fix error in timeout computation

Missed else caused failures less than 10 but not a
multiple of 5 (i.e. 1) to be given a full day timeout.

Added test to catch error.

Bug: 26268204
Change-Id: I56d6cfb213bde77ab03540a5f55ffc9d1ee8dc91
diff --git a/gatekeeper.cpp b/gatekeeper.cpp
index 998061d..44993cf 100644
--- a/gatekeeper.cpp
+++ b/gatekeeper.cpp
@@ -263,6 +263,8 @@
     if (record->failure_counter > 0 && record->failure_counter <= 10) {
         if (record->failure_counter % 5 == 0) {
             return failure_timeout_ms;
+        }  else {
+            return 0;
         }
     } else if (record->failure_counter < 30) {
         return failure_timeout_ms;
diff --git a/tests/gatekeeper_device_test.cpp b/tests/gatekeeper_device_test.cpp
index eea523f..d2283ec 100644
--- a/tests/gatekeeper_device_test.cpp
+++ b/tests/gatekeeper_device_test.cpp
@@ -170,6 +170,35 @@
     ASSERT_EQ(NULL, auth_token);
 }
 
+TEST_F(GateKeeperDeviceTest, MinFailedAttemptsBeforeLockout) {
+    uint32_t password_len = 50;
+    uint8_t password_payload[password_len];
+    uint8_t *password_handle;
+    uint32_t password_handle_length;
+    uint8_t *auth_token = NULL;
+    uint32_t auth_token_len;
+    int ret;
+
+    ret = device->enroll(device, 400, NULL, 0, NULL, 0,  password_payload, password_len,
+             &password_handle, &password_handle_length);
+
+    ASSERT_EQ(0, ret);
+
+    password_payload[0] = 4;
+
+    // User should have at least 4 attempts before being locked out
+    static const int MIN_FAILED_ATTEMPTS = 4;
+
+    bool should_reenroll;
+    for (int i = 0; i < MIN_FAILED_ATTEMPTS; i++) {
+        ret = device->verify(device, 400, 0, password_handle, password_handle_length,
+                password_payload, password_len, &auth_token, &auth_token_len,
+                &should_reenroll);
+        // shoudln't be a timeout
+        ASSERT_LT(0, ret);
+    }
+}
+
 TEST_F(GateKeeperDeviceTest, UntrustedReEnroll) {
     uint32_t password_len = 50;
     uint8_t password_payload[password_len];