git: 87b2a3073aaf - stable/13 - wpa: Import 2.11

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Tue, 01 Oct 2024 04:30:17 UTC
The branch stable/13 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=87b2a3073aafe52aeaa966abf12b79e8f029622d

commit 87b2a3073aafe52aeaa966abf12b79e8f029622d
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-07-21 18:59:44 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-10-01 04:29:48 +0000

    wpa: Import 2.11
    
    Following is a changelog of new features and fixes to wpa:
    
    hostapd:
    * Wi-Fi Easy Connect
      - add support for DPP release 3
      - allow Configurator parameters to be provided during config exchange
    * HE/IEEE 802.11ax/Wi-Fi 6
      - various fixes
    * EHT/IEEE 802.11be/Wi-Fi 7
      - add preliminary support
    * SAE: add support for fetching the password from a RADIUS server
    * support OpenSSL 3.0 API changes
    * support background radar detection and CAC with some additional
      drivers
    * support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
    * EAP-SIM/AKA: support IMSI privacy
    * improve 4-way handshake operations
      - use Secure=1 in message 3 during PTK rekeying
    * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
      to avoid interoperability issues
    * support new SAE AKM suites with variable length keys
    * support new AKM for 802.1X/EAP with SHA384
    * extend PASN support for secure ranging
    * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
      - this is based on additional details being added in the IEEE 802.11
        standard
      - the new implementation is not backwards compatible
    * improved ACS to cover additional channel types/bandwidths
    * extended Multiple BSSID support
    * fix beacon protection with FT protocol (incorrect BIGTK was provided)
    * support unsynchronized service discovery (USD)
    * add preliminary support for RADIUS/TLS
    * add support for explicit SSID protection in 4-way handshake
      (a mitigation for CVE-2023-52424; disabled by default for now, can be
      enabled with ssid_protection=1)
    * fix SAE H2E rejected groups validation to avoid downgrade attacks
    * use stricter validation for some RADIUS messages
    * a large number of other fixes, cleanup, and extensions
    
    wpa_supplicant:
    * Wi-Fi Easy Connect
      - add support for DPP release 3
      - allow Configurator parameters to be provided during config exchange
    * MACsec
      - add support for GCM-AES-256 cipher suite
      - remove incorrect EAP Session-Id length constraint
      - add hardware offload support for additional drivers
    * HE/IEEE 802.11ax/Wi-Fi 6
      - support BSS color updates
      - various fixes
    * EHT/IEEE 802.11be/Wi-Fi 7
      - add preliminary support
    * support OpenSSL 3.0 API changes
    * improve EAP-TLS support for TLSv1.3
    * EAP-SIM/AKA: support IMSI privacy
    * improve mitigation against DoS attacks when PMF is used
    * improve 4-way handshake operations
      - discard unencrypted EAPOL frames in additional cases
      - use Secure=1 in message 2 during PTK rekeying
    * OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
      to avoid interoperability issues
    * support new SAE AKM suites with variable length keys
    * support new AKM for 802.1X/EAP with SHA384
    * improve cross-AKM roaming with driver-based SME/BSS selection
    * PASN
      - extend support for secure ranging
      - allow PASN implementation to be used with external programs for
        Wi-Fi Aware
    * FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
      - this is based on additional details being added in the IEEE 802.11
        standard
      - the new implementation is not backwards compatible, but PMKSA
        caching with FT-EAP was, and still is, disabled by default
    * support a pregenerated MAC (mac_addr=3) as an alternative mechanism
      for using per-network random MAC addresses
    * EAP-PEAP: require Phase 2 authentication by default (phase2_auth=1)
      to improve security for still unfortunately common invalid
      configurations that do not set ca_cert
    * extend SCS support for QoS Characteristics
    * extend MSCS support
    * support unsynchronized service discovery (USD)
    * add support for explicit SSID protection in 4-way handshake
      (a mitigation for CVE-2023-52424; disabled by default for now, can be
      enabled with ssid_protection=1)
      - in addition, verify SSID after key setup when beacon protection is
        used
    * fix SAE H2E rejected groups validation to avoid downgrade attacks
    * a large number of other fixes, cleanup, and extensions
    
    Merge commit '6377230b3cf4f238dcd0dc2d76ff25943d3040e5'
    
    (cherry picked from commit a90b9d0159070121c221b966469c3e36d912bf82)
---
 contrib/wpa/CONTRIBUTIONS                          |    2 +-
 contrib/wpa/README                                 |    2 +-
 contrib/wpa/hostapd/Android.mk                     |   28 +-
 contrib/wpa/hostapd/ChangeLog                      |   37 +
 contrib/wpa/hostapd/Makefile                       |   30 +-
 contrib/wpa/hostapd/README                         |    2 +-
 contrib/wpa/hostapd/android.config                 |    6 +
 contrib/wpa/hostapd/config_file.c                  |  481 +-
 contrib/wpa/hostapd/config_file.h                  |    7 +-
 contrib/wpa/hostapd/ctrl_iface.c                   | 1460 +++--
 contrib/wpa/hostapd/defconfig                      |   21 +-
 contrib/wpa/hostapd/hostapd.conf                   |  356 +-
 contrib/wpa/hostapd/hostapd.eap_user               |    4 +-
 contrib/wpa/hostapd/hostapd_cli.c                  |  217 +-
 contrib/wpa/hostapd/logwatch/hostapd               |   65 -
 contrib/wpa/hostapd/main.c                         |  142 +-
 contrib/wpa/hs20/client/Android.mk                 |   10 +
 contrib/wpa/hs20/client/est.c                      |   37 +-
 contrib/wpa/hs20/client/osu_client.c               |  115 +-
 contrib/wpa/hs20/client/spp_client.c               |    1 -
 contrib/wpa/src/Makefile                           |    2 +-
 contrib/wpa/src/ap/acs.c                           |  568 +-
 contrib/wpa/src/ap/acs.h                           |    3 +
 contrib/wpa/src/ap/airtime_policy.c                |    2 +-
 contrib/wpa/src/ap/ap_config.c                     |  205 +-
 contrib/wpa/src/ap/ap_config.h                     |  226 +-
 contrib/wpa/src/ap/ap_drv_ops.c                    |  359 +-
 contrib/wpa/src/ap/ap_drv_ops.h                    |   84 +-
 contrib/wpa/src/ap/ap_list.c                       |    6 +-
 contrib/wpa/src/ap/ap_mlme.c                       |    4 +-
 contrib/wpa/src/ap/authsrv.c                       |   94 +
 contrib/wpa/src/ap/beacon.c                        | 1212 +++-
 contrib/wpa/src/ap/beacon.h                        |    4 +
 contrib/wpa/src/ap/bss_load.c                      |    2 +-
 contrib/wpa/src/ap/comeback_token.c                |  139 +
 contrib/wpa/src/ap/comeback_token.h                |   21 +
 contrib/wpa/src/ap/ctrl_iface_ap.c                 |  599 +-
 contrib/wpa/src/ap/ctrl_iface_ap.h                 |   17 +
 contrib/wpa/src/ap/dfs.c                           |  608 +-
 contrib/wpa/src/ap/dpp_hostapd.c                   | 1417 ++++-
 contrib/wpa/src/ap/dpp_hostapd.h                   |    5 +
 contrib/wpa/src/ap/drv_callbacks.c                 |  881 ++-
 contrib/wpa/src/ap/fils_hlp.c                      |   10 +-
 contrib/wpa/src/ap/gas_query_ap.c                  |   10 +-
 contrib/wpa/src/ap/gas_serv.c                      |   11 +-
 contrib/wpa/src/ap/gas_serv.h                      |    2 +-
 contrib/wpa/src/ap/hostapd.c                       | 1441 ++++-
 contrib/wpa/src/ap/hostapd.h                       |  169 +-
 contrib/wpa/src/ap/hw_features.c                   |  233 +-
 contrib/wpa/src/ap/hw_features.h                   |   12 +
 contrib/wpa/src/ap/ieee802_11.c                    | 4030 ++++++++-----
 contrib/wpa/src/ap/ieee802_11.h                    |   83 +-
 contrib/wpa/src/ap/ieee802_11_auth.c               |  162 +-
 contrib/wpa/src/ap/ieee802_11_auth.h               |    5 +-
 contrib/wpa/src/ap/ieee802_11_eht.c                | 1405 +++++
 contrib/wpa/src/ap/ieee802_11_he.c                 |   87 +-
 contrib/wpa/src/ap/ieee802_11_ht.c                 |    5 +-
 contrib/wpa/src/ap/ieee802_11_shared.c             |  215 +-
 contrib/wpa/src/ap/ieee802_11_vht.c                |   32 +-
 contrib/wpa/src/ap/ieee802_1x.c                    |  233 +-
 contrib/wpa/src/ap/ieee802_1x.h                    |    2 +-
 contrib/wpa/src/ap/nan_usd_ap.c                    |  267 +
 contrib/wpa/src/ap/nan_usd_ap.h                    |   46 +
 contrib/wpa/src/ap/ndisc_snoop.c                   |    1 +
 contrib/wpa/src/ap/neighbor_db.c                   |   74 +-
 contrib/wpa/src/ap/neighbor_db.h                   |    1 +
 contrib/wpa/src/ap/pmksa_cache_auth.c              |   32 +-
 contrib/wpa/src/ap/pmksa_cache_auth.h              |    4 +
 contrib/wpa/src/ap/preauth_auth.c                  |    4 +-
 contrib/wpa/src/ap/rrm.c                           |  121 +
 contrib/wpa/src/ap/rrm.h                           |    2 +
 contrib/wpa/src/ap/sta_info.c                      |  469 +-
 contrib/wpa/src/ap/sta_info.h                      |   96 +-
 contrib/wpa/src/ap/utils.c                         |   14 +-
 contrib/wpa/src/ap/wmm.c                           |    7 -
 contrib/wpa/src/ap/wnm_ap.c                        |  216 +-
 contrib/wpa/src/ap/wpa_auth.c                      | 2459 ++++++--
 contrib/wpa/src/ap/wpa_auth.h                      |  103 +-
 contrib/wpa/src/ap/wpa_auth_ft.c                   |  615 +-
 contrib/wpa/src/ap/wpa_auth_glue.c                 |  269 +-
 contrib/wpa/src/ap/wpa_auth_i.h                    |   47 +-
 contrib/wpa/src/ap/wpa_auth_ie.c                   |   95 +-
 contrib/wpa/src/ap/wpa_auth_kay.c                  |   45 +-
 contrib/wpa/src/ap/wps_hostapd.c                   |    5 +-
 contrib/wpa/src/ap/x_snoop.c                       |    5 +
 contrib/wpa/src/build.rules                        |    2 +-
 contrib/wpa/src/common/brcm_vendor.h               |    8 +-
 contrib/wpa/src/common/common_module_tests.c       |    2 +-
 contrib/wpa/src/common/defs.h                      |   67 +-
 contrib/wpa/src/common/dpp.c                       |  883 ++-
 contrib/wpa/src/common/dpp.h                       |  132 +-
 contrib/wpa/src/common/dpp_crypto.c                |  239 +-
 contrib/wpa/src/common/dpp_i.h                     |   19 +-
 contrib/wpa/src/common/dpp_pkex.c                  |   59 +-
 contrib/wpa/src/common/dpp_reconfig.c              |   18 +-
 contrib/wpa/src/common/dpp_tcp.c                   |  916 ++-
 contrib/wpa/src/common/dragonfly.c                 |    9 +-
 contrib/wpa/src/common/gas_server.c                |   79 +-
 contrib/wpa/src/common/gas_server.h                |    5 +-
 contrib/wpa/src/common/hw_features_common.c        |  303 +-
 contrib/wpa/src/common/hw_features_common.h        |   12 +-
 contrib/wpa/src/common/ieee802_11_common.c         | 1090 +++-
 contrib/wpa/src/common/ieee802_11_common.h         |   89 +-
 contrib/wpa/src/common/ieee802_11_defs.h           |  722 ++-
 contrib/wpa/src/common/nan.h                       |   98 +
 contrib/wpa/src/common/nan_de.c                    | 1395 +++++
 contrib/wpa/src/common/nan_de.h                    |  145 +
 contrib/wpa/src/common/ocv.c                       |    5 +-
 contrib/wpa/src/common/ptksa_cache.c               |   74 +-
 contrib/wpa/src/common/ptksa_cache.h               |   47 +-
 contrib/wpa/src/common/qca-vendor.h                | 6323 +++++++++++++++++++-
 contrib/wpa/src/common/sae.c                       |  139 +-
 contrib/wpa/src/common/sae.h                       |   14 +-
 contrib/wpa/src/common/version.h                   |    2 +-
 contrib/wpa/src/common/wpa_common.c                |  995 ++-
 contrib/wpa/src/common/wpa_common.h                |  134 +-
 contrib/wpa/src/common/wpa_ctrl.c                  |   16 +-
 contrib/wpa/src/common/wpa_ctrl.h                  |   36 +
 contrib/wpa/src/crypto/crypto.h                    |  117 +-
 contrib/wpa/src/crypto/crypto_gnutls.c             |    5 +
 contrib/wpa/src/crypto/crypto_internal.c           |    5 +
 contrib/wpa/src/crypto/crypto_libtomcrypt.c        |    5 +
 contrib/wpa/src/crypto/crypto_linux.c              |    5 +
 contrib/wpa/src/crypto/crypto_module_tests.c       |  281 +
 contrib/wpa/src/crypto/crypto_nettle.c             |    5 +
 contrib/wpa/src/crypto/crypto_none.c               |    5 +
 contrib/wpa/src/crypto/crypto_openssl.c            | 2622 +++++++-
 contrib/wpa/src/crypto/crypto_wolfssl.c            | 2043 ++++++-
 contrib/wpa/src/crypto/fips_prf_internal.c         |   11 +-
 contrib/wpa/src/crypto/fips_prf_openssl.c          |   15 +
 contrib/wpa/src/crypto/sha1-pbkdf2.c               |    3 +
 contrib/wpa/src/crypto/sha256-internal.c           |    3 -
 contrib/wpa/src/crypto/sha256.c                    |   21 +-
 contrib/wpa/src/crypto/sha384.c                    |    6 +-
 contrib/wpa/src/crypto/sha512-internal.c           |    3 -
 contrib/wpa/src/crypto/sha512.c                    |    6 +-
 contrib/wpa/src/crypto/tls.h                       |   18 +-
 contrib/wpa/src/crypto/tls_gnutls.c                |    1 +
 contrib/wpa/src/crypto/tls_internal.c              |   11 +-
 contrib/wpa/src/crypto/tls_none.c                  |    1 +
 contrib/wpa/src/crypto/tls_openssl.c               |  564 +-
 contrib/wpa/src/crypto/tls_openssl_ocsp.c          |   26 +-
 contrib/wpa/src/crypto/tls_wolfssl.c               |  284 +-
 contrib/wpa/src/drivers/driver.h                   |  964 ++-
 contrib/wpa/src/drivers/driver_atheros.c           |   31 +-
 contrib/wpa/src/drivers/driver_bsd.c               |   16 +-
 contrib/wpa/src/drivers/driver_common.c            |   44 +
 contrib/wpa/src/drivers/driver_hostap.c            |   20 +-
 contrib/wpa/src/drivers/driver_macsec_linux.c      |   76 +-
 contrib/wpa/src/drivers/driver_macsec_qca.c        |    4 +-
 contrib/wpa/src/drivers/driver_ndis.c              |    8 +-
 contrib/wpa/src/drivers/driver_nl80211.c           | 3443 ++++++++---
 contrib/wpa/src/drivers/driver_nl80211.h           |  113 +-
 contrib/wpa/src/drivers/driver_nl80211_capa.c      |  354 +-
 contrib/wpa/src/drivers/driver_nl80211_event.c     | 1291 +++-
 contrib/wpa/src/drivers/driver_nl80211_scan.c      |  127 +-
 contrib/wpa/src/drivers/driver_roboswitch.c        |    2 +-
 contrib/wpa/src/drivers/driver_wext.c              |   11 +-
 contrib/wpa/src/drivers/driver_wired.c             |    2 +-
 contrib/wpa/src/drivers/linux_ioctl.c              |   11 +-
 contrib/wpa/src/drivers/ndis_events.c              |    5 +-
 contrib/wpa/src/drivers/netlink.c                  |    6 +-
 contrib/wpa/src/drivers/nl80211_copy.h             |  626 +-
 contrib/wpa/src/eap_common/eap_defs.h              |    2 +-
 contrib/wpa/src/eap_common/eap_pwd_common.c        |   23 +-
 contrib/wpa/src/eap_common/eap_sake_common.c       |   19 +-
 contrib/wpa/src/eap_peer/eap.c                     |   44 +
 contrib/wpa/src/eap_peer/eap_aka.c                 |  198 +-
 contrib/wpa/src/eap_peer/eap_config.h              |   46 +-
 contrib/wpa/src/eap_peer/eap_fast.c                |   14 +-
 contrib/wpa/src/eap_peer/eap_i.h                   |    9 +
 contrib/wpa/src/eap_peer/eap_mschapv2.c            |   30 +-
 contrib/wpa/src/eap_peer/eap_peap.c                |   40 +-
 contrib/wpa/src/eap_peer/eap_pwd.c                 |   33 +-
 contrib/wpa/src/eap_peer/eap_sim.c                 |  202 +-
 contrib/wpa/src/eap_peer/eap_teap.c                |   61 +-
 contrib/wpa/src/eap_peer/eap_tls.c                 |   15 +-
 contrib/wpa/src/eap_peer/eap_tls_common.c          |   27 +-
 contrib/wpa/src/eap_peer/eap_tls_common.h          |    5 +
 contrib/wpa/src/eap_peer/eap_ttls.c                |   32 +-
 contrib/wpa/src/eap_peer/eap_wsc.c                 |   14 +-
 contrib/wpa/src/eap_server/eap.h                   |   12 +
 contrib/wpa/src/eap_server/eap_i.h                 |    7 +
 contrib/wpa/src/eap_server/eap_server_aka.c        |  126 +-
 contrib/wpa/src/eap_server/eap_server_eke.c        |    1 +
 contrib/wpa/src/eap_server/eap_server_fast.c       |   14 +-
 contrib/wpa/src/eap_server/eap_server_mschapv2.c   |   28 +-
 contrib/wpa/src/eap_server/eap_server_peap.c       |   18 +
 contrib/wpa/src/eap_server/eap_server_pwd.c        |   33 +-
 contrib/wpa/src/eap_server/eap_server_sim.c        |  133 +-
 contrib/wpa/src/eap_server/eap_server_teap.c       |   39 +-
 contrib/wpa/src/eap_server/eap_server_tls.c        |   10 +-
 contrib/wpa/src/eap_server/eap_server_tls_common.c |   18 +-
 contrib/wpa/src/eap_server/eap_server_ttls.c       |    3 +-
 contrib/wpa/src/eap_server/eap_tls_common.h        |    2 +
 contrib/wpa/src/eapol_auth/eapol_auth_sm.c         |   26 +-
 contrib/wpa/src/eapol_auth/eapol_auth_sm.h         |    5 +-
 contrib/wpa/src/eapol_auth/eapol_auth_sm_i.h       |    4 +
 contrib/wpa/src/eapol_supp/eapol_supp_sm.c         |   17 +-
 contrib/wpa/src/eapol_supp/eapol_supp_sm.h         |   18 +-
 contrib/wpa/src/fst/fst_group.c                    |   12 +-
 contrib/wpa/src/fst/fst_iface.c                    |    2 +-
 contrib/wpa/src/fst/fst_session.c                  |    6 +-
 contrib/wpa/src/l2_packet/l2_packet_freebsd.c      |    9 +-
 contrib/wpa/src/l2_packet/l2_packet_linux.c        |    4 +-
 contrib/wpa/src/p2p/p2p.c                          |  123 +-
 contrib/wpa/src/p2p/p2p.h                          |   12 +-
 contrib/wpa/src/p2p/p2p_build.c                    |   20 +-
 contrib/wpa/src/p2p/p2p_dev_disc.c                 |   10 +-
 contrib/wpa/src/p2p/p2p_go_neg.c                   |  121 +-
 contrib/wpa/src/p2p/p2p_group.c                    |   14 +-
 contrib/wpa/src/p2p/p2p_i.h                        |   19 +-
 contrib/wpa/src/p2p/p2p_invitation.c               |   31 +-
 contrib/wpa/src/p2p/p2p_parse.c                    |   27 +-
 contrib/wpa/src/p2p/p2p_pd.c                       |   43 +-
 contrib/wpa/src/p2p/p2p_sd.c                       |   23 +-
 contrib/wpa/src/p2p/p2p_utils.c                    |   84 +-
 contrib/wpa/src/pae/ieee802_1x_cp.c                |   15 +-
 contrib/wpa/src/pae/ieee802_1x_kay.c               |   74 +-
 contrib/wpa/src/pae/ieee802_1x_kay.h               |    5 +-
 contrib/wpa/src/pae/ieee802_1x_secy_ops.c          |   20 +
 contrib/wpa/src/pae/ieee802_1x_secy_ops.h          |    1 +
 contrib/wpa/src/pasn/Makefile                      |   16 +
 contrib/wpa/src/pasn/pasn_common.c                 |  232 +
 contrib/wpa/src/pasn/pasn_common.h                 |  228 +
 contrib/wpa/src/pasn/pasn_initiator.c              | 1406 +++++
 contrib/wpa/src/pasn/pasn_responder.c              | 1032 ++++
 contrib/wpa/src/radius/radius.c                    |  297 +-
 contrib/wpa/src/radius/radius.h                    |   35 +-
 contrib/wpa/src/radius/radius_client.c             |  789 ++-
 contrib/wpa/src/radius/radius_client.h             |   27 +-
 contrib/wpa/src/radius/radius_das.c                |   10 +
 contrib/wpa/src/radius/radius_server.c             |   15 +
 contrib/wpa/src/rsn_supp/pmksa_cache.c             |  260 +-
 contrib/wpa/src/rsn_supp/pmksa_cache.h             |  105 +-
 contrib/wpa/src/rsn_supp/preauth.c                 |   19 +-
 contrib/wpa/src/rsn_supp/tdls.c                    |  332 +-
 contrib/wpa/src/rsn_supp/wpa.c                     | 2190 +++++--
 contrib/wpa/src/rsn_supp/wpa.h                     |   88 +-
 contrib/wpa/src/rsn_supp/wpa_ft.c                  |  328 +-
 contrib/wpa/src/rsn_supp/wpa_i.h                   |   65 +-
 contrib/wpa/src/rsn_supp/wpa_ie.c                  |   36 +-
 contrib/wpa/src/tls/libtommath.c                   |    8 -
 contrib/wpa/src/tls/pkcs1.c                        |    6 +-
 contrib/wpa/src/tls/tlsv1_client_read.c            |    3 +-
 contrib/wpa/src/tls/tlsv1_common.c                 |    6 +-
 contrib/wpa/src/tls/tlsv1_common.h                 |    3 +-
 contrib/wpa/src/tls/tlsv1_server_write.c           |    2 +-
 contrib/wpa/src/utils/browser.c                    |   10 +
 contrib/wpa/src/utils/common.c                     |   15 +-
 contrib/wpa/src/utils/common.h                     |   38 +
 contrib/wpa/src/utils/crc32.c                      |    2 +-
 contrib/wpa/src/utils/crc32.h                      |    2 +-
 contrib/wpa/src/utils/http-utils.h                 |    1 +
 contrib/wpa/src/utils/http_curl.c                  |   73 +-
 contrib/wpa/src/utils/ip_addr.c                    |   19 +
 contrib/wpa/src/utils/ip_addr.h                    |    2 +
 contrib/wpa/src/utils/os.h                         |   42 +-
 contrib/wpa/src/utils/os_unix.c                    |  195 +-
 contrib/wpa/src/utils/trace.c                      |    6 +-
 contrib/wpa/src/utils/wpa_debug.c                  |   10 +-
 contrib/wpa/src/utils/wpa_debug.h                  |    1 +
 contrib/wpa/src/utils/wpabuf.h                     |    6 +
 contrib/wpa/src/wps/ndef.c                         |    6 +
 contrib/wpa/src/wps/wps.c                          |    5 +-
 contrib/wpa/src/wps/wps.h                          |    5 +
 contrib/wpa/src/wps/wps_attr_parse.c               |   13 +-
 contrib/wpa/src/wps/wps_enrollee.c                 |    6 +-
 contrib/wpa/src/wps/wps_er.c                       |    4 +-
 contrib/wpa/src/wps/wps_i.h                        |    1 +
 contrib/wpa/src/wps/wps_registrar.c                |   15 +-
 contrib/wpa/wpa_supplicant/Android.mk              |  228 +-
 contrib/wpa/wpa_supplicant/ChangeLog               |   50 +
 contrib/wpa/wpa_supplicant/Makefile                |  308 +-
 contrib/wpa/wpa_supplicant/README                  |    4 +-
 contrib/wpa/wpa_supplicant/README-HS20             |   33 +-
 contrib/wpa/wpa_supplicant/README-NAN-USD          |  147 +
 contrib/wpa/wpa_supplicant/README-WPS              |   24 +-
 contrib/wpa/wpa_supplicant/android.config          |   15 +
 contrib/wpa/wpa_supplicant/ap.c                    |  293 +-
 contrib/wpa/wpa_supplicant/ap.h                    |   24 +-
 contrib/wpa/wpa_supplicant/bgscan.h                |    2 +-
 contrib/wpa/wpa_supplicant/bgscan_learn.c          |   10 +-
 contrib/wpa/wpa_supplicant/bgscan_simple.c         |   64 +-
 contrib/wpa/wpa_supplicant/bss.c                   |  563 +-
 contrib/wpa/wpa_supplicant/bss.h                   |   29 +
 contrib/wpa/wpa_supplicant/bssid_ignore.c          |   30 +-
 contrib/wpa/wpa_supplicant/config.c                |  487 +-
 contrib/wpa/wpa_supplicant/config.h                |  150 +-
 contrib/wpa/wpa_supplicant/config_file.c           |  108 +-
 contrib/wpa/wpa_supplicant/config_none.c           |    3 +-
 contrib/wpa/wpa_supplicant/config_ssid.h           |  114 +-
 contrib/wpa/wpa_supplicant/config_winreg.c         |    5 +-
 contrib/wpa/wpa_supplicant/ctrl_iface.c            | 1707 +++++-
 contrib/wpa/wpa_supplicant/ctrl_iface.h            |    2 +
 contrib/wpa/wpa_supplicant/ctrl_iface_unix.c       |    3 +
 .../wpa/wpa_supplicant/dbus/dbus_dict_helpers.c    |  100 +
 .../wpa/wpa_supplicant/dbus/dbus_dict_helpers.h    |    9 +
 contrib/wpa/wpa_supplicant/dbus/dbus_new.c         |  142 +-
 contrib/wpa/wpa_supplicant/dbus/dbus_new.h         |   24 +
 .../wpa/wpa_supplicant/dbus/dbus_new_handlers.c    |  784 ++-
 .../wpa/wpa_supplicant/dbus/dbus_new_handlers.h    |    7 +
 .../wpa_supplicant/dbus/dbus_new_handlers_p2p.c    |   94 +-
 contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.c |  209 +-
 contrib/wpa/wpa_supplicant/dbus/dbus_new_helpers.h |    5 +
 .../wpa/wpa_supplicant/dbus/dbus_new_introspect.c  |    2 +-
 contrib/wpa/wpa_supplicant/defconfig               |   53 +
 .../wpa_supplicant/doc/docbook/wpa_supplicant.sgml |   48 +-
 contrib/wpa/wpa_supplicant/dpp_supplicant.c        | 2184 ++++++-
 contrib/wpa/wpa_supplicant/dpp_supplicant.h        |    5 +
 contrib/wpa/wpa_supplicant/driver_i.h              |  124 +-
 contrib/wpa/wpa_supplicant/eapol_test.c            |  146 +-
 contrib/wpa/wpa_supplicant/events.c                | 1741 +++++-
 contrib/wpa/wpa_supplicant/examples/dpp-nfc.py     |   10 +-
 contrib/wpa/wpa_supplicant/gas_query.c             |   56 +-
 contrib/wpa/wpa_supplicant/hs20_supplicant.c       |   17 +-
 contrib/wpa/wpa_supplicant/ibss_rsn.c              |   32 +-
 contrib/wpa/wpa_supplicant/ibss_rsn.h              |    3 +-
 contrib/wpa/wpa_supplicant/interworking.c          |  124 +-
 contrib/wpa/wpa_supplicant/main.c                  |    2 +
 contrib/wpa/wpa_supplicant/mbo.c                   |   25 +-
 contrib/wpa/wpa_supplicant/mesh.c                  |   16 +-
 contrib/wpa/wpa_supplicant/mesh_mpm.c              |   74 +-
 contrib/wpa/wpa_supplicant/mesh_rsn.c              |   27 +-
 contrib/wpa/wpa_supplicant/nan_usd.c               |  513 ++
 contrib/wpa/wpa_supplicant/nan_usd.h               |   46 +
 contrib/wpa/wpa_supplicant/notify.c                |  103 +-
 contrib/wpa/wpa_supplicant/notify.h                |   14 +-
 contrib/wpa/wpa_supplicant/offchannel.c            |   10 +-
 contrib/wpa/wpa_supplicant/op_classes.c            |  150 +-
 contrib/wpa/wpa_supplicant/p2p_supplicant.c        |  483 +-
 contrib/wpa/wpa_supplicant/p2p_supplicant.h        |   13 +-
 contrib/wpa/wpa_supplicant/p2p_supplicant_sd.c     |   14 +-
 contrib/wpa/wpa_supplicant/pasn_supplicant.c       | 1712 ++----
 contrib/wpa/wpa_supplicant/preauth_test.c          |    8 +-
 contrib/wpa/wpa_supplicant/robust_av.c             |  341 +-
 contrib/wpa/wpa_supplicant/rrm.c                   |  132 +-
 contrib/wpa/wpa_supplicant/scan.c                  |  774 ++-
 contrib/wpa/wpa_supplicant/scan.h                  |   30 +-
 contrib/wpa/wpa_supplicant/sme.c                   |  948 ++-
 contrib/wpa/wpa_supplicant/sme.h                   |   14 +-
 .../systemd/wpa_supplicant-nl80211.service.arg.in  |    2 +-
 .../systemd/wpa_supplicant.service.arg.in          |    2 +-
 contrib/wpa/wpa_supplicant/utils/log2pcap.py       |    9 +-
 contrib/wpa/wpa_supplicant/wmm_ac.c                |    6 +-
 contrib/wpa/wpa_supplicant/wnm_sta.c               |  532 +-
 contrib/wpa/wpa_supplicant/wnm_sta.h               |   30 +-
 contrib/wpa/wpa_supplicant/wpa_cli.c               |  144 +-
 contrib/wpa/wpa_supplicant/wpa_passphrase.c        |   25 +-
 contrib/wpa/wpa_supplicant/wpa_priv.c              |   11 +-
 contrib/wpa/wpa_supplicant/wpa_supplicant.c        | 1679 ++++--
 contrib/wpa/wpa_supplicant/wpa_supplicant.conf     |  109 +-
 contrib/wpa/wpa_supplicant/wpa_supplicant_i.h      |  286 +-
 .../wpa_supplicant/wpa_supplicant_template.conf    |    2 +
 contrib/wpa/wpa_supplicant/wpas_glue.c             |  159 +-
 contrib/wpa/wpa_supplicant/wpas_glue.h             |    2 +
 contrib/wpa/wpa_supplicant/wpas_kay.c              |   53 +-
 contrib/wpa/wpa_supplicant/wpas_module_tests.c     |    3 +
 contrib/wpa/wpa_supplicant/wps_supplicant.c        |  166 +-
 contrib/wpa/wpa_supplicant/wps_supplicant.h        |   13 +
 share/mk/src.libnames.mk                           |    4 +
 usr.sbin/wpa/Makefile.inc                          |    1 -
 usr.sbin/wpa/hostapd/Makefile                      |    3 +-
 usr.sbin/wpa/src/Makefile                          |    1 +
 usr.sbin/wpa/src/pasn/Makefile                     |   20 +
 usr.sbin/wpa/wpa_supplicant/Makefile               |    2 +-
 366 files changed, 66259 insertions(+), 12716 deletions(-)

diff --git a/contrib/wpa/CONTRIBUTIONS b/contrib/wpa/CONTRIBUTIONS
index b2064dc83443..6c8187cb190d 100644
--- a/contrib/wpa/CONTRIBUTIONS
+++ b/contrib/wpa/CONTRIBUTIONS
@@ -37,7 +37,7 @@ without moderation. You can subscribe to the list at this address:
 http://lists.infradead.org/mailman/listinfo/hostap
 
 The message should contain an inlined patch against the current
-development branch (i.e., the master branch of
+development branch (i.e., the main branch of
 git://w1.fi/hostap.git). Please make sure the software you use for
 sending the patch does not corrupt whitespace. If that cannot be fixed
 for some reason, it is better to include an attached version of the
diff --git a/contrib/wpa/README b/contrib/wpa/README
index 1470c4f23582..8392bb354fac 100644
--- a/contrib/wpa/README
+++ b/contrib/wpa/README
@@ -1,7 +1,7 @@
 wpa_supplicant and hostapd
 --------------------------
 
-Copyright (c) 2002-2022, Jouni Malinen <j@w1.fi> and contributors
+Copyright (c) 2002-2024, Jouni Malinen <j@w1.fi> and contributors
 All Rights Reserved.
 
 These programs are licensed under the BSD license (the one with
diff --git a/contrib/wpa/hostapd/Android.mk b/contrib/wpa/hostapd/Android.mk
index bf26e41c6b23..573564d5b0de 100644
--- a/contrib/wpa/hostapd/Android.mk
+++ b/contrib/wpa/hostapd/Android.mk
@@ -154,6 +154,7 @@ OBJS += src/utils/crc32.c
 OBJS += src/common/ieee802_11_common.c
 OBJS += src/common/wpa_common.c
 OBJS += src/common/hw_features_common.c
+OBJS += src/common/ptksa_cache.c
 
 OBJS += src/eapol_auth/eapol_auth_sm.c
 
@@ -237,6 +238,8 @@ L_CFLAGS += -DCONFIG_OCV
 OBJS += src/common/ocv.c
 endif
 
+NEED_AES_UNWRAP=y
+
 ifdef CONFIG_IEEE80211R
 L_CFLAGS += -DCONFIG_IEEE80211R -DCONFIG_IEEE80211R_AP
 OBJS += src/ap/wpa_auth_ft.c
@@ -256,6 +259,7 @@ L_CFLAGS += -DCONFIG_SAE
 OBJS += src/common/sae.c
 ifdef CONFIG_SAE_PK
 L_CFLAGS += -DCONFIG_SAE_PK
+NEED_AES_SIV=y
 OBJS += src/common/sae_pk.c
 endif
 NEED_ECC=y
@@ -294,6 +298,12 @@ ifdef CONFIG_IEEE80211AC
 L_CFLAGS += -DCONFIG_IEEE80211AC
 endif
 
+ifdef CONFIG_IEEE80211BE
+CONFIG_IEEE80211AX=y
+L_CFLAGS += -DCONFIG_IEEE80211BE
+OBJS += src/ap/ieee802_11_eht.c
+endif
+
 ifdef CONFIG_IEEE80211AX
 L_CFLAGS += -DCONFIG_IEEE80211AX
 endif
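Review bot: The new `CONFIG_IEEE80211BE` block only has its intended effect because it sits above the `ifdef CONFIG_IEEE80211AX` test, and nothing in the file records that ordering requirement. The `CONFIG_IEEE80211AX=y` assignment is what makes the following block add `-DCONFIG_IEEE80211AX`, so if the two blocks are ever reordered an EHT build would silently lose the HE define. A one-line comment above the assignment would pin this, e.g. `# EHT builds imply HE; keep this block ahead of the CONFIG_IEEE80211AX test below`.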
@@ -572,6 +582,12 @@ L_CFLAGS += -DCONFIG_DPP3
 endif
 endif
 
+ifdef CONFIG_NAN_USD
+OBJS += src/common/nan_de.c
+OBJS += src/ap/nan_usd_ap.c
+L_CFLAGS += -DCONFIG_NAN_USD
+endif
+
 ifdef CONFIG_PASN
 L_CFLAGS += -DCONFIG_PASN
 L_CFLAGS += -DCONFIG_PTKSA_CACHE
@@ -579,7 +595,6 @@ NEED_HMAC_SHA256_KDF=y
 NEED_HMAC_SHA384_KDF=y
 NEED_SHA256=y
 NEED_SHA384=y
-OBJS += src/common/ptksa_cache.c
 endif
 
 ifdef CONFIG_EAP_IKEV2
@@ -632,6 +647,11 @@ ifdef CHAP
 OBJS += src/eap_common/chap.c
 endif
 
+ifdef CONFIG_RADIUS_TLS
+TLS_FUNCS=y
+L_CFLAGS += -DCONFIG_RADIUS_TLS
+endif
+
 ifdef TLS_FUNCS
 NEED_DES=y
 # Shared TLS functions (needed for EAP_TLS, EAP_PEAP, and EAP_TTLS)
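Review bot: `CONFIG_RADIUS_TLS` forces `TLS_FUNCS=y`, but nothing in the new block checks which backend `CONFIG_TLS` selects. The diffstat still lists a stub backend (`src/crypto/tls_none.c`), so pairing this option with a build that has no real TLS library may either fail late or produce a RADIUS client without the transport protection the option name implies; this is inferred, since backend selection lies outside the hunk. Consider failing early inside the new block with `ifeq ($(CONFIG_TLS), none)` / `$(error CONFIG_RADIUS_TLS requires a TLS library)` / `endif`. Also note that the following `ifdef TLS_FUNCS` block sets `NEED_DES=y`, so enabling this option pulls in more crypto code than the name suggests.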
@@ -653,6 +673,7 @@ L_CFLAGS += -DCONFIG_TLSV12
 endif
 
 ifeq ($(CONFIG_TLS), openssl)
+L_CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
 ifdef TLS_FUNCS
 OBJS += src/crypto/tls_openssl.c
 OBJS += src/crypto/tls_openssl_ocsp.c
@@ -825,7 +846,9 @@ endif
 ifdef NEED_AES_ENCBLOCK
 AESOBJS += src/crypto/aes-encblock.c
 endif
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += src/crypto/aes-omac1.c
+endif
 ifdef NEED_AES_UNWRAP
 ifneq ($(CONFIG_TLS), openssl)
 NEED_AES_DEC=y
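Review bot: The new `ifneq ($(CONFIG_TLS), openssl)` guard around `src/crypto/aes-omac1.c` has no comment saying where OMAC1/CMAC comes from in an OpenSSL build. Presumably `crypto_openssl.c` now provides it (the diffstat shows that file changing by roughly 2,600 lines), but the hunk does not show this, and an OpenSSL configuration lacking it would fail at link time. Suggest adding `# OpenSSL builds take OMAC1 from crypto_openssl.c; other backends use the internal implementation` above the guard. The surrounding AES object list starts and ends outside the hunk.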
@@ -1026,6 +1049,9 @@ endif
 ifdef NEED_AP_MLME
 OBJS += src/ap/wmm.c
 OBJS += src/ap/ap_list.c
+OBJS += src/ap/comeback_token.c
+OBJS += src/pasn/pasn_responder.c
+OBJS += src/pasn/pasn_common.c
 OBJS += src/ap/ieee802_11.c
 OBJS += src/ap/hw_features.c
 OBJS += src/ap/dfs.c
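Review bot: `src/pasn/pasn_responder.c` and `src/pasn/pasn_common.c` are added to every `NEED_AP_MLME` build here, not only when `CONFIG_PASN` is set, so the PASN responder sources are compiled whether or not the feature is enabled. If those files are not wrapped in `#ifdef CONFIG_PASN` internally (not visible on this page), frame-handling code for a disabled feature ends up in the binary; wrapping the two lines in `ifdef CONFIG_PASN` … `endif` would keep the build minimal. The first hunk of this file has the same shape: `src/common/ptksa_cache.c` becomes unconditional while `-DCONFIG_PTKSA_CACHE` is still set only inside the `CONFIG_PASN` block. The `NEED_AP_MLME` block continues past the end of the hunk.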
diff --git a/contrib/wpa/hostapd/ChangeLog b/contrib/wpa/hostapd/ChangeLog
index 279298e4d4d4..1c8240d333c4 100644
--- a/contrib/wpa/hostapd/ChangeLog
+++ b/contrib/wpa/hostapd/ChangeLog
@@ -1,5 +1,42 @@
 ChangeLog for hostapd
 
+2024-07-20 - v2.11
+	* Wi-Fi Easy Connect
+	  - add support for DPP release 3
+	  - allow Configurator parameters to be provided during config exchange
+	* HE/IEEE 802.11ax/Wi-Fi 6
+	  - various fixes
+	* EHT/IEEE 802.11be/Wi-Fi 7
+	  - add preliminary support
+	* SAE: add support for fetching the password from a RADIUS server
+	* support OpenSSL 3.0 API changes
+	* support background radar detection and CAC with some additional
+	  drivers
+	* support RADIUS ACL/PSK check during 4-way handshake (wpa_psk_radius=3)
+	* EAP-SIM/AKA: support IMSI privacy
+	* improve 4-way handshake operations
+	  - use Secure=1 in message 3 during PTK rekeying
+	* OCV: do not check Frequency Segment 1 Channel Number for 160 MHz cases
+	  to avoid interoperability issues
+	* support new SAE AKM suites with variable length keys
+	* support new AKM for 802.1X/EAP with SHA384
+	* extend PASN support for secure ranging
+	* FT: Use SHA256 to derive PMKID for AKM 00-0F-AC:3 (FT-EAP)
+	  - this is based on additional details being added in the IEEE 802.11
+	    standard
+	  - the new implementation is not backwards compatible
+	* improved ACS to cover additional channel types/bandwidths
+	* extended Multiple BSSID support
+	* fix beacon protection with FT protocol (incorrect BIGTK was provided)
+	* support unsynchronized service discovery (USD)
+	* add preliminary support for RADIUS/TLS
+	* add support for explicit SSID protection in 4-way handshake
+	  (a mitigation for CVE-2023-52424; disabled by default for now, can be
+	  enabled with ssid_protection=1)
+	* fix SAE H2E rejected groups validation to avoid downgrade attacks
+	* use stricter validation for some RADIUS messages
+	* a large number of other fixes, cleanup, and extensions
+
 2022-01-16 - v2.10
 	* SAE changes
 	  - improved protection against side channel attacks
diff --git a/contrib/wpa/hostapd/Makefile b/contrib/wpa/hostapd/Makefile
index e37c13b27a6e..ca4439234a11 100644
--- a/contrib/wpa/hostapd/Makefile
+++ b/contrib/wpa/hostapd/Makefile
@@ -84,6 +84,7 @@ OBJS += ../src/ap/beacon.o
 OBJS += ../src/ap/bss_load.o
 OBJS += ../src/ap/neighbor_db.o
 OBJS += ../src/ap/rrm.o
+OBJS += ../src/common/ptksa_cache.o
 
 OBJS_c = hostapd_cli.o
 OBJS_c += ../src/common/wpa_ctrl.o
@@ -167,7 +168,7 @@ OBJS += ../src/eapol_auth/eapol_auth_sm.o
 
 
 ifdef CONFIG_CODE_COVERAGE
-CFLAGS += -O0 -fprofile-arcs -ftest-coverage
+CFLAGS += -O0 -fprofile-arcs -ftest-coverage -U_FORTIFY_SOURCE
 LIBS += -lgcov
 LIBS_c += -lgcov
 LIBS_h += -lgcov
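Review bot: `-U_FORTIFY_SOURCE` is added to the coverage CFLAGS without a comment, and it switches off the fortified libc buffer checks for the whole binary. That is presumably intended because `_FORTIFY_SOURCE` needs optimization and this block forces `-O0`, but the reason should be written down, e.g. `# _FORTIFY_SOURCE requires optimization; undefine it for -O0 coverage builds (test use only)`. Because the flag is appended to CFLAGS, it would also cancel a `-D_FORTIFY_SOURCE` supplied earlier by the environment or packaging. A binary built with `CONFIG_CODE_COVERAGE` should therefore be treated as a test artifact and not deployed.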
@@ -276,6 +277,8 @@ CFLAGS += -DCONFIG_OCV
 OBJS += ../src/common/ocv.o
 endif
 
+NEED_AES_UNWRAP=y
+
 ifdef CONFIG_IEEE80211R
 CFLAGS += -DCONFIG_IEEE80211R -DCONFIG_IEEE80211R_AP
 OBJS += ../src/ap/wpa_auth_ft.o
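Review bot: `NEED_AES_UNWRAP=y` is now set unconditionally with no comment, which makes the later `ifdef NEED_AES_UNWRAP` test in the AES objects section (visible in the hunk at `@@ -932,11 +953,13 @@`) always true. Either state which always-built code needs AES key unwrap, e.g. `# AES key unwrap is required by <consumer> in all builds`, or drop the now-redundant `ifdef`. Any other `NEED_AES_UNWRAP=y` assignments elsewhere in the file also become redundant; they are outside this hunk.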
@@ -295,6 +298,7 @@ CFLAGS += -DCONFIG_SAE
 OBJS += ../src/common/sae.o
 ifdef CONFIG_SAE_PK
 CFLAGS += -DCONFIG_SAE_PK
+NEED_AES_SIV=y
 OBJS += ../src/common/sae_pk.o
 endif
 NEED_ECC=y
@@ -339,6 +343,12 @@ ifdef CONFIG_IEEE80211AC
 CFLAGS += -DCONFIG_IEEE80211AC
 endif
 
+ifdef CONFIG_IEEE80211BE
+CONFIG_IEEE80211AX=y
+CFLAGS += -DCONFIG_IEEE80211BE
+OBJS += ../src/ap/ieee802_11_eht.o
+endif
+
 ifdef CONFIG_IEEE80211AX
 CFLAGS += -DCONFIG_IEEE80211AX
 OBJS += ../src/ap/ieee802_11_he.o
@@ -598,6 +608,12 @@ CFLAGS += -DCONFIG_DPP3
 endif
 endif
 
+ifdef CONFIG_NAN_USD
+OBJS += ../src/common/nan_de.o
+OBJS += ../src/ap/nan_usd_ap.o
+CFLAGS += -DCONFIG_NAN_USD
+endif
+
 ifdef CONFIG_PASN
 CFLAGS += -DCONFIG_PASN
 CFLAGS += -DCONFIG_PTKSA_CACHE
@@ -605,7 +621,6 @@ NEED_HMAC_SHA256_KDF=y
 NEED_HMAC_SHA384_KDF=y
 NEED_SHA256=y
 NEED_SHA384=y
-OBJS += ../src/common/ptksa_cache.o
 endif
 
 ifdef CONFIG_EAP_IKEV2
@@ -667,6 +682,11 @@ ifdef CHAP
 OBJS += ../src/eap_common/chap.o
 endif
 
+ifdef CONFIG_RADIUS_TLS
+TLS_FUNCS=y
+CFLAGS += -DCONFIG_RADIUS_TLS
+endif
+
 ifdef TLS_FUNCS
 NEED_DES=y
 # Shared TLS functions (needed for EAP_TLS, EAP_PEAP, and EAP_TTLS)
@@ -708,6 +728,7 @@ endif
 endif
 
 ifeq ($(CONFIG_TLS), openssl)
+CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
 CONFIG_CRYPTO=openssl
 ifdef TLS_FUNCS
 OBJS += ../src/crypto/tls_openssl.o
@@ -932,11 +953,13 @@ endif
 ifdef NEED_AES_ENCBLOCK
 AESOBJS += ../src/crypto/aes-encblock.o
 endif
+ifneq ($(CONFIG_TLS), openssl)
 ifneq ($(CONFIG_TLS), linux)
 ifneq ($(CONFIG_TLS), wolfssl)
 AESOBJS += ../src/crypto/aes-omac1.o
 endif
 endif
+endif
 ifdef NEED_AES_UNWRAP
 ifneq ($(CONFIG_TLS), openssl)
 ifneq ($(CONFIG_TLS), linux)
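Review bot: The added `ifneq ($(CONFIG_TLS), openssl)` makes this a three-deep `ifneq` nest with three matching `endif` lines, which is easy to unbalance on the next edit. A single test reads better: `ifeq ($(filter openssl linux wolfssl,$(CONFIG_TLS)),)` around `AESOBJS += ../src/crypto/aes-omac1.o`. With the built-in file dropped, OMAC1/CMAC for OpenSSL builds has to come from the OpenSSL crypto wrapper, which is not shown in this hunk. It is worth confirming that the wrapper provides it for every OpenSSL version the build supports. Android.mk gets the same exclusion at `@@ -825,7 +846,9 @@`, for `openssl` only.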
@@ -1172,6 +1195,9 @@ endif
 ifdef NEED_AP_MLME
 OBJS += ../src/ap/wmm.o
 OBJS += ../src/ap/ap_list.o
+OBJS += ../src/ap/comeback_token.o
+OBJS += ../src/pasn/pasn_responder.o
+OBJS += ../src/pasn/pasn_common.o
 OBJS += ../src/ap/ieee802_11.o
 OBJS += ../src/ap/hw_features.o
 OBJS += ../src/ap/dfs.o
diff --git a/contrib/wpa/hostapd/README b/contrib/wpa/hostapd/README
index 739c964d44d8..1a0248fce422 100644
--- a/contrib/wpa/hostapd/README
+++ b/contrib/wpa/hostapd/README
@@ -2,7 +2,7 @@ hostapd - user space IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP
 	  Authenticator and RADIUS authentication server
 ================================================================
 
-Copyright (c) 2002-2022, Jouni Malinen <j@w1.fi> and contributors
+Copyright (c) 2002-2024, Jouni Malinen <j@w1.fi> and contributors
 All Rights Reserved.
 
 This program is licensed under the BSD license (the one with
diff --git a/contrib/wpa/hostapd/android.config b/contrib/wpa/hostapd/android.config
index c8b3afabef8d..522de87266d5 100644
--- a/contrib/wpa/hostapd/android.config
+++ b/contrib/wpa/hostapd/android.config
@@ -121,6 +121,9 @@ CONFIG_PKCS12=y
 # Build IPv6 support for RADIUS operations
 CONFIG_IPV6=y
 
+# Include support fo RADIUS/TLS into the RADIUS client
+#CONFIG_RADIUS_TLS=y
+
 # IEEE Std 802.11r-2008 (Fast BSS Transition)
 #CONFIG_IEEE80211R=y
 
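Review bot: The added comment has a typo, "support fo RADIUS/TLS"; it should read `# Include support for RADIUS/TLS into the RADIUS client`. The option itself is left commented out, so `CONFIG_RADIUS_TLS` stays undefined for Android builds unless this line is uncommented.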
@@ -212,3 +215,6 @@ CONFIG_NO_RANDOM_POOL=y
 # release under this optional build parameter. This functionality is subject to
 # be completely removed in a future release.
 CONFIG_WEP=y
+
+# Wi-Fi Aware unsynchronized service discovery (NAN USD)
+#CONFIG_NAN_USD=y
diff --git a/contrib/wpa/hostapd/config_file.c b/contrib/wpa/hostapd/config_file.c
index b14728d1b507..3fb059770d49 100644
--- a/contrib/wpa/hostapd/config_file.c
+++ b/contrib/wpa/hostapd/config_file.c
@@ -1,6 +1,6 @@
 /*
  * hostapd / Configuration file parser
- * Copyright (c) 2003-2018, Jouni Malinen <j@w1.fi>
+ * Copyright (c) 2003-2024, Jouni Malinen <j@w1.fi>
  *
  * This software may be distributed under the terms of the BSD license.
  * See README for more details.
@@ -118,52 +118,6 @@ static int hostapd_config_read_vlan_file(struct hostapd_bss_config *bss,
 #endif /* CONFIG_NO_VLAN */
 
 
-int hostapd_acl_comp(const void *a, const void *b)
-{
-	const struct mac_acl_entry *aa = a;
-	const struct mac_acl_entry *bb = b;
-	return os_memcmp(aa->addr, bb->addr, sizeof(macaddr));
-}
-
-
-int hostapd_add_acl_maclist(struct mac_acl_entry **acl, int *num,
-			    int vlan_id, const u8 *addr)
-{
-	struct mac_acl_entry *newacl;
-
-	newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl));
-	if (!newacl) {
-		wpa_printf(MSG_ERROR, "MAC list reallocation failed");
-		return -1;
-	}
-
-	*acl = newacl;
-	os_memcpy((*acl)[*num].addr, addr, ETH_ALEN);
-	os_memset(&(*acl)[*num].vlan_id, 0, sizeof((*acl)[*num].vlan_id));
-	(*acl)[*num].vlan_id.untagged = vlan_id;
-	(*acl)[*num].vlan_id.notempty = !!vlan_id;
-	(*num)++;
-
-	return 0;
-}
-
-
-void hostapd_remove_acl_mac(struct mac_acl_entry **acl, int *num,
-			    const u8 *addr)
-{
-	int i = 0;
-
-	while (i < *num) {
-		if (os_memcmp((*acl)[i].addr, addr, ETH_ALEN) == 0) {
-			os_remove_in_array(*acl, *num, sizeof(**acl), i);
-			(*num)--;
-		} else {
-			i++;
-		}
-	}
-}
-
-
 static int hostapd_config_read_maclist(const char *fname,
 				       struct mac_acl_entry **acl, int *num)
 {
@@ -713,6 +667,10 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value)
 			val |= WPA_KEY_MGMT_FT_IEEE8021X_SHA384;
 #endif /* CONFIG_SHA384 */
 #endif /* CONFIG_IEEE80211R_AP */
+#ifdef CONFIG_SHA384
+		else if (os_strcmp(start, "WPA-EAP-SHA384") == 0)
+			val |= WPA_KEY_MGMT_IEEE8021X_SHA384;
+#endif /* CONFIG_SHA384 */
 		else if (os_strcmp(start, "WPA-PSK-SHA256") == 0)
 			val |= WPA_KEY_MGMT_PSK_SHA256;
 		else if (os_strcmp(start, "WPA-EAP-SHA256") == 0)
@@ -720,8 +678,12 @@ static int hostapd_config_parse_key_mgmt(int line, const char *value)
 #ifdef CONFIG_SAE
 		else if (os_strcmp(start, "SAE") == 0)
 			val |= WPA_KEY_MGMT_SAE;
+		else if (os_strcmp(start, "SAE-EXT-KEY") == 0)
+			val |= WPA_KEY_MGMT_SAE_EXT_KEY;
 		else if (os_strcmp(start, "FT-SAE") == 0)
 			val |= WPA_KEY_MGMT_FT_SAE;
+		else if (os_strcmp(start, "FT-SAE-EXT-KEY") == 0)
+			val |= WPA_KEY_MGMT_FT_SAE_EXT_KEY;
 #endif /* CONFIG_SAE */
 #ifdef CONFIG_SUITEB
 		else if (os_strcmp(start, "WPA-EAP-SUITE-B") == 0)
@@ -1058,6 +1020,78 @@ static int add_r1kh(struct hostapd_bss_config *bss, char *value)
 
 	return 0;
 }
+
+
+int hostapd_config_read_rxkh_file(struct hostapd_bss_config *conf,
+				  const char *fname)
+{
+	FILE *f;
+	char buf[256], *pos;
+	int line = 0, errors = 0;
+
+	if (!fname)
+		return 0;
+
+	f = fopen(fname, "r");
+	if (!f) {
+		wpa_printf(MSG_ERROR, "rxkh file '%s' not found.", fname);
+		return -1;
+	}
+
+	while (fgets(buf, sizeof(buf), f)) {
+		line++;
+
+		if (buf[0] == '#')
+			continue;
+		pos = buf;
+		while (*pos != '\0') {
+			if (*pos == '\n') {
+				*pos = '\0';
+				break;
+			}
+			pos++;
+		}
+		if (buf[0] == '\0')
+			continue;
+
+		pos = os_strchr(buf, '=');
+		if (!pos) {
+			wpa_printf(MSG_ERROR, "Line %d: Invalid line '%s'",
+				   line, buf);
+			errors++;
+			continue;
+		}
+		*pos = '\0';
+		pos++;
+
+		if (os_strcmp(buf, "r0kh") == 0) {
+			if (add_r0kh(conf, pos) < 0) {
+				wpa_printf(MSG_ERROR,
+					   "Line %d: Invalid r0kh '%s'",
+					   line, pos);
+				errors++;
+			}
+		} else if (os_strcmp(buf, "r1kh") == 0) {
+			if (add_r1kh(conf, pos) < 0) {
+				wpa_printf(MSG_ERROR,
+					   "Line %d: Invalid r1kh '%s'",
+					   line, pos);
+				errors++;
+			}
+		}
+	}
+
+	fclose(f);
+
+	if (errors) {
+		wpa_printf(MSG_ERROR,
+			   "%d errors in configuring RxKHs from '%s'",
+			   errors, fname);
+		return -1;
+	}
+	return 0;
+}
+
 #endif /* CONFIG_IEEE80211R_AP */
 
 
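Review bot: In `hostapd_config_read_rxkh_file()` the two failure messages print the rejected value with `'%s'` at `MSG_ERROR`, and in hostapd.conf syntax an r0kh/r1kh value ends with the shared key as a hex string, so a malformed entry would put key material into the log. Logging only the line number avoids that: `"Line %d: Invalid r0kh entry", line` (and the same for r1kh). Separately, a name other than `r0kh`/`r1kh` is skipped without a message, so a misspelled entry is silently dropped; unless that is deliberate, a final `else` that logs `"Line %d: Unknown field '%s'"` with `buf` and increments `errors` would surface it. Lines longer than the 256-byte `buf` are also read as two lines by `fgets()`, and a trailing `\r` is not stripped.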
@@ -1644,6 +1678,8 @@ static int parse_anqp_elem(struct hostapd_bss_config *bss, char *buf, int line)
 	return 0;
 }
 
+#endif /* CONFIG_INTERWORKING */
+
 
 static int parse_qos_map_set(struct hostapd_bss_config *bss,
 			     char *buf, int line)
@@ -1685,8 +1721,6 @@ static int parse_qos_map_set(struct hostapd_bss_config *bss,
 	return 0;
 }
 
-#endif /* CONFIG_INTERWORKING */
-
 
 #ifdef CONFIG_HS20
 static int hs20_parse_conn_capab(struct hostapd_bss_config *bss, char *buf,
@@ -2197,6 +2231,7 @@ static int add_airtime_weight(struct hostapd_bss_config *bss, char *value)
 
*** 122364 LINES SKIPPED ***