Always allow setting number of iterations for the first time.

Before this change it was impossible to set the number of PKCS#5v2 iterations,
which is required to set a passphrase, if the provider had two keys and had never
had a passphrase. Due to limitations of the present metadata format there are still
cases where the number of iterations cannot be changed, but now it works in the
cases where it can.

PR:		218512
MFC after:	2 weeks
Sponsored by:	iXsystems, Inc.
Differential Revision:	https://reviews.freebsd.org/D10338
Alexander Motin 2017-04-21 07:16:07 +00:00
parent 56e7a784ac
commit d8880fd450
2 changed files with 6 additions and 2 deletions


@ -1118,7 +1118,9 @@ eli_setkey_detached(struct gctl_req *req, const char *prov,
val = gctl_get_intmax(req, "iterations");
/* Check if iterations number should and can be changed. */
if (val != -1) {
if (val != -1 && md->md_iterations == -1) {
md->md_iterations = val;
} else if (val != -1 && val != md->md_iterations) {
if (bitcount32(md->md_keys) != 1) {
gctl_error(req, "To be able to use '-i' option, only "
"one key can be defined.");
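Review bot: The new first-time branch in eli_setkey_detached writes `val` straight into `md->md_iterations` with no range check, so 0, a negative value other than -1, or a value too wide for the metadata field would be stored as the PKCS#5v2 iteration count. A very small count weakens the passphrase-derived key, and an out-of-range one may be truncated on assignment. Unless `val` is validated before this hunk, which is not visible here, a guard ahead of the branch such as `if (val != -1 && (val < 1 || val > INT32_MAX)) { gctl_error(req, "Invalid number of iterations."); return; }` would close this, assuming the field is 32 bits wide. The same applies to `*valp` in the g_eli_ctl_setkey hunk, where the check matters more because the value comes from the control request. The function body starts and ends outside the hunk.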


@ -618,7 +618,9 @@ g_eli_ctl_setkey(struct gctl_req *req, struct g_class *mp)
return;
}
/* Check if iterations number should and can be changed. */
if (*valp != -1) {
if (*valp != -1 && md.md_iterations == -1) {
md.md_iterations = *valp;
} else if (*valp != -1 && *valp != md.md_iterations) {
if (bitcount32(md.md_keys) != 1) {
gctl_error(req, "To be able to use '-i' option, only "
"one key can be defined.");
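Review bot: The comment above the branch in g_eli_ctl_setkey does not say what `md.md_iterations == -1` means, yet that sentinel is the only reason the first branch can skip the one-key restriction. Going by the commit message it marks a provider that has never had a passphrase. If that reading is right, a comment on the first branch such as `/* -1: no passphrase was ever set, so no existing key depends on the count. */` would record why the assignment is allowed for any number of keys. The repeated `*valp != -1` test in both branches could also be hoisted into a single outer `if (*valp != -1)`, which would make the two cases easier to read. The function continues outside the hunk.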