cryptsetup: pass AskPasswordFlags down into pkcs11 module

The pkcs11 cryptsetup token module is a bit different from the tpm2 +
fido2 ones: it asks for the PIN itself, rather than bubbling up a
request to get a PIN. That's because it might need multiple, and because
we don't want to destroy the pkcs11 session half-way and thus risk
increasing pin counters.

Hence, we sometimes ask for PINs from our code, rather than let the
libcryptsetup caller do that. So far we didn't pass the AskPasswordFlags
field down into the module though. Fix that.

Fixes: #28665
Lennart Poettering
2023-11-02 22:32:36 +01:00
parent 00392b1437
commit a758a12870
4 changed files with 25 additions and 4 deletions


@@ -158,6 +158,7 @@ static int acquire_luks2_key_systemd(
data.friendly_name = params->friendly_name;
data.headless = params->headless;
data.askpw_flags = params->askpw_flags;
data.until = params->until;
/* The functions called here log about all errors, except for EAGAIN which means "token not found right now" */


@@ -1399,7 +1399,8 @@ static int attach_luks2_by_pkcs11_via_plugin(
systemd_pkcs11_plugin_params params = {
.friendly_name = friendly_name,
.until = until,
.headless = headless
.headless = headless,
.askpw_flags = arg_ask_password_flags,
};
r = crypt_activate_by_token_pin(cd, name, "systemd-pkcs11", CRYPT_ANY_TOKEN, NULL, 0, &params, flags);


@@ -291,6 +291,7 @@ int pkcs11_token_login(
const char *key_name,
const char *credential_name,
usec_t until,
AskPasswordFlags ask_password_flags,
bool headless,
char **ret_used_pin) {
@@ -371,7 +372,7 @@ int pkcs11_token_login(
return log_oom();
/* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, 0, &passwords);
r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, ask_password_flags, &passwords);
if (r < 0)
return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label);
}
@@ -1058,6 +1059,8 @@ struct pkcs11_acquire_certificate_callback_data {
char *pin_used;
X509 *cert;
const char *askpw_friendly_name, *askpw_icon_name;
AskPasswordFlags askpw_flags;
bool headless;
};
static void pkcs11_acquire_certificate_callback_data_release(struct pkcs11_acquire_certificate_callback_data *data) {
@@ -1086,7 +1089,19 @@ static int pkcs11_acquire_certificate_callback(
/* Called for every token matching our URI */
r = pkcs11_token_login(m, session, slot_id, token_info, data->askpw_friendly_name, data->askpw_icon_name, "pkcs11-pin", "pkcs11-pin", UINT64_MAX, false, &pin_used);
r = pkcs11_token_login(
m,
session,
slot_id,
token_info,
data->askpw_friendly_name,
data->askpw_icon_name,
"pkcs11-pin",
"pkcs11-pin",
UINT64_MAX,
data->askpw_flags,
data->headless,
&pin_used);
if (r < 0)
return r;
@@ -1325,6 +1340,7 @@ int pkcs11_crypt_device_callback(
"pkcs11-pin",
"cryptsetup.pkcs11-pin",
data->until,
data->askpw_flags,
data->headless,
NULL);
if (r < 0)
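Review bot: The "We never cache PINs" comment in the pkcs11_token_login hunk was previously enforced by the hard-coded `0` that this change replaces with the caller-supplied `ask_password_flags`; if a caller's flags carry the cache bits (ASK_PASSWORD_ACCEPT_CACHED / ASK_PASSWORD_PUSH_CACHE), a PIN could now be taken from or pushed into the password cache, contradicting the comment and risking a burned retry on a stale PIN. Masking them at the call, `r = ask_password_auto(text, icon_name, id, key_name, credential_name, until, ask_password_flags & ~(ASK_PASSWORD_ACCEPT_CACHED|ASK_PASSWORD_PUSH_CACHE), &passwords);`, keeps that invariant local to this function instead of relying on every caller. Separately, the rewritten call in pkcs11_acquire_certificate_callback changes the headless argument from the literal `false` to `data->headless`, a behavior change the commit message does not mention; it looks intentional given the struct field, but deserves a sentence there. pkcs11_token_login's body begins and ends outside these hunks.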


@@ -8,6 +8,7 @@
# include <p11-kit/uri.h>
#endif
#include "ask-password-api.h"
#include "macro.h"
#include "openssl-util.h"
#include "time-util.h"
@@ -47,7 +48,7 @@ char *pkcs11_token_manufacturer_id(const CK_TOKEN_INFO *token_info);
char *pkcs11_token_model(const CK_TOKEN_INFO *token_info);
int pkcs11_token_login_by_pin(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, const CK_TOKEN_INFO *token_info, const char *token_label, const void *pin, size_t pin_size);
int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, bool headless, char **ret_used_pin);
int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, AskPasswordFlags ask_password_flags, bool headless, char **ret_used_pin);
int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object);
#if HAVE_OPENSSL
@@ -75,6 +76,7 @@ typedef struct {
size_t decrypted_key_size;
bool free_encrypted_key;
bool headless;
AskPasswordFlags askpw_flags;
} pkcs11_crypt_device_callback_data;
void pkcs11_crypt_device_callback_data_release(pkcs11_crypt_device_callback_data *data);
@@ -102,6 +104,7 @@ typedef struct {
const char *friendly_name;
usec_t until;
bool headless;
AskPasswordFlags askpw_flags;
} systemd_pkcs11_plugin_params;
int pkcs11_list_tokens(void);
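Review bot: The new `askpw_flags` members in pkcs11_crypt_device_callback_data and systemd_pkcs11_plugin_params are undocumented although the commit message explains their purpose at length; a one-liner such as `AskPasswordFlags askpw_flags; /* forwarded to ask_password_auto() when the module queries the PIN itself */` would make the contract visible at the declaration. systemd_pkcs11_plugin_params is presumably the struct handed to the token plugin through libcryptsetup's opaque user pointer, so appending a field changes a layout shared between systemd-cryptsetup and the plugin; if the two can ever come from different builds, that coupling is worth a comment on the struct as well. The pkcs11_token_login prototype inserts the new parameter between `until` and `headless`, and the updated callers in the other file sections follow that order.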