OF-3258: Guard against user enumeration in ScramSha1SaslServer
This replaces the use of randomly generated salts for unknown users with a deterministic but cryptographically unpredictable value derived from the username and a server-side secret.
Prior to this change, a non-deterministic salt was used, which can be used (by retrieving it more than once) to determine if a user exists.
OF-3257/OF-3258 (code review): Guard against empty values for server secret constant
Having an empty value for the server secret value is unlikely to happen, but should be replaced. This is an easy hardening with no downside.
