
Fix potential time attack vulnerability in HMAC signature comparison for 2.x

@rbone rbone released this 19 Jan 23:27

Fixes a potential timing attack vulnerability in our HMAC signature comparison using a double HMAC approach. This fix has already been applied to v3.1.1; this is a backport for 2.x. Thanks to @afk11 for submitting this.
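
The double HMAC comparison named above, shown next to the direct comparison it replaces, as an added Python example that is not this project's code. The function names, the choice of HMAC-SHA256 and the sample key and message are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample values, for illustration only.
SAMPLE_KEY = b"k" * 32
SAMPLE_MESSAGE = b"header.payload"


def sign(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag over message (the algorithm is an assumption)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_naive(key: bytes, message: bytes, provided: bytes) -> bool:
    """Direct comparison: == may stop at the first differing byte, so the
    response time can depend on how many leading bytes of the tag match."""
    return sign(key, message) == provided


def verify_double_hmac(key: bytes, message: bytes, provided: bytes) -> bool:
    """Double HMAC: MAC both tags again under a fresh random key and
    compare the blinded values instead of the tags themselves."""
    expected = sign(key, message)
    blind_key = os.urandom(32)  # new for every call, never leaves this function
    blinded_expected = hmac.new(blind_key, expected, hashlib.sha256).digest()
    blinded_provided = hmac.new(blind_key, provided, hashlib.sha256).digest()
    # An early exit here only shows where two values the caller cannot
    # predict differ, which says nothing about the bytes of `expected`.
    return blinded_expected == blinded_provided


if __name__ == "__main__":
    tag = sign(SAMPLE_KEY, SAMPLE_MESSAGE)
    tampered = bytes([tag[0] ^ 0x01]) + tag[1:]
    print("valid tag accepted:   ", verify_double_hmac(SAMPLE_KEY, SAMPLE_MESSAGE, tag))
    print("tampered tag accepted:", verify_double_hmac(SAMPLE_KEY, SAMPLE_MESSAGE, tampered))
```

Where the runtime already provides a constant-time comparison, such as Python's `hmac.compare_digest`, that primitive addresses the same timing leak directly.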