I'd be worried about your use of GUIDs for nonces and challenges - they are not cryptographically secure.
Ah, thanks! What can I use instead?
Also, Diffie-Hellman is vulnerable against a man in the middle simply interspersing himself, and running one D-H exchange to the client, and another D-H exchange to the server, decrypting and re-encrypting everything in between. You need public/private keys to exchange AND SIGN the session key to defend against that. Which, btw, is included in TLS.
I thought EC DH solved this issue?
However, if you are doing that for multi-byte values anywhere (ReadPascalString, perhaps?) you might allow a malicious client to make you to do an awful lot of work just by sending packets with large usernames / GUID strings.
The internal packet buffer has an upper limit of 11kb, but point taken! ;)