diff -uPr cyrus-sasl-2.1.27/configure.ac cyrus-sasl-2.1.27.ossl3/configure.ac
--- cyrus-sasl-2.1.27/configure.ac	2021-10-06 11:29:53.274375206 -0400
+++ cyrus-sasl-2.1.27.ossl3/configure.ac	2021-10-06 11:31:19.966726775 -0400
@@ -1115,7 +1115,11 @@
 	with_rc4=yes)
 
 if test "$with_rc4" != no; then
-    AC_DEFINE(WITH_RC4,[],[Use RC4])
+    if test "$with_openssl" = no; then
+        AC_WARN([OpenSSL not found -- RC4 will be disabled])
+    else
+        AC_DEFINE(WITH_RC4,[],[Use RC4])
+    fi
 fi
 
 building_for_macosx=no
diff -uPr cyrus-sasl-2.1.27/plugins/scram.c cyrus-sasl-2.1.27.ossl3/plugins/scram.c
--- cyrus-sasl-2.1.27/plugins/scram.c	2018-11-08 12:29:57.000000000 -0500
+++ cyrus-sasl-2.1.27.ossl3/plugins/scram.c	2021-10-06 11:31:04.407484201 -0400
@@ -65,7 +65,9 @@
 
 #include <openssl/sha.h>
 #include <openssl/evp.h>
+#if OPENSSL_VERSION_NUMBER < 0x30000000L
 #include <openssl/hmac.h>
+#endif
 
 /*****************************  Common Section  *****************************/
 
@@ -267,6 +271,32 @@
 }
 #endif
 
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+/* Decalre as void given functions never use the result */
+void *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
+                     const unsigned char *data, size_t data_len,
+                     unsigned char *md, unsigned int *md_len)
+{
+    const char *digest;
+    size_t digest_size;
+    size_t out_len;
+    void *ret = NULL;
+
+    digest = EVP_MD_get0_name(evp_md);
+    if (digest == NULL) {
+        return NULL;
+    }
+    digest_size = EVP_MD_size(evp_md);
+
+    ret = EVP_Q_mac(NULL, "hmac", NULL, digest, NULL, key, key_len,
+                    data, data_len, md, digest_size, &out_len);
+    if (ret != NULL) {
+        *md_len = (unsigned int)out_len;
+    }
+    return ret;
+}
+#endif
 
 /* The result variable need to point to a buffer big enough for the [SHA-1] hash */
 static void
diff -uPr cyrus-sasl-2.1.27/saslauthd/lak.c cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c
--- cyrus-sasl-2.1.27/saslauthd/lak.c	2022-01-09 11:30:50.000000000 -0400
+++ cyrus-sasl-2.1.27.ossl3/saslauthd/lak.c	2022-01-09 11:30:50.000000001 -0400
@@ -1806,18 +1806,36 @@
 		return rc;
 	}
 
-	EVP_DigestInit(mdctx, md);
-	EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
+	rc = EVP_DigestInit(mdctx, md);
+	if (rc != 1) {
+		rc = LAK_FAIL;
+		goto done;
+	}
+	rc = EVP_DigestUpdate(mdctx, passwd, strlen(passwd));
+	if (rc != 1) {
+		rc = LAK_FAIL;
+		goto done;
+	}
 	if (hrock->salted) {
-		EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
-				 clen - EVP_MD_size(md));
+		rc = EVP_DigestUpdate(mdctx, &cred[EVP_MD_size(md)],
+				      clen - EVP_MD_size(md));
+		if (rc != 1) {
+		    rc = LAK_FAIL;
+		    goto done;
+		}
+	}
+	rc = EVP_DigestFinal(mdctx, digest, NULL);
+	if (rc != 1) {
+		rc = LAK_FAIL;
+		goto done;
 	}
-	EVP_DigestFinal(mdctx, digest, NULL);
-	EVP_MD_CTX_free(mdctx);
 
 	rc = memcmp((char *)cred, (char *)digest, EVP_MD_size(md));
+	rc = rc ? LAK_INVALID_PASSWORD : LAK_OK;
+done:
+	EVP_MD_CTX_free(mdctx);
 	free(cred);
-	return rc ? LAK_INVALID_PASSWORD : LAK_OK;
+	return rc;
 }
 
 #endif /* HAVE_OPENSSL */