[gatekeeeper] fix error in timeout computation
Missed else caused failures less than 10 but not a
multiple of 5 (i.e. 1) to be given a full day timeout.
Added test to catch error.
Bug: 26268204
Change-Id: I56d6cfb213bde77ab03540a5f55ffc9d1ee8dc91
diff --git a/gatekeeper.cpp b/gatekeeper.cpp
index 998061d..44993cf 100644
--- a/gatekeeper.cpp
+++ b/gatekeeper.cpp
@@ -263,6 +263,8 @@
if (record->failure_counter > 0 && record->failure_counter <= 10) {
if (record->failure_counter % 5 == 0) {
return failure_timeout_ms;
+ } else {
+ return 0;
}
} else if (record->failure_counter < 30) {
return failure_timeout_ms;
diff --git a/tests/gatekeeper_device_test.cpp b/tests/gatekeeper_device_test.cpp
index eea523f..d2283ec 100644
--- a/tests/gatekeeper_device_test.cpp
+++ b/tests/gatekeeper_device_test.cpp
@@ -170,6 +170,35 @@
ASSERT_EQ(NULL, auth_token);
}
+TEST_F(GateKeeperDeviceTest, MinFailedAttemptsBeforeLockout) {
+ uint32_t password_len = 50;
+ uint8_t password_payload[password_len];
+ uint8_t *password_handle;
+ uint32_t password_handle_length;
+ uint8_t *auth_token = NULL;
+ uint32_t auth_token_len;
+ int ret;
+
+ ret = device->enroll(device, 400, NULL, 0, NULL, 0, password_payload, password_len,
+ &password_handle, &password_handle_length);
+
+ ASSERT_EQ(0, ret);
+
+ password_payload[0] = 4;
+
+ // User should have at least 4 attempts before being locked out
+ static const int MIN_FAILED_ATTEMPTS = 4;
+
+ bool should_reenroll;
+ for (int i = 0; i < MIN_FAILED_ATTEMPTS; i++) {
+ ret = device->verify(device, 400, 0, password_handle, password_handle_length,
+ password_payload, password_len, &auth_token, &auth_token_len,
+ &should_reenroll);
+ // shoudln't be a timeout
+ ASSERT_LT(0, ret);
+ }
+}
+
TEST_F(GateKeeperDeviceTest, UntrustedReEnroll) {
uint32_t password_len = 50;
uint8_t password_payload[password_len];
