allow tokens to be replaced

Currently, token import and token add actions will fail if you use the
--token-id option to specify a token ID that is already in use, but there
are scenarios where you might genuinely want to replace an existing token
in a single atomic operation.

A use case for this might be for a keyslot that is protected by a
TPM, where you store the TPM sealed key and associated metadata as a
token and you want to update the PCR policy associated with the sealed
object or make other changes to it. Currently this requires importing a
new token and then removing the old token.

Instead, add a --token-replace option to allow token import and token
add to replace an existing token if you try to add or import one with an
ID that is already in use.
Chris Coulson
2021-08-27 21:17:09 +01:00
committed by Milan Broz
parent a9bf78adc3
commit 98cd52c8d7
5 changed files with 16 additions and 3 deletions


@@ -2622,7 +2622,7 @@ static int _token_add(struct crypt_device *cd)
if (token_info < CRYPT_TOKEN_INACTIVE) {
log_err(_("Token %d is invalid."), ARG_INT32(OPT_TOKEN_ID_ID));
return -EINVAL;
} else if (token_info > CRYPT_TOKEN_INACTIVE) {
} else if (token_info > CRYPT_TOKEN_INACTIVE && !ARG_SET(OPT_TOKEN_REPLACE_ID)) {
log_err(_("Token %d in use."), ARG_INT32(OPT_TOKEN_ID_ID));
return -EINVAL;
}
@@ -2679,7 +2679,7 @@ static int _token_import(struct crypt_device *cd)
if (token_info < CRYPT_TOKEN_INACTIVE) {
log_err(_("Token %d is invalid."), ARG_INT32(OPT_TOKEN_ID_ID));
return -EINVAL;
} else if (token_info > CRYPT_TOKEN_INACTIVE) {
} else if (token_info > CRYPT_TOKEN_INACTIVE && !ARG_SET(OPT_TOKEN_REPLACE_ID)) {
log_err(_("Token %d in use."), ARG_INT32(OPT_TOKEN_ID_ID));
return -EINVAL;
}
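Review bot: With `--token-replace` set, the `in use` branch on the changed `else if` line is skipped for an existing token and the function continues silently, so nothing tells the user that token N is about to be overwritten; the same applies to the identical block in `_token_import`. A verbose log line for that case, e.g. `else if (token_info > CRYPT_TOKEN_INACTIVE) log_verbose(_("Replacing token %d."), ARG_INT32(OPT_TOKEN_ID_ID));` added before the closing brace, would make the replacement visible in verbose output without changing the result. Whether the library call that follows actually overwrites an existing token in one step, and whether `--token-replace` without `--token-id` is rejected, are decided outside these hunks, so neither could be confirmed here. Both `_token_add` and `_token_import` continue past the end of their hunks, and since the two checks are now identical a small shared helper would keep them from drifting apart.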