Provision Discovery流程分析


本文为《深入理解Android Wi-Fi、NFC和GPS卷》读书笔记,Android源码为Android 5.1


P2pStateMachine的ProvisionDiscoveryState在其EA中将发送形如"P2P_PROV_DISC 8a:32:9b:6c:d1:80 pbc"的命令给WPAS去执行,其核心处理函数是p2p_ctrl_prov_disc:
android-5.1/external/wpa_supplicant_8/wpa_supplicant/ctrl_iface.c

/*
 * Control-interface handler for the P2P_PROV_DISC command.
 *
 * cmd is the argument string "<addr> <config method> [join|auto]", for
 * example "8a:32:9b:6c:d1:80 pbc". The address is parsed into binary form
 * and the remainder of the string is handed to wpas_p2p_prov_disc(), which
 * in turn ends up in p2p_prov_disc_req().
 *
 * Returns -1 on a malformed command, otherwise the result of
 * wpas_p2p_prov_disc().
 *
 * NOTE(review): cmd originates from a control-interface client. Only the
 * address and the separator are checked here; the config-method text is
 * forwarded as-is (including any trailing " join"/" auto"), so the callee
 * has to validate it.
 */
static int p2p_ctrl_prov_disc(struct wpa_supplicant *wpa_s, char *cmd)
{
	enum wpas_p2p_prov_disc_use pd_use;
	u8 peer[ETH_ALEN];
	char *method;

	if (hwaddr_aton(cmd, peer) != 0)
		return -1;

	/*
	 * A textual MAC address ("xx:xx:xx:xx:xx:xx") is 17 characters, so
	 * cmd[17] must be the separating space.
	 * NOTE(review): indexing cmd[17] is in bounds only if hwaddr_aton()
	 * succeeds solely on a full 17-character address - confirm.
	 */
	if (cmd[17] != ' ')
		return -1;
	method = cmd + 18;

	/* The option is matched anywhere in the remainder, not only at its end. */
	if (os_strstr(method, " join"))
		pd_use = WPAS_P2P_PD_FOR_JOIN;
	else if (os_strstr(method, " auto"))
		pd_use = WPAS_P2P_PD_AUTO;
	else
		pd_use = WPAS_P2P_PD_FOR_GO_NEG;

	return wpas_p2p_prov_disc(wpa_s, peer, method, pd_use);
}
android-5.1/external/wpa_supplicant_8/src/p2p/p2p_pd.c

/*
 * Start a Provision Discovery exchange with a known peer.
 *
 * p2p:               P2P module state
 * peer_addr:         address used to look the peer up (device address first,
 *                    then interface address)
 * config_methods:    requested WPS config methods; 0 is rejected
 * join:              non-zero marks the PD as being for joining a group
 * force_freq:        stored in p2p->pd_force_freq and passed to the sender
 * user_initiated_pd: stored in p2p->user_initiated_pd; when set, the retry
 *                    counter is armed with MAX_PROV_DISC_REQ_RETRIES
 *
 * Returns -1 if the peer is unknown (or only seen through a Probe Request)
 * or config_methods is 0, 0 if the request was recorded but postponed because
 * the module is busy, otherwise the result of p2p_send_prov_disc_req().
 */
int p2p_prov_disc_req(struct p2p_data *p2p, const u8 *peer_addr,
		      u16 config_methods, int join, int force_freq,
		      int user_initiated_pd)
{
	struct p2p_device *peer;

	/* Find the p2p_device entry that matches the target address. */
	peer = p2p_get_device(p2p, peer_addr);
	if (!peer)
		peer = p2p_get_device_interface(p2p, peer_addr);
	if (!peer || (peer->flags & P2P_DEV_PROBE_REQ_ONLY)) {
		p2p_dbg(p2p, "Provision Discovery Request destination " MACSTR
			" not yet known", MAC2STR(peer_addr));
		return -1;
	}

	p2p_dbg(p2p, "Provision Discovery Request with " MACSTR
		" (config methods 0x%x)",
		MAC2STR(peer_addr), config_methods);
	if (!config_methods)
		return -1;

	/* Reset provisioning info and remember what is being requested. */
	peer->wps_prov_info = 0;
	peer->req_config_methods = config_methods;

	/* P2P_DEV_PD_FOR_JOIN ends up set exactly when join is non-zero. */
	peer->flags &= ~P2P_DEV_PD_FOR_JOIN;
	if (join)
		peer->flags |= P2P_DEV_PD_FOR_JOIN;

	/*
	 * Only IDLE, SEARCH and LISTEN_ONLY allow sending right away. In any
	 * other state the per-peer request state set above is kept and 0 is
	 * returned without sending.
	 */
	switch (p2p->state) {
	case P2P_IDLE:
	case P2P_SEARCH:
	case P2P_LISTEN_ONLY:
		break;
	default:
		p2p_dbg(p2p, "Busy with other operations; postpone Provision Discovery Request with "
			MACSTR " (config methods 0x%x)",
			MAC2STR(peer_addr), config_methods);
		return 0;
	}

	p2p->user_initiated_pd = user_initiated_pd;
	p2p->pd_force_freq = force_freq;
	if (p2p->user_initiated_pd)
		p2p->pd_retries = MAX_PROV_DISC_REQ_RETRIES;

	/*
	 * Assign the dialog token here so that every retry within the same PD
	 * exchange uses the same value. Zero is skipped on wrap-around.
	 * NOTE(review): the token is a plain counter; the response handler
	 * compares it with the received token, so it is a matching aid rather
	 * than an unpredictable secret.
	 */
	if (++peer->dialog_token == 0)
		peer->dialog_token = 1;

	/* Finally hand over to p2p_send_prov_disc_req() to transmit the frame. */
	return p2p_send_prov_disc_req(p2p, peer, join, force_freq);
}
android-5.1/external/wpa_supplicant_8/src/p2p/p2p_pd.c

/*
 * Build and transmit a Provision Discovery Request to dev.
 *
 * p2p:        P2P module state
 * dev:        peer entry; dialog_token and req_config_methods must already
 *             be set by the caller
 * join:       non-zero passes dev to the frame builder (NULL otherwise)
 * force_freq: if > 0, transmit on this frequency instead of the peer's
 *             listen/operating frequency
 *
 * Returns 0 when the Action frame was handed to p2p_send_action(), -1 on any
 * failure (no usable frequency, non-discoverable group client, frame build
 * failure, send failure).
 */
int p2p_send_prov_disc_req(struct p2p_data *p2p, struct p2p_device *dev,
			   int join, int force_freq)
{
	const u8 *peer_addr = dev->info.p2p_device_addr;
	struct wpabuf *frame;
	int tx_freq;
	int ret = -1;

	/* Work out which frequency the peer can be reached on. */
	if (force_freq > 0)
		tx_freq = force_freq;
	else if (dev->listen_freq > 0)
		tx_freq = dev->listen_freq;
	else
		tx_freq = dev->oper_freq;

	if (tx_freq <= 0) {
		p2p_dbg(p2p, "No Listen/Operating frequency known for the peer "
			MACSTR " to send Provision Discovery Request",
			MAC2STR(peer_addr));
		return -1;
	}

	/* TODO: use device discoverability request through GO */
	if ((dev->flags & P2P_DEV_GROUP_CLIENT_ONLY) &&
	    !(dev->info.dev_capab & P2P_DEV_CAPAB_CLIENT_DISCOVERABILITY)) {
		p2p_dbg(p2p, "Cannot use PD with P2P Device " MACSTR
			" that is in a group and is not discoverable",
			MAC2STR(peer_addr));
		return -1;
	}

	/* Build the Provision Discovery Request frame body. */
	frame = p2p_build_prov_disc_req(p2p, dev->dialog_token,
					dev->req_config_methods,
					join ? dev : NULL);
	if (!frame)
		return -1;

	if (p2p->state != P2P_IDLE)
		p2p_stop_listen_for_freq(p2p, tx_freq);

	/*
	 * Mark PD as the currently pending Action exchange.
	 * NOTE(review): this is set before the send and is not reverted in the
	 * failure branch below; whether a caller resets it is not visible here.
	 */
	p2p->pending_action_state = P2P_PENDING_PD;

	/* p2p_send_action() ends up calling wpas_send_action(). */
	if (p2p_send_action(p2p, tx_freq, peer_addr, p2p->cfg->dev_addr,
			    peer_addr, wpabuf_head(frame), wpabuf_len(frame),
			    200) < 0) {
		p2p_dbg(p2p, "Failed to send Action frame");
	} else {
		/* Remember which peer the pending PD was addressed to. */
		os_memcpy(p2p->pending_pd_devaddr, peer_addr, ETH_ALEN);
		ret = 0;
	}

	wpabuf_free(frame);
	return ret;
}
上述代码中,PD Request帧最终将通过p2p_send_action函数发送出去。不过p2p_send_action并不简单,它将涉及Off Channel发送以及处理对应netlink消息的过程。

下面来看PD Response帧的处理流程。由于PD Response属于Action帧,所以我们将先介绍WPAS中Action帧的接收流程,然后再分析PD Response的处理流程。
PD Response帧属于Public Action帧的一种,根据7.4.1节注册Action帧监听事件的分析可知,当收到对端设备发来的PD Response帧后,process_bss_event函数将被调用:
android-5.1/external/wpa_supplicant_8/src/drivers/driver_nl80211.c

/*
 * Netlink callback for per-BSS nl80211 events.
 *
 * msg: received generic netlink message
 * arg: the struct i802_bss the callback was registered for
 *
 * Frame RX and frame TX-status events are forwarded to mlme_event();
 * unexpected-frame events go to nl80211_spurious_frame(). Anything else is
 * logged and ignored. Always returns NL_SKIP.
 */
static int process_bss_event(struct nl_msg *msg, void *arg)
{
	struct nlattr *attrs[NL80211_ATTR_MAX + 1];
	struct genlmsghdr *hdr = nlmsg_data(nlmsg_hdr(msg));
	struct i802_bss *bss = arg;

	/*
	 * NOTE(review): the nla_parse() return value is not checked, so attrs[]
	 * is used in whatever state the parser left it - confirm that a failed
	 * parse cannot leave stale entries behind.
	 */
	nla_parse(attrs, NL80211_ATTR_MAX, genlmsg_attrdata(hdr, 0),
		  genlmsg_attrlen(hdr, 0), NULL);

	wpa_printf(MSG_DEBUG, "nl80211: BSS Event %d (%s) received for %s",
		   hdr->cmd, nl80211_command_to_string(hdr->cmd),
		   bss->ifname);

	if (hdr->cmd == NL80211_CMD_FRAME ||
	    hdr->cmd == NL80211_CMD_FRAME_TX_STATUS) {
		/*
		 * NL80211_CMD_FRAME: a frame was received from the peer.
		 * NL80211_CMD_FRAME_TX_STATUS: TX report for a management frame
		 * sent by this device.
		 */
		mlme_event(bss, hdr->cmd, attrs[NL80211_ATTR_FRAME],
			   attrs[NL80211_ATTR_MAC],
			   attrs[NL80211_ATTR_TIMED_OUT],
			   attrs[NL80211_ATTR_WIPHY_FREQ],
			   attrs[NL80211_ATTR_ACK],
			   attrs[NL80211_ATTR_COOKIE],
			   attrs[NL80211_ATTR_RX_SIGNAL_DBM]);
	} else if (hdr->cmd == NL80211_CMD_UNEXPECTED_FRAME) {
		nl80211_spurious_frame(bss, attrs, 0);
	} else if (hdr->cmd == NL80211_CMD_UNEXPECTED_4ADDR_FRAME) {
		nl80211_spurious_frame(bss, attrs, 1);
	} else {
		wpa_printf(MSG_DEBUG, "nl80211: Ignored unknown event "
			   "(cmd=%d)", hdr->cmd);
	}

	return NL_SKIP;
}
由上述代码可知,不论是代表由本机所发送的管理帧TX Report的 NL80211_CMD_FRAME_TX_STATUS消息,还是代表本机接收到对端发来的管理帧事件的 NL80211_CMD_FRAME 消息,最终都会调用 mlme_event函数:
android-5.1/external/wpa_supplicant_8/src/drivers/driver_nl80211.c

/*
 * Dispatch an nl80211 MLME/frame event to the matching handler.
 *
 * bss:       interface the event was received on
 * cmd:       nl80211 command that carried the event
 * frame:     attribute holding the raw 802.11 frame (may be NULL)
 * addr:      attribute holding a MAC address, used only for timeouts
 * timed_out: non-NULL when the event reports a timeout
 * freq, sig: passed on to mlme_event_mgmt() for received frames
 * ack, cookie: passed on to mlme_event_mgmt_tx_status() for TX reports
 *
 * Events without frame data, frames shorter than 4 + 2 * ETH_ALEN octets and
 * individually addressed frames whose A1/A2 do not match bss->addr (other
 * than TX status reports) are dropped after logging.
 */
static void mlme_event(struct i802_bss *bss,
		       enum nl80211_commands cmd, struct nlattr *frame,
		       struct nlattr *addr, struct nlattr *timed_out,
		       struct nlattr *freq, struct nlattr *ack,
		       struct nlattr *cookie, struct nlattr *sig)
{
	struct wpa_driver_nl80211_data *drv = bss->drv;
	const u8 *buf, *a1, *a2;
	size_t buf_len;

	if (timed_out && addr) {
		mlme_timeout_event(drv, cmd, addr);
		return;
	}

	if (!frame) {
		wpa_printf(MSG_DEBUG,
			   "nl80211: MLME event %d (%s) without frame data",
			   cmd, nl80211_command_to_string(cmd));
		return;
	}

	buf = nla_data(frame);
	buf_len = nla_len(frame);

	/*
	 * The two address fields read below start at offset 4, so the frame
	 * must hold at least 4 + 2 * ETH_ALEN octets before they are touched.
	 */
	if (buf_len < 4 + 2 * ETH_ALEN) {
		wpa_printf(MSG_MSGDUMP, "nl80211: MLME event %d (%s) on %s("
			   MACSTR ") - too short",
			   cmd, nl80211_command_to_string(cmd), bss->ifname,
			   MAC2STR(bss->addr));
		return;
	}

	a1 = buf + 4;
	a2 = a1 + ETH_ALEN;
	wpa_printf(MSG_MSGDUMP, "nl80211: MLME event %d (%s) on %s(" MACSTR
		   ") A1=" MACSTR " A2=" MACSTR, cmd,
		   nl80211_command_to_string(cmd), bss->ifname,
		   MAC2STR(bss->addr), MAC2STR(a1), MAC2STR(a2));

	/*
	 * Keep the event if it is a TX status report, if bit 0 of the first
	 * A1 octet is set (group-addressed), or if either A1 or A2 equals our
	 * own address. Everything else is foreign traffic.
	 */
	if (!(cmd == NL80211_CMD_FRAME_TX_STATUS || (a1[0] & 0x01) ||
	      os_memcmp(bss->addr, a1, ETH_ALEN) == 0 ||
	      os_memcmp(bss->addr, a2, ETH_ALEN) == 0)) {
		wpa_printf(MSG_MSGDUMP, "nl80211: %s: Ignore MLME frame event "
			   "for foreign address", bss->ifname);
		return;
	}

	wpa_hexdump(MSG_MSGDUMP, "nl80211: MLME event frame",
		    nla_data(frame), nla_len(frame));

	/*
	 * NOTE(review): only the 16-octet minimum above has been verified at
	 * this point; each handler below still has to validate the length it
	 * needs before parsing further.
	 */
	switch (cmd) {
	case NL80211_CMD_AUTHENTICATE:
		mlme_event_auth(drv, nla_data(frame), nla_len(frame));
		break;
	case NL80211_CMD_ASSOCIATE:
		mlme_event_assoc(drv, nla_data(frame), nla_len(frame));
		break;
	case NL80211_CMD_DEAUTHENTICATE:
		mlme_event_deauth_disassoc(drv, EVENT_DEAUTH,
					   nla_data(frame), nla_len(frame));
		break;
	case NL80211_CMD_DISASSOCIATE:
		mlme_event_deauth_disassoc(drv, EVENT_DISASSOC,
					   nla_data(frame), nla_len(frame));
		break;
	case NL80211_CMD_FRAME:
		mlme_event_mgmt(bss, freq, sig, nla_data(frame),
				nla_len(frame));
		break;
	case NL80211_CMD_FRAME_TX_STATUS:
		mlme_event_mgmt_tx_status(drv, cookie, nla_data(frame),
					  nla_len(frame), ack);
		break;
	case NL80211_CMD_UNPROT_DEAUTHENTICATE:
		mlme_event_unprot_disconnect(drv, EVENT_UNPROT_DEAUTH,
					     nla_data(frame), nla_len(frame));
		break;
	case NL80211_CMD_UNPROT_DISASSOCIATE:
		mlme_event_unprot_disconnect(drv, EVENT_UNPROT_DISASSOC,
					     nla_data(frame), nla_len(frame));
		break;
	default:
		break;
	}
}
mlme_event 将处理各种类型的帧事件。对应本例而言,此时将调用 mlme_event_mgmt 函数:
android-5.1/external/wpa_supplicant_8/src/drivers/driver_nl80211.c

/*
 * Turn a received management frame into an EVENT_RX_MGMT event.
 *
 * bss:   interface the frame was received on
 * freq:  optional attribute with the RX frequency
 * sig:   optional attribute with the RX signal strength
 * frame: raw 802.11 management frame
 * len:   number of octets in frame
 *
 * Frames shorter than 24 octets are dropped. Otherwise the frame pointer,
 * length, frequency and signal are packed into a wpa_event_data and handed to
 * wpa_supplicant_event().
 */
static void mlme_event_mgmt(struct i802_bss *bss,
			    struct nlattr *freq, struct nlattr *sig,
			    const u8 *frame, size_t len)
{
	struct wpa_driver_nl80211_data *drv = bss->drv;
	const struct ieee80211_mgmt *hdr =
		(const struct ieee80211_mgmt *) frame;
	union wpa_event_data ev;
	u16 fc, stype;
	int signal_dbm = 0;
	int rx_freq = 0;

	wpa_printf(MSG_MSGDUMP, "nl80211: Frame event");

	/*
	 * hdr is not dereferenced until this check has passed.
	 * NOTE(review): 24 presumably is the fixed management header size;
	 * frame_control and sa read below must lie within it - confirm against
	 * struct ieee80211_mgmt.
	 */
	if (len < 24) {
		wpa_printf(MSG_DEBUG, "nl80211: Too short management frame");
		return;
	}

	fc = le_to_host16(hdr->frame_control);
	stype = WLAN_FC_GET_STYPE(fc);

	if (sig)
		signal_dbm = (s32) nla_get_u32(sig);

	os_memset(&ev, 0, sizeof(ev));
	if (freq) {
		ev.rx_mgmt.freq = nla_get_u32(freq);
		drv->last_mgmt_freq = ev.rx_mgmt.freq;
		rx_freq = drv->last_mgmt_freq;
	}

	wpa_printf(MSG_DEBUG,
		   "nl80211: RX frame sa=" MACSTR
		   " freq=%d ssi_signal=%d stype=%u (%s) len=%u",
		   MAC2STR(hdr->sa), rx_freq, signal_dbm, stype, fc2str(fc),
		   (unsigned int) len);

	ev.rx_mgmt.drv_priv = bss;
	ev.rx_mgmt.ssi_signal = signal_dbm;
	ev.rx_mgmt.frame_len = len;
	ev.rx_mgmt.frame = frame;

	/* EVENT_RX_MGMT marks the event as a received management frame. */
	wpa_supplicant_event(drv->ctx, EVENT_RX_MGMT, &ev);
}
wpa_supplicant_event(android-5.1/external/wpa_supplicant_8/wpa_supplicant/event.c)处理 EVENT_RX_MGMT(即上面 mlme_event_mgmt 传入的事件类型)的内容比较丰富,不过对P2P来说,wpa_supplicant_event 将调用 wpas_event_rx_mgmt_action(event.c),wpas_event_rx_mgmt_action 调用 wpas_p2p_rx_action(p2p_supplicant.c),wpas_p2p_rx_action 再调用 p2p_rx_action():
android-5.1/external/wpa_supplicant_8/src/p2p/p2p.c

/*
 * Entry point of the P2P module for received Action frames.
 *
 * p2p:           P2P module state
 * da, sa, bssid: addresses taken from the received frame
 * category:      Action frame category
 * data, len:     frame body following the category field
 * freq:          frequency the frame was received on
 *
 * Public Action frames are forwarded to p2p_rx_action_public(). Vendor
 * specific frames are accepted only when they start with the 4-octet
 * P2P_IE_VENDOR_TYPE value; the next octet then selects the P2P Action
 * subtype. Everything else is ignored.
 *
 * NOTE(review): sa and the frame body are taken from the received frame and
 * nothing in this function authenticates them; treat both as untrusted.
 */
void p2p_rx_action(struct p2p_data *p2p, const u8 *da, const u8 *sa,
		   const u8 *bssid, u8 category,
		   const u8 *data, size_t len, int freq)
{
	const u8 *body;
	size_t body_len;

	/* Public Action frames have their own dispatcher. */
	if (category == WLAN_ACTION_PUBLIC) {
		p2p_rx_action_public(p2p, da, sa, bssid, data, len, freq);
		return;
	}

	/* The length is checked before the 4-octet vendor type is read. */
	if (category != WLAN_ACTION_VENDOR_SPECIFIC || len < 4 ||
	    WPA_GET_BE32(data) != P2P_IE_VENDOR_TYPE)
		return;
	data += 4;
	len -= 4;

	/* P2P action frame */
	p2p_dbg(p2p, "RX P2P Action from " MACSTR, MAC2STR(sa));
	wpa_hexdump(MSG_MSGDUMP, "P2P: P2P Action contents", data, len);

	/* The subtype octet must be present before it is read. */
	if (len < 1)
		return;
	body = data + 1;
	body_len = len - 1;

	/* Non-Public Action frame types used by the P2P specification. */
	switch (data[0]) {
	case P2P_NOA:
		p2p_dbg(p2p, "Received P2P Action - Notice of Absence");
		/* TODO */
		break;
	case P2P_PRESENCE_REQ:
		p2p_process_presence_req(p2p, da, sa, body, body_len, freq);
		break;
	case P2P_PRESENCE_RESP:
		p2p_process_presence_resp(p2p, da, sa, body, body_len);
		break;
	case P2P_GO_DISC_REQ:
		p2p_process_go_disc_req(p2p, da, sa, body, body_len, freq);
		break;
	default:
		p2p_dbg(p2p, "Received P2P Action - unknown type %u", data[0]);
		break;
	}
}
上述代码中专门处理Public Action帧的p2p_rx_action_public函数代码如下所示:
android-5.1/external/wpa_supplicant_8/src/p2p/p2p.c

/*
 * Dispatch a received Public Action frame.
 *
 * data[0] is the Public Action type. Vendor specific frames are passed to
 * p2p_rx_p2p_action() only when the following four octets equal
 * P2P_IE_VENDOR_TYPE; the four GAS frame types go to their respective
 * p2p_rx_gas_*() handlers. Other types are ignored.
 *
 * da and bssid are accepted for interface symmetry but not used here.
 */
static void p2p_rx_action_public(struct p2p_data *p2p, const u8 *da,
				 const u8 *sa, const u8 *bssid, const u8 *data,
				 size_t len, int freq)
{
	const u8 *body;
	size_t body_len;

	/* Nothing to dispatch on without the type octet. */
	if (len < 1)
		return;

	body = data + 1;
	body_len = len - 1;

	switch (data[0]) {
	case WLAN_PA_VENDOR_SPECIFIC:
		/* The length is checked before the 4-octet vendor type is read. */
		if (body_len < 4 ||
		    WPA_GET_BE32(body) != P2P_IE_VENDOR_TYPE)
			return;
		p2p_rx_p2p_action(p2p, sa, body + 4, body_len - 4, freq);
		break;
	case WLAN_PA_GAS_INITIAL_REQ:
		p2p_rx_gas_initial_req(p2p, sa, body, body_len, freq);
		break;
	case WLAN_PA_GAS_INITIAL_RESP:
		p2p_rx_gas_initial_resp(p2p, sa, body, body_len, freq);
		break;
	case WLAN_PA_GAS_COMEBACK_REQ:
		p2p_rx_gas_comeback_req(p2p, sa, body, body_len, freq);
		break;
	case WLAN_PA_GAS_COMEBACK_RESP:
		p2p_rx_gas_comeback_resp(p2p, sa, body, body_len, freq);
		break;
	}
}
p2p_rx_p2p_action 函数是P2P模块中Public Action帧得到分类处理的最后一关:
android-5.1/external/wpa_supplicant_8/src/p2p/p2p.c

/*
 * Final classification step for P2P Public Action frames.
 *
 * p2p:       P2P module state
 * sa:        source address of the received frame
 * data, len: frame contents starting at the P2P Public Action subtype octet
 * rx_freq:   frequency the frame was received on
 *
 * data[0] selects the handler; each handler receives the remaining octets.
 * Unsupported subtypes are only logged.
 */
static void p2p_rx_p2p_action(struct p2p_data *p2p, const u8 *sa,
			      const u8 *data, size_t len, int rx_freq)
{
	const u8 *body;
	size_t body_len;

	p2p_dbg(p2p, "RX P2P Public Action from " MACSTR, MAC2STR(sa));
	wpa_hexdump(MSG_MSGDUMP, "P2P: P2P Public Action contents", data, len);

	/* The subtype octet must be present before it is read. */
	if (len < 1)
		return;

	body = data + 1;
	body_len = len - 1;

	switch (data[0]) {
	case P2P_GO_NEG_REQ:
		/* GO Negotiation Request */
		p2p_process_go_neg_req(p2p, sa, body, body_len, rx_freq);
		break;
	case P2P_GO_NEG_RESP:
		/* GO Negotiation Response */
		p2p_process_go_neg_resp(p2p, sa, body, body_len, rx_freq);
		break;
	case P2P_GO_NEG_CONF:
		/* GO Negotiation Confirmation */
		p2p_process_go_neg_conf(p2p, sa, body, body_len);
		break;
	case P2P_INVITATION_REQ:
		/* Invitation Request */
		p2p_process_invitation_req(p2p, sa, body, body_len, rx_freq);
		break;
	case P2P_INVITATION_RESP:
		/*
		 * Invitation Response: send_action_done() is invoked before the
		 * response itself is processed.
		 */
		p2p->cfg->send_action_done(p2p->cfg->cb_ctx);
		p2p_process_invitation_resp(p2p, sa, body, body_len);
		break;
	case P2P_PROV_DISC_REQ:
		/* Provision Discovery Request */
		p2p_process_prov_disc_req(p2p, sa, body, body_len, rx_freq);
		break;
	case P2P_PROV_DISC_RESP:
		/* Provision Discovery Response */
		p2p_process_prov_disc_resp(p2p, sa, body, body_len);
		break;
	case P2P_DEV_DISC_REQ:
		/* Device Discoverability Request */
		p2p_process_dev_disc_req(p2p, sa, body, body_len, rx_freq);
		break;
	case P2P_DEV_DISC_RESP:
		/* Device Discoverability Response */
		p2p_process_dev_disc_resp(p2p, sa, body, body_len);
		break;
	default:
		p2p_dbg(p2p, "Unsupported P2P Public Action frame type %d",
			data[0]);
		break;
	}
}
p2p_rx_p2p_action为P2P Public Action帧处理逻辑的总入口,如果后文分析时碰到其他类型的P2P Public Action帧,我们将直接转入该函数来分析。

由上述的 p2p_rx_p2p_action可知,PD Response帧对应的处理函数是 p2p_process_prov_disc_resp :
android-5.1/external/wpa_supplicant_8/src/p2p/p2p_pd.c

/*
 * Handle a received Provision Discovery Response.
 *
 * p2p:       P2P module state
 * sa:        source address of the response
 * data, len: frame contents after the P2P Public Action subtype octet
 *
 * The response is processed only if sa maps to a known peer that has a PD
 * request outstanding (req_config_methods != 0) and the dialog token matches
 * the one stored for that peer. A response whose config methods differ from
 * the requested ones is reported through the prov_disc_fail callback;
 * otherwise the peer flags and provisioning info are updated and the
 * prov_disc_resp callback is invoked.
 *
 * NOTE(review): nothing here authenticates the frame; acceptance rests on the
 * source address lookup and the dialog token comparison alone, and every
 * msg.* field is peer-supplied.
 */
void p2p_process_prov_disc_resp(struct p2p_data *p2p, const u8 *sa,
				const u8 *data, size_t len)
{
	struct p2p_message msg;
	struct p2p_device *peer;
	u16 requested;
	int accepted;

	/* Parse the PD Response frame. */
	if (p2p_parse(data, len, &msg) != 0)
		return;

	p2p_dbg(p2p, "Received Provision Discovery Response from " MACSTR
		" with config methods 0x%x",
		MAC2STR(sa), msg.wps_config_methods);

	/* Look up the P2P device entry of the sender. */
	peer = p2p_get_device(p2p, sa);
	if (!peer || peer->req_config_methods == 0) {
		p2p_dbg(p2p, "Ignore Provision Discovery Response from " MACSTR
			" with no pending request", MAC2STR(sa));
		goto drop;
	}

	if (peer->dialog_token != msg.dialog_token) {
		p2p_dbg(p2p, "Ignore Provision Discovery Response with unexpected Dialog Token %u (expected %u)",
			msg.dialog_token, peer->dialog_token);
		goto drop;
	}

	/*
	 * The pending Action was this PD exchange and its response has now
	 * arrived, so the pending state can be cleared.
	 */
	if (p2p->pending_action_state == P2P_PENDING_PD) {
		os_memset(p2p->pending_pd_devaddr, 0, ETH_ALEN);
		p2p->pending_action_state = P2P_NO_PENDING_ACTION;
	}

	/*
	 * Use a local copy of the requested config methods since
	 * p2p_reset_pending_pd() can clear this in the peer entry.
	 */
	requested = peer->req_config_methods;

	/*
	 * If the response is from the peer to whom a user initiated request
	 * was sent earlier, we reset that state info here.
	 * NOTE(review): when the block above ran, pending_pd_devaddr has just
	 * been zeroed, so this comparison is made against an all-zero address -
	 * confirm that this ordering is intended.
	 */
	if (p2p->user_initiated_pd &&
	    os_memcmp(p2p->pending_pd_devaddr, sa, ETH_ALEN) == 0)
		p2p_reset_pending_pd(p2p);

	accepted = msg.wps_config_methods == requested;
	if (!accepted) {
		/*
		 * A mismatch between requested and returned WSC methods means
		 * the peer does not support the requested method. The failure
		 * callback is wpas_prov_disc_fail in WPAS, which per the
		 * surrounding article does nothing of note.
		 */
		p2p_dbg(p2p, "Peer rejected our Provision Discovery Request (received config_methods 0x%x expected 0x%x",
			msg.wps_config_methods, requested);
		if (p2p->cfg->prov_disc_fail)
			p2p->cfg->prov_disc_fail(p2p->cfg->cb_ctx, sa,
						 P2P_PROV_DISC_REJECTED);
	} else {
		peer->flags &= ~(P2P_DEV_PD_PEER_DISPLAY |
				 P2P_DEV_PD_PEER_KEYPAD);
		if (requested & WPS_CONFIG_DISPLAY) {
			p2p_dbg(p2p, "Peer " MACSTR
				" accepted to show a PIN on display",
				MAC2STR(sa));
			peer->flags |= P2P_DEV_PD_PEER_DISPLAY;
		} else if (msg.wps_config_methods & WPS_CONFIG_KEYPAD) {
			p2p_dbg(p2p, "Peer " MACSTR
				" accepted to write our PIN using keypad",
				MAC2STR(sa));
			peer->flags |= P2P_DEV_PD_PEER_KEYPAD;
		}

		/* Store the provisioning info */
		peer->wps_prov_info = msg.wps_config_methods;
	}
	p2p_parse_free(&msg);

	/* Common tail for both the rejected and the accepted response. */
	peer->req_config_methods = 0;
	p2p->cfg->send_action_done(p2p->cfg->cb_ctx);

	if (peer->flags & P2P_DEV_PD_BEFORE_GO_NEG) {
		p2p_dbg(p2p, "Start GO Neg after the PD-before-GO-Neg workaround with "
			MACSTR, MAC2STR(peer->info.p2p_device_addr));
		peer->flags &= ~P2P_DEV_PD_BEFORE_GO_NEG;
		p2p_connect_send(p2p, peer);
		return;
	}

	/* In WPAS prov_disc_resp points to wpas_prov_disc_resp. */
	if (accepted && p2p->cfg->prov_disc_resp)
		p2p->cfg->prov_disc_resp(p2p->cfg->cb_ctx, sa, requested);

	if (p2p->state == P2P_PD_DURING_FIND) {
		p2p_clear_timeout(p2p);
		p2p_continue_find(p2p);
	}
	return;

drop:
	/* Response ignored: release the parsed message and change nothing. */
	p2p_parse_free(&msg);
}
android-5.1/external/wpa_supplicant_8/wpa_supplicant/p2p_supplicant.c

/*
 * P2P module callback for an accepted Provision Discovery Response.
 *
 * ctx:            the struct wpa_supplicant registered as callback context
 * peer:           address of the responding peer
 * config_methods: WPS config methods reported for the exchange
 *
 * If a join was waiting for this PD, the join is started and nothing else is
 * reported. Otherwise the matching event is raised depending on the config
 * method (local keypad entry, locally displayed PIN, or push button) and the
 * result is passed to wpas_notify_p2p_provision_discovery().
 */
static void wpas_prov_disc_resp(void *ctx, const u8 *peer, u16 config_methods)
{
	struct wpa_supplicant *wpa_s = ctx;
	unsigned int pin = 0;
	char extra[20];
	int peer_is_go;

	/*
	 * pending_pd_before_join covers the case where GO Negotiation has
	 * already completed but the WSC config method is not yet settled.
	 * The branch is taken when peer equals either pending join address.
	 */
	if (wpa_s->pending_pd_before_join &&
	    !(os_memcmp(peer, wpa_s->pending_join_dev_addr, ETH_ALEN) != 0 &&
	      os_memcmp(peer, wpa_s->pending_join_iface_addr,
			ETH_ALEN) != 0)) {
		wpa_s->pending_pd_before_join = 0;
		wpa_printf(MSG_DEBUG, "P2P: Starting pending "
			   "join-existing-group operation");
		wpas_p2p_join_start(wpa_s, 0, NULL, 0);
		return;
	}

	/*
	 * For automatic PD the event carries " peer_go=0" or " peer_go=1";
	 * the write is bounded by sizeof(extra), which this text fits into.
	 */
	peer_is_go = wpa_s->pending_pd_use == AUTO_PD_JOIN;
	if (peer_is_go || wpa_s->pending_pd_use == AUTO_PD_GO_NEG)
		os_snprintf(extra, sizeof(extra), " peer_go=%d", peer_is_go);
	else
		extra[0] = '\0';

	/* The first matching method wins; pin stays 0 unless KEYPAD is used. */
	if (config_methods & WPS_CONFIG_DISPLAY) {
		wpas_prov_disc_local_keypad(wpa_s, peer, extra);
	} else if (config_methods & WPS_CONFIG_KEYPAD) {
		pin = wps_generate_pin();
		wpas_prov_disc_local_display(wpa_s, peer, extra, pin);
	} else if (config_methods & WPS_CONFIG_PUSHBUTTON) {
		wpa_msg_global(wpa_s, MSG_INFO, P2P_EVENT_PROV_DISC_PBC_RESP
			       MACSTR "%s", MAC2STR(peer), extra);
	}

	wpas_notify_p2p_provision_discovery(wpa_s, peer, 0 /* response */,
					    P2P_PROV_DISC_SUCCESS,
					    config_methods, pin);
}
对于WSC PBC方法而言,wpa_msg将发送 P2P_EVENT_PROV_DISC_PBC_RESP(字符串,值为"P2P-PROV-DISC-PBC-RESP")消息给客户端,这也触发了7.3.2节分析 P2P_PROV_DISC_PBC_RSP_EVENT处理流程中所描述的工作流程
