diff --git a/lib/krb5/pac.c b/lib/krb5/pac.c
index ee426e74b..fb9ca7165 100644
--- a/lib/krb5/pac.c
+++ b/lib/krb5/pac.c
@@ -317,6 +317,20 @@ krb5_pac_add_buffer(krb5_context context, krb5_pac p,
     return 0;
 }
 
+/**
+ * Get the PAC buffer of specific type from the pac.
+ *
+ * @param context Kerberos 5 context.
+ * @param p the pac structure returned by krb5_pac_parse().
+ * @param type type of buffer to get
+ * @param data return data, free with krb5_data_free().
+ *
+ * @return Returns 0 to indicate success. Otherwise an kerberos et
+ * error code is returned, see krb5_get_error_message().
+ *
+ * @ingroup krb5_pac
+ */
+
 krb5_error_code
 krb5_pac_get_buffer(krb5_context context, krb5_pac p,
 		    uint32_t type, krb5_data *data)
@@ -324,23 +338,9 @@ krb5_pac_get_buffer(krb5_context context, krb5_pac p,
     krb5_error_code ret;
     uint32_t i;
 
-    /*
-     * Hide the checksums from external consumers
-     */
-
-    if (type == PAC_PRIVSVR_CHECKSUM || type == PAC_SERVER_CHECKSUM) {
-	ret = krb5_data_alloc(data, 16);
-	if (ret) {
-	    krb5_set_error_message(context, ret, "malloc: out of memory");
-	    return ret;
-	}
-	memset(data->data, 0, data->length);
-	return 0;
-    }
-
     for (i = 0; i < p->pac->numbuffers; i++) {
-	size_t len = p->pac->buffers[i].buffersize;
-	size_t offset = p->pac->buffers[i].offset_lo;
+	const size_t len = p->pac->buffers[i].buffersize;
+	const size_t offset = p->pac->buffers[i].offset_lo;
 
 	if (p->pac->buffers[i].type != type)
 	    continue;