Explicitly load the legacy provider instead of using EVP_CIPHER_fetch() which

leaks memory.

crypto/external/bsd/heimdal/dist/include/crypto-headers.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: crypto-headers.h,v 1.6 2023/06/19 23:10:48 christos Exp $	*/
+/*	$NetBSD: crypto-headers.h,v 1.7 2023/09/11 15:12:12 christos Exp $	*/
 
 #ifndef __crypto_header__
 #define __crypto_header__
@@ -33,9 +33,6 @@
 #  define BN_set_negative(bn, flag) ((bn)->neg=(flag)?1:0)
 #  define BN_is_negative(bn) ((bn)->neg != 0)
 # endif
-#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
-# define EVP_rc4() EVP_CIPHER_fetch(NULL, "rc4", "provider=legacy")
-#endif
 #endif
 
 #include <hcrypto/ui.h>

crypto/external/bsd/heimdal/dist/lib/krb5/context.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: context.c,v 1.7 2023/06/19 21:41:44 christos Exp $	*/
+/*	$NetBSD: context.c,v 1.8 2023/09/11 15:12:12 christos Exp $	*/
 
 /*
  * Copyright (c) 1997 - 2010 Kungliga Tekniska Högskolan
@@ -38,6 +38,9 @@
 #include "krb5_locl.h"
 #include <assert.h>
 #include <krb5/com_err.h>
+#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+#include <openssl/provider.h>
+#endif
 
 #define INIT_FIELD(C, T, E, D, F)					\
     (C)->E = krb5_config_get_ ## T ## _default ((C), NULL, (D), 	\
@@ -396,6 +399,9 @@ init_context_once(void *ctx)
 	krb5_config_free_strings(dirs);
 
     bindtextdomain(HEIMDAL_TEXTDOMAIN, HEIMDAL_LOCALEDIR);
+#if OPENSSL_VERSION_NUMBER >= 0x30000000UL
+    OSSL_PROVIDER_load(NULL, "legacy");
+#endif
 }