diff -pud be-secure-gssapi.c~ be-secure-gssapi.c
--- be-secure-gssapi.c~	2025-05-29 13:56:23.359900699 -0400
+++ be-secure-gssapi.c	2025-05-29 13:59:54.931254443 -0400
@@ -49,16 +49,15 @@
  * Therefore, this #define is effectively part of the protocol
  * spec and can't ever be changed.
  */
-#define PQ_GSS_MAX_PACKET_SIZE 16384
+#define PQ_GSS_MAX_PACKET_SIZE 16384	/* includes uint32 header word */
 
 /*
  * However, during the authentication exchange we must cope with whatever
  * message size the GSSAPI library wants to send (because our protocol
  * doesn't support splitting those messages).  Depending on configuration
- * those messages might be as much as 64kB.  To provide some safety margin
- * we use 128kB buffers during transport negotiation.
+ * those messages might be as much as 64kB.
  */
-#define PQ_GSS_AUTH_BUFFER_SIZE 131072
+#define PQ_GSS_AUTH_BUFFER_SIZE 65536	/* includes uint32 header word */
 
 /*
  * Since we manage at most one GSS-encrypted connection per backend,
diff -pud fe-secure-gssapi.c~ fe-secure-gssapi.c
--- fe-secure-gssapi.c~	2025-05-29 13:56:23.359900699 -0400
+++ fe-secure-gssapi.c	2025-05-29 13:59:59.988262778 -0400
@@ -50,16 +50,15 @@
  * Therefore, this #define is effectively part of the protocol
  * spec and can't ever be changed.
  */
-#define PQ_GSS_MAX_PACKET_SIZE 16384
+#define PQ_GSS_MAX_PACKET_SIZE 16384	/* includes uint32 header word */
 
 /*
  * However, during the authentication exchange we must cope with whatever
  * message size the GSSAPI library wants to send (because our protocol
  * doesn't support splitting those messages).  Depending on configuration
- * those messages might be as much as 64kB.  To provide some safety margin
- * we use 128kB buffers during transport negotiation.
+ * those messages might be as much as 64kB.
  */
-#define PQ_GSS_AUTH_BUFFER_SIZE 131072
+#define PQ_GSS_AUTH_BUFFER_SIZE 65536	/* includes uint32 header word */
 
 /*
  * We need these state variables per-connection.  To allow the functions