertThat("CipherSuite does not contain RC4", enabledCipherSuite.contains("RC4"), is(false));
+    }
+
+    @Test
+    public void testSetIncludeCipherSuitesRegex() throws Exception
+    {
+        cf.setIncludeCipherSuites(".*RC4.*");
+        cf.start();
+        SSLEngine sslEngine = cf.newSSLEngine();
+        String[] enabledCipherSuites = sslEngine.getEnabledCipherSuites();
+        assertThat("At least 1 cipherSuite is enabled", enabledCipherSuites.length, greaterThan(0));
+        for (String enabledCipherSuite : enabledCipherSuites)
+            assertThat("CipherSuite contains RC4", enabledCipherSuite.contains("RC4"), is(true));
+    }
+
     @Test
     public void testSetIncludeCipherSuitesPreservesOrder()
     {