Fix/constant time compare

[naveedqadir]

Summary:
Replace the strcmp-style comparator with a constant-time byte-wise compare in src/bcrypt_node.cc to mitigate timing-based information leakage.

Why:

• Non-constant-time comparisons can leak information via timing side-channels when an attacker can control or influence the compared value. This patch removes that micro-timing leak in the native comparator.

Scope:

• Minimal change confined to CompareStrings in src/bcrypt_node.cc.
• No changes to bcrypt algorithm semantics or public API.

Tests:

• Local tests passed: npm install && npm test (all suites passed locally).
• CI should run the full build + tests; please confirm.

PoC:

• Proof-of-concept timing demos exist in my fork under issues/ but are intentionally excluded from this PR.

[recrsn]

https://github.com/kelektiv/node.bcrypt.js#a-note-on-timing-attacks

TLDR; timing attacks are not relevant for hash functions like bcrypt

[naveedqadir]

Thanks for the clarification — agreed that bcrypt’s hashing itself isn’t meaningfully affected by timing attacks.
This PR is limited to replacing an early-exit strcmp-style comparison in the native helper with a constant-time byte comparison as a small defensive hardening step, without changing semantics or API.
If this is outside the project’s threat model, I understand.> https://github.com/kelektiv/node.bcrypt.js#a-note-on-timing-attacks

TLDR; timing attacks are not relevant for hash functions like bcrypt