External Token API does not ask for PIN except in --token-only mode.
I've been writing my own token to use the new external token API, but I've been surprised by a few quirks, which I'll file here for your consideration...
When I return -ENOANO, cryptsetup will ask for the PIN and retry the library call with cryptsetup_token_open_pin, but only when cryptsetup open is invoked in --token-only mode.
Otherwise it goes straight to asking the user for the unlock passphrase and never tries again.
It seems to me that it would be nice to ask for a token PIN if the library suggested it.
It might be nice to pass the passphrase into the library as a PIN if it didn't unlock anything successfully, but I can see that this has potential security risks of its own, or problems with tokens that have try counters.
Is it appropriate for the token library to prompt for a PIN on the console rather than return -ENOANO if it will be ignored?
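For readers unfamiliar with the handshake the post describes, here is a minimal sketch of the token side of it. This is an example added here; it is not cryptsetup's code and not the poster's token. The exported entry points `cryptsetup_token_version`, `cryptsetup_token_open`, `cryptsetup_token_open_pin` and `cryptsetup_token_buffer_free` and their signatures are assumed to match the external token API in `libcryptsetup.h`; the header is deliberately not included so the file compiles on its own, with `struct crypt_device` forward-declared as an opaque type. The PIN, the passphrase, the `-EPERM` result for a wrong PIN, the `-EACCES` result for a locked token, and the three-try counter are all constructed for the demo. A real plugin would read the token's JSON from the LUKS2 header and be built as a shared object that cryptsetup loads by token type.

```c
/* Example LUKS2 external token plugin (added example, not cryptsetup's or the
 * poster's code). It shows the PIN handshake from the post: returning -ENOANO
 * from cryptsetup_token_open() asks cryptsetup for a PIN, after which
 * cryptsetup is expected to call cryptsetup_token_open_pin().
 *
 * Assumptions: entry-point signatures follow libcryptsetup.h's external token
 * API (header not included so this compiles stand-alone); the secrets, the
 * -EPERM / -EACCES codes and the try counter are constructed for the demo. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct crypt_device;   /* opaque handle; the real definition lives in libcryptsetup */

/* Constructed demo secrets, standing in for whatever the token would unwrap. */
static const char DEMO_PIN[] = "1234";
static const char DEMO_PASSPHRASE[] = "demo-volume-passphrase";

/* Mimic a token with a try counter: lock after too many wrong PINs. */
#define MAX_PIN_TRIES 3
static int pin_tries_left = MAX_PIN_TRIES;

int token_pin_tries_left(void)
{
    return pin_tries_left;
}

/* Constant-time comparison so a wrong PIN does not leak how much of it matched. */
static int ct_equal(const void *a, const void *b, size_t n)
{
    const unsigned char *x = a, *y = b;
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= x[i] ^ y[i];
    return diff == 0;
}

/* Best-effort wipe that the compiler cannot elide as a dead store. */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--)
        *v++ = 0;
}

const char *cryptsetup_token_version(void)
{
    return "example-token 0.1";
}

/* First call from cryptsetup. This token cannot unlock anything without a PIN,
 * so it hands back no buffer and returns -ENOANO ("ask the user for a PIN"). */
int cryptsetup_token_open(struct crypt_device *cd, int token,
                          char **buffer, size_t *buffer_len, void *usrptr)
{
    (void)cd; (void)token; (void)usrptr;
    *buffer = NULL;
    *buffer_len = 0;
    return -ENOANO;
}

/* Retry with the PIN the user typed. On success the volume passphrase is
 * returned in a heap buffer that cryptsetup later releases through
 * cryptsetup_token_buffer_free(). */
int cryptsetup_token_open_pin(struct crypt_device *cd, int token,
                              const char *pin, size_t pin_size,
                              char **buffer, size_t *buffer_len, void *usrptr)
{
    (void)cd; (void)token; (void)usrptr;
    *buffer = NULL;
    *buffer_len = 0;

    if (pin_tries_left <= 0)
        return -EACCES;                 /* demo: token locked, no more tries */

    if (pin_size != sizeof(DEMO_PIN) - 1 || !ct_equal(pin, DEMO_PIN, pin_size)) {
        pin_tries_left--;               /* a wrong PIN burns one try */
        return -EPERM;                  /* demo code for "wrong PIN" */
    }
    pin_tries_left = MAX_PIN_TRIES;     /* correct PIN resets the counter */

    size_t len = sizeof(DEMO_PASSPHRASE) - 1;
    char *out = malloc(len);
    if (!out)
        return -ENOMEM;
    memcpy(out, DEMO_PASSPHRASE, len);
    *buffer = out;
    *buffer_len = len;
    return 0;
}

/* cryptsetup calls this to release the passphrase buffer; wipe it first. */
void cryptsetup_token_buffer_free(void *buffer, size_t buffer_len)
{
    if (!buffer)
        return;
    wipe(buffer, buffer_len);
    free(buffer);
}

int main(void)
{
    char *buf = NULL;
    size_t len = 0;
    int rc = cryptsetup_token_open(NULL, 0, &buf, &len, NULL);
    printf("open without PIN -> %d (%s)\n", rc, rc == -ENOANO ? "PIN requested" : "?");
    rc = cryptsetup_token_open_pin(NULL, 0, "0000", 4, &buf, &len, NULL);
    printf("wrong PIN -> %d, tries left %d\n", rc, token_pin_tries_left());
    rc = cryptsetup_token_open_pin(NULL, 0, DEMO_PIN, 4, &buf, &len, NULL);
    printf("right PIN -> %d, passphrase of %zu bytes\n", rc, len);
    cryptsetup_token_buffer_free(buf, len);
    return 0;
}
```

The wrong-PIN path is where the post's concern about try counters bites: if cryptsetup were to feed the user's passphrase into `cryptsetup_token_open_pin` on its own, every mistyped passphrase would cost one try against the token.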