Fix strchr() and related functions for ISO C23 compliance

.sai.json

@@ -116,6 +116,10 @@
 			"cmake":	"-DLWS_WITH_GNUTLS=1",
 			"platforms":	"none, rocky9/aarch64-a72a55-rk3588/gcc"
 		},
+		"bearssl": {
+			"cmake":	"-DLWS_WITH_BEARSSL=1 -DLWS_BEARSSL_INCLUDE_DIRS=/opt/BearSSL/inc -DLWS_BEARSSL_LIBRARIES=/opt/BearSSL/build/libbearssl.so",
+			"platforms":	"none, rocky9/aarch64-a72a55-rk3588/gcc"
+		},
 		"default-examples-awslc": {
 			"cmake":	"-DLWS_WITH_AWSLC=1 -DLWS_OPENSSL_INCLUDE_DIRS=\"/usr/aws-lc/include\" -DLWS_OPENSSL_LIBRARIES=\"/usr/aws-lc/lib64/libssl.so;/usr/aws-lc/lib64/libcrypto.so\" -DLWS_WITH_MINIMAL_EXAMPLES=1",
 			"platforms":	"none, rocky9/aarch64-a72a55-rk3588/gcc"
@@ -260,15 +264,15 @@
 		"coverity": {
 			"cmake":	"-DLWS_WITHOUT_EXTENSIONS=0 -DLWS_WITH_CGI=1 -DLWS_IPV6=1 -DLWS_WITH_HTTP_PROXY=1 -DLWS_WITH_RANGES=1 -DLWS_WITH_THREADPOOL=1 -DLWS_WITH_CBOR=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_COSE=1 -DLWS_WITH_SYS_DHCP_CLIENT=1 -DLWS_WITH_FTS=1 -DLWS_WITH_STRUCT_SQLITE3=1 -DLWS_ROLE_DBUS=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_ASYNC_DNS_DNSSEC=1 -DLWS_WITH_WEBRTC=1 -DLWS_WITH_DHT=1 -DLWS_WITH_ASYNC_QUEUE=1  -DLWS_WITH_SYS_FAULT_INJECTION=1 -DLWS_WITH_TLS_JIT_TRUST=1 -DLWS_ROLE_MQTT=1 -DLWS_ROLE_RAW_PROXY=1 -DLWS_WITH_EVENT_LIBS=1 -DLWS_WITH_LIBUV=1 -DLWS_WITH_STRUCT_JSON=1 -DLWS_WITH_LWS_DSH=1 -DLWS_WITH_SECURE_STREAMS_PROXY_API=1 -DLWS_WITH_AUTHORITATIVE_DNS=1 -DLWS_WITH_DHT=1 -DLWS_WITH_DHT_BACKEND=1 -DLWS_WITH_PLUGINS=1",
 			"platforms":	"none, coverity/x86_64/gcc",
-			"cpack":	"export STAMP=`git log -1 --pretty=format:%h` && rm -f libwebsockets.tgz && tar czvf libwebsockets.tgz cov-int && script -q -c \"cat /etc/coverity/secrets.sh | lws-minimal-http-client-post-form https://scan.coverity.com:443/builds?project=warmcat%2Flibwebsockets --form file=@libwebsockets.tgz --form version=${STAMP} --form 'description=lws qa'\" /dev/null",
+			"cpack":	"export STAMP=`git log -1 --pretty=format:%h` && rm -f libwebsockets.tgz && tar czvf libwebsockets.tgz cov-int && script -e -q -c \"cat /etc/coverity/secrets.sh | lws-minimal-http-client-post-form --h1 https://scan.coverity.com:443/builds?project=warmcat%2Flibwebsockets --form file=@libwebsockets.tgz --form version=${STAMP} --form 'description=lws qa'\" /dev/null",
 			"branches":	"coverity"
 		}
 #		,
 		# awkward, we also want to test mbedtls, but coverity blocks on SSL build needing manual intervention
 #		"coverity-mbedtls": {
 #			"cmake":	"-DLWS_WITH_MBEDTLS=1 -DLWS_WITHOUT_EXTENSIONS=0 -DLWS_WITH_CGI=1 -DLWS_IPV6=1 -DLWS_WITH_HTTP_PROXY=1 -DLWS_WITH_RANGES=1 -DLWS_WITH_THREADPOOL=1 -DLWS_WITH_CBOR=1 -DLWS_WITH_JOSE=1 -DLWS_WITH_COSE=1 -DLWS_WITH_SYS_DHCP_CLIENT=1 -DLWS_WITH_FTS=1 -DLWS_WITH_STRUCT_SQLITE3=1 -DLWS_ROLE_DBUS=1 -DLWS_WITH_SYS_ASYNC_DNS=1 -DLWS_WITH_SYS_ASYNC_DNS_DNSSEC=1 -DLWS_WITH_WEBRTC=1 -DLWS_WITH_DHT=1  -DLWS_WITH_ASYNC_QUEUE=1 -DLWS_WITH_SYS_FAULT_INJECTION=1 -DLWS_WITH_TLS_JIT_TRUST=1 -DLWS_ROLE_MQTT=1 -DLWS_ROLE_RAW_PROXY=1 -DLWS_WITH_EVENT_LIBS=1 -DLWS_WITH_LIBUV=1 -DLWS_WITH_STRUCT_JSON=1 -DLWS_WITH_LWS_DSH=1 -DLWS_WITH_SECURE_STREAMS_PROXY_API=1",
 #			"platforms":	"none, coverity/x86_64/gcc",
-#			"cpack":	"export STAMP=`git log -1 --pretty=format:%h` && rm -f libwebsockets.tgz && tar czvf libwebsockets.tgz cov-int && script -q -c \"cat /etc/coverity/secrets.sh | lws-minimal-http-client-post-form https://scan.coverity.com:443/builds?project=warmcat%2Flibwebsockets --form file=@libwebsockets.tgz --form version=${STAMP} --form 'description=lws qa'\" /dev/null",
+#			"cpack":	"export STAMP=`git log -1 --pretty=format:%h` && rm -f libwebsockets.tgz && tar czvf libwebsockets.tgz cov-int && script -e -q -c \"cat /etc/coverity/secrets.sh | lws-minimal-http-client-post-form --h1 https://scan.coverity.com:443/builds?project=warmcat%2Flibwebsockets --form file=@libwebsockets.tgz --form version=${STAMP} --form 'description=lws qa'\" /dev/null",
 #			"branches":	"coverity"
 #		}
 

CMakeLists-implied-options.txt

@@ -27,7 +27,7 @@ if(IOS)
     set(LWS_DETECTED_PLAT_IOS 1)
 endif()
 
-if (LWS_WITH_SCHANNEL OR LWS_WITH_GNUTLS OR LWS_WITH_MBEDTLS)
+if (LWS_WITH_SCHANNEL OR LWS_WITH_GNUTLS OR LWS_WITH_MBEDTLS OR LWS_WITH_BEARSSL)
        set(LWS_WITH_SSL 1)
 endif()
 
@@ -130,6 +130,7 @@ if (LWS_WITH_SELFDNS)
 	set(LWS_WITH_SYS_ASYNC_DNS 1)
 	set(LWS_WITH_SYS_ASYNC_DNS_DNSSEC 1)
 	set(LWS_WITH_AUTH_SERVER 1)
+	set(LWS_WITH_SYS_WHOIS 1)
 endif()
 
 if (LWS_WITH_AUTH_SERVER)
@@ -169,12 +170,20 @@ if (LWS_WITH_TRANSPORT_SEQUENCER)
 	set(LWS_WITH_LWS_DSH 1)
 endif()
 
+if (LWS_WITH_WEBRTC_MIXER)
+	set(LWS_WITH_WEBRTC 1)
+	set(LWS_WITH_ALSA 1 CACHE BOOL "Enable alsa audio example" FORCE)
+	set(LWS_WITH_OPUS 1 CACHE BOOL "Enable opus audio codec" FORCE)
+	set(LWS_WITH_GSTREAMER 1 CACHE BOOL "Enable gstreamer" FORCE)
+endif()
+
 if (LWS_WITH_WEBRTC)
 	set(LWS_WITH_UDP 1)
 	set(LWS_WITH_DTLS 1)
-	set(LWS_WITH_ALSA 1 CACHE BOOL "Enable alsa audio example" FORCE)
-	set(LWS_WITH_OPUS 1 CACHE BOOL "Enable opus audio codec" FORCE)
 	set(LWS_WITH_PLUGINS 1 CACHE BOOL "Enable plugins" FORCE)
+	set(LWS_WITH_V4L2 1)
+	set(LWS_WITH_LIBV4L2 1)
+	set(LWS_WITH_DRM 1)
 	set(LWS_WITH_GENCRYPTO 1)
 	set(LWS_WITH_JOSE 1)
 	set(LWS_WITH_NETWORK 1)
@@ -474,7 +483,7 @@ if (LWS_SSL_SERVER_WITH_ECDH_CERT)
 endif()
 
 # LWS_OPENSSL_SUPPORT deprecated... use LWS_WITH_TLS
-if (LWS_WITH_SSL OR LWS_WITH_MBEDTLS)
+if (LWS_WITH_SSL OR LWS_WITH_MBEDTLS OR LWS_WITH_BEARSSL)
 	set(LWS_OPENSSL_SUPPORT 1)
 	set(LWS_WITH_TLS 1)
 endif()

CMakeLists.txt

@@ -179,6 +179,7 @@ option(LWS_WITH_SYS_ASYNC_DNS "Nonblocking internal IPv4 + IPv6 DNS resolver" OF
 option(LWS_WITH_SYS_ASYNC_DNS_DNSSEC "Include DNSSEC parsing/validation in async-dns (requires crypto)" OFF)
 option(LWS_WITH_AUTHORITATIVE_DNS "Authoritative DNS zone signer / server" OFF)
 option(LWS_WITH_SYS_NTPCLIENT "Build in tiny ntpclient good for tls date validation and run via lws_system" OFF)
+option(LWS_WITH_SYS_WHOIS "Build in tiny recursive whois client run via lws_system" OFF)
 option(LWS_WITH_SYS_DHCP_CLIENT "Build in tiny DHCP client" OFF)
 option(LWS_WITH_HTTP_BASIC_AUTH "Support Basic Auth" ON)
 option(LWS_WITH_HTTP_DIGEST_AUTH "Support Digest Auth (caution deprecated crypto)" ON)
@@ -193,6 +194,7 @@ option(LWS_WITH_GZINFLATE "Enable internal minimal gzip inflator" ON)
 option(LWS_WITH_JPEG "Enable stateful JPEG stream decoder" ON)
 option(LWS_WITH_DLO "Enable Display List Objects" ON)
 option(LWS_WITH_WEBRTC "Enable WebRTC" OFF)
+option(LWS_WITH_WEBRTC_MIXER "Enable WebRTC mixer (gstreamer)" OFF)
 option(LWS_WITH_TRANSCODE "Enable video transcoding support (requires ffmpeg)" OFF)
 option(LWS_WITH_V4L2 "Enable V4L2 support (Linux only)" OFF)
 option(LWS_WITH_LIBV4L2 "Link against libv4l2 if available" OFF)
@@ -231,6 +233,8 @@ option(LWS_CTEST_INTERNET_AVAILABLE "CTest will performs tests that need the Int
 #
 option(LWS_WITH_SSL "Include SSL support (defaults to OpenSSL or similar, mbedTLS if LWS_WITH_MBEDTLS is set)" ON)
 option(LWS_WITH_MBEDTLS "Use mbedTLS (>=2.0) replacement for OpenSSL. When setting this, you also may need to specify LWS_MBEDTLS_LIBRARIES and LWS_MBEDTLS_INCLUDE_DIRS" OFF)
+option(LWS_WITH_BEARSSL "Use BearSSL replacement for OpenSSL. When setting this, you also may need to specify LWS_BEARSSL_LIBRARIES and LWS_BEARSSL_INCLUDE_DIRS" OFF)
+set(LWS_BEARSSL_PROFILE "full" CACHE STRING "BearSSL profile to use (e.g. full, client, minimal)")
 option(LWS_WITH_SCHANNEL "Use Windows SChannel for SSL" OFF)
 option(LWS_WITH_BORINGSSL "Use BoringSSL replacement for OpenSSL" OFF)
 option(LWS_WITH_GNUTLS "Use GnuTLS for SSL" OFF)

READMEs/README.build-windows.md

@@ -122,6 +122,16 @@ additional CMake options on lws:
       -DLWS_WITH_MBEDTLS=TRUE
 ```
 
+### Alternative: BearSSL (or OpenSSL/MbedTLS, see above)
+
+BearSSL is a highly optimized, minimalistic alternative to OpenSSL and MbedTLS. It is easily cross-compiled or built on Windows. Note that BearSSL currently does not support DTLS. To use it, simply provide the include and library paths:
+
+```
+      -DLWS_WITH_BEARSSL=TRUE
+      -DLWS_BEARSSL_INCLUDE_DIRS=C:/path/to/bearssl/inc
+      -DLWS_BEARSSL_LIBRARIES=C:/path/to/bearssl/build/bearssl.lib
+```
+
 ### Powershell
 
 CMake wants it and the version that comes with windows is too old to have pwsh.exe.

READMEs/README.build.md

@@ -334,6 +334,8 @@ plugins and lwsws.
  - If you are really restricted on memory, code size, or don't care about TLS
    speed, mbedTLS is a good choice: `cmake .. -DLWS_WITH_MBEDTLS=1`
 
+ - If you want an extremely lightweight, highly optimized TLS library with a minimal memory footprint and fast execution speed, BearSSL is a strong alternative: `cmake .. -DLWS_WITH_BEARSSL=1`. Note that BearSSL currently does not support DTLS.
+
  - If cpu and memory is not super restricted and you care about TLS speed,
    OpenSSL or a directly compatible variant like Boring SSL is a good choice.
 
@@ -354,12 +356,18 @@ Lws supports both almost the same, so instead of taking my word for it you are
 invited to try it both ways and see which the results (including, eg, binary
 size and memory usage as well as speed) suggest you use.
 
-NOTE: one major difference with mbedTLS is it does not load the system trust
-store by default.  That has advantages and disadvantages, but the disadvantage
-is you must provide the CA cert to lws built against mbedTLS for it to be able
-to validate it, ie, use -A with the test client.  The minimal test clients
-have the CA cert for warmcat.com and libwebsockets.org and use it if they see
-they were built with mbedTLS.
+NOTE: one major difference with mbedTLS and BearSSL is they do not natively load the OS trust
+store by default in the same way OpenSSL does.
+
+For mbedTLS, you must provide the CA cert to lws for it to be able
+to validate it, ie, use `-A` with the test client.
+
+For BearSSL, LWS implements a multi-cert PEM parser and fallback sequence to emulate OpenSSL's behavior:
+1. It checks the `SSL_CERT_FILE` and `SSL_CERT_DIR` environment variables for runtime overrides.
+2. It falls back to probing standard OS locations (e.g. `/etc/ssl/certs/ca-certificates.crt`).
+3. It defaults to the CMake-configured `LWS_OPENSSL_CLIENT_CERTS` if all else fails.
+
+This allows BearSSL to validate most system certificates out of the box on Linux. The minimal test clients also automatically include the CA cert for warmcat.com if they see they were built with mbedTLS or BearSSL.
 
 @section optee Building for OP-TEE
 

READMEs/README.coding.md

@@ -1335,3 +1335,24 @@ the user-selected text message and attempts to pull in `/error.css` for styling.
 If this file exists, it can be used to style the error page.  See
 https://libwebsockets.org/git/badrepo for an example of what can be done (
 and https://libwebsockets.org/error.css for the corresponding css).
+
+@section spawn Process Spawning and PTY routing
+
+libwebsockets provides a cross-platform API for spawning child processes and
+redirecting their standard streams (stdin, stdout, stderr) into the lws event loop
+as wsi handles: `lws_spawn_piped`.
+
+It is controlled by `struct lws_spawn_piped_info`. By default, the streams are
+redirected via standard anonymous pipes.
+
+However, if you wish to run a process that expects a terminal (for example, to
+preserve ANSI color codes or other TTY-specific behaviors), you can set
+`info.pty_mode = 1` before calling `lws_spawn_piped()`.
+
+ - On POSIX systems, `pty_mode` will allocate a pseudoterminal via `posix_openpt()`
+   and securely fuse both the child's stdout and stderr into the single PTY
+   master file descriptor.
+ - On Windows (Windows 10+), `pty_mode` will attempt to dynamically instantiate a
+   `CreatePseudoConsole` (ConPTY) handle and route the standard pipes through it. If 
+   the host system does not support ConPTY, it will gracefully fall back to pipes
+   or fail cleanly.

READMEs/README.lwsws.md

@@ -454,6 +454,21 @@ a mount.
 After successful authentication, `WSI_TOKEN_HTTP_AUTHORIZATION` contains the
 authenticated username.
 
+8) You can also control the exact path matching and redirect behavior per-mount.
+
+```json
+{
+        "mountpoint": "/",
+        "origin": ">https://warmcat.com",
+        "exact-match": "1",
+        "append-path": "1"
+}
+```
+
+- `"exact-match": "1"` forces the mount to only match if the request URL is exactly the `mountpoint` (no directory prefix matching).
+- `"append-path": "1"` can be used with HTTP/HTTPS redirects (`>http://` or `>https://`). By default, redirects strictly redirect to the `origin` without appending the trailing path of the URL. Setting this flag will append the remainder of the request URL to the redirect destination.
+- `"no-ws-upgrades": "1"` instructs the router to ignore this mount if the incoming HTTP request is a WebSocket upgrade request (contains an `Upgrade:` header). This is useful to prevent WSS connections from being accidentally swallowed by a broad alias or redirect mount (e.g. `/`) when they were intended for a different, overlapping protocol.
+
 In the case you want to also protect being able to connect to a ws protocol on
 a particular vhost by requiring the http part can authenticate using Basic
 Auth before the ws upgrade, this is also possible.  In this case, the

READMEs/README.plugin-webrtc-mixer.md

@@ -6,6 +6,29 @@ This protocol implements a WebRTC video conferencing mixer. It works in conjunct
 
 The WebRTC mixer plugin relies heavily on `protocol_lws_webrtc`. While `protocol_lws_webrtc` handles the low-level SDP signaling, ICE candidate gathering, and fundamental RTP/RTCP transport, the `lws-webrtc-mixer` protocol handles the high-level logic of mixing multiple WebRTC streams together. The `lws-webrtc` protocol must be loaded alongside `lws-webrtc-mixer` to function properly.
 
+## GStreamer Video Composition
+
+Video decoding, composition, and encoding (H.264/AV1) are handled entirely by GStreamer. This enables hardware-accelerated media pipelines that drastically reduce CPU usage and memory footprint compared to software-based transcoding.
+
+### Build Requirements
+To compile the mixer plugin, you must enable `LWS_WITH_WEBRTC_MIXER=ON` in CMake and install the GStreamer development headers:
+- **Debian/Ubuntu**: `sudo apt install libgstreamer1.0-dev libgstreamer-plugins-base1.0-dev`
+- **Fedora/RHEL**: `sudo dnf install gstreamer1-devel gstreamer1-plugins-base-devel`
+
+### Runtime Requirements
+At runtime, GStreamer relies on platform-specific plugins to utilize hardware acceleration for compositing and encoding. Ensure you have the appropriate GStreamer packages installed for your system.
+
+* **Intel (VAAPI)**: Requires the VAAPI plugins.
+  - Debian/Ubuntu: `sudo apt install gstreamer1.0-vaapi intel-media-va-driver-non-free`
+  - *Example PVO*: `"vaapicompositor name=comp ! queue ! vaapih264enc byte-stream=true config-interval=1 ! appsink name=outsink sync=false"`
+
+* **Rockchip (MPP)**: Requires Rockchip MPP plugins.
+  - *Example PVO*: `"mppcompositor name=comp ! queue ! mpph264enc byte-stream=true config-interval=1 ! appsink name=outsink sync=false"`
+
+* **Software Fallback**: If no hardware acceleration is available, standard plugins are used.
+  - Debian/Ubuntu: `sudo apt install gstreamer1.0-plugins-good gstreamer1.0-plugins-bad gstreamer1.0-plugins-ugly`
+  - *Example PVO*: `"compositor name=comp background=black ! videoconvert ! videoscale ! video/x-raw,width=1280,height=720,framerate=25/1,format=I420 ! x264enc tune=zerolatency speed-preset=ultrafast ! h264parse config-interval=1 ! video/x-h264,stream-format=byte-stream,alignment=au ! appsink name=outsink sync=false async=false"`
+
 ## Asset and Sound Installation
 
 The user interface for the WebRTC mixer (HTML, CSS, JS) and the associated sound effects (WAV files) are located in the `assets/` and `sounds/` subdirectories of the plugin.
@@ -23,8 +46,9 @@ The WebRTC plugins support the following Per-Vhost Options (PVOs) to configure t
 | `lws-webrtc` | `external-ip` | The external IPv4 address of the server used for ICE candidates. This is required for clients outside the local network to establish WebRTC connections. | `"10.199.0.10"` |
 | `lws-webrtc` | `udp-port` | The UDP port used for the WebRTC transport. | `"1234"` |
 | `lws-webrtc` | `lws-webrtc-ops` | Handled internally via code to provide the operational struct linking the core WebRTC protocol to higher-level protocols. | - |
+| `lws-webrtc-mixer` | `gstreamer-pipeline` | The GStreamer pipeline string used to compose and encode the video. The pipeline *must* include a compositor element named `comp` and an appsink named `outsink` (or `outsink_h264` / `outsink_av1`). **IMPORTANT**: To ensure WebRTC compatibility and support for clients joining mid-session, your encoder should be configured for Annex-B (`byte-stream=true`) and periodic keyframe headers (`config-interval=1`). | `"vaapicompositor name=comp ! vaapih264enc byte-stream=true config-interval=1 ! appsink name=outsink sync=false"` |
 
-*(Note: The `lws-webrtc-mixer` and `lws-webrtc-udp` plugins currently do not require specific PVOs of their own, but expect the base `lws-webrtc` plugin to be configured).*
+*(Note: The `lws-webrtc-udp` plugin currently does not require specific PVOs of its own, but expects the base `lws-webrtc` plugin to be configured).*
 
 ## Example `lwsws` Configuration Fragment
 
@@ -40,7 +64,8 @@ The following is an example configuration fragment for `lwsws` that enables the
                                 "status": "ok"
                         },
                         "lws-webrtc-mixer": {
-                                "status": "ok"
+                                "status": "ok",
+                                "gstreamer-pipeline": "compositor name=comp background=black ! videoconvert ! videoscale ! video/x-raw,width=1280,height=720,framerate=25/1,format=I420 ! x264enc tune=zerolatency speed-preset=ultrafast ! h264parse config-interval=1 ! video/x-h264,stream-format=byte-stream,alignment=au ! appsink name=outsink sync=false async=false"
                         }
 }],
 "mounts": [{
@@ -49,7 +74,7 @@ The following is an example configuration fragment for `lwsws` that enables the
                         "origin":       "file://_lws_ddir_/libwebsockets-test-server/lws-webrtc-mixer",
                         "default": "index.html",
                         "headers": [{
-                                "content-security-policy": "default-src 'none'; img-src 'self' data: https://scan.coverity.com https://bestpractices.coreinfrastructure.org https://img.shields.io ; script-src 'self' 'unsafe-inline'; media-src 'unsafe-inline'; font-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://libwebsockets.org:443; frame-ancestors 'none'; base-uri 'none'; form-action 'self';",
+                                "content-security-policy": "default-src 'none'; img-src 'self' data: https://scan.coverity.com ; script-src 'self' 'unsafe-inline'; media-src 'unsafe-inline'; font-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' wss://libwebsockets.org:443; frame-ancestors 'none'; base-uri 'none'; form-action 'self';",
                                 "permissions-policy": "geolocation=(),microphone=(self),camera=(self),display-capture=(),document-domain=(),execution-while-not-rendered=(),execution-while-out-of-viewport=(),identity-credentials-get=(),local-fonts=(),payment=(),serial=(),usb=(),speaker-selection=()"
                         }],
                         "keepalive-timeout": "999"

changelog

@@ -4,6 +4,7 @@ Changelog
 Development
 ===========
 
+ - ACME: support DNS-01
  - Async DNS: support DNSSEC
  - Async DNS: support tcp fallback
  - Support authoritative DNS server, like nsd, using own-signed zone files

cmake/lws_config.h.in

@@ -208,6 +208,7 @@
 #cmakedefine LWS_WITH_LWSAC
 #cmakedefine LWS_LOGS_TIMESTAMP
 #cmakedefine LWS_WITH_MBEDTLS
+#cmakedefine LWS_WITH_BEARSSL
 #cmakedefine LWS_WITH_SCHANNEL
 #cmakedefine LWS_WITH_GNUTLS
 #cmakedefine LWS_WITH_MINIZ
@@ -257,6 +258,7 @@
 #cmakedefine LWS_WITH_SYS_FAULT_INJECTION
 #cmakedefine LWS_WITH_SYS_METRICS
 #cmakedefine LWS_WITH_SYS_NTPCLIENT
+#cmakedefine LWS_WITH_SYS_WHOIS
 #cmakedefine LWS_WITH_LATENCY
 #cmakedefine LWS_WITH_UPNG
 #cmakedefine LWS_WITH_SYS_STATE