components/efuse/esp32c2/esp_efuse_rtc_calib.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -107,18 +107,7 @@ esp_err_t esp_efuse_rtc_calib_get_cal_voltage(int version, uint32_t adc_unit, in
 
 esp_err_t esp_efuse_rtc_calib_get_tsens_val(float* tsens_cal)
 {
-    const esp_efuse_desc_t** cal_temp_efuse;
-    cal_temp_efuse = ESP_EFUSE_TEMP_CALIB;
-    int cal_temp_size = esp_efuse_get_field_size(cal_temp_efuse);
-    assert(cal_temp_size == 9);
-
-    uint32_t cal_temp = 0;
-    esp_err_t err = esp_efuse_read_field_blob(cal_temp_efuse, &cal_temp, cal_temp_size);
-    if (err != ESP_OK) {
-        *tsens_cal = 0.0;
-        return err;
-    }
-    // BIT(8) stands for sign: 1: negative, 0: positive
-    *tsens_cal = ((cal_temp & BIT(8)) != 0)? -(uint8_t)cal_temp: (uint8_t)cal_temp;
+    // Currently calibration is not supported on ESP32-C2, IDF-5236
+    *tsens_cal = 0.0;
     return ESP_OK;
 }

components/efuse/esp32c6/esp_efuse_rtc_calib.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -132,18 +132,7 @@ esp_err_t esp_efuse_rtc_calib_get_cal_voltage(int version, uint32_t adc_unit, in
 
 esp_err_t esp_efuse_rtc_calib_get_tsens_val(float* tsens_cal)
 {
-    const esp_efuse_desc_t** cal_temp_efuse;
-    cal_temp_efuse = ESP_EFUSE_TEMP_CALIB;
-    int cal_temp_size = esp_efuse_get_field_size(cal_temp_efuse);
-    assert(cal_temp_size == 9);
-
-    uint32_t cal_temp = 0;
-    esp_err_t err = esp_efuse_read_field_blob(cal_temp_efuse, &cal_temp, cal_temp_size);
-    if (err != ESP_OK) {
-        *tsens_cal = 0.0;
-        return err;
-    }
-    // BIT(8) stands for sign: 1: negative, 0: positive
-    *tsens_cal = ((cal_temp & BIT(8)) != 0)? -(uint8_t)cal_temp: (uint8_t)cal_temp;
+    // Currently calibration is not supported on ESP32-C6, IDF-5236
+    *tsens_cal = 0;
     return ESP_OK;
 }

components/efuse/esp32h2/esp_efuse_rtc_calib.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2022-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2022-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -124,18 +124,7 @@ esp_err_t esp_efuse_rtc_calib_get_cal_voltage(int version, uint32_t adc_unit, in
 
 esp_err_t esp_efuse_rtc_calib_get_tsens_val(float* tsens_cal)
 {
-    const esp_efuse_desc_t** cal_temp_efuse;
-    cal_temp_efuse = ESP_EFUSE_TEMP_CALIB;
-    int cal_temp_size = esp_efuse_get_field_size(cal_temp_efuse);
-    assert(cal_temp_size == 9);
-
-    uint32_t cal_temp = 0;
-    esp_err_t err = esp_efuse_read_field_blob(cal_temp_efuse, &cal_temp, cal_temp_size);
-    if (err != ESP_OK) {
-        *tsens_cal = 0.0;
-        return err;
-    }
-    // BIT(8) stands for sign: 1: negative, 0: positive
-    *tsens_cal = ((cal_temp & BIT(8)) != 0)? -(uint8_t)cal_temp: (uint8_t)cal_temp;
+    // Currently calibration is not supported on ESP32-H2, IDF-5236
+    *tsens_cal = 0;
     return ESP_OK;
 }

components/esp_hw_support/include/esp_sleep.h

@@ -415,10 +415,8 @@ esp_err_t esp_sleep_enable_ext1_wakeup_with_level_mask(uint64_t io_mask, uint64_
  *
  * This function enables an IO pin to wake up the chip from deep sleep.
  *
- * @note 1.This function does not modify pin configuration. The pins are configured
- *          inside `esp_deep_sleep_start`, immediately before entering sleep mode.
- *       2.This function is also applicable to waking up the lightsleep when the peripheral
- *         power domain is powered off, see PM_POWER_DOWN_PERIPHERAL_IN_LIGHT_SLEEP in menuconfig.
+ * @note This function does not modify pin configuration. The pins are
+ *       configured inside esp_deep_sleep_start, immediately before entering sleep mode.
  *
  * @note You don't need to worry about pull-up or pull-down resistors before
  *       using this function because the ESP_SLEEP_GPIO_ENABLE_INTERNAL_RESISTORS
@@ -453,12 +451,7 @@ esp_err_t esp_deep_sleep_enable_gpio_wakeup(uint64_t gpio_pin_mask, esp_deepslee
  * wakeup level, for each GPIO which is used for wakeup.
  * Then call this function to enable wakeup feature.
  *
- * @note 1. On ESP32, GPIO wakeup source can not be used together with touch or ULP wakeup sources.
- *       2. If PM_POWER_DOWN_PERIPHERAL_IN_LIGHT_SLEEP is enabled (if target supported),
- *          this API is unavailable since the GPIO module is powered down during sleep.
- *          You can use `esp_deep_sleep_enable_gpio_wakeup` instead, or use EXT1 wakeup source
- *          by `esp_sleep_enable_ext1_wakeup_io` to achieve the same function.
- *          (Only GPIOs which have RTC functionality can be used)
+ * @note On ESP32, GPIO wakeup source can not be used together with touch or ULP wakeup sources.
  *
  * @return
  *      - ESP_OK on success
@@ -474,9 +467,7 @@ esp_err_t esp_sleep_enable_gpio_wakeup(void);
  * Wakeup from light sleep takes some time, so not every character sent
  * to the UART can be received by the application.
  *
- * @note 1. ESP32 does not support wakeup from UART2.
- *       2. If PM_POWER_DOWN_PERIPHERAL_IN_LIGHT_SLEEP is enabled (if target supported),
- *          this API is unavailable since the UART module is powered down during sleep.
+ * @note ESP32 does not support wakeup from UART2.
  *
  * @param uart_num  UART port to wake up from
  * @return

components/esp_hw_support/sleep_modes.c

@@ -1844,9 +1844,6 @@ esp_err_t esp_deep_sleep_enable_gpio_wakeup(uint64_t gpio_pin_mask, esp_deepslee
 
 esp_err_t esp_sleep_enable_gpio_wakeup(void)
 {
-#if CONFIG_PM_POWER_DOWN_PERIPHERAL_IN_LIGHT_SLEEP
-    ESP_LOGW(TAG, "%s wakeup source is not available if the peripheral power domain is powered down in sleep", "GPIO");
-#endif
 #if CONFIG_IDF_TARGET_ESP32
     if (s_config.wakeup_triggers & (RTC_TOUCH_TRIG_EN | RTC_ULP_TRIG_EN)) {
         ESP_LOGE(TAG, "Conflicting wake-up triggers: touch / ULP");
@@ -1859,9 +1856,6 @@ esp_err_t esp_sleep_enable_gpio_wakeup(void)
 
 esp_err_t esp_sleep_enable_uart_wakeup(int uart_num)
 {
-#if CONFIG_PM_POWER_DOWN_PERIPHERAL_IN_LIGHT_SLEEP
-    ESP_LOGW(TAG, "%s wakeup source is not available if the peripheral power domain is powered down in sleep", "UART");
-#endif
     if (uart_num == UART_NUM_0) {
         s_config.wakeup_triggers |= RTC_UART0_TRIG_EN;
     } else if (uart_num == UART_NUM_1) {

components/esp_pm/Kconfig

@@ -124,17 +124,12 @@ menu "Power Management"
         depends on SOC_PAU_SUPPORTED
         default n #TODO: enable by default if periph init/deinit management supported (WIFI-5252)
         help
-            If enabled, digital peripherals will try to powered down in light sleep, then all related peripherals will
-            not be available during sleep, including wake-up sources from the peripherals (For detailed availability
-            information, see the note of the corresponding wakeup source enable function).
-            The chip will automatically save/restore register context during sleep/wakeup to make the upper layer
-            user unaware of the peripheral powerdown during sleep. Enabling this option will increase static RAM and
-            heap usage but will also significantly reduce power.
-            consumption during lightsleep, the actual memory cost depends on the peripherals you have initialized,
-            for specific power consumption data in this mode, please refer to Electrical Characteristics section
-            in the chip datasheet.
-            (In order to save/restore the context of the necessary hardware for FreeRTOS to run, it will need
-            at least 4.55 KB free heap at sleep time. Otherwise sleep will not power down the peripherals.)
+            If enabled, digital peripherals will be powered down in light sleep, it will reduce sleep
+            current consumption by about 100 uA. Chip will save/restore register context at sleep/wake
+            time to keep the system running. Enabling this option will increase static RAM and heap usage,
+            the actual cost depends on the peripherals you have initialized. In order to save/restore the
+            context of the necessary hardware for FreeRTOS to run, it will need at least 4.55 KB free heap
+            at sleep time. Otherwise sleep will not power down the peripherals.
 
             Note1: Please use this option with caution, the current IDF does not support the retention of
             all peripherals. When the digital peripherals are powered off and a sleep and wake-up is completed,
@@ -149,14 +144,6 @@ menu "Power Management"
             of freertos to not be compensated correctly when returning from sleep and cause the system to crash.
             To avoid this, you can increase FREERTOS_IDLE_TIME_BEFORE_SLEEP threshold in menuconfig.
 
-            Note3: Enabling this option does not necessarily mean that the peripheral power domain will be
-            turned down during sleep. The control priority of `esp_sleep_pd_config` is higher than this option,
-            user code can still prevent the peripheral power domain from powering down during sleep by
-            `esp_sleep_pd_config(ESP_PD_DOMAIN_TOP, ESP_PD_OPTION_ON)`. In addition, whether the peripheral power
-            domain is powered down during sleep also depends on the sleep working strategy selected by the driver.
-            If any module belonging to the peripheral power domain chooses not to be powered down during sleep,
-            then the peripheral power domain will not be powered off either.
-
     config PM_UPDATE_CCOMPARE_HLI_WORKAROUND
         bool
         default y if PM_ENABLE && BTDM_CTRL_HLI

components/esp_rom/patches/esp_rom_cache_esp32s2_esp32s3.c

@@ -21,13 +21,14 @@
 extern uint32_t rom_Cache_Count_Flash_Pages(uint32_t bus, uint32_t * page0_mapped);
 uint32_t Cache_Count_Flash_Pages(uint32_t bus, uint32_t * page0_mapped)
 {
+    uint32_t page0_before_count = *page0_mapped;
     uint32_t flash_pages = 0;
     flash_pages = rom_Cache_Count_Flash_Pages(bus, page0_mapped);
 
-/* No page mapped to page0 yet, in this condition, the rom api will return
+/* No page mapped to page0, in this condition, the rom api will return
  * unexpected value + 1.
  */
-    if (*page0_mapped == 0) {
+    if (page0_before_count == *page0_mapped) {
         flash_pages--;
     }
     return flash_pages;

components/esp_wifi/lib

@@ -1 +1 @@
-Subproject commit 0290111589d4b2efb2b99c30c9b6382fa13b2001
+Subproject commit 0a4813bef6753fd3d8ebf90b42e88aaa0a19ecab

components/wpa_supplicant/esp_supplicant/src/esp_common.c

@@ -782,16 +782,15 @@ int wpa_drv_send_action(struct wpa_supplicant *wpa_s,
 			const u8 *data, size_t data_len,
 			int no_cck)
 {
-	int ret = -1;
-	wifi_mgmt_frm_req_t *req;
+	int ret = 0;
+	wifi_mgmt_frm_req_t *req = os_zalloc(sizeof(*req) + data_len);;
+	if (!req)
+		return -1;
 
 	if (!wpa_s->current_bss) {
-		return ret;
-	}
-
-	req = os_zalloc(sizeof(*req) + data_len);
-	if (!req) {
-		return ret;
+		wpa_printf(MSG_ERROR, "STA not associated, return");
+		ret = -1;
+		goto cleanup;
 	}
 
 	req->ifx = WIFI_IF_STA;
@@ -799,14 +798,14 @@ int wpa_drv_send_action(struct wpa_supplicant *wpa_s,
 	req->data_len = data_len;
 	os_memcpy(req->data, data, req->data_len);
 
-	ret = esp_wifi_send_mgmt_frm_internal(req);
-
-	if (ret != 0) {
+	if (esp_wifi_send_mgmt_frm_internal(req) != 0) {
 		wpa_printf(MSG_ERROR, "action frame sending failed");
-	} else {
-		wpa_printf(MSG_INFO, "action frame sent");
+		ret = -1;
+		goto cleanup;
 	}
+	wpa_printf(MSG_INFO, "action frame sent");
 
+cleanup:
 	os_free(req);
 	return ret;
 }

components/wpa_supplicant/esp_supplicant/src/esp_hostap.c

@@ -308,7 +308,8 @@ u16 esp_send_assoc_resp(struct hostapd_data *hapd, const u8 *addr,
     reply = os_zalloc(sizeof(wifi_mgmt_frm_req_t) + sizeof(uint16_t));
     if (!reply) {
         wpa_printf(MSG_ERROR, "failed to allocate memory for assoc response");
-        return WLAN_STATUS_UNSPECIFIED_FAILURE;
+        res = WLAN_STATUS_UNSPECIFIED_FAILURE;
+        goto done;
     }
     reply->ifx = WIFI_IF_AP;
     reply->subtype = subtype;
@@ -321,6 +322,7 @@ u16 esp_send_assoc_resp(struct hostapd_data *hapd, const u8 *addr,
         wpa_printf(MSG_INFO, "esp_send_assoc_resp_failed: send failed");
     }
 #undef ASSOC_RESP_LENGTH
+done:
     os_free(reply);
     return res;
 }

components/wpa_supplicant/esp_supplicant/src/esp_wpa3.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2025 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2024 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -667,39 +667,32 @@ int esp_send_sae_auth_reply(struct hostapd_data *hapd,
                             u16 auth_alg, u16 auth_transaction, u16 resp,
                             const u8 *ies, size_t ies_len)
 {
-    int status = ESP_FAIL;
-    /* Calculate total frame data length (auth_alg + transaction + resp + IEs) */
-    size_t data_len = ies_len + 3 * sizeof(uint16_t);
+    int reply_res = ESP_FAIL;
+    ies_len += 3 * sizeof(uint16_t);
 
-    wifi_mgmt_frm_req_t *req = os_zalloc(sizeof(*req) + data_len);
+    wifi_mgmt_frm_req_t *req = os_zalloc(sizeof(*req) + ies_len);
     if (!req) {
-        wpa_printf(MSG_ERROR, "Failed to allocate SAE authentication reply");
-        return status;
-    }
-
-    /* Populate the frame data */
-    ((uint16_t *)req->data)[0] = htole16(auth_alg); /* Authentication algorithm */
-    ((uint16_t *)req->data)[1] = htole16(auth_transaction); /* Transaction number */
-    ((uint16_t *)req->data)[2] = htole16(resp); /* Response code */
-
-    if (ies && ies_len) {
-        os_memcpy(&((uint16_t *)req->data)[3], ies, ies_len);
+        wpa_printf(MSG_ERROR, "failed to send sae auth reply");
+        return reply_res;
     }
+    ((uint16_t *)req->data)[0] = htole16(auth_alg);
+    ((uint16_t *)req->data)[1] = htole16(auth_transaction);
+    ((uint16_t *)req->data)[2] = htole16(resp);
+    os_memcpy(&((uint16_t *)req->data)[3], ies, ies_len - 3 * sizeof(uint16_t));
 
     req->ifx = WIFI_IF_AP;
     req->subtype = (WLAN_FC_STYPE_AUTH << 4);
-    req->data_len = data_len;
+    req->data_len = ies_len;
     os_memcpy(req->da, bssid, ETH_ALEN);
 
     if (esp_wifi_send_mgmt_frm_internal(req) != 0) {
-        wpa_printf(MSG_INFO, "%s: SAE authentication reply send failed", __func__);
+        wpa_printf(MSG_INFO, "%s: send failed", __func__);
     } else {
-        status = ESP_OK;
+        reply_res = ESP_OK;
     }
 
     os_free(req);
-
-    return status;
+    return reply_res;
 }
 
 void esp_wifi_register_wpa3_ap_cb(struct wpa_funcs *wpa_cb)

components/wpa_supplicant/src/common/sae_pk.c

@@ -620,7 +620,6 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	int group;
 	struct wpa_supplicant *wpa_s = &g_wpa_supp;
 	struct sae_pk_elems elems;
-	int ret = 0;
 
 	if (!tmp) {
 		return -1;
@@ -651,8 +650,7 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	if (!elems.fils_pk || !elems.fils_key_confirm || !elems.sae_pk) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: Not all mandatory IEs included in confirm");
-		ret = -1;
-		goto done;
+		return -1;
 	}
 
 	/* TODO: Fragment reassembly */
@@ -660,8 +658,7 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	if (elems.sae_pk_len < SAE_PK_M_LEN + AES_BLOCK_SIZE) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: No room for EncryptedModifier in SAE-PK element");
-		ret = -1;
-		goto done;
+		return -1;
 	}
 
 	wpa_hexdump(MSG_DEBUG, "SAE-PK: EncryptedModifier",
@@ -672,16 +669,14 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 						0, NULL, NULL, m) < 0) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: Failed to decrypt EncryptedModifier");
-		ret = -1;
-		goto done;
+		return -1;
 	}
 	wpa_hexdump_key(MSG_DEBUG, "SAE-PK: Modifier M", m, SAE_PK_M_LEN);
 
 	if (elems.fils_pk[0] != 2) {
 		wpa_printf(MSG_INFO, "SAE-PK: Unsupported public key type %u",
 				   elems.fils_pk[0]);
-		ret = -1;
-		goto done;
+		return -1;
 	}
 	k_ap_len = elems.fils_pk_len - 1;
 	k_ap = elems.fils_pk + 1;
@@ -691,15 +686,13 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	key = crypto_ec_key_parse_pub(k_ap, k_ap_len);
 	if (!key) {
 		wpa_printf(MSG_INFO, "SAE-PK: Failed to parse K_AP");
-		ret = -1;
-		goto done;
+		return -1;
 	}
 	group = crypto_ec_key_group(key);
 	if (!sae_pk_valid_fingerprint(sae, m, SAE_PK_M_LEN, k_ap, k_ap_len,
 								  group)) {
 		crypto_ec_key_deinit(key);
-		ret = -1;
-		goto done;
+		return -1;
 	}
 
 	wpa_hexdump(MSG_DEBUG, "SAE-PK: Received KeyAuth",
@@ -709,8 +702,7 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	if (sae_pk_hash_sig_data(sae, hash_len, false, m, SAE_PK_M_LEN,
 							 k_ap, k_ap_len, hash) < 0) {
 		crypto_ec_key_deinit(key);
-		ret = -1;
-		goto done;
+		return -1;
 	}
 
 	res = crypto_ec_key_verify_signature(key, hash, hash_len,
@@ -721,25 +713,12 @@ int sae_check_confirm_pk(struct sae_data *sae, const u8 *ies, size_t ies_len)
 	if (res != 1) {
 		wpa_printf(MSG_INFO,
 				   "SAE-PK: Invalid or incorrect signature in KeyAuth");
-		ret = -1;
-		goto done;
+		return -1;
 	}
 
 	wpa_printf(MSG_DEBUG, "SAE-PK: Valid KeyAuth signature received");
 
 	/* TODO: Store validated public key into network profile */
-done:
-	if (wpa_s->sae_pk_elems.fils_pk) {
-		os_free(wpa_s->sae_pk_elems.fils_pk);
-	}
-	if (wpa_s->sae_pk_elems.sae_pk) {
-		os_free(wpa_s->sae_pk_elems.sae_pk);
-	}
-	if (wpa_s->sae_pk_elems.fils_key_confirm) {
-		os_free(wpa_s->sae_pk_elems.fils_key_confirm);
-	}
-	os_memset(&wpa_s->sae_pk_elems, 0, sizeof(wpa_s->sae_pk_elems));
-
-	return ret;
+	return 0;
 }
 #endif /* CONFIG_SAE_PK */

components/wpa_supplicant/src/rsn_supp/wpa.c

@@ -188,9 +188,21 @@ static bool is_wpa2_enterprise_connection(void)
 }
 #endif
 
-const u8 * wpa_sm_get_auth_addr(struct wpa_sm *sm)
+/**
+ * get_bssid - Get the current BSSID
+ * @priv: private driver interface data
+ * @bssid: buffer for BSSID (ETH_ALEN = 6 bytes)
+ *
+ * Returns: 0 on success, -1 on failure
+ *
+ * Query kernel driver for the current BSSID and copy it to bssid.
+ * Setting bssid to 00:00:00:00:00:00 is recommended if the STA is not
+ * associated.
+ */
+static inline int   wpa_sm_get_bssid(struct wpa_sm *sm, u8 *bssid)
 {
-    return sm->bssid;
+    memcpy(bssid, sm->bssid, ETH_ALEN);
+    return 0;
 }
 
  /*
@@ -220,13 +232,11 @@ static inline int wpa_sm_ether_send(struct wpa_sm *sm, const u8 *dest, u16 proto
  * @msg_len: Length of message
  * @key_mic: Pointer to the buffer to which the EAPOL-Key MIC is written
  */
-int  wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck, size_t kck_len,
+void wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck, size_t kck_len,
                         int ver, const u8 *dest, u16 proto,
                         u8 *msg, size_t msg_len, u8 *key_mic)
 {
-    int ret = -1;
     if (is_zero_ether_addr(dest) && is_zero_ether_addr(sm->bssid)) {
-#ifndef ESP_SUPPLICANT
         /*
          * Association event was not yet received; try to fetch
          * BSSID from the driver.
@@ -240,9 +250,6 @@ int  wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck, size_t kck_len,
                    ") as the destination for EAPOL-Key",
                    MAC2STR(dest));
         }
-#else
-        return ret;
-#endif
     }
     if (key_mic &&
         wpa_eapol_key_mic(kck, kck_len, sm->key_mgmt, ver, msg, msg_len,
@@ -255,9 +262,9 @@ int  wpa_eapol_key_send(struct wpa_sm *sm, const u8 *kck, size_t kck_len,
     wpa_hexdump_key(MSG_DEBUG, "WPA: KCK", kck, kck_len);
     wpa_hexdump(MSG_DEBUG, "WPA: Derived Key MIC", key_mic, wpa_mic_len(sm->key_mgmt, sm->pmk_len));
     wpa_hexdump(MSG_MSGDUMP, "WPA: TX EAPOL-Key", msg, msg_len);
-    return wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
+    wpa_sm_ether_send(sm, dest, proto, msg, msg_len);
 out:
-    return ret;
+    return;
 }
 
 /**
@@ -276,7 +283,7 @@ static void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
     struct wpa_eapol_key *reply;
     struct wpa_eapol_key_192 *reply192;
     int key_info, ver;
-    u8 *rbuf, *key_mic;
+    u8 bssid[ETH_ALEN], *rbuf, *key_mic;
 
     if (sm->key_mgmt == WPA_KEY_MGMT_OSEN || wpa_key_mgmt_suite_b(sm->key_mgmt))
         ver = WPA_KEY_INFO_TYPE_AKM_DEFINED;
@@ -289,6 +296,12 @@ static void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
     else
         ver = WPA_KEY_INFO_TYPE_HMAC_MD5_RC4;
 
+    if (wpa_sm_get_bssid(sm, bssid) < 0) {
+        wpa_printf(MSG_DEBUG, "Failed to read BSSID for EAPOL-Key "
+               "request");
+        return;
+    }
+
     mic_len = wpa_mic_len(sm->key_mgmt, sm->pmk_len);
     hdrlen = mic_len == 24 ? sizeof(*reply192) : sizeof(*reply);
     rbuf = wpa_sm_alloc_eapol(sm, IEEE802_1X_TYPE_EAPOL_KEY, NULL,
@@ -330,7 +343,7 @@ static void wpa_sm_key_request(struct wpa_sm *sm, int error, int pairwise)
     wpa_printf(MSG_DEBUG, "WPA: Sending EAPOL-Key Request (error=%d "
            "pairwise=%d ptk_set=%d len=%lu)",
            error, pairwise, sm->ptk_set, (unsigned long) rlen);
-    wpa_eapol_key_send(sm, sm->ptk.kck, sm->ptk.kck_len, ver, wpa_sm_get_auth_addr(sm),
+    wpa_eapol_key_send(sm, sm->ptk.kck, sm->ptk.kck_len, ver, bssid,
                        ETH_P_EAPOL, rbuf, rlen, key_mic);
     wpa_sm_free_eapol(rbuf);
 }