use server nonce in key derivation for initial encryption, if available

handshake/crypto_setup_client.go

@@ -355,10 +355,17 @@ func (h *cryptoSetupClient) maybeUpgradeCrypto() error {
 
 	if h.secureAEAD == nil && (h.serverConfig != nil && len(h.serverConfig.sharedSecret) > 0 && len(h.nonc) > 0 && len(leafCert) > 0 && len(h.diversificationNonce) > 0 && len(h.lastSentCHLO) > 0) {
 		var err error
+		var nonce []byte
+		if h.sno == nil {
+			nonce = h.nonc
+		} else {
+			nonce = append(h.nonc, h.sno...)
+		}
+
 		h.secureAEAD, err = h.keyDerivation(
 			false,
 			h.serverConfig.sharedSecret,
-			h.nonc,
+			nonce,
 			h.connID,
 			h.lastSentCHLO,
 			h.serverConfig.Get(),

handshake/crypto_setup_client_test.go

@@ -511,6 +511,15 @@ var _ = Describe("Crypto setup", func() {
 			Expect(keyDerivationCalledWith.pers).To(Equal(protocol.PerspectiveClient))
 		})
 
+		It("uses the server nonce, if the server sent one", func() {
+			cs.serverVerified = true
+			cs.sno = []byte("server nonce")
+			err := cs.maybeUpgradeCrypto()
+			Expect(err).ToNot(HaveOccurred())
+			Expect(cs.secureAEAD).ToNot(BeNil())
+			Expect(keyDerivationCalledWith.nonces).To(Equal(append(cs.nonc, cs.sno...)))
+		})
+
 		It("doesn't create a secureAEAD if the certificate is not yet verified, even if it has all necessary values", func() {
 			err := cs.maybeUpgradeCrypto()
 			Expect(err).ToNot(HaveOccurred())