I cleaned up some leftover OpenBSD-versus-FreeBSD variable naming cruft,
confirmed that the three-way logic described for crypto_devallowsoft a
couple of messages back really works (using gdb on /dev/mem[*]), and
committed a reworked version of the change.  

I'm very open to feedback on whether to make crypto_devallowsoft a
boolean, nuking the 'force software crypto' flag.

I'll add #ifdef DIAGNOSTIC around the warning for sessions denied by
crypto_userallowsoft settings: the message noise is more of a problem
than the "attempts".

Otherwise, I think we're now good to apply the OpenSSL patch.

[*] I had planned to wait for dynamic-sysctl before adding a sysctl
tree for crypto; if dynamic sysctl is deferred I may revisit that.