ITS#10310 pw-pbkdf2: make iterations configurable

contrib/slapd-modules/passwd/pbkdf2/README

@@ -28,7 +28,9 @@ First, You need to configure and build OpenLDAP.
 
 In slapd.conf:
 
-    moduleload pw-pbkdf2.so
+    moduleload pw-pbkdf2.so [iterations]
+
+Iterations defaults to 10000.
 
 You can also tell OpenLDAP to use the schemes when processing LDAP
 Password Modify Extended Operations, thanks to the password-hash

contrib/slapd-modules/passwd/pbkdf2/pw-pbkdf2.c

@@ -43,6 +43,8 @@ typedef void (*pbkdf2_hmac_digest)(void *, unsigned, uint8_t *);
 #define PBKDF2_SHA512_DK_SIZE 64
 #define PBKDF2_MAX_DK_SIZE 64
 
+static int pbkdf2_iteration = PBKDF2_ITERATION;
+
 const struct berval pbkdf2_scheme = BER_BVC("{PBKDF2}");
 const struct berval pbkdf2_sha1_scheme = BER_BVC("{PBKDF2-SHA1}");
 const struct berval pbkdf2_sha256_scheme = BER_BVC("{PBKDF2-SHA256}");
@@ -147,7 +149,7 @@ static int pbkdf2_encrypt(
 	struct berval salt;
 	unsigned char dk_value[PBKDF2_MAX_DK_SIZE];
 	struct berval dk;
-	int iteration = PBKDF2_ITERATION;
+	int iteration = pbkdf2_iteration;
 	int rc;
 #ifdef HAVE_OPENSSL
 	const EVP_MD *md;
@@ -426,6 +428,14 @@ static int pbkdf2_check(
 
 int init_module(int argc, char *argv[]) {
 	int rc;
+
+	if (argc == 2) {
+		int iter = atoi(argv[1]);
+		if (iter > 0)
+			pbkdf2_iteration = iter;
+		else
+			return -1;
+	}
 	rc = lutil_passwd_add((struct berval *)&pbkdf2_scheme,
 						  pbkdf2_check, pbkdf2_encrypt);
 	if(rc) return rc;

contrib/slapd-modules/passwd/pbkdf2/slapd-pw-pbkdf2.5

@@ -9,7 +9,7 @@ ETCDIR/slapd.conf
 .RS
 .LP
 .B moduleload
-.B pw-pbkdf2
+.B pw-pbkdf2 [iterations]
 .RE
 .SH DESCRIPTION
 .LP
@@ -40,7 +40,9 @@ PBKDF2 using HMAC-SHA-512 as the underlying pseudorandom function
 .SH CONFIGURATION
 The
 .B pw-pbkdf2
-module does not need any configuration.
+module does not need any configuration. If the optional
+.B iterations
+parameter is not specified, it defaults to 10000.
 .LP
 After loading the module, the password schemes
 {PBKDF2}, {PBKDF2-SHA1}, {PBKDF2-SHA256}, and {PBKDF2-SHA512}