From e4dd62475a2acacd1a431cd1feff866231b225ee Mon Sep 17 00:00:00 2001
From: Winni Neessen
Date: Wed, 2 Oct 2024 18:02:34 +0200
Subject: [PATCH] Improve error handling in SCRAM-SHA-X-PLUS authentication

Refactor error return to include more specific information and add a check for TLS connection state in SCRAM-SHA-X-PLUS authentication flow. This ensures clearer error messages and verifies essential prerequisites for secure authentication.
---
 smtp/auth_scram.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/smtp/auth_scram.go b/smtp/auth_scram.go
index c70b210..a21aef5 100644
--- a/smtp/auth_scram.go
+++ b/smtp/auth_scram.go
@@ -112,7 +112,7 @@ func (a *scramAuth) Next(fromServer []byte, more bool) ([]byte, error) {
 return resp, nil
 default:
 a.reset()
- return nil, errors.New("unexpected server response")
+ return nil, fmt.Errorf("%w: %s", ErrUnexpectedServerResponse, string(fromServer))
 }
 }
 return nil, nil
@@ -147,6 +147,9 @@ func (a *scramAuth) initialClientMessage() ([]byte, error) {
 // SCRAM-SHA-X-PLUS auth requires channel binding
 if a.isPlus {
+ if a.tlsConnState == nil {
+ return nil, errors.New("tls connection state is required for SCRAM-SHA-X-PLUS")
+ }
 bindType := "tls-unique"
 connState := a.tlsConnState
 bindData := connState.TLSUnique
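Review bot: The raw server reply is formatted into the error with `%s` in the default branch of Next, so whatever the peer sent (newlines, control characters, arbitrary length) is carried verbatim into any log or UI that prints the error. Quoting it keeps the message on one line and makes empty or binary replies visible: `return nil, fmt.Errorf("%w: %q", ErrUnexpectedServerResponse, fromServer)`; a length cap before formatting would also be reasonable. ErrUnexpectedServerResponse is declared outside this hunk, and its doc comment should say that the wrapped text is server-controlled. Next's body starts and ends outside the hunk.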
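Review bot: The new nil guard in initialClientMessage covers only the pointer; `connState.TLSUnique` on the last visible line can still be empty, which crypto/tls documents for TLS 1.3 connections and for resumed sessions without Extended Master Secret. The rest of the function is outside the hunk, so confirm that an empty value is replaced or rejected there rather than used as channel-binding data. The added error is also an ad hoc `errors.New` value, while the other hunk of this commit moves to a wrapped sentinel; returning a package-level sentinel here (name to be chosen by the maintainers) would let callers match the condition with `errors.Is` instead of comparing strings.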