
Reading DTLS datagrams with a too small buffer splits datagrams #9239

Open
DrTobe opened this issue Jun 10, 2024 · 2 comments
Labels
enhancement size-l Estimated task size: large (2w+)

Comments

DrTobe commented Jun 10, 2024

Summary

When mbedtls_ssl_read is used for a DTLS connection with a buffer which is too small to hold the full received datagram, the datagram is split and the read happens (without error) over multiple mbedtls_ssl_read invocations. For TLS, which is stream-based, such a behaviour is correct. But as far as I know, for DTLS, which works over UDP and is datagram-based, message boundaries need to be preserved. Splitting the reception over multiple reads slightly changes the meaning of what was received, which probably leads to subsequent errors on the receiver side.

In my opinion, this situation would need to result in an overflow error for DTLS connections.

System information

(I have skipped collecting the configuration and compiler info because I strongly believe it does not matter here. If that assumption is wrong, please let me know.)

Mbed TLS version (number or commit id): 3.6.0
Operating system and version: macOS Sonoma 14.5
Configuration (if not default, please attach mbedtls_config.h):
Compiler and options (if you used a pre-built binary, please indicate how you obtained it):
Additional environment information:

Expected behavior

In my opinion, this situation would need to result in an overflow error for DTLS connections.

Actual behavior

The reception of a single DTLS message is split over multiple mbedtls_ssl_read calls.

Steps to reproduce

Call mbedtls_ssl_read twice on a DTLS connection with an RX buffer which is too small to hold the full received message.

Additional information

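As an added example (not code from Mbed TLS or from the issue's author), a defensive wrapper for the situation described above: after a read, mbedtls_ssl_get_bytes_avail() reports how many bytes of the current record are still buffered, so a non-zero value means the datagram did not fit and the caller can treat it as an overflow instead of silently consuming a prefix. The real Mbed TLS calls are replaced by fake_ssl_* stand-ins that reproduce the reported splitting behaviour so the block runs stand-alone; it assumes one DTLS record per datagram, so the record remainder equals the datagram remainder.

```c
#include <stddef.h>
#include <string.h>
#define DTLS_READ_ERR_DATAGRAM_TOO_LARGE (-1)  /* hypothetical error code */

/* Stand-in for mbedtls_ssl_context (constructed for this example): the decrypted
 * payload of one received DTLS record that the caller has not consumed yet. */
typedef struct { const unsigned char *record; size_t remaining; } fake_ssl_context;

/* Mirrors the mbedtls_ssl_read() behaviour the issue reports: a too-small
 * buffer gets a prefix without error; the rest stays buffered for the next call. */
static int fake_ssl_read(fake_ssl_context *ssl, unsigned char *buf, size_t len)
{
    size_t n = ssl->remaining < len ? ssl->remaining : len;
    memcpy(buf, ssl->record, n);
    ssl->record += n;
    ssl->remaining -= n;
    return (int) n;
}

/* Mirrors mbedtls_ssl_get_bytes_avail(): bytes of the current record still buffered. */
static size_t fake_ssl_get_bytes_avail(const fake_ssl_context *ssl) { return ssl->remaining; }

/* Defensive wrapper: anything still buffered after the read means the datagram
 * did not fit. Drain the tail so the next call starts at a record boundary and
 * report an overflow instead of silently splitting the datagram. */
int dtls_read_datagram(fake_ssl_context *ssl, unsigned char *buf, size_t len)
{
    int ret = fake_ssl_read(ssl, buf, len);
    if (ret < 0 || fake_ssl_get_bytes_avail(ssl) == 0) {
        return ret;  /* error, or the whole datagram was delivered */
    }
    unsigned char scratch[64];
    while (fake_ssl_get_bytes_avail(ssl) > 0) {
        fake_ssl_read(ssl, scratch, sizeof scratch);
    }
    return DTLS_READ_ERR_DATAGRAM_TOO_LARGE;
}

/* Fixture with constructed data: one 20-byte datagram read into a buffer of buf_len
 * (at most 64) bytes; returns the wrapper's result and, via *leftover (may be NULL),
 * the bytes still buffered afterwards. */
int read_constructed_datagram(size_t buf_len, size_t *leftover)
{
    static const unsigned char datagram[20] = "0123456789abcdefghi";
    unsigned char buf[64];
    fake_ssl_context ssl = { datagram, sizeof datagram };
    int ret = dtls_read_datagram(&ssl, buf, buf_len > sizeof buf ? sizeof buf : buf_len);
    if (leftover) *leftover = ssl.remaining;
    return ret;
}
```

With a 16-byte buffer the wrapper reports the overflow and leaves nothing buffered; with a 20-byte or larger buffer it returns the full 20 bytes.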
tom-cosgrove-arm (Contributor) commented

Yes, this is known behaviour. We think it would be better to provide an alternative function to mbedtls_ssl_read() that would preserve datagram boundaries, but with the current implementation of the code that's actually quite a lot of work, and it hasn't been planned yet. The existing API works for some people, but agreed there are use-cases where it doesn't.

@tom-cosgrove-arm tom-cosgrove-arm added enhancement size-l Estimated task size: large (2w+) labels Jun 11, 2024

DrTobe commented Jun 14, 2024

Admittedly, this will probably not come up too often in practice because people will probably use buffers large enough for the input they expect or buffers which match the MTU of their network stack.

Nevertheless, this implementation violates one of the guarantees DTLS gives so I wonder if this should be documented prominently. For example, Using DTLS explicitly mentions the differences between stream-oriented and datagram-oriented transmissions. After having read this article, I assumed Mbed TLS would properly support it. But actually, the API documentation of mbedtls_ssl_read would probably be the right spot although it is already quite lengthy.
