>> + len -= 2;
> This doesn't seem right. By my reading the total bytes being written
> here are key_size (in cipher_sign) and 2 bytes just above.
This is accounting for the two bytes written to 'out' above, which
happens in that block of the 'if' statement but not the 'else' block.
Ah yes, you're right. We write key_size + 4 bytes in case of TLS 1.2.
> Why are you checking for len >= key_size + 2 below?
The key_size bytes written by cipher_sign and the 2 bytes written by
Yep, my bad.