radiator-software / p5-net-ssleay

Net-SSLeay: Perl bindings for OpenSSL and LibreSSL

Home Page: https://metacpan.org/release/Net-SSLeay

Update EAP-FAST related functionality for TLSv1.2 and OpenSSL 1.1.1 and later

h-vn opened this issue · comments

OpenSSL 1.1.0 and earlier provide a 48-octet (master secret length) long buffer to ssleay_session_secret_cb_invoke for storing the new secret value. The more recent OpenSSL versions provide a longer buffer, requiring ssleay_session_secret_cb_invoke to update the secret length too. This update fixes EAP-FAST with OpenSSL 1.1.1 and later.

AEAD ciphersuites supported by TLSv1.2 require an update in the TLS keyblock calculation done by Net::SSLeay::get_keyblock_size(). Only part of the Initialization Vector comes from the keyblock, therefore the full IV length cannot be used in the keyblock size calculation with GCM and CCM ciphersuites.

SSLeay.xs also has some obsolete #ifdef fenced code related to the initial OpenSSL patches. This code became obsolete when functionality required by EAP-FAST was added to OpenSSL. Not all functionality in the patches was added, but the related parts remain in SSLeay.xs.
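The keyblock size point above, worked through as an added example that is not part of the original issue and is not code from SSLeay.xs. The parameter table, the suite labels and the function names are constructed for illustration; the 4-octet fixed IV for GCM and CCM is taken from RFC 5288 and RFC 6655.

```c
#include <stdio.h>
#include <string.h>

/* Constructed table, lengths in octets. Suite names are OpenSSL-style labels.
 * AEAD suites have no separate MAC key; their nonce is 12 octets, of which
 * only the 4-octet fixed part (RFC 5288, RFC 6655) comes from the key block. */
struct suite_params {
    const char *name;
    size_t mac_key_len, enc_key_len, iv_len;
    int is_aead;
};

static const struct suite_params SUITES[] = {
    { "AES128-SHA",        20, 16, 16, 0 },
    { "AES256-SHA256",     32, 32, 16, 0 },
    { "AES128-GCM-SHA256",  0, 16, 12, 1 },
    { "AES256-GCM-SHA384",  0, 32, 12, 1 },
    { "AES128-CCM",         0, 16, 12, 1 },
};
#define N_SUITES (sizeof(SUITES) / sizeof(SUITES[0]))
#define AEAD_FIXED_IV_LEN 4

/* Hypothetical helper: look up a suite by name, NULL if unknown. */
const struct suite_params *find_suite(const char *name) {
    for (size_t i = 0; i < N_SUITES; i++)
        if (strcmp(SUITES[i].name, name) == 0) return &SUITES[i];
    return NULL;
}

/* Size when the full IV length is counted for every suite, which the
 * issue says is wrong for GCM and CCM. */
size_t keyblock_size_full_iv(const struct suite_params *s) {
    return 2 * (s->mac_key_len + s->enc_key_len + s->iv_len);
}

/* AEAD-aware size: count only the fixed IV part for GCM and CCM. */
size_t keyblock_size(const struct suite_params *s) {
    size_t iv = s->is_aead ? AEAD_FIXED_IV_LEN : s->iv_len;
    return 2 * (s->mac_key_len + s->enc_key_len + iv);
}

int main(void) {
    for (size_t i = 0; i < N_SUITES; i++)
        printf("%-18s full-IV=%3zu  AEAD-aware=%3zu\n", SUITES[i].name,
               keyblock_size_full_iv(&SUITES[i]), keyblock_size(&SUITES[i]));
    return 0;
}
```

For every AEAD entry the two results differ by 16 octets (2 × 8), the explicit nonce part that is never taken from the key block.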