Add conditional build and licensing terms for ja4+

configure.ac

@@ -171,7 +171,6 @@ AC_ARG_ENABLE(maxmind,
 [  --enable-maxmind        Build geolookup for MaxMind GeoDB; default is NO],
 build_maxmind="yes"
 AM_CONDITIONAL([MAXMIND], true)
-CFLAGS="$CFLAGS -DBUILDMAXMIND"
 ,
 build_maxmind="no"
 AM_CONDITIONAL([MAXMIND], false)
@@ -188,11 +187,14 @@ AM_CONDITIONAL(TORLOOKUP, false)
 )
 
 AC_ARG_ENABLE(ja4,
-[  --enable-ja4        Build with ja4 fingerprinting code; May require a license; default is NO])
-
-AS_IF([test "x$enable_ja4" = xyes], 
-	build_ja4="$enable_ja4", build_ja4="no")
-AM_CONDITIONAL([JA4], [test "x$build_ja4" = "xyes"])
+[  --enable-ja4        Build with ja4 fingerprinting code; May require a license; default is NO],
+build_ja4="yes"
+AM_CONDITIONAL(JA4, true)
+CFLAGS="$CFLAGS -DBUILDJA4"
+,
+build_ja4="no"
+AM_CONDITIONAL(JA4, false)
+)
 
 AC_ARG_ENABLE(nfprofile,
 [  --enable-nfprofile      Build nfprofile used by NfSen; default is NO])
@@ -688,6 +690,15 @@ echo "----------------------------------"
 echo ""
 echo " You can run ./make now." 
 echo ""
+if test "x$build_ja4" = "xyes"; then
+echo "* Ja4 code enabled."
+echo "* JA4: TLS Client Fingerprinting is open-source, BSD 3-Clause"
+echo "* All other JA4+ additions are licensed under the FoxIO License 1.1"
+echo "* See https://github.com/FoxIO-LLC/ja4/blob/main/LICENSE"
+echo "* as well as the license FAQ:"
+echo "* https://github.com/FoxIO-LLC/ja4/blob/main/License%20FAQ.md"
+fi
+echo ""
 echo "* Many thanks for using nfdump tools"
 echo "* See https://github.com/phaag/nfdump/issues"
 echo "* For bug open a ticket or send a bug report to [email protected]"

src/libnfdump/Makefile.am

@@ -11,7 +11,10 @@ LDADD =  $(DEPS_LIBS)
 filter = filter/grammar.y filter/scanner.l filter/filter.c filter/filter.h filter/ipconv.c filter/ipconv.h rbtree.h
 regex = sgregex/sgregex.c sgregex/sgregex.h
 decode  = dns/dns.c dns/dns.h
-decode += ssl/ssl.c ssl/ssl.h ja3/ja3.c ja3/ja3.h ja4/ja4.c ja4/ja4.h ja4/ja4s.c ja4/ja4s.h
+decode += ssl/ssl.c ssl/ssl.h ja3/ja3.c ja3/ja3.h ja4/ja4.c ja4/ja4.h ja4/ja4s.h
+if JA4
+decode += ja4/ja4s.c
+endif
 digest  = digest/md5.c digest/md5.h digest/sha256.c digest/sha256.h
 maxmind = maxmind/maxmind.c maxmind/maxmind.h maxmind/mmhash.c maxmind/mmhash.h
 tor = tor/tor.c tor/tor.h 

src/libnfdump/filter/grammar.y

@@ -1297,12 +1297,17 @@ static int AddPayload(char *type, char *arg, char *opt) {
 	} else if (strcasecmp(type, "ja4") == 0) {
 		return AddPayloadJA4(type, arg, opt);
 	} else if (strcasecmp(type, "ja4s") == 0) {
+#ifdef BUILDJA4
 		if ( ja4sCheck(arg) == 0 ){
 			yyerror("String %s is not a valid ja4s string", arg);
 			return -1;
 		}
 		data_t data = {.dataPtr=strdup(arg)};
 		return NewElement(JA4index, OFFja4String, SIZEja4sString, 0, CMP_STRING, FUNC_NONE, data);
+#else
+		yyerror("ja4s code not enabled", arg);
+		return -1;
+#endif
 	} else {
 		yyerror("Unknown PAYLOAD argument: %s\n", type);
 		return -1;

src/libnfdump/ja4/ja4.h

@@ -90,8 +90,16 @@ ja4_t *ja4Process(ssl_t *ssl, uint8_t proto);
 
 #define SIZEja4sString 25
 
+/*
+ * conditional compile ja4s code, if cofigured and ja4 license conditions are met
+ */
+#ifdef BUILDJA4
 int ja4sCheck(char *ja4sString);
 
-ja4_t *ja4sProcess(ssl_t *ssl, uint8_t proto);
+ja4_t *_ja4sProcess(ssl_t *ssl, uint8_t proto);
+#define ja4sProcess(s, p) _ja4sProcess(s, p)
+#else
+#define ja4sProcess(s, p) NULL
+#endif
 
 #endif

src/libnfdump/ja4/ja4s.c

@@ -45,7 +45,7 @@
 
 #define MAX(X, Y) (((X) > (Y)) ? (X) : (Y))
 
-ja4_t *ja4sProcess(ssl_t *ssl, uint8_t proto) {
+ja4_t *_ja4sProcess(ssl_t *ssl, uint8_t proto) {
     if (!ssl || ssl->type != SERVERssl) return NULL;
 
     ja4_t *ja4 = malloc(sizeof(ja4_t) + SIZEja4sString + 1);
@@ -129,7 +129,6 @@ ja4_t *ja4sProcess(ssl_t *ssl, uint8_t proto) {
 
     ja4->type = TYPE_JA4S;
     return ja4;
-
 }  // End of ja4Process
 
 // ex. ja4s: t130200_1301_234ea6891581

src/nfdump/nfstat.c

@@ -183,7 +183,9 @@ struct StatParameter_s {
     {"nbar", "Nbar", {EXnbarAppID, OFFnbarAppID, SIZEnbarAppID, 0}, IS_NBAR, NOPROC},
     {"ja3", "ja3                             ", {JA3index, OFFja3String, SIZEja3String + 1, 0}, IS_JA3, JA3},
     {"ja4", "ja4                                ", {JA4index, OFFja4String, SIZEja4String + 1, 0}, IS_JA4, JA4},
+#ifdef BUILDJA4
     {"ja4s", "ja4s                    ", {JA4index, OFFja4String, SIZEja4sString + 1, 0}, IS_JA4S, JA4S},
+#endif
     {"odid", "Obs DomainID", {EXobservationID, OFFdomainID, SIZEdomainID, 0}, IS_HEXNUMBER, NOPROC},
     {"opid", "Obs PointID", {EXobservationID, OFFpointID, SIZEpointID, 0}, IS_HEXNUMBER, NOPROC},
     {"event", " Event", {EXnselCommonID, OFFfwEvent, SIZEfwEvent, 0}, IS_EVENT, NOPROC},

src/test/nftest.c

@@ -871,6 +871,7 @@ static void runTest(void) {
     CheckFilter("payload ja4 defined", recordHandle, 1);
     recordHandle->extensionList[JA4index] = NULL;
     CheckFilter("payload ja4 defined", recordHandle, 0);
+#ifdef BUILDJA4
     // ja4s
     ja4->type = TYPE_JA4S;
     recordHandle->extensionList[JA4index] = (void *)ja4;
@@ -881,6 +882,7 @@ static void runTest(void) {
     CheckFilter("payload ja4 defined", recordHandle, 1);
     recordHandle->extensionList[JA4index] = NULL;
     CheckFilter("payload ja4 defined", recordHandle, 0);
+#endif
 
     // local (processed) extension
     // geo location