forgottenserver Avoid user timing attack

Pull Request Prelude

[x] I have followed proper The Forgotten Server code styling.
[x] I have read and understood the contribution guidelines before making this PR.
[x] I am aware that this PR may be closed if the above-mentioned criteria are not fulfilled.

Optional - Changes Proposes

SHA1 it's as fast as rocket, which makes this PR optional.

For curious ?

Auth response time varies depending on query and hash-gen.
If you consult the bank, returning without not gen the password-hash, the time is different if the user exists. Ex: if user not exists: return select time, if exists: return select time + password hash gen. With this, you can see if user exists in database.

Future is Argon2 ?

If the password hash is changed, test verification response time.

Jul 07 '22 01:07 ramon-bernardo

That code path is not used anymore, since the login server does not support the client protocol.

Jul 07 '22 15:07 ranisalt

That code path is not used anymore, since the login server does not support the client protocol.

OTC perhaps?

Jul 07 '22 19:07 EPuncker

@ranisalt Mehah OTC allows legacy login protocol, useful when you don't want to bother with setting up the webservice just to test a few things

https://github.com/mehah/otclient/commit/d9c9a9d913b7bceaf3cee2de7a9c351d4ecd339c#diff-9069838e67c3d247571f4c3e3d140550eb63b59bdb21eb26222ba79ba312b9f7R439

Jul 08 '22 03:07 Zbizu