From a35699cb5cfef3773afebf51c2dd38530db43bf0 Mon Sep 17 00:00:00 2001
From: David Drysdale <drysdale@google.com>
Date: Thu, 14 Sep 2023 11:16:27 +0100
Subject: [PATCH] KeyMint VTS: re-order auth failure arms

Allow for devices that claim to need external timestamps, but don't.

Test: VtsAidlKeyMintTargetTest
Bug: 300211206
Change-Id: Ie450d9969c337d5274502f3600e14c0b481e8b34
---
 .../keymint/aidl/vts/functional/AuthTest.cpp  | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/security/keymint/aidl/vts/functional/AuthTest.cpp b/security/keymint/aidl/vts/functional/AuthTest.cpp
index d5c6d2aed2..eb5db68a5c 100644
--- a/security/keymint/aidl/vts/functional/AuthTest.cpp
+++ b/security/keymint/aidl/vts/functional/AuthTest.cpp
@@ -350,14 +350,14 @@ TEST_P(AuthTest, TimeoutAuthentication) {
 
     // Wait for long enough that the hardware auth token expires.
     sleep(timeout_secs + 1);
-    if (!timestamp_token_required_) {
-        // KeyMint implementation has its own clock, and can immediately detect timeout.
-        EXPECT_EQ(ErrorCode::KEY_USER_NOT_AUTHENTICATED,
-                  Begin(KeyPurpose::ENCRYPT, keyblob, params, &out_params, hat));
-    } else {
-        // KeyMint implementation has no clock, so only detects timeout via timestamp token provided
-        // on update()/finish().
-        ASSERT_EQ(ErrorCode::OK, Begin(KeyPurpose::ENCRYPT, keyblob, params, &out_params, hat));
+
+    auto begin_result = Begin(KeyPurpose::ENCRYPT, keyblob, params, &out_params, hat);
+    if (begin_result == ErrorCode::OK) {
+        // If begin() succeeds despite the out-of-date HAT, that must mean that the KeyMint
+        // device doesn't have its own clock.  In that case, it only detects timeout via a
+        // timestamp token provided on update()/finish()
+        ASSERT_TRUE(timestamp_token_required_);
+
         secureclock::TimeStampToken time_token;
         EXPECT_EQ(ErrorCode::OK,
                   GetReturnErrorCode(clock_->generateTimeStamp(challenge_, &time_token)));
@@ -365,6 +365,9 @@ TEST_P(AuthTest, TimeoutAuthentication) {
         string output;
         EXPECT_EQ(ErrorCode::KEY_USER_NOT_AUTHENTICATED,
                   Finish(message, {} /* signature */, &output, hat, time_token));
+    } else {
+        // The KeyMint implementation may have its own clock that can immediately detect timeout.
+        ASSERT_EQ(ErrorCode::KEY_USER_NOT_AUTHENTICATED, begin_result);
     }
 }