diff --git a/hostapd/Android.bp b/hostapd/Android.bp
index d7cc39b..2a25208 100644
--- a/hostapd/Android.bp
+++ b/hostapd/Android.bp
@@ -287,7 +287,6 @@
         "src/crypto/fips_prf_openssl.c",
         "src/crypto/aes-siv.c",
         "src/crypto/aes-ctr.c",
-        "src/crypto/aes-omac1.c",
         "src/crypto/sha1-prf.c",
         "src/crypto/sha1-tlsprf.c",
         "src/crypto/sha256-prf.c",
diff --git a/hostapd/Android.mk b/hostapd/Android.mk
index 4c37b77..adb4c08 100644
--- a/hostapd/Android.mk
+++ b/hostapd/Android.mk
@@ -314,6 +314,12 @@
 L_CFLAGS += -DCONFIG_IEEE80211AC
 endif
 
+ifdef CONFIG_IEEE80211BE
+CONFIG_IEEE80211AX=y
+L_CFLAGS += -DCONFIG_IEEE80211BE
+OBJS += src/ap/ieee802_11_eht.c
+endif
+
 ifdef CONFIG_IEEE80211AX
 L_CFLAGS += -DCONFIG_IEEE80211AX
 endif
@@ -673,6 +679,7 @@
 endif
 
 ifeq ($(CONFIG_TLS), openssl)
+L_CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
 ifdef TLS_FUNCS
 OBJS += src/crypto/tls_openssl.c
 OBJS += src/crypto/tls_openssl_ocsp.c
@@ -845,7 +852,9 @@
 ifdef NEED_AES_ENCBLOCK
 AESOBJS += src/crypto/aes-encblock.c
 endif
+ifneq ($(CONFIG_TLS), openssl)
 AESOBJS += src/crypto/aes-omac1.c
+endif
 ifdef NEED_AES_UNWRAP
 ifneq ($(CONFIG_TLS), openssl)
 NEED_AES_DEC=y
diff --git a/hostapd/Makefile b/hostapd/Makefile
index 98a0102..5f06378 100644
--- a/hostapd/Makefile
+++ b/hostapd/Makefile
@@ -343,6 +343,12 @@
 CFLAGS += -DCONFIG_IEEE80211AC
 endif
 
+ifdef CONFIG_IEEE80211BE
+CONFIG_IEEE80211AX=y
+CFLAGS += -DCONFIG_IEEE80211BE
+OBJS += ../src/ap/ieee802_11_eht.o
+endif
+
 ifdef CONFIG_IEEE80211AX
 CFLAGS += -DCONFIG_IEEE80211AX
 OBJS += ../src/ap/ieee802_11_he.o
@@ -712,6 +718,7 @@
 endif
 
 ifeq ($(CONFIG_TLS), openssl)
+CFLAGS += -DCRYPTO_RSA_OAEP_SHA256
 CONFIG_CRYPTO=openssl
 ifdef TLS_FUNCS
 OBJS += ../src/crypto/tls_openssl.o
@@ -936,11 +943,13 @@
 ifdef NEED_AES_ENCBLOCK
 AESOBJS += ../src/crypto/aes-encblock.o
 endif
+ifneq ($(CONFIG_TLS), openssl)
 ifneq ($(CONFIG_TLS), linux)
 ifneq ($(CONFIG_TLS), wolfssl)
 AESOBJS += ../src/crypto/aes-omac1.o
 endif
 endif
+endif
 ifdef NEED_AES_UNWRAP
 ifneq ($(CONFIG_TLS), openssl)
 ifneq ($(CONFIG_TLS), linux)
diff --git a/hostapd/config_file.c b/hostapd/config_file.c
index 7e605ff..2d5a510 100644
--- a/hostapd/config_file.c
+++ b/hostapd/config_file.c
@@ -118,52 +118,6 @@
 #endif /* CONFIG_NO_VLAN */
 
 
-int hostapd_acl_comp(const void *a, const void *b)
-{
-	const struct mac_acl_entry *aa = a;
-	const struct mac_acl_entry *bb = b;
-	return os_memcmp(aa->addr, bb->addr, sizeof(macaddr));
-}
-
-
-int hostapd_add_acl_maclist(struct mac_acl_entry **acl, int *num,
-			    int vlan_id, const u8 *addr)
-{
-	struct mac_acl_entry *newacl;
-
-	newacl = os_realloc_array(*acl, *num + 1, sizeof(**acl));
-	if (!newacl) {
-		wpa_printf(MSG_ERROR, "MAC list reallocation failed");
-		return -1;
-	}
-
-	*acl = newacl;
-	os_memcpy((*acl)[*num].addr, addr, ETH_ALEN);
-	os_memset(&(*acl)[*num].vlan_id, 0, sizeof((*acl)[*num].vlan_id));
-	(*acl)[*num].vlan_id.untagged = vlan_id;
-	(*acl)[*num].vlan_id.notempty = !!vlan_id;
-	(*num)++;
-
-	return 0;
-}
-
-
-void hostapd_remove_acl_mac(struct mac_acl_entry **acl, int *num,
-			    const u8 *addr)
-{
-	int i = 0;
-
-	while (i < *num) {
-		if (os_memcmp((*acl)[i].addr, addr, ETH_ALEN) == 0) {
-			os_remove_in_array(*acl, *num, sizeof(**acl), i);
-			(*num)--;
-		} else {
-			i++;
-		}
-	}
-}
-
-
 static int hostapd_config_read_maclist(const char *fname,
 				       struct mac_acl_entry **acl, int *num)
 {
@@ -2635,6 +2589,9 @@
 		bss->eap_sim_aka_result_ind = atoi(pos);
 	} else if (os_strcmp(buf, "eap_sim_id") == 0) {
 		bss->eap_sim_id = atoi(pos);
+	} else if (os_strcmp(buf, "imsi_privacy_key") == 0) {
+		os_free(bss->imsi_privacy_key);
+		bss->imsi_privacy_key = os_strdup(pos);
 #endif /* EAP_SERVER_SIM */
 #ifdef EAP_SERVER_TNC
 	} else if (os_strcmp(buf, "tnc") == 0) {
@@ -2975,7 +2932,8 @@
 		bss->wpa_psk_radius = atoi(pos);
 		if (bss->wpa_psk_radius != PSK_RADIUS_IGNORED &&
 		    bss->wpa_psk_radius != PSK_RADIUS_ACCEPTED &&
-		    bss->wpa_psk_radius != PSK_RADIUS_REQUIRED) {
+		    bss->wpa_psk_radius != PSK_RADIUS_REQUIRED &&
+		    bss->wpa_psk_radius != PSK_RADIUS_DURING_4WAY_HS) {
 			wpa_printf(MSG_ERROR,
 				   "Line %d: unknown wpa_psk_radius %d",
 				   line, bss->wpa_psk_radius);
@@ -3139,6 +3097,7 @@
 				   line, pos);
 			return 1;
 		}
+		conf->hw_mode_set = true;
 	} else if (os_strcmp(buf, "wps_rf_bands") == 0) {
 		if (os_strcmp(pos, "ad") == 0)
 			bss->wps_rf_bands = WPS_RF_60GHZ;
@@ -3193,6 +3152,8 @@
 		conf->acs_freq_list_present = 1;
 	} else if (os_strcmp(buf, "acs_exclude_6ghz_non_psc") == 0) {
 		conf->acs_exclude_6ghz_non_psc = atoi(pos);
+	} else if (os_strcmp(buf, "enable_background_radar") == 0) {
+		conf->enable_background_radar = atoi(pos);
 	} else if (os_strcmp(buf, "min_tx_power") == 0) {
 		int val = atoi(pos);
 
@@ -3642,6 +3603,8 @@
 				   line, pos);
 			return 1;
 		}
+	} else if (os_strcmp(buf, "he_6ghz_reg_pwr_type") == 0) {
+		conf->he_6ghz_reg_pwr_type = atoi(pos);
 	} else if (os_strcmp(buf, "he_oper_chwidth") == 0) {
 		conf->he_oper_chwidth = atoi(pos);
 	} else if (os_strcmp(buf, "he_oper_centr_freq_seg0_idx") == 0) {
@@ -4301,6 +4264,8 @@
 		conf->skip_send_eapol = atoi(pos);
 	} else if (os_strcmp(buf, "enable_eapol_large_timeout") == 0) {
 		conf->enable_eapol_large_timeout = atoi(pos);
+	} else if (os_strcmp(buf, "eap_skip_prot_success") == 0) {
+		bss->eap_skip_prot_success = atoi(pos);
 #endif /* CONFIG_TESTING_OPTIONS */
 #ifdef CONFIG_SAE
 	} else if (os_strcmp(buf, "sae_password") == 0) {
@@ -4665,6 +4630,16 @@
 			return 1;
 		}
 		bss->mka_priority = mka_priority;
+	} else if (os_strcmp(buf, "macsec_csindex") == 0) {
+		int macsec_csindex = atoi(pos);
+
+		if (macsec_csindex < 0 || macsec_csindex > 1) {
+			wpa_printf(MSG_ERROR,
+				   "Line %d: invalid macsec_csindex (%d): '%s'.",
+				   line, macsec_csindex, pos);
+			return 1;
+		}
+		bss->macsec_csindex = macsec_csindex;
 	} else if (os_strcmp(buf, "mka_cak") == 0) {
 		size_t len = os_strlen(pos);
 
@@ -4701,6 +4676,8 @@
 		bss->disable_11ac = !!atoi(pos);
 	} else if (os_strcmp(buf, "disable_11ax") == 0) {
 		bss->disable_11ax = !!atoi(pos);
+	} else if (os_strcmp(buf, "disable_11be") == 0) {
+		bss->disable_11be = !!atoi(pos);
 #ifdef CONFIG_PASN
 #ifdef CONFIG_TESTING_OPTIONS
 	} else if (os_strcmp(buf, "force_kdk_derivation") == 0) {
@@ -4728,6 +4705,20 @@
 			return 1;
 	} else if (os_strcmp(buf, "rnr") == 0) {
 		bss->rnr = atoi(pos);
+#ifdef CONFIG_IEEE80211BE
+	} else if (os_strcmp(buf, "ieee80211be") == 0) {
+		conf->ieee80211be = atoi(pos);
+	} else if (os_strcmp(buf, "eht_oper_chwidth") == 0) {
+		conf->eht_oper_chwidth = atoi(pos);
+	} else if (os_strcmp(buf, "eht_oper_centr_freq_seg0_idx") == 0) {
+		conf->eht_oper_centr_freq_seg0_idx = atoi(pos);
+	} else if (os_strcmp(buf, "eht_su_beamformer") == 0) {
+		conf->eht_phy_capab.su_beamformer = atoi(pos);
+	} else if (os_strcmp(buf, "eht_su_beamformee") == 0) {
+		conf->eht_phy_capab.su_beamformee = atoi(pos);
+	} else if (os_strcmp(buf, "eht_mu_beamformer") == 0) {
+		conf->eht_phy_capab.mu_beamformer = atoi(pos);
+#endif /* CONFIG_IEEE80211BE */
 	} else {
 		wpa_printf(MSG_ERROR,
 			   "Line %d: unknown configuration item '%s'",
diff --git a/hostapd/config_file.h b/hostapd/config_file.h
index 9830f5a..c98bdb6 100644
--- a/hostapd/config_file.h
+++ b/hostapd/config_file.h
@@ -13,10 +13,5 @@
 int hostapd_set_iface(struct hostapd_config *conf,
 		      struct hostapd_bss_config *bss, const char *field,
 		      char *value);
-int hostapd_acl_comp(const void *a, const void *b);
-int hostapd_add_acl_maclist(struct mac_acl_entry **acl, int *num,
-			    int vlan_id, const u8 *addr);
-void hostapd_remove_acl_mac(struct mac_acl_entry **acl, int *num,
-			    const u8 *addr);
 
 #endif /* CONFIG_FILE_H */
diff --git a/hostapd/ctrl_iface.c b/hostapd/ctrl_iface.c
index a62f3c7..ad994d4 100644
--- a/hostapd/ctrl_iface.c
+++ b/hostapd/ctrl_iface.c
@@ -772,235 +772,6 @@
 
 #ifdef CONFIG_WNM_AP
 
-static int hostapd_ctrl_iface_disassoc_imminent(struct hostapd_data *hapd,
-						const char *cmd)
-{
-	u8 addr[ETH_ALEN];
-	int disassoc_timer;
-	struct sta_info *sta;
-
-	if (hwaddr_aton(cmd, addr))
-		return -1;
-	if (cmd[17] != ' ')
-		return -1;
-	disassoc_timer = atoi(cmd + 17);
-
-	sta = ap_get_sta(hapd, addr);
-	if (sta == NULL) {
-		wpa_printf(MSG_DEBUG, "Station " MACSTR
-			   " not found for disassociation imminent message",
-			   MAC2STR(addr));
-		return -1;
-	}
-
-	return wnm_send_disassoc_imminent(hapd, sta, disassoc_timer);
-}
-
-
-static int hostapd_ctrl_iface_ess_disassoc(struct hostapd_data *hapd,
-					   const char *cmd)
-{
-	u8 addr[ETH_ALEN];
-	const char *url, *timerstr;
-	int disassoc_timer;
-	struct sta_info *sta;
-
-	if (hwaddr_aton(cmd, addr))
-		return -1;
-
-	sta = ap_get_sta(hapd, addr);
-	if (sta == NULL) {
-		wpa_printf(MSG_DEBUG, "Station " MACSTR
-			   " not found for ESS disassociation imminent message",
-			   MAC2STR(addr));
-		return -1;
-	}
-
-	timerstr = cmd + 17;
-	if (*timerstr != ' ')
-		return -1;
-	timerstr++;
-	disassoc_timer = atoi(timerstr);
-	if (disassoc_timer < 0 || disassoc_timer > 65535)
-		return -1;
-
-	url = os_strchr(timerstr, ' ');
-	if (url == NULL)
-		return -1;
-	url++;
-
-	return wnm_send_ess_disassoc_imminent(hapd, sta, url, disassoc_timer);
-}
-
-
-static int hostapd_ctrl_iface_bss_tm_req(struct hostapd_data *hapd,
-					 const char *cmd)
-{
-	u8 addr[ETH_ALEN];
-	const char *pos, *end;
-	int disassoc_timer = 0;
-	struct sta_info *sta;
-	u8 req_mode = 0, valid_int = 0x01, dialog_token = 0x01;
-	u8 bss_term_dur[12];
-	char *url = NULL;
-	int ret;
-	u8 nei_rep[1000];
-	int nei_len;
-	u8 mbo[10];
-	size_t mbo_len = 0;
-
-	if (hwaddr_aton(cmd, addr)) {
-		wpa_printf(MSG_DEBUG, "Invalid STA MAC address");
-		return -1;
-	}
-
-	sta = ap_get_sta(hapd, addr);
-	if (sta == NULL) {
-		wpa_printf(MSG_DEBUG, "Station " MACSTR
-			   " not found for BSS TM Request message",
-			   MAC2STR(addr));
-		return -1;
-	}
-
-	pos = os_strstr(cmd, " disassoc_timer=");
-	if (pos) {
-		pos += 16;
-		disassoc_timer = atoi(pos);
-		if (disassoc_timer < 0 || disassoc_timer > 65535) {
-			wpa_printf(MSG_DEBUG, "Invalid disassoc_timer");
-			return -1;
-		}
-	}
-
-	pos = os_strstr(cmd, " valid_int=");
-	if (pos) {
-		pos += 11;
-		valid_int = atoi(pos);
-	}
-
-	pos = os_strstr(cmd, " dialog_token=");
-	if (pos) {
-		pos += 14;
-		dialog_token = atoi(pos);
-	}
-
-	pos = os_strstr(cmd, " bss_term=");
-	if (pos) {
-		pos += 10;
-		req_mode |= WNM_BSS_TM_REQ_BSS_TERMINATION_INCLUDED;
-		/* TODO: TSF configurable/learnable */
-		bss_term_dur[0] = 4; /* Subelement ID */
-		bss_term_dur[1] = 10; /* Length */
-		os_memset(&bss_term_dur[2], 0, 8);
-		end = os_strchr(pos, ',');
-		if (end == NULL) {
-			wpa_printf(MSG_DEBUG, "Invalid bss_term data");
-			return -1;
-		}
-		end++;
-		WPA_PUT_LE16(&bss_term_dur[10], atoi(end));
-	}
-
-	nei_len = ieee802_11_parse_candidate_list(cmd, nei_rep,
-						  sizeof(nei_rep));
-	if (nei_len < 0)
-		return -1;
-
-	pos = os_strstr(cmd, " url=");
-	if (pos) {
-		size_t len;
-		pos += 5;
-		end = os_strchr(pos, ' ');
-		if (end)
-			len = end - pos;
-		else
-			len = os_strlen(pos);
-		url = os_malloc(len + 1);
-		if (url == NULL)
-			return -1;
-		os_memcpy(url, pos, len);
-		url[len] = '\0';
-		req_mode |= WNM_BSS_TM_REQ_ESS_DISASSOC_IMMINENT;
-	}
-
-	if (os_strstr(cmd, " pref=1"))
-		req_mode |= WNM_BSS_TM_REQ_PREF_CAND_LIST_INCLUDED;
-	if (os_strstr(cmd, " abridged=1"))
-		req_mode |= WNM_BSS_TM_REQ_ABRIDGED;
-	if (os_strstr(cmd, " disassoc_imminent=1"))
-		req_mode |= WNM_BSS_TM_REQ_DISASSOC_IMMINENT;
-
-#ifdef CONFIG_MBO
-	pos = os_strstr(cmd, "mbo=");
-	if (pos) {
-		unsigned int mbo_reason, cell_pref, reassoc_delay;
-		u8 *mbo_pos = mbo;
-
-		ret = sscanf(pos, "mbo=%u:%u:%u", &mbo_reason,
-			     &reassoc_delay, &cell_pref);
-		if (ret != 3) {
-			wpa_printf(MSG_DEBUG,
-				   "MBO requires three arguments: mbo=<reason>:<reassoc_delay>:<cell_pref>");
-			ret = -1;
-			goto fail;
-		}
-
-		if (mbo_reason > MBO_TRANSITION_REASON_PREMIUM_AP) {
-			wpa_printf(MSG_DEBUG,
-				   "Invalid MBO transition reason code %u",
-				   mbo_reason);
-			ret = -1;
-			goto fail;
-		}
-
-		/* Valid values for Cellular preference are: 0, 1, 255 */
-		if (cell_pref != 0 && cell_pref != 1 && cell_pref != 255) {
-			wpa_printf(MSG_DEBUG,
-				   "Invalid MBO cellular capability %u",
-				   cell_pref);
-			ret = -1;
-			goto fail;
-		}
-
-		if (reassoc_delay > 65535 ||
-		    (reassoc_delay &&
-		     !(req_mode & WNM_BSS_TM_REQ_DISASSOC_IMMINENT))) {
-			wpa_printf(MSG_DEBUG,
-				   "MBO: Assoc retry delay is only valid in disassoc imminent mode");
-			ret = -1;
-			goto fail;
-		}
-
-		*mbo_pos++ = MBO_ATTR_ID_TRANSITION_REASON;
-		*mbo_pos++ = 1;
-		*mbo_pos++ = mbo_reason;
-		*mbo_pos++ = MBO_ATTR_ID_CELL_DATA_PREF;
-		*mbo_pos++ = 1;
-		*mbo_pos++ = cell_pref;
-
-		if (reassoc_delay) {
-			*mbo_pos++ = MBO_ATTR_ID_ASSOC_RETRY_DELAY;
-			*mbo_pos++ = 2;
-			WPA_PUT_LE16(mbo_pos, reassoc_delay);
-			mbo_pos += 2;
-		}
-
-		mbo_len = mbo_pos - mbo;
-	}
-#endif /* CONFIG_MBO */
-
-	ret = wnm_send_bss_tm_req(hapd, sta, req_mode, disassoc_timer,
-				  valid_int, bss_term_dur, dialog_token, url,
-				  nei_len ? nei_rep : NULL, nei_len,
-				  mbo_len ? mbo : NULL, mbo_len);
-#ifdef CONFIG_MBO
-fail:
-#endif /* CONFIG_MBO */
-	os_free(url);
-	return ret;
-}
-
-
 static int hostapd_ctrl_iface_coloc_intf_req(struct hostapd_data *hapd,
 					     const char *cmd)
 {
@@ -1362,43 +1133,6 @@
 }
 
 
-static void hostapd_disassoc_accept_mac(struct hostapd_data *hapd)
-{
-	struct sta_info *sta;
-	struct vlan_description vlan_id;
-
-	if (hapd->conf->macaddr_acl != DENY_UNLESS_ACCEPTED)
-		return;
-
-	for (sta = hapd->sta_list; sta; sta = sta->next) {
-		if (!hostapd_maclist_found(hapd->conf->accept_mac,
-					   hapd->conf->num_accept_mac,
-					   sta->addr, &vlan_id) ||
-		    (vlan_id.notempty &&
-		     vlan_compare(&vlan_id, sta->vlan_desc)))
-			ap_sta_disconnect(hapd, sta, sta->addr,
-					  WLAN_REASON_UNSPECIFIED);
-	}
-}
-
-
-static void hostapd_disassoc_deny_mac(struct hostapd_data *hapd)
-{
-	struct sta_info *sta;
-	struct vlan_description vlan_id;
-
-	for (sta = hapd->sta_list; sta; sta = sta->next) {
-		if (hostapd_maclist_found(hapd->conf->deny_mac,
-					  hapd->conf->num_deny_mac, sta->addr,
-					  &vlan_id) &&
-		    (!vlan_id.notempty ||
-		     !vlan_compare(&vlan_id, sta->vlan_desc)))
-			ap_sta_disconnect(hapd, sta, sta->addr,
-					  WLAN_REASON_UNSPECIFIED);
-	}
-}
-
-
 static int hostapd_ctrl_iface_set_band(struct hostapd_data *hapd,
 				       const char *bands)
 {
@@ -1519,6 +1253,9 @@
 	} else if (os_strcasecmp(cmd, "dpp_configurator_params") == 0) {
 		os_free(hapd->dpp_configurator_params);
 		hapd->dpp_configurator_params = os_strdup(value);
+#ifdef CONFIG_DPP2
+		dpp_controller_set_params(hapd->iface->interfaces->dpp, value);
+#endif /* CONFIG_DPP2 */
 	} else if (os_strcasecmp(cmd, "dpp_init_max_tries") == 0) {
 		hapd->dpp_init_max_tries = atoi(value);
 	} else if (os_strcasecmp(cmd, "dpp_init_retry_time") == 0) {
@@ -2838,7 +2575,7 @@
 
 	for (i = 0; i < iface->num_bss; i++) {
 
-		/* Save CHAN_SWITCH VHT and HE config */
+		/* Save CHAN_SWITCH VHT, HE, and EHT config */
 		hostapd_chan_switch_config(iface->bss[i],
 					   &settings.freq_params);
 
@@ -3383,80 +3120,6 @@
 }
 
 
-static int hostapd_ctrl_iface_acl_del_mac(struct mac_acl_entry **acl, int *num,
-					  const char *txtaddr)
-{
-	u8 addr[ETH_ALEN];
-	struct vlan_description vlan_id;
-
-	if (!(*num))
-		return 0;
-
-	if (hwaddr_aton(txtaddr, addr))
-		return -1;
-
-	if (hostapd_maclist_found(*acl, *num, addr, &vlan_id))
-		hostapd_remove_acl_mac(acl, num, addr);
-
-	return 0;
-}
-
-
-static void hostapd_ctrl_iface_acl_clear_list(struct mac_acl_entry **acl,
-					      int *num)
-{
-	while (*num)
-		hostapd_remove_acl_mac(acl, num, (*acl)[0].addr);
-}
-
-
-static int hostapd_ctrl_iface_acl_show_mac(struct mac_acl_entry *acl, int num,
-					   char *buf, size_t buflen)
-{
-	int i = 0, len = 0, ret = 0;
-
-	if (!acl)
-		return 0;
-
-	while (i < num) {
-		ret = os_snprintf(buf + len, buflen - len,
-				  MACSTR " VLAN_ID=%d\n",
-				  MAC2STR(acl[i].addr),
-				  acl[i].vlan_id.untagged);
-		if (ret < 0 || (size_t) ret >= buflen - len)
-			return len;
-		i++;
-		len += ret;
-	}
-	return len;
-}
-
-
-static int hostapd_ctrl_iface_acl_add_mac(struct mac_acl_entry **acl, int *num,
-					  const char *cmd)
-{
-	u8 addr[ETH_ALEN];
-	struct vlan_description vlan_id;
-	int ret = 0, vlanid = 0;
-	const char *pos;
-
-	if (hwaddr_aton(cmd, addr))
-		return -1;
-
-	pos = os_strstr(cmd, "VLAN_ID=");
-	if (pos)
-		vlanid = atoi(pos + 8);
-
-	if (!hostapd_maclist_found(*acl, *num, addr, &vlan_id)) {
-		ret = hostapd_add_acl_maclist(acl, num, vlanid, addr);
-		if (ret != -1 && *acl)
-			qsort(*acl, *num, sizeof(**acl), hostapd_acl_comp);
-	}
-
-	return ret < 0 ? -1 : 0;
-}
-
-
 static int hostapd_ctrl_iface_get_capability(struct hostapd_data *hapd,
 					     const char *field, char *buf,
 					     size_t buflen)
@@ -3832,14 +3495,15 @@
 		if (os_strncmp(buf + 11, "ADD_MAC ", 8) == 0) {
 			if (hostapd_ctrl_iface_acl_add_mac(
 				    &hapd->conf->accept_mac,
-				    &hapd->conf->num_accept_mac, buf + 19))
+				    &hapd->conf->num_accept_mac, buf + 19) ||
+			    hostapd_set_acl(hapd))
 				reply_len = -1;
 		} else if (os_strncmp((buf + 11), "DEL_MAC ", 8) == 0) {
-			if (!hostapd_ctrl_iface_acl_del_mac(
+			if (hostapd_ctrl_iface_acl_del_mac(
 				    &hapd->conf->accept_mac,
-				    &hapd->conf->num_accept_mac, buf + 19))
-				hostapd_disassoc_accept_mac(hapd);
-			else
+				    &hapd->conf->num_accept_mac, buf + 19) ||
+			    hostapd_set_acl(hapd) ||
+			    hostapd_disassoc_accept_mac(hapd))
 				reply_len = -1;
 		} else if (os_strcmp(buf + 11, "SHOW") == 0) {
 			reply_len = hostapd_ctrl_iface_acl_show_mac(
@@ -3849,20 +3513,23 @@
 			hostapd_ctrl_iface_acl_clear_list(
 				&hapd->conf->accept_mac,
 				&hapd->conf->num_accept_mac);
-			hostapd_disassoc_accept_mac(hapd);
+			if (hostapd_set_acl(hapd) ||
+			    hostapd_disassoc_accept_mac(hapd))
+				reply_len = -1;
 		}
 	} else if (os_strncmp(buf, "DENY_ACL ", 9) == 0) {
 		if (os_strncmp(buf + 9, "ADD_MAC ", 8) == 0) {
-			if (!hostapd_ctrl_iface_acl_add_mac(
+			if (hostapd_ctrl_iface_acl_add_mac(
 				    &hapd->conf->deny_mac,
-				    &hapd->conf->num_deny_mac, buf + 17))
-				hostapd_disassoc_deny_mac(hapd);
-			else
+				    &hapd->conf->num_deny_mac, buf + 17) ||
+			    hostapd_set_acl(hapd) ||
+			    hostapd_disassoc_deny_mac(hapd))
 				reply_len = -1;
 		} else if (os_strncmp(buf + 9, "DEL_MAC ", 8) == 0) {
 			if (hostapd_ctrl_iface_acl_del_mac(
 				    &hapd->conf->deny_mac,
-				    &hapd->conf->num_deny_mac, buf + 17))
+				    &hapd->conf->num_deny_mac, buf + 17) ||
+			    hostapd_set_acl(hapd))
 				reply_len = -1;
 		} else if (os_strcmp(buf + 9, "SHOW") == 0) {
 			reply_len = hostapd_ctrl_iface_acl_show_mac(
@@ -3872,6 +3539,8 @@
 			hostapd_ctrl_iface_acl_clear_list(
 				&hapd->conf->deny_mac,
 				&hapd->conf->num_deny_mac);
+			if (hostapd_set_acl(hapd))
+				reply_len = -1;
 		}
 #ifdef CONFIG_DPP
 	} else if (os_strncmp(buf, "DPP_QR_CODE ", 12) == 0) {
@@ -3963,6 +3632,10 @@
 			if (os_snprintf_error(reply_size, reply_len))
 				reply_len = -1;
 		}
+	} else if (os_strncmp(buf, "DPP_CONFIGURATOR_SET ", 21) == 0) {
+		if (dpp_configurator_set(hapd->iface->interfaces->dpp,
+					 buf + 20) < 0)
+			reply_len = -1;
 	} else if (os_strncmp(buf, "DPP_CONFIGURATOR_REMOVE ", 24) == 0) {
 		if (dpp_configurator_remove(hapd->iface->interfaces->dpp,
 					    buf + 24) < 0)
diff --git a/hostapd/defconfig b/hostapd/defconfig
index 2855acd..6a41dcf 100644
--- a/hostapd/defconfig
+++ b/hostapd/defconfig
@@ -156,10 +156,20 @@
 #CONFIG_IEEE80211AC=y
 
 # IEEE 802.11ax HE support
+#CONFIG_IEEE80211AX=y
+
+# IEEE 802.11be EHT support
+# CONFIG_IEEE80211AX is mandatory for setting CONFIG_IEEE80211BE.
 # Note: This is experimental and work in progress. The definitions are still
 # subject to change and this should not be expected to interoperate with the
-# final IEEE 802.11ax version.
-#CONFIG_IEEE80211AX=y
+# final IEEE 802.11be version.
+#CONFIG_IEEE80211BE=y
+
+# Simultaneous Authentication of Equals (SAE), WPA3-Personal
+#CONFIG_SAE=y
+
+# SAE Public Key, WPA3-Personal
+#CONFIG_SAE_PK=y
 
 # Remove debugging code that is printing out debug messages to stdout.
 # This can be used to reduce the size of the hostapd considerably if debugging
diff --git a/hostapd/hostapd.conf b/hostapd/hostapd.conf
index 3c2019f..f37d563 100644
--- a/hostapd/hostapd.conf
+++ b/hostapd/hostapd.conf
@@ -225,6 +225,16 @@
 # Default behavior is to include all PSC and non-PSC channels.
 #acs_exclude_6ghz_non_psc=1
 
+# Enable background radar feature
+# This feature allows CAC to be run on dedicated radio RF chains while the
+# radio(s) are otherwise running normal AP activities on other channels.
+# This requires that the driver and the radio support it before feature will
+# actually be enabled, i.e., this parameter value is ignored with drivers that
+# do not advertise support for the capability.
+# 0: Leave disabled (default)
+# 1: Enable it.
+#enable_background_radar=1
+
 # Set minimum permitted max TX power (in dBm) for ACS and DFS channel selection.
 # (default 0, i.e., not constraint)
 #min_tx_power=20
@@ -965,6 +975,13 @@
 #     (default)
 #he_6ghz_tx_ant_pat=1
 
+# 6 GHz Access Point type
+# This config is to set the 6 GHz Access Point type. Possible options are:
+# 0 = Indoor AP (default)
+# 1 = Standard Power AP
+# This has no impact for operation on other bands.
+#he_6ghz_reg_pwr_type=0
+
 # Unsolicited broadcast Probe Response transmission settings
 # This is for the 6 GHz band only. If the interval is set to a non-zero value,
 # the AP schedules unsolicited broadcast Probe Response frames to be
@@ -973,6 +990,40 @@
 # Valid range: 0..20 TUs; default is 0 (disabled)
 #unsol_bcast_probe_resp_interval=0
 
+##### IEEE 802.11be related configuration #####################################
+
+#ieee80211be: Whether IEEE 802.11be (EHT) is enabled
+# 0 = disabled (default)
+# 1 = enabled
+#ieee80211be=1
+
+#disable_11be: Boolean (0/1) to disable EHT for a specific BSS
+#disable_11be=0
+
+#eht_su_beamformer: EHT single user beamformer support
+# 0 = not supported (default)
+# 1 = supported
+#eht_su_beamformer=1
+
+#eht_su_beamformee: EHT single user beamformee support
+# 0 = not supported (default)
+# 1 = supported
+#eht_su_beamformee=1
+
+#eht_mu_beamformer: EHT multiple user beamformer support
+# 0 = not supported (default)
+# 1 = supported
+#eht_mu_beamformer=1
+
+# EHT operating channel information; see matching he_* parameters for details.
+# The field eht_oper_centr_freq_seg0_idx field is used to indicate center
+# frequency of 40, 80, and 160 MHz bandwidth operation.
+# In the 6 GHz band, eht_oper_chwidth is ignored and the channel width is
+# derived from the configured operating class (IEEE P802.11be/D1.5,
+# Annex E.1 - Country information and operating classes).
+#eht_oper_chwidth
+#eht_oper_centr_freq_seg0_idx
+
 ##### IEEE 802.1X-2004 related configuration ##################################
 
 # Require IEEE 802.1X authorization
@@ -1070,6 +1121,10 @@
 # mka_priority (Priority of MKA Actor)
 # Range: 0..255 (default: 255)
 #
+# macsec_csindex: IEEE 802.1X/MACsec cipher suite
+# 0 = GCM-AES-128 (default)
+# 1 = GCM-AES-256 (default)
+#
 # mka_cak, mka_ckn, and mka_priority: IEEE 802.1X/MACsec pre-shared key mode
 # This allows to configure MACsec with a pre-shared key using a (CAK,CKN) pair.
 # In this mode, instances of hostapd can act as MACsec peers. The peer
@@ -1243,12 +1298,11 @@
 
 # dh_file: File path to DH/DSA parameters file (in PEM format)
 # This is an optional configuration file for setting parameters for an
-# ephemeral DH key exchange. In most cases, the default RSA authentication does
-# not use this configuration. However, it is possible setup RSA to use
-# ephemeral DH key exchange. In addition, ciphers with DSA keys always use
-# ephemeral DH keys. This can be used to achieve forward secrecy. If the file
-# is in DSA parameters format, it will be automatically converted into DH
-# params. This parameter is required if anonymous EAP-FAST is used.
+# ephemeral DH key exchange. If the file is in DSA parameters format, it will
+# be automatically converted into DH params. If the used TLS library supports
+# automatic DH parameter selection, that functionality will be used if this
+# parameter is not set. DH parameters are required if anonymous EAP-FAST is
+# used.
 # You can generate DH parameters file with OpenSSL, e.g.,
 # "openssl dhparam -out /etc/hostapd.dh.pem 2048"
 #dh_file=/etc/hostapd.dh.pem
@@ -1369,6 +1423,10 @@
 # 3 = use pseudonyms and use fast reauthentication (default)
 #eap_sim_id=3
 
+# IMSI privacy key (PEM encoded RSA 2048-bit private key) for decrypting
+# permanent identity when using EAP-SIM/AKA/AKA'.
+#imsi_privacy_key=imsi-privacy-key.pem
+
 # Trusted Network Connect (TNC)
 # If enabled, TNC validation will be required before the peer is allowed to
 # connect. Note: This is only used with EAP-TTLS and EAP-FAST. If any other
@@ -1651,12 +1709,15 @@
 #wpa_psk_file=/etc/hostapd.wpa_psk
 
 # Optionally, WPA passphrase can be received from RADIUS authentication server
-# This requires macaddr_acl to be set to 2 (RADIUS)
+# This requires macaddr_acl to be set to 2 (RADIUS) for wpa_psk_radius values
+# 1 and 2.
 # 0 = disabled (default)
 # 1 = optional; use default passphrase/psk if RADIUS server does not include
 #	Tunnel-Password
 # 2 = required; reject authentication if RADIUS server does not include
 #	Tunnel-Password
+# 3 = ask RADIUS server during 4-way handshake if there is no locally
+#	configured PSK/passphrase for the STA
 #wpa_psk_radius=0
 
 # Set of accepted key management algorithms (WPA-PSK, WPA-EAP, or both). The
diff --git a/hostapd/hostapd_cli.c b/hostapd/hostapd_cli.c
index 2609121..60396f3 100644
--- a/hostapd/hostapd_cli.c
+++ b/hostapd/hostapd_cli.c
@@ -1169,7 +1169,7 @@
 		       "arguments (count and freq)\n"
 		       "usage: <cs_count> <freq> [sec_channel_offset=] "
 		       "[center_freq1=] [center_freq2=] [bandwidth=] "
-		       "[blocktx] [ht|vht]\n");
+		       "[blocktx] [ht|vht|he|eht]\n");
 		return -1;
 	}
 
diff --git a/hostapd/main.c b/hostapd/main.c
index d028fb5..eab57b6 100644
--- a/hostapd/main.c
+++ b/hostapd/main.c
@@ -15,6 +15,7 @@
 #include "utils/common.h"
 #include "utils/eloop.h"
 #include "utils/uuid.h"
+#include "crypto/crypto.h"
 #include "crypto/random.h"
 #include "crypto/tls.h"
 #include "common/version.h"
@@ -725,7 +726,6 @@
 		case 'v':
 			show_version();
 			exit(1);
-			break;
 		case 'g':
 			if (hostapd_get_global_ctrl_iface(&interfaces, optarg))
 				return -1;
@@ -947,6 +947,7 @@
 
 	fst_global_deinit();
 
+	crypto_unload();
 	os_program_deinit();
 
 	return ret;