The Authentication Suite Server SDK offline authentication module (aal2off.lib) provides various functions for offline authentication.
VerifyPassword (function)
Function prototype

```c
aat_int32 VerifyPassword (
    TKernelParms* CallParms,
    aat_ascii* aPassword,
    aat_byte* bSalt,
    aat_int32 SaltLength,
    aat_byte* bStateDataBlock,
    aat_int32 StateDataBlockLength,
    aat_byte* bHashDataBlock,
    aat_int32 HashDataBlockLength,
    aat_byte* bKey,
    aat_int32* KeyLength);
```

Description
This function verifies an OTP against the hashes in the given package. If the password is successfully validated, the function releases the decryption key, which can be used to decrypt static credentials stored on the client side, such as the static Windows password. For time-based algorithms, the caller is responsible for providing the package containing the OTP hashes for the current time.
Parameters
| Type | Name | Use | Description |
|---|---|---|---|
| TKernelParms* | CallParms | I | Structure of runtime parameters to use during this function call. |
| aat_ascii* | aPassword | I | Password to verify |
| aat_byte* | bSalt | I | This parameter is used to further randomize the produced hashes. The same salt value is used to generate hashes of all the OTP values in the package. |
| aat_int32 | SaltLength | I | Length of the salt string parameter. Possible values: 1–512 |
| aat_byte* | bStateDataBlock | I/O | 64-byte data block containing the last authenticator state. |
| aat_int32 | StateDataBlockLength | I | Length of the allocated state data block. |
| aat_byte* | bHashDataBlock | I | Hash data block list. |
| aat_int32 | HashDataBlockLength | I | Hash data block list length. |
| aat_byte* | bKey | O | 16-byte key released in case of successful OTP validation |
| aat_int32* | KeyLength | O | Length of the key |
Return codes
| Code | Meaning |
|---|---|
| 0 | Success |
| 1 | Authentication failed. The response does not match any hash in the acceptance window. |
| 130 | Invalid password pointer |
| 132 | Unsupported token type. Only time- or event-based authenticators are supported. |
| 156 | Obsolete hash data block. The last used value in the state data block is greater than the max hash value. |
| 157 | Authentication failed. The hash data block does not cover the full acceptance window. |
| 158 | Invalid salt pointer |
| 159 | Invalid state data block pointer |
| 160 | Invalid hash data block pointer |
| 161 | Invalid key pointer |
| 162 | Salt buffer too big. The maximum salt length is 512 bytes. |
| 202 | Identification error threshold reached |
| 208 | Application disabled |
| 412 | Invalid checksum (hash or state data block) |
| 807 | Hash data block does not match the state data block |
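The verification flow that the description and return codes imply, as an added illustrative model rather than the SDK's own code or block layout: one salt randomises every hash in the package, the last-used counter kept in the state block stops an already accepted OTP from being replayed, and the key is released only on a match. The dictionary field names, SHA-256 construction and sample values are assumptions made for this example.

```python
import hashlib
import hmac

# Return codes from the table above that this model reproduces.
OK, AUTH_FAILED, OBSOLETE_BLOCK, WINDOW_NOT_COVERED = 0, 1, 156, 157

def otp_hash(salt: bytes, otp: str) -> bytes:
    # Assumed construction: the same salt is prepended to every OTP in the package.
    return hashlib.sha256(salt + otp.encode()).digest()

def build_package(salt: bytes, otps_by_counter: dict, key: bytes) -> dict:
    # Constructed stand-in for bHashDataBlock: hash per OTP counter plus the protected key.
    return {"salt": salt,
            "hashes": {c: otp_hash(salt, o) for c, o in otps_by_counter.items()},
            "key": key}

def verify_password(password: str, package: dict, state: dict, window: tuple):
    """state models bStateDataBlock ({'last_used': counter}); window is the
    (first, last) counter range the caller expects the package to cover.
    Returns (code, key) where key is None unless code == OK."""
    counters = package["hashes"].keys()
    # 156: every hash in the block is at or below the last accepted counter.
    if state["last_used"] >= max(counters):
        return OBSOLETE_BLOCK, None
    # 157: the block must contain a hash for every counter in the window.
    first, last = window
    if any(c not in package["hashes"] for c in range(first, last + 1)):
        return WINDOW_NOT_COVERED, None
    candidate = otp_hash(package["salt"], password)
    # Only counters after the last accepted one are eligible, so a used OTP
    # cannot be replayed even though its hash is still in the package.
    for counter in sorted(c for c in counters if c > state["last_used"]):
        if hmac.compare_digest(candidate, package["hashes"][counter]):
            state["last_used"] = counter   # advance the state block
            return OK, package["key"]
    return AUTH_FAILED, None

# Constructed sample data: five OTPs for counters 10..14 and a 16-byte key.
SAMPLE_SALT = b"example-salt"
SAMPLE_OTPS = {10: "482913", 11: "105577", 12: "739204", 13: "861150", 14: "027396"}
SAMPLE_KEY = bytes(range(16))
SAMPLE_PACKAGE = build_package(SAMPLE_SALT, SAMPLE_OTPS, SAMPLE_KEY)
```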