From ca242ce8a4a5ff2588c64c5813e91e96d96d1aa7 Mon Sep 17 00:00:00 2001
From: Matthew Wild
Date: Tue, 9 Nov 2021 14:25:56 +0000
Subject: [PATCH] prosody: Add 16 bytes to upload limit to allow for appended GCM tag (XEP-0454)
---
 ansible/files/prosody.cfg.lua | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ansible/files/prosody.cfg.lua b/ansible/files/prosody.cfg.lua
index 962a3e1..b55c6b9 100644
--- a/ansible/files/prosody.cfg.lua
+++ b/ansible/files/prosody.cfg.lua
@@ -263,8 +263,13 @@ Component ("share."..DOMAIN) "http_file_share"
 http_host = "share."..DOMAIN
 http_external_url = "https://share."..DOMAIN.."/"
 end
- http_file_share_size_limit = 1024 * 1024 * 100 -- 100MB
+
+ -- 128 bits (i.e. 16 bytes) is the maximum length of a GCM auth tag, which
+ -- is appended to encrypted uploads according to XEP-0454. This ensures we
+ -- allow files up to the size limit even if they are encrypted.
+ http_file_share_size_limit = (1024 * 1024 * 100) + 16 -- 100MB + 16 bytes
 http_file_share_expire_after = 60 * 60 * 24 * RETENTION_DAYS -- N days
+
 if UPLOAD_STORAGE_GB then
 http_file_share_global_quota = 1024 * 1024 * 1024 * UPLOAD_STORAGE_GB
 end
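Review bot: The 16-byte allowance on `http_file_share_size_limit` only takes effect if every other size cap on the upload path carries it too. A reverse-proxy body limit or similar cap in front of the share component (none is visible in this hunk) would still reject an encrypted file whose plaintext is exactly 100MB. The comment should also say that the server cannot tell encrypted uploads from plain ones, so the extra 16 bytes apply to every file and the limit advertised to clients becomes 100MB + 16. Naming the value would make the arithmetic self-explanatory, e.g. `local GCM_TAG_BYTES = 16` followed by `http_file_share_size_limit = (1024 * 1024 * 100) + GCM_TAG_BYTES`. The Component section starts before the hunk, so settings above it were not reviewed.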