Detect sequential key updates and abort connection on this condition

[stammw]

When the KEY_PHASE is flipped twice in two consecutive received packet, the connection must be aborted. From draft-ietf-quic-tls-16:

An endpoint does not always need to send packets when it detects that
its peer has updated keys. The next packet that it sends will simply
use the new keys. If an endpoint detects a second update before it
has sent any packets with updated keys, it indicates that its peer
has updated keys twice without awaiting a reciprocal update. An
endpoint MUST treat consecutive key updates as a fatal error and
abort the connection.

[Ralith]

When the KEY_PHASE is flipped twice in two consecutive received packet

That's not quite right: it is an error for KEY_PHASE to be flipped in any packet that is numbered after a prior KEY_PHASE flip and received before the local endpoint has sent a packet using the new keys. In other words, an endpoint may not initiate a key update until it has received a packet encrypted using the current keys.