modules/crypto/pbkdf2v2: fix regression from v7.2.9
Interoperability tests were performed between 7.2.9 and master,
and 7.2.10 and master, but not 7.2.9 and 7.2.10. 7.2.10 and
master use base64-encoded salts for new hashes, and master has
a verify function which doesn't require string-equal output.
However, 7.2 doesn't have that feature, so crypt() must output
a string-equal hash to all of the previous outputs over all
versions. What I failed to notice was that crypt() was assuming
the salt was base64-encoded, so if it wasn't, password
verification would fail; the hash is the same byte-wise, but it
is encoded as a string differently.
While we're at it, make sure the parameter upgrade system takes
account of various salt lengths, allow the user to configure a
different salt length (as if on master), and make sure we erase
the password from the stack after we're done with it.