Generate realmd VersionChallenge on the fly #2688

Open
0blu opened this issue Jun 23, 2024 · 2 comments

@0blu
Collaborator

0blu commented Jun 23, 2024

This is just a thought that I might test myself when I have time.

In realmd the VersionChallenge is used to check if any client modifications are made.
Since generating a hash for the game client data is computationally expensive and requires the server to have the client data, a custom project is used to precompute this HMAC (vmangos/LoginHashCalculator).
The key of this HMAC is hardcoded in this project.
https://github.com/vmangos/LoginHashCalculator/blob/3f9c1e97c0faebfd4dee8583df1ef6c479e6f16b/LoginHashCalculator/main.cpp#L20

The key is currently also hardcoded in AuthSocket of realmd.

std::array<uint8, 16> VersionChallenge = { { 0xBA, 0xA3, 0x1E, 0x99, 0xA0, 0x0B, 0x21, 0x57, 0xFC, 0x37, 0x3F, 0xB3, 0x69, 0xCD, 0xD2, 0xF1 } };

It might be possible to generate an HMAC with a NULL key and store this result in the DB.
When a new user connects to realmd, a new key is generated and applied to the hash in the DB.

@Chaosvex
Contributor

Chaosvex commented Jul 10, 2024

As the original implementer for this functionality, doing this seems overkill. The hashing, if the implementation is reasonable, is actually quite cheap and having hard-coded values makes it even more so, although it does somewhat undermine it if the values are fixed. A simpler solution to that is to simply calculate it based on a new key/seed on each startup... or just accept the small performance hit.

Having said that, it should be treated purely as a 'nice to have' for users that might be unknowingly using a client that may not be compatible with the server. It should not be treated as a method of preventing logins from users that are intentionally using clients other than those approved, because bypassing it is trivial.

@ratkosrb
Contributor

We don't want to require having the client installed on the same machine as the server, hence why it's hardcoded.
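
As an added illustration of the trade-off discussed in this thread (not code from vmangos or from any commenter): a fixed key lets the expected digest be computed offline and stored, while a key generated on each startup needs the client files on the server at that moment. HMAC-SHA1, the file names and contents, and the `VersionCheck` class are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Fixed 16-byte key quoted in the issue (VersionChallenge in realmd's AuthSocket).
FIXED_KEY = bytes([0xBA, 0xA3, 0x1E, 0x99, 0xA0, 0x0B, 0x21, 0x57,
                   0xFC, 0x37, 0x3F, 0xB3, 0x69, 0xCD, 0xD2, 0xF1])

# Constructed stand-ins for client binaries; real names and contents are not on the page.
CLIENT_FILES = {"client.exe": b"\x4d\x5a" + b"A" * 64, "data.dll": b"B" * 64}


def client_hash(key: bytes, files: dict[str, bytes]) -> bytes:
    """HMAC over the file contents in sorted-name order. SHA-1 is an assumption."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for name in sorted(files):
        mac.update(files[name])
    return mac.digest()


class VersionCheck:
    """Hypothetical holder for one key and the digest expected under it."""

    def __init__(self, key: bytes, expected: bytes):
        self.key = key
        self.expected = expected

    @classmethod
    def precomputed(cls, expected: bytes) -> "VersionCheck":
        # Fixed key: the digest was computed offline and only the result is stored,
        # so the server never needs the client files. The value never changes.
        return cls(FIXED_KEY, expected)

    @classmethod
    def per_startup(cls, files: dict[str, bytes]) -> "VersionCheck":
        # Fresh random key on every start: the digest must be recomputed,
        # which requires the client files to be readable by the server.
        key = secrets.token_bytes(16)
        return cls(key, client_hash(key, files))

    def verify(self, response: bytes) -> bool:
        # Constant-time comparison of the client's response with the expected digest.
        return hmac.compare_digest(self.expected, response)
```
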
