This looks like a jump to null in the RC4 logic using EVP_md4().
For EVP_rc4 we have a hack in Heimdal to do
EVP_CIPHER_fetch(NULL, "rc4", "provider=legacy")
but I'm not sure it actually works -- I can't get it to do anything in
a test program without also calling OSSL_PROVIDER_load("legacy"), at
which point it becomes unnecessary -- and we don't do it for MD4.
So if we can convince Heimdal to call OSSL_PROVIDER_load("legacy") at
some point on startup, I bet that will fix it.
It looks like the EVP_CIPHER_fetch hack (or EVP_MD_fetch hack) is also
a memory leak, according to
<https://www.openssl.org/docs/man3.0/man7/crypto.html>:
These functions usually have the name APINAME_fetch, where APINAME
is the name of the operation. For example EVP_MD_fetch(3) can be
used to explicitly fetch a digest algorithm implementation. The
user is responsible for freeing the object returned from the
APINAME_fetch function using APINAME_free when it is no longer
needed.
So I'm not sure we should be using it at all.