Don't reserve an unused cid for NEW_TOKENS

Don't reserve an unused cid for NEW_TOKENS

Just realized that NEW_TOKEN tokens don't need a reserved rscid.

Because a client might use a received NEW_TOKEN for multiple subsequent
connections, we allocate a cid when we validate the token on new
connection establishment (in fact we just use the one that the client
sends).  As such the allocated rscid never gets used, and just sits
there until it ages out.

Instead, fill the rscid with random data to mutate subsequently
generated NEW_TOKENS's, since it won't ever be part of the validation
process anyway.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Saša Nedvědický <sashan@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/26517)