Fix errors and use correct error codes

1cc66789 · Bolke de Bruin · dfb82889 · 1cc66789 · 1cc66789
Commit 1cc66789 authored Aug 8, 2022 by Bolke de Bruin
--- a/cmd/rdpgw/protocol/errors.go
+++ b/cmd/rdpgw/protocol/errors.go
 package protocol

+/*
 const (
 	ERROR_NO                                       = 0x0000000
 	ERROR_CLIENT_DISCONNECT                        = 0x0000001
@@ -122,3 +123,33 @@ const (
 	ERROR_AZURE_TRIAL                              = 0x300004F
 	ERROR_AZURE_EXPIRED                            = 0x3000050
 )
+*/
+
+/* Common Error Code */
+const (
+	ERROR_SUCCESS								= 0x00000000
+	ERROR_ACCESS_DENIED							= 0x00000005
+	E_PROXY_INTERNALERROR                       = 0x800759D8
+	E_PROXY_RAP_ACCESSDENIED                    = 0x800759DA
+	E_PROXY_NAP_ACCESSDENIED                    = 0x800759DB
+	E_PROXY_ALREADYDISCONNECTED                 = 0x800759DF
+	E_PROXY_QUARANTINE_ACCESSDENIED             = 0x800759ED
+	E_PROXY_NOCERTAVAILABLE                     = 0x800759EE
+	E_PROXY_COOKIE_BADPACKET                    = 0x800759F7
+	E_PROXY_COOKIE_AUTHENTICATION_ACCESS_DENIED = 0x800759F8
+	E_PROXY_UNSUPPORTED_AUTHENTICATION_METHOD   = 0x800759F9
+	E_PROXY_CAPABILITYMISMATCH                  = 0x800759E9
+	E_PROXY_TS_CONNECTFAILED                    = 0x000059DD
+	E_PROXY_MAXCONNECTIONSREACHED               = 0x000059E6
+	// E_PROXY_INTERNALERROR                       = 0x000059D8
+	ERROR_GRACEFUL_DISCONNECT                   = 0x000004CA
+	E_PROXY_NOTSUPPORTED                        = 0x000059E8
+	SEC_E_LOGON_DENIED                          = 0x8009030C
+	E_PROXY_SESSIONTIMEOUT                      = 0x000059F6
+	E_PROXY_REAUTH_AUTHN_FAILED                 = 0x000059FA
+	E_PROXY_REAUTH_CAP_FAILED                   = 0x000059FB
+	E_PROXY_REAUTH_RAP_FAILED                   = 0x000059FC
+	E_PROXY_SDR_NOT_SUPPORTED_BY_TS             = 0x000059FD
+	E_PROXY_REAUTH_NAP_FAILED                   = 0x00005A00
+	E_PROXY_CONNECTIONABORTED                   = 0x000004D4
+)
--- a/cmd/rdpgw/protocol/server.go
+++ b/cmd/rdpgw/protocol/server.go
@@ -74,12 +74,12 @@ func (s *Server) Process(ctx context.Context) error {
 			log.Printf("Client handshakeRequest from %s", common.GetClientIp(ctx))
 			if s.State != SERVER_STATE_INITIALIZED {
 				log.Printf("Handshake attempted while in wrong state %d != %d", s.State, SERVER_STATE_INITIALIZED)
-				msg := s.handshakeResponse(0x0, 0x0, ERROR_GENERIC)
+				msg := s.handshakeResponse(0x0, 0x0, E_PROXY_INTERNALERROR)
 				s.Session.TransportOut.WritePacket(msg)
-				return fmt.Errorf("%x: wrong state", ERROR_GENERIC)
+				return fmt.Errorf("%x: wrong state", E_PROXY_INTERNALERROR)
 			}
 			major, minor, _, _ := s.handshakeRequest(pkt) // todo check if auth matches what the handler can do
-			msg := s.handshakeResponse(major, minor, ERROR_NO)
+			msg := s.handshakeResponse(major, minor, ERROR_SUCCESS)
 			s.Session.TransportOut.WritePacket(msg)
 			s.State = SERVER_STATE_HANDSHAKE
 		case PKT_TYPE_TUNNEL_CREATE:
@@ -87,20 +87,20 @@ func (s *Server) Process(ctx context.Context) error {
 			if s.State != SERVER_STATE_HANDSHAKE {
 				log.Printf("Tunnel create attempted while in wrong state %d != %d",
 					s.State, SERVER_STATE_HANDSHAKE)
-				msg := s.tunnelResponse(ERROR_SECURITY_GATEWAY_COOKIE_REJECTED)
+				msg := s.tunnelResponse(E_PROXY_INTERNALERROR)
 				s.Session.TransportOut.WritePacket(msg)
-				return fmt.Errorf("%x: PAA cookie rejected, wrong state", ERROR_SECURITY_GATEWAY_COOKIE_REJECTED)
+				return fmt.Errorf("%x: PAA cookie rejected, wrong state", E_PROXY_INTERNALERROR)
 			}
 			_, cookie := s.tunnelRequest(pkt)
 			if s.VerifyTunnelCreate != nil {
 				if ok, _ := s.VerifyTunnelCreate(ctx, cookie); !ok {
 					log.Printf("Invalid PAA cookie received from client %s", common.GetClientIp(ctx))
-					msg := s.tunnelResponse(ERROR_SECURITY_GATEWAY_COOKIE_INVALID)
+					msg := s.tunnelResponse(E_PROXY_COOKIE_AUTHENTICATION_ACCESS_DENIED)
 					s.Session.TransportOut.WritePacket(msg)
-					return fmt.Errorf("%x: invalid PAA cookie", ERROR_SECURITY_GATEWAY_COOKIE_INVALID)
+					return fmt.Errorf("%x: invalid PAA cookie", E_PROXY_COOKIE_AUTHENTICATION_ACCESS_DENIED)
 				}
 			}
-			msg := s.tunnelResponse(ERROR_NO)
+			msg := s.tunnelResponse(ERROR_SUCCESS)
 			s.Session.TransportOut.WritePacket(msg)
 			s.State = SERVER_STATE_TUNNEL_CREATE
 		case PKT_TYPE_TUNNEL_AUTH:
@@ -108,20 +108,20 @@ func (s *Server) Process(ctx context.Context) error {
 			if s.State != SERVER_STATE_TUNNEL_CREATE {
 				log.Printf("Tunnel auth attempted while in wrong state %d != %d",
 					s.State, SERVER_STATE_TUNNEL_CREATE)
-				msg := s.tunnelAuthResponse(ERROR_GENERIC)
+				msg := s.tunnelAuthResponse(E_PROXY_INTERNALERROR)
 				s.Session.TransportOut.WritePacket(msg)
-				return fmt.Errorf("%x: Tunnel auth rejected, wrong state", ERROR_GENERIC)
+				return fmt.Errorf("%x: Tunnel auth rejected, wrong state", E_PROXY_INTERNALERROR)
 			}
 			client := s.tunnelAuthRequest(pkt)
 			if s.VerifyTunnelAuthFunc != nil {
 				if ok, _ := s.VerifyTunnelAuthFunc(ctx, client); !ok {
 					log.Printf("Invalid client name: %s", client)
-					msg := s.tunnelAuthResponse(ERROR_SECURITY)
+					msg := s.tunnelAuthResponse(ERROR_ACCESS_DENIED)
 					s.Session.TransportOut.WritePacket(msg)
-					return fmt.Errorf("%x: Tunnel auth rejected, invalid client name", ERROR_SECURITY)
+					return fmt.Errorf("%x: Tunnel auth rejected, invalid client name", ERROR_ACCESS_DENIED)
 				}
 			}
-			msg := s.tunnelAuthResponse(ERROR_NO)
+			msg := s.tunnelAuthResponse(ERROR_SUCCESS)
 			s.Session.TransportOut.WritePacket(msg)
 			s.State = SERVER_STATE_TUNNEL_AUTHORIZE
 		case PKT_TYPE_CHANNEL_CREATE:
@@ -129,30 +129,30 @@ func (s *Server) Process(ctx context.Context) error {
 			if s.State != SERVER_STATE_TUNNEL_AUTHORIZE {
 				log.Printf("Channel create attempted while in wrong state %d != %d",
 					s.State, SERVER_STATE_TUNNEL_AUTHORIZE)
-				msg := s.channelResponse(ERROR_GENERIC)
+				msg := s.channelResponse(E_PROXY_INTERNALERROR)
 				s.Session.TransportOut.WritePacket(msg)
-				return fmt.Errorf("%x: Channel create rejected, wrong state", ERROR_GENERIC)
+				return fmt.Errorf("%x: Channel create rejected, wrong state", E_PROXY_INTERNALERROR)
 			}
 			server, port := s.channelRequest(pkt)
 			host := net.JoinHostPort(server, strconv.Itoa(int(port)))
 			if s.VerifyServerFunc != nil {
 				if ok, _ := s.VerifyServerFunc(ctx, host); !ok {
 					log.Printf("Not allowed to connect to %s by policy handler", host)
-					msg := s.channelResponse(ERROR_SECURITY_GATEWAY_POLICY)
+					msg := s.channelResponse(E_PROXY_RAP_ACCESSDENIED)
 					s.Session.TransportOut.WritePacket(msg)
-					return fmt.Errorf("%x: denied by security policy", ERROR_SECURITY_GATEWAY_POLICY)
+					return fmt.Errorf("%x: denied by security policy", E_PROXY_RAP_ACCESSDENIED)
 				}
 			}
 			log.Printf("Establishing connection to RDP server: %s", host)
 			s.Remote, err = net.DialTimeout("tcp", host, time.Second*15)
 			if err != nil {
 				log.Printf("Error connecting to %s, %s", host, err)
-				msg := s.channelResponse(ERROR_GENERIC)
+				msg := s.channelResponse(E_PROXY_INTERNALERROR)
 				s.Session.TransportOut.WritePacket(msg)
 				return err
 			}
 			log.Printf("Connection established")
-			msg := s.channelResponse(ERROR_NO)
+			msg := s.channelResponse(E_PROXY_INTERNALERROR)
 			s.Session.TransportOut.WritePacket(msg)

 			// Make sure to start the flow from the RDP server first otherwise connections
@@ -181,7 +181,7 @@ func (s *Server) Process(ctx context.Context) error {
 				log.Printf("Channel closed while in wrong state %d != %d", s.State, SERVER_STATE_OPENED)
 				return errors.New("wrong state")
 			}
-			msg := s.channelCloseResponse(ERROR_NO)
+			msg := s.channelCloseResponse(ERROR_SUCCESS)
 			s.Session.TransportOut.WritePacket(msg)
 			//s.Session.TransportIn.Close()
 			//s.Session.TransportOut.Close()