[PATCH] wpa_supplicant: add option to suppress deauth on PMKSA expiry

[Jouni Malinen]

On Fri, May 15, 2026 at 10:49:56AM +0800, Jason Huang wrote:
> Some certification-oriented test setups use very short PMKSA lifetime
> (for example, dot11RSNAConfigPMKLifetime=1) to effectively disable PMKSA
> caching behavior.

That sounds like a really bad way of disabling PMKSA caching.. The
appropriate way of doing that would be by either explicitly flushing the
PMKSA cache before the connection that would use it or adding a new
configuration parameter for disabling PMKSA caching (like
disable_pmksa_caching=1 in hostapd.conf).

> In this mode, PMKSA entry removal can trigger local deauthentication in
> the supplicant PMKSA free path, which may cause repeated disconnect/reconnect
> cycles and interfere with the intended test behavior.

That is what the standard requires for PMKSA expiration and I would
rather not change that without a very good justification.

> Add a per-network configuration parameter, suppress_deauth_no_pmksa, to
> allow suppressing deauthentication when PMKSA entries are removed.
> 
> Behavior by configuration:
> - suppress_deauth_no_pmksa=0 (default): keep existing behavior
> - suppress_deauth_no_pmksa=1: suppress deauthentication on PMKSA removal
> 
> This keeps default behavior unchanged while providing explicit control for
> test scenarios that require short PMKSA lifetime operation.

At minimum, this would need to be within CONFIG_TESTING_OPTIONS to
prevent use in production devices, but I would strongly prefer adding a
configuration parameter that allows PMKSA caching to be disabled.

-- 
Jouni Malinen                                            PGP id EFC895FA