Merge branch 'bugfix/analyzer_issues_supplicant_v5.1' into 'release/v5.1'

fix(esp_wifi): fix some analyzer issues (v5.1)

See merge request espressif/esp-idf!36833

components/efuse/esp32c2/esp_efuse_rtc_calib.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -107,7 +107,18 @@ esp_err_t esp_efuse_rtc_calib_get_cal_voltage(int version, uint32_t adc_unit, in
 
 esp_err_t esp_efuse_rtc_calib_get_tsens_val(float* tsens_cal)
 {
-    // Currently calibration is not supported on ESP32-C2, IDF-5236
-    *tsens_cal = 0.0;
+    const esp_efuse_desc_t** cal_temp_efuse;
+    cal_temp_efuse = ESP_EFUSE_TEMP_CALIB;
+    int cal_temp_size = esp_efuse_get_field_size(cal_temp_efuse);
+    assert(cal_temp_size == 9);
+
+    uint32_t cal_temp = 0;
+    esp_err_t err = esp_efuse_read_field_blob(cal_temp_efuse, &cal_temp, cal_temp_size);
+    if (err != ESP_OK) {
+        *tsens_cal = 0.0;
+        return err;
+    }
+    // BIT(8) stands for sign: 1: negative, 0: positive
+    *tsens_cal = ((cal_temp & BIT(8)) != 0)? -(uint8_t)cal_temp: (uint8_t)cal_temp;
     return ESP_OK;
 }

components/efuse/esp32c6/esp_efuse_rtc_calib.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -132,7 +132,18 @@ esp_err_t esp_efuse_rtc_calib_get_cal_voltage(int version, uint32_t adc_unit, in
 
 esp_err_t esp_efuse_rtc_calib_get_tsens_val(float* tsens_cal)
 {
-    // Currently calibration is not supported on ESP32-C6, IDF-5236
-    *tsens_cal = 0;
+    const esp_efuse_desc_t** cal_temp_efuse;
+    cal_temp_efuse = ESP_EFUSE_TEMP_CALIB;
+    int cal_temp_size = esp_efuse_get_field_size(cal_temp_efuse);
+    assert(cal_temp_size == 9);
+
+    uint32_t cal_temp = 0;
+    esp_err_t err = esp_efuse_read_field_blob(cal_temp_efuse, &cal_temp, cal_temp_size);
+    if (err != ESP_OK) {
+        *tsens_cal = 0.0;
+        return err;
+    }
+    // BIT(8) stands for sign: 1: negative, 0: positive
+    *tsens_cal = ((cal_temp & BIT(8)) != 0)? -(uint8_t)cal_temp: (uint8_t)cal_temp;
     return ESP_OK;
 }

components/efuse/esp32h2/esp_efuse_rtc_calib.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -124,7 +124,18 @@ esp_err_t esp_efuse_rtc_calib_get_cal_voltage(int version, uint32_t adc_unit, in
 
 esp_err_t esp_efuse_rtc_calib_get_tsens_val(float* tsens_cal)
 {
-    // Currently calibration is not supported on ESP32-H2, IDF-5236
-    *tsens_cal = 0;
+    const esp_efuse_desc_t** cal_temp_efuse;
+    cal_temp_efuse = ESP_EFUSE_TEMP_CALIB;
+    int cal_temp_size = esp_efuse_get_field_size(cal_temp_efuse);
+    assert(cal_temp_size == 9);
+
+    uint32_t cal_temp = 0;
+    esp_err_t err = esp_efuse_read_field_blob(cal_temp_efuse, &cal_temp, cal_temp_size);
+    if (err != ESP_OK) {
+        *tsens_cal = 0.0;
+        return err;
+    }
+    // BIT(8) stands for sign: 1: negative, 0: positive
+    *tsens_cal = ((cal_temp & BIT(8)) != 0)? -(uint8_t)cal_temp: (uint8_t)cal_temp;
     return ESP_OK;
 }

components/esp_hw_support/include/esp_sleep.h

@@ -415,8 +415,10 @@ esp_err_t esp_sleep_enable_ext1_wakeup_with_level_mask(uint64_t io_mask, uint64_
  *
  * This function enables an IO pin to wake up the chip from deep sleep.
  *
- * @note This function does not modify pin configuration. The pins are
- *       configured inside esp_deep_sleep_start, immediately before entering sleep mode.
+ * @note 1.This function does not modify pin configuration. The pins are configured
+ *          inside `esp_deep_sleep_start`, immediately before entering sleep mode.
+ *       2.This function is also applicable to waking up the lightsleep when the peripheral
+ *         power domain is powered off, see PM_POWER_DOWN_PERIPHERAL_IN_LIGHT_SLEEP in menuconfig.
  *
  * @note You don't need to worry about pull-up or pull-down resistors before
  *       using this function because the ESP_SLEEP_GPIO_ENABLE_INTERNAL_RESISTORS
@@ -451,7 +453,12 @@ esp_err_t esp_deep_sleep_enable_gpio_wakeup(uint64_t gpio_pin_mask, esp_deepslee
  * wakeup level, for each GPIO which is used for wakeup.
  * Then call this function to enable wakeup feature.
  *
- * @note On ESP32, GPIO wakeup source can not be used together with touch or ULP wakeup sources.
+ * @note 1. On ESP32, GPIO wakeup source can not be used together with touch or ULP wakeup sources.
+ *       2. If PM_POWER_DOWN_PERIPHERAL_IN_LIGHT_SLEEP is enabled (if target supported),
+ *          this API is unavailable since the GPIO module is powered down during sleep.
+ *          You can use `esp_deep_sleep_enable_gpio_wakeup` instead, or use EXT1 wakeup source
+ *          by `esp_sleep_enable_ext1_wakeup_io` to achieve the same function.
+ *          (Only GPIOs which have RTC functionality can be used)
  *
  * @return
  *      - ESP_OK on success
@@ -467,7 +474,9 @@ esp_err_t esp_sleep_enable_gpio_wakeup(void);
  * Wakeup from light sleep takes some time, so not every character sent
  * to the UART can be received by the application.
  *
- * @note ESP32 does not support wakeup from UART2.
+ * @note 1. ESP32 does not support wakeup from UART2.
+ *       2. If PM_POWER_DOWN_PERIPHERAL_IN_LIGHT_SLEEP is enabled (if target supported),
+ *          this API is unavailable since the UART module is powered down during sleep.
  *
  * @param uart_num  UART port to wake up from
  * @return

components/esp_hw_support/sleep_modes.c

@@ -1844,6 +1844,9 @@ esp_err_t esp_deep_sleep_enable_gpio_wakeup(uint64_t gpio_pin_mask, esp_deepslee
 
 esp_err_t esp_sleep_enable_gpio_wakeup(void)
 {
+#if CONFIG_PM_POWER_DOWN_PERIPHERAL_IN_LIGHT_SLEEP
+    ESP_LOGW(TAG, "%s wakeup source is not available if the peripheral power domain is powered down in sleep", "GPIO");
+#endif
 #if CONFIG_IDF_TARGET_ESP32
     if (s_config.wakeup_triggers & (RTC_TOUCH_TRIG_EN | RTC_ULP_TRIG_EN)) {
         ESP_LOGE(TAG, "Conflicting wake-up triggers: touch / ULP");
@@ -1856,6 +1859,9 @@ esp_err_t esp_sleep_enable_gpio_wakeup(void)
 
 esp_err_t esp_sleep_enable_uart_wakeup(int uart_num)
 {
+#if CONFIG_PM_POWER_DOWN_PERIPHERAL_IN_LIGHT_SLEEP
+    ESP_LOGW(TAG, "%s wakeup source is not available if the peripheral power domain is powered down in sleep", "UART");
+#endif
     if (uart_num == UART_NUM_0) {
         s_config.wakeup_triggers |= RTC_UART0_TRIG_EN;
     } else if (uart_num == UART_NUM_1) {

components/esp_pm/Kconfig

@@ -124,12 +124,17 @@ menu "Power Management"
         depends on SOC_PAU_SUPPORTED
         default n #TODO: enable by default if periph init/deinit management supported (WIFI-5252)
         help
-            If enabled, digital peripherals will be powered down in light sleep, it will reduce sleep
-            current consumption by about 100 uA. Chip will save/restore register context at sleep/wake
-            time to keep the system running. Enabling this option will increase static RAM and heap usage,
-            the actual cost depends on the peripherals you have initialized. In order to save/restore the
-            context of the necessary hardware for FreeRTOS to run, it will need at least 4.55 KB free heap
-            at sleep time. Otherwise sleep will not power down the peripherals.
+            If enabled, digital peripherals will try to powered down in light sleep, then all related peripherals will
+            not be available during sleep, including wake-up sources from the peripherals (For detailed availability
+            information, see the note of the corresponding wakeup source enable function).
+            The chip will automatically save/restore register context during sleep/wakeup to make the upper layer
+            user unaware of the peripheral powerdown during sleep. Enabling this option will increase static RAM and
+            heap usage but will also significantly reduce power.
+            consumption during lightsleep, the actual memory cost depends on the peripherals you have initialized,
+            for specific power consumption data in this mode, please refer to Electrical Characteristics section
+            in the chip datasheet.
+            (In order to save/restore the context of the necessary hardware for FreeRTOS to run, it will need
+            at least 4.55 KB free heap at sleep time. Otherwise sleep will not power down the peripherals.)
 
             Note1: Please use this option with caution, the current IDF does not support the retention of
             all peripherals. When the digital peripherals are powered off and a sleep and wake-up is completed,
@@ -144,6 +149,14 @@ menu "Power Management"
             of freertos to not be compensated correctly when returning from sleep and cause the system to crash.
             To avoid this, you can increase FREERTOS_IDLE_TIME_BEFORE_SLEEP threshold in menuconfig.
 
+            Note3: Enabling this option does not necessarily mean that the peripheral power domain will be
+            turned down during sleep. The control priority of `esp_sleep_pd_config` is higher than this option,
+            user code can still prevent the peripheral power domain from powering down during sleep by
+            `esp_sleep_pd_config(ESP_PD_DOMAIN_TOP, ESP_PD_OPTION_ON)`. In addition, whether the peripheral power
+            domain is powered down during sleep also depends on the sleep working strategy selected by the driver.
+            If any module belonging to the peripheral power domain chooses not to be powered down during sleep,
+            then the peripheral power domain will not be powered off either.
+
     config PM_UPDATE_CCOMPARE_HLI_WORKAROUND
         bool
         default y if PM_ENABLE && BTDM_CTRL_HLI

components/esp_rom/patches/esp_rom_cache_esp32s2_esp32s3.c

@@ -21,14 +21,13 @@
 extern uint32_t rom_Cache_Count_Flash_Pages(uint32_t bus, uint32_t * page0_mapped);
 uint32_t Cache_Count_Flash_Pages(uint32_t bus, uint32_t * page0_mapped)
 {
-    uint32_t page0_before_count = *page0_mapped;
     uint32_t flash_pages = 0;
     flash_pages = rom_Cache_Count_Flash_Pages(bus, page0_mapped);
 
-/* No page mapped to page0, in this condition, the rom api will return
+/* No page mapped to page0 yet, in this condition, the rom api will return
  * unexpected value + 1.
  */
-    if (page0_before_count == *page0_mapped) {
+    if (*page0_mapped == 0) {
         flash_pages--;
     }
     return flash_pages;

components/esp_wifi/lib

@@ -1 +1 @@
-Subproject commit 0a4813bef6753fd3d8ebf90b42e88aaa0a19ecab
+Subproject commit 0290111589d4b2efb2b99c30c9b6382fa13b2001

components/wpa_supplicant/esp_supplicant/src/esp_common.c

@@ -782,15 +782,16 @@ int wpa_drv_send_action(struct wpa_supplicant *wpa_s,
 			const u8 *data, size_t data_len,
 			int no_cck)
 {
-	int ret = 0;
-	wifi_mgmt_frm_req_t *req = os_zalloc(sizeof(*req) + data_len);;
-	if (!req)
-		return -1;
+	int ret = -1;
+	wifi_mgmt_frm_req_t *req;
 
 	if (!wpa_s->current_bss) {
-		wpa_printf(MSG_ERROR, "STA not associated, return");
-		ret = -1;
-		goto cleanup;
+		return ret;
+	}
+
+	req = os_zalloc(sizeof(*req) + data_len);
+	if (!req) {
+		return ret;
 	}
 
 	req->ifx = WIFI_IF_STA;
@@ -798,14 +799,14 @@ int wpa_drv_send_action(struct wpa_supplicant *wpa_s,
 	req->data_len = data_len;
 	os_memcpy(req->data, data, req->data_len);
 
-	if (esp_wifi_send_mgmt_frm_internal(req) != 0) {
-		wpa_printf(MSG_ERROR, "action frame sending failed");
-		ret = -1;
-		goto cleanup;
-	}
-	wpa_printf(MSG_INFO, "action frame sent");
+	ret = esp_wifi_send_mgmt_frm_internal(req);
+
+	if (ret != 0) {
+		wpa_printf(MSG_ERROR, "action frame sending failed");
+	} else {
+		wpa_printf(MSG_INFO, "action frame sent");
+	}
 
-cleanup:
 	os_free(req);
 	return ret;
 }

components/wpa_supplicant/esp_supplicant/src/esp_hostap.c

@@ -308,8 +308,7 @@ u16 esp_send_assoc_resp(struct hostapd_data *hapd, const u8 *addr,
     reply = os_zalloc(sizeof(wifi_mgmt_frm_req_t) + sizeof(uint16_t));
     if (!reply) {
         wpa_printf(MSG_ERROR, "failed to allocate memory for assoc response");
-        res = WLAN_STATUS_UNSPECIFIED_FAILURE;
-        goto done;
+        return WLAN_STATUS_UNSPECIFIED_FAILURE;
     }
     reply->ifx = WIFI_IF_AP;
     reply->subtype = subtype;
@@ -322,7 +321,6 @@ u16 esp_send_assoc_resp(struct hostapd_data *hapd, const u8 *addr,
         wpa_printf(MSG_INFO, "esp_send_assoc_resp_failed: send failed");
     }
 #undef ASSOC_RESP_LENGTH
-done:
     os_free(reply);
     return res;
 }

components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2025 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -667,32 +667,39 @@ int esp_send_sae_auth_reply(struct hostapd_data *hapd,
                             u16 auth_alg, u16 auth_transaction, u16 resp,
                             const u8 *ies, size_t ies_len)
 {
-    int reply_res = ESP_FAIL;
-    ies_len += 3 * sizeof(uint16_t);
+    int status = ESP_FAIL;
+    /* Calculate total frame data length (auth_alg + transaction + resp + IEs) */
+    size_t data_len = ies_len + 3 * sizeof(uint16_t);
 
-    wifi_mgmt_frm_req_t *req = os_zalloc(sizeof(*req) + ies_len);
+    wifi_mgmt_frm_req_t *req = os_zalloc(sizeof(*req) + data_len);
     if (!req) {
-        wpa_printf(MSG_ERROR, "failed to send sae auth reply");
-        return reply_res;
+        wpa_printf(MSG_ERROR, "Failed to allocate SAE authentication reply");
+        return status;
+    }
+
+    /* Populate the frame data */
+    ((uint16_t *)req->data)[0] = htole16(auth_alg); /* Authentication algorithm */
+    ((uint16_t *)req->data)[1] = htole16(auth_transaction); /* Transaction number */
+    ((uint16_t *)req->data)[2] = htole16(resp); /* Response code */
+
+    if (ies && ies_len) {
+        os_memcpy(&((uint16_t *)req->data)[3], ies, ies_len);
     }
-    ((uint16_t *)req->data)[0] = htole16(auth_alg);
-    ((uint16_t *)req->data)[1] = htole16(auth_transaction);
-    ((uint16_t *)req->data)[2] = htole16(resp);
-    os_memcpy(&((uint16_t *)req->data)[3], ies, ies_len - 3 * sizeof(uint16_t));
 
     req->ifx = WIFI_IF_AP;
     req->subtype = (WLAN_FC_STYPE_AUTH << 4);
-    req->data_len = ies_len;
+    req->data_len = data_len;
     os_memcpy(req->da, bssid, ETH_ALEN);
 
     if (esp_wifi_send_mgmt_frm_internal(req) != 0) {
-        wpa_printf(MSG_INFO, "%s: send failed", __func__);
+        wpa_printf(MSG_INFO, "%s: SAE authentication reply send failed", __func__);
     } else {
-        reply_res = ESP_OK;
+        status = ESP_OK;
     }
 
     os_free(req);
-    return reply_res;
+
+    return status;
 }
 
 void esp_wifi_register_wpa3_ap_cb(struct wpa_funcs *wpa_cb)

components/wpa_supplicant/src/common/sae_pk.c

@@ -620,6 +620,7 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	int group;
 	struct wpa_supplicant *wpa_s = &g_wpa_supp;
 	struct sae_pk_elems elems;
+	int ret = 0;
 
 	if (!tmp) {
 		return -1;
@@ -650,7 +651,8 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	if (!elems.fils_pk || !elems.fils_key_confirm || !elems.sae_pk) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: Not all mandatory IEs included in confirm");
-		return -1;
+		ret = -1;
+		goto done;
 	}
 
 	/* TODO: Fragment reassembly */
@@ -658,7 +660,8 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	if (elems.sae_pk_len < SAE_PK_M_LEN + AES_BLOCK_SIZE) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: No room for EncryptedModifier in SAE-PK element");
-		return -1;
+		ret = -1;
+		goto done;
 	}
 
 	wpa_hexdump(MSG_DEBUG, "SAE-PK: EncryptedModifier",
@@ -669,14 +672,16 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 						0, NULL, NULL, m) < 0) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: Failed to decrypt EncryptedModifier");
-		return -1;
+		ret = -1;
+		goto done;
 	}
 	wpa_hexdump_key(MSG_DEBUG, "SAE-PK: Modifier M", m, SAE_PK_M_LEN);
 
 	if (elems.fils_pk[0] != 2) {
 		wpa_printf(MSG_INFO, "SAE-PK: Unsupported public key type %u",
 				   elems.fils_pk[0]);
-		return -1;
+		ret = -1;
+		goto done;
 	}
 	k_ap_len = elems.fils_pk_len - 1;
 	k_ap = elems.fils_pk + 1;
@@ -686,13 +691,15 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	key = crypto_ec_key_parse_pub(k_ap, k_ap_len);
 	if (!key) {
 		wpa_printf(MSG_INFO, "SAE-PK: Failed to parse K_AP");
-		return -1;
+		ret = -1;
+		goto done;
 	}
 	group = crypto_ec_key_group(key);
 	if (!sae_pk_valid_fingerprint(sae, m, SAE_PK_M_LEN, k_ap, k_ap_len,
 								  group)) {
 		crypto_ec_key_deinit(key);
-		return -1;
+		ret = -1;
+		goto done;
 	}
 
 	wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
@@ -702,7 +709,8 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	if (sae_pk_hash_sig_data(sae, hash_len, false, m, SAE_PK_M_LEN,
 							 k_ap, k_ap_len, hash) < 0) {
 		crypto_ec_key_deinit(key);
-		return -1;
+		ret = -1;
+		goto done;
 	}
 
 	res = crypto_ec_key_verify_signature(key, hash, hash_len,
@@ -713,12 +721,25 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	if (res != 1) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: Invalid or incorrect signature in KeyAuth");
-		return -1;
+		ret = -1;
+		goto done;
 	}
 
 	wpa_printf(MSG_DEBUG, "SAE-PK: Valid KeyAuth signature received");
 
 	/* TODO: Store validated public key into network profile */
-	return 0;
+done:
+	if (wpa_s->sae_pk_elems.fils_pk) {
+		os_free(wpa_s->sae_pk_elems.fils_pk);
+	}
+	if (wpa_s->sae_pk_elems.sae_pk) {
+		os_free(wpa_s->sae_pk_elems.sae_pk);
+	}
+	if (wpa_s->sae_pk_elems.fils_key_confirm) {
+		os_free(wpa_s->sae_pk_elems.fils_key_confirm);
+	}
+	os_memset(&wpa_s->sae_pk_elems, 0, sizeof(wpa_s->sae_pk_elems));
+
+	return ret;
 }
 #endif /* CONFIG_SAE_PK */

components/wpa_supplicant/src/rsn_supp/wpa.c

@@ -188,21 +188,9 @@ static bool is_wpa2_enterprise_connection(void)
 }
 #endif
 
-/**
- * get_bssid - Get the current BSSID
- * @priv: private driver interface data
- * @bssid: buffer for BSSID (ETH_ALEN = 6 bytes)
- *
- * Returns: 0 on success, -1 on failure
- *
- * Query kernel driver for the current BSSID and copy it to bssid.
- * Setting bssid to 00:00:00:00:00:00 is recommended if the STA is not
- * associated.
- */
-static inline int   wpa_sm_get_bssid(struct wpa_sm *sm, u8 *bssid)
+const u8 * wpa_sm_get_auth_addr(struct wpa_sm *sm)
 {
-    memcpy(bssid, sm->bssid, ETH_ALEN);
-    return 0;
+    return sm->bssid;
 }
 
  /*
@@ -232,11 +220,13 @@ static inline int wpa_sm_ether_send(struct wpa_sm *sm, const u8 *dest, u16 proto
  * @msg_len: Length of message
  * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
  */
-void wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck, size_t kck_len,
+int  wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck, size_t kck_len,
                         int ver, const u8 *dest, u16 proto,
                         u8 *msg, size_t msg_len, u8 *key_mic)
 {
+    int ret = -1;
     if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
+#ifndef ESP_SUPPLICANT
         /*
          * Association event was not yet received; try to fetch
          * BSSID from the driver.
@@ -250,6 +240,9 @@ void wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck, size_t kck_len,
                    ") as the destination for EAPOL-Key",
                    MAC2STR(dest));
         }
+#else
+        return ret;
+#endif
     }
     if (key_mic &&
         wpa_eapol_key_mic(kck, kck_len, sm->key_mgmt, ver, msg, msg_len,
@@ -262,9 +255,9 @@ void wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck, size_t kck_len,
     wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", kck, kck_len);
     wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC", key_mic, wpa_mic_len(sm->key_mgmt, sm->pmk_len));
     wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
-    wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
+    return wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
 out:
-    return;
+    return ret;
 }
 
 /**
@@ -283,7 +276,7 @@ static void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
     struct wpa_eapol_key *reply;
     struct wpa_eapol_key_192 *reply192;
     int key_info, ver;
-    u8 bssid[ETH_ALEN], *rbuf, *key_mic;
+    u8 *rbuf, *key_mic;
 
     if (sm->key_mgmt == WPA_KEY_MGMT_OSEN || wpa_key_mgmt_suite_b(sm->key_mgmt))
         ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
@@ -296,12 +289,6 @@ static void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
     else
         ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
 
-    if (wpa_sm_get_bssid(sm, bssid) < 0) {
-        wpa_printf(MSG_DEBUG, "Failed to read BSSID for EAPOL-Key "
-               "request");
-        return;
-    }
-
     mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
     hdrlen = mic_len == 24 ? sizeof(*reply192) : sizeof(*reply);
     rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
@@ -343,7 +330,7 @@ static void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
     wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key Request (error=%d "
            "pairwise=%d ptk_set=%d len=%lu)",
            error, pairwise, sm->ptk_set, (unsigned long) rlen);
-    wpa_eapol_key_send(sm, sm->ptk.kck, sm->ptk.kck_len, ver, bssid,
+    wpa_eapol_key_send(sm, sm->ptk.kck, sm->ptk.kck_len, ver, wpa_sm_get_auth_addr(sm),
                        ETH_P_EAPOL, rbuf, rlen, key_mic);
     wpa_sm_free_eapol(rbuf);
 }