check that the peer updated its keys when acknowledging a key update

[marten-seemann]

The spec says:

An endpoint that receives an acknowledgement that is carried in a packet protected with old keys where any acknowledged packet was protected with newer keys MAY treat that as a connection error of type KEY_UPDATE_ERROR. This indicates that a peer has received and acknowledged a packet that initiates a key update, but has not updated keys in response.

As I claimed in quicwg/base-drafts#4087 (comment), this should be easy to implement.

[codecov]

Codecov Report

Merging #2781 into master will increase coverage by 0.02%.
The diff coverage is 70.00%.

@@            Coverage Diff             @@
##           master    #2781      +/-   ##
==========================================
+ Coverage   86.90%   86.92%   +0.02%     
==========================================
  Files         133      133              
  Lines       10102    10106       +4     
==========================================
+ Hits         8779     8784       +5     
  Misses        990      990              
+ Partials      333      332       -1     

Impacted Files	Coverage Δ
internal/handshake/crypto_setup.go	68.14% <0.00%> (ø)
session.go	77.65% <66.67%> (+0.10%)	⬆️
internal/handshake/updatable_aead.go	96.23% <100.00%> (+0.10%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 272a2c8...9d4b4f6. Read the comment docs.