web-push-libs / ecec

Web Push encryption and decryption in C.

Use OpenSSL's memory allocator

OpenSSL includes a replaceable memory allocator. If we decide to simulate failures using an instrumented allocator for #9, it makes sense to use OpenSSL's functions so that we don't need to write our own version of CRYPTO_set_mem_functions.

On the other hand, this makes things harder for callers, who would need to import openssl/crypto.h to free buffer contents. I'm also not sure how well this would work if we add an NSS backend later.

This is easy to do now that we're not going to return allocated buffers.

We only use malloc in the header parser, which we'll remove in #28, and calloc in ece_compute_secret. I don't think this is worth doing.
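
The failure simulation this issue weighs, as an added example that is not part of the thread or of ecec's code: a hand-rolled instrumented allocator (the alternative to relying on OpenSSL's `CRYPTO_set_mem_functions`) that fails each allocation in turn and checks that every error path frees what it took. All names here (`hook_calloc`, `hook_free`, `derive_demo`, `sweep_failures`) are hypothetical, and the input bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical hooks; none of these names exist in ecec or OpenSSL. */
static int fail_after = -1; /* allocations allowed before failing; -1 = unlimited */
static int live_allocs = 0; /* outstanding buffers, used for leak checks */

static void* hook_calloc(size_t n, size_t size) {
  if (fail_after == 0) return NULL; /* simulated out-of-memory */
  if (fail_after > 0) fail_after--;
  void* p = calloc(n, size);
  if (p) live_allocs++;
  return p;
}

static void hook_free(void* p) {
  if (p) live_allocs--;
  free(p);
}

/* Constructed stand-in for a routine that needs two scratch buffers.
   Returns 0 on success, -1 if either allocation fails. */
int derive_demo(const uint8_t* in, size_t len, uint8_t* out) {
  int rv = -1;
  uint8_t* a = hook_calloc(len, 1);
  uint8_t* b = hook_calloc(len, 1);
  if (!a || !b) goto end;
  for (size_t i = 0; i < len; i++) {
    a[i] = in[i];
    b[i] = a[i] ^ 0x5a;
    out[i] = b[i];
  }
  rv = 0;
end:
  hook_free(a); /* free(NULL) is a no-op, so one cleanup path serves all exits */
  hook_free(b);
  return rv;
}

/* Fail the 1st, 2nd, ... allocation in turn until the call succeeds.
   Returns the number of failure points exercised, or -1 on a leak. */
int sweep_failures(void) {
  const uint8_t in[4] = {1, 2, 3, 4}; /* constructed sample input */
  uint8_t out[4];
  for (int n = 0;; n++) {
    fail_after = n;
    int rv = derive_demo(in, sizeof in, out);
    if (live_allocs != 0) return -1; /* a path kept a buffer */
    if (rv == 0) { fail_after = -1; return n; }
  }
}
```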