delay diversification nonce generation until after the CHLO

fixes the first part of #136

handshake/crypto_setup.go

@@ -60,17 +60,12 @@ func NewCryptoSetup(
 	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
 		return nil, err
 	}
-	diversificationNonce := make([]byte, 32)
-	if _, err := io.ReadFull(rand.Reader, diversificationNonce); err != nil {
-		return nil, err
-	}
 	return &CryptoSetup{
 		connID:                      connID,
 		ip:                          ip,
 		version:                     version,
 		scfg:                        scfg,
 		nonce:                       nonce,
-		diversificationNonce:        diversificationNonce,
 		keyDerivation:               crypto.DeriveKeysAESGCM,
 		keyExchange:                 crypto.NewCurve25519KEX,
 		cryptoStream:                cryptoStream,
@@ -245,6 +240,11 @@ func (h *CryptoSetup) handleCHLO(sni string, data []byte, cryptoData map[Tag][]b
 		return nil, err
 	}
 
+	h.diversificationNonce = make([]byte, 32)
+	if _, err := io.ReadFull(rand.Reader, h.diversificationNonce); err != nil {
+		return nil, err
+	}
+
 	h.secureAEAD, err = h.keyDerivation(
 		h.version,
 		false,

handshake/crypto_setup_test.go

@@ -181,6 +181,10 @@ var _ = Describe("Crypto setup", func() {
 			cs.version = protocol.Version33
 			cs.secureAEAD = &mockAEAD{}
 			cs.receivedForwardSecurePacket = false
+
+			Expect(cs.DiversificationNonce()).To(BeEmpty())
+			// Div nonce is created after CHLO
+			cs.handleCHLO("", nil, map[Tag][]byte{TagNONC: nonce32})
 		})
 
 		It("returns diversification nonces", func() {