handshake: lazily create the AEAD used for Retry (#4916)

* Change init to sync.Once to handle fips-only setup.

* review.

* use the mutex instead of the sync.Once

---------

Co-authored-by: Marten Seemann <martenseemann@gmail.com>

internal/handshake/retry.go

@@ -10,16 +10,13 @@ import (
 	"github.com/quic-go/quic-go/internal/protocol"
 )
 
+// Instead of using an init function, the AEADs are created lazily.
+// For more details see https://github.com/quic-go/quic-go/issues/4894.
 var (
 	retryAEADv1 cipher.AEAD // used for QUIC v1 (RFC 9000)
 	retryAEADv2 cipher.AEAD // used for QUIC v2 (RFC 9369)
 )
 
-func init() {
-	retryAEADv1 = initAEAD([16]byte{0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e})
-	retryAEADv2 = initAEAD([16]byte{0x8f, 0xb4, 0xb0, 0x1b, 0x56, 0xac, 0x48, 0xe2, 0x60, 0xfb, 0xcb, 0xce, 0xad, 0x7c, 0xcc, 0x92})
-}
-
 func initAEAD(key [16]byte) cipher.AEAD {
 	aes, err := aes.NewCipher(key[:])
 	if err != nil {
@@ -52,8 +49,14 @@ func GetRetryIntegrityTag(retry []byte, origDestConnID protocol.ConnectionID, ve
 	var tag [16]byte
 	var sealed []byte
 	if version == protocol.Version2 {
+		if retryAEADv2 == nil {
+			retryAEADv2 = initAEAD([16]byte{0x8f, 0xb4, 0xb0, 0x1b, 0x56, 0xac, 0x48, 0xe2, 0x60, 0xfb, 0xcb, 0xce, 0xad, 0x7c, 0xcc, 0x92})
+		}
 		sealed = retryAEADv2.Seal(tag[:0], retryNonceV2[:], nil, retryBuf.Bytes())
 	} else {
+		if retryAEADv1 == nil {
+			retryAEADv1 = initAEAD([16]byte{0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e})
+		}
 		sealed = retryAEADv1.Seal(tag[:0], retryNonceV1[:], nil, retryBuf.Bytes())
 	}
 	if len(sealed) != 16 {