Add support for PKCS#11

Adds support for new config options: pkcs11-id and pkcs11-provider,
which are then directly forwarded to OpenVPN.
`handle_auth` distinguishes PKCS#11 auth requests by the " token" suffix.
As other auth options currently supported don't seem to operate with
tokens, this should work.

Another PKCS#11-specific aspect is forgetting the user-provided password
after forwarding it to OpenVPN, as password being re-asked usually means
that the one provided was rejected by the token
(PKCS#11 providers are not very good at error-reporting, at least not OpenSC).