Extend backoff period in noisydgram BIO users

Initially tests that were written which make use of the noisy dgram BIO,
were done under the assumption that, despite any packet mangling done by
the noisy dgram bio, the connection would still be established.  This
was initiall guaranteed by configuring the BIO to avoid
corrupting/dropping/duplicating/re-injecting the first packet received,
thus ensuring that the client and server hello frames would make it to
the peer successfully.

This implicitly made the assumption that the client and server hellos
were contained within a single datagram, which until recently was true.

However, with the introduction of ML-KEM keyshares, the above assumption
no longer holds.  Large ML-KEM keyshares generally expand these TLS
messages accross multiple datagrams, and so it is now possible that
those initial records can become corrupted/lost etc, leading to
unexpected connection failures.

Lets fix it by restoring the guarantee that these tests were written
under by making the backoff time configurable to a number of frames, and
configuring the quic connection objects used in the test to not drop the
first two initial frames, once again guaranteeing that the client and
server hello arrive at the peer uncorrupted, so that we get a good
connection established.

Fixes #27103

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27169)

test/helpers/noisydgrambio.c

@@ -56,7 +56,7 @@ static long noisy_dgram_ctrl(BIO *bio, int cmd, long num, void *ptr)
             data = BIO_get_data(bio);
             if (!TEST_ptr(data))
                 return 0;
-            data->backoff = 1;
+            data->backoff = (int)num;
             ret = 1;
             break;
         }
@@ -363,8 +363,8 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride,
          i++, thismsg++, data->this_dgram++) {
         uint64_t reinject;
         int should_drop;
-        uint16_t flip;
-        size_t flip_offset;
+        uint16_t flip = 0;
+        size_t flip_offset = 0;
 
         /* If we have a message to reinject then insert it now */
         if (data->reinject_dgram > 0
@@ -399,13 +399,15 @@ static int noisy_dgram_recvmmsg(BIO *bio, BIO_MSG *msg, size_t stride,
              * we always ensure that the next datagram does not get dropped so
              * that the connection always survives. After that we can resume
              * with normal noise
+             * Note that the backoff value is configurable via BIO ctrl,
+             * allowing for multiframe backoff.
              */
 #ifdef OSSL_NOISY_DGRAM_DEBUG
             printf("**Back off applied\n");
 #endif
             should_drop = 0;
             flip = 0;
-            data->backoff = 0;
+            data->backoff--;
         }
 
         flip_bits(thismsg->data, thismsg->data_len, flip, flip_offset);

test/helpers/quictestlib.c

@@ -109,8 +109,8 @@ static void noise_msg_callback(int write_p, int version, int content_type,
              * of our noise being too much such that the connection itself
              * fails. We back off on the noise for a bit to avoid that.
              */
-            (void)BIO_ctrl(noiseargs->cbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL);
-            (void)BIO_ctrl(noiseargs->sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL);
+            (void)BIO_ctrl(noiseargs->cbio, BIO_CTRL_NOISE_BACK_OFF, 1, NULL);
+            (void)BIO_ctrl(noiseargs->sbio, BIO_CTRL_NOISE_BACK_OFF, 1, NULL);
         }
     }
 
@@ -273,7 +273,7 @@ int qtest_create_quic_objects(OSSL_LIB_CTX *libctx, SSL_CTX *clientctx,
                 goto err;
         }
 
-        (void)BIO_ctrl(sbio, BIO_CTRL_NOISE_BACK_OFF, 0, NULL);
+        (void)BIO_ctrl(sbio, BIO_CTRL_NOISE_BACK_OFF, 2, NULL);
 
         (*fault)->noiseargs.cbio = cbio;
         (*fault)->noiseargs.sbio = sbio;