26 files changed, 321 insertions, 139 deletions

diff --git a/src/lib/libcrypto/Makefile b/src/lib/libcrypto/Makefile
index 564dc01169..7b926db11c 100644
--- a/src/lib/libcrypto/Makefile
+++ b/src/lib/libcrypto/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.195 2024/05/24 19:16:53 tb Exp $
+# $OpenBSD: Makefile,v 1.196 2024/06/24 06:43:22 tb Exp $
 
 LIB=    crypto
 LIBREBUILD=y
@@ -36,6 +36,7 @@ CFLAGS+= -I${LCRYPTO_SRC}/dh
 CFLAGS+= -I${LCRYPTO_SRC}/dsa
 CFLAGS+= -I${LCRYPTO_SRC}/ec
 CFLAGS+= -I${LCRYPTO_SRC}/ecdsa
+CFLAGS+= -I${LCRYPTO_SRC}/err
 CFLAGS+= -I${LCRYPTO_SRC}/evp
 CFLAGS+= -I${LCRYPTO_SRC}/hidden
 CFLAGS+= -I${LCRYPTO_SRC}/hmac
diff --git a/src/lib/libcrypto/asn1/asn1_err.c b/src/lib/libcrypto/asn1/asn1_err.c
index 28570386f6..44809c76b1 100644
--- a/src/lib/libcrypto/asn1/asn1_err.c
+++ b/src/lib/libcrypto/asn1/asn1_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_err.c,v 1.26 2023/07/05 21:23:36 beck Exp $ */
+/* $OpenBSD: asn1_err.c,v 1.27 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/asn1.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_ASN1,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_ASN1,0,reason)
 
-static ERR_STRING_DATA ASN1_str_functs[] = {
+static const ERR_STRING_DATA ASN1_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA ASN1_str_reasons[] = {
+static const ERR_STRING_DATA ASN1_str_reasons[] = {
         {ERR_REASON(ASN1_R_ADDING_OBJECT)        , "adding object"},
         {ERR_REASON(ASN1_R_ASN1_PARSE_ERROR)     , "asn1 parse error"},
         {ERR_REASON(ASN1_R_ASN1_SIG_PARSE_ERROR) , "asn1 sig parse error"},
@@ -206,8 +208,8 @@ ERR_load_ASN1_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(ASN1_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, ASN1_str_functs);
-                ERR_load_strings(0, ASN1_str_reasons);
+                ERR_load_const_strings(ASN1_str_functs);
+                ERR_load_const_strings(ASN1_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/bio/bio_err.c b/src/lib/libcrypto/bio/bio_err.c
index 36fabca21c..4541adb240 100644
--- a/src/lib/libcrypto/bio/bio_err.c
+++ b/src/lib/libcrypto/bio/bio_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bio_err.c,v 1.20 2023/07/05 21:23:37 beck Exp $ */
+/* $OpenBSD: bio_err.c,v 1.21 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/bio.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_BIO,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_BIO,0,reason)
 
-static ERR_STRING_DATA BIO_str_functs[] = {
+static const ERR_STRING_DATA BIO_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA BIO_str_reasons[] = {
+static const ERR_STRING_DATA BIO_str_reasons[] = {
         {ERR_REASON(BIO_R_ACCEPT_ERROR)          , "accept error"},
         {ERR_REASON(BIO_R_BAD_FOPEN_MODE)        , "bad fopen mode"},
         {ERR_REASON(BIO_R_BAD_HOSTNAME_LOOKUP)   , "bad hostname lookup"},
@@ -112,8 +114,8 @@ ERR_load_BIO_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(BIO_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, BIO_str_functs);
-                ERR_load_strings(0, BIO_str_reasons);
+                ERR_load_const_strings(BIO_str_functs);
+                ERR_load_const_strings(BIO_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/bn/bn_err.c b/src/lib/libcrypto/bn/bn_err.c
index 6fd6030a0c..3ee6b4311f 100644
--- a/src/lib/libcrypto/bn/bn_err.c
+++ b/src/lib/libcrypto/bn/bn_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bn_err.c,v 1.17 2023/07/08 12:21:58 beck Exp $ */
+/* $OpenBSD: bn_err.c,v 1.18 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/bn.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_BN,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_BN,0,reason)
 
-static ERR_STRING_DATA BN_str_functs[]= {
+static const ERR_STRING_DATA BN_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA BN_str_reasons[]= {
+static const ERR_STRING_DATA BN_str_reasons[] = {
         {ERR_REASON(BN_R_ARG2_LT_ARG3)           , "arg2 lt arg3"},
         {ERR_REASON(BN_R_BAD_RECIPROCAL)         , "bad reciprocal"},
         {ERR_REASON(BN_R_BIGNUM_TOO_LONG)        , "bignum too long"},
@@ -100,8 +102,8 @@ ERR_load_BN_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(BN_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, BN_str_functs);
-                ERR_load_strings(0, BN_str_reasons);
+                ERR_load_const_strings(BN_str_functs);
+                ERR_load_const_strings(BN_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/buffer/buf_err.c b/src/lib/libcrypto/buffer/buf_err.c
index 3b045cf589..8637a06a76 100644
--- a/src/lib/libcrypto/buffer/buf_err.c
+++ b/src/lib/libcrypto/buffer/buf_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: buf_err.c,v 1.13 2023/07/08 08:26:26 beck Exp $ */
+/* $OpenBSD: buf_err.c,v 1.14 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/buffer.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_BUF,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_BUF,0,reason)
 
-static ERR_STRING_DATA BUF_str_functs[] = {
+static const ERR_STRING_DATA BUF_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA BUF_str_reasons[] = {
+static const ERR_STRING_DATA BUF_str_reasons[] = {
         {0, NULL}
 };
 
@@ -81,8 +83,8 @@ ERR_load_BUF_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(BUF_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, BUF_str_functs);
-                ERR_load_strings(0, BUF_str_reasons);
+                ERR_load_const_strings(BUF_str_functs);
+                ERR_load_const_strings(BUF_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/cms/cms_err.c b/src/lib/libcrypto/cms/cms_err.c
index 5758a26db5..5431ab4bb8 100644
--- a/src/lib/libcrypto/cms/cms_err.c
+++ b/src/lib/libcrypto/cms/cms_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cms_err.c,v 1.14 2023/07/08 08:26:26 beck Exp $ */
+/* $OpenBSD: cms_err.c,v 1.15 2024/06/24 06:43:22 tb Exp $ */
 /*
  * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
  *
@@ -11,17 +11,19 @@
 #include <openssl/cms.h>
 #include <openssl/err.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_CMS,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_CMS,0,reason)
 
-static ERR_STRING_DATA CMS_str_functs[] = {
+static const ERR_STRING_DATA CMS_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA CMS_str_reasons[] = {
+static const ERR_STRING_DATA CMS_str_reasons[] = {
         {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_ADD_SIGNER_ERROR), "add signer error"},
         {ERR_PACK(ERR_LIB_CMS, 0, CMS_R_CERTIFICATE_ALREADY_PRESENT),
         "certificate already present"},
@@ -155,8 +157,8 @@ ERR_load_CMS_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(CMS_str_functs[0].error) == NULL) {
-                ERR_load_strings(ERR_LIB_CMS, CMS_str_functs);
-                ERR_load_strings(ERR_LIB_CMS, CMS_str_reasons);
+                ERR_load_const_strings(CMS_str_functs);
+                ERR_load_const_strings(CMS_str_reasons);
         }
 #endif
         return 1;
diff --git a/src/lib/libcrypto/conf/conf_err.c b/src/lib/libcrypto/conf/conf_err.c
index 9a44f22fa2..5100847d89 100644
--- a/src/lib/libcrypto/conf/conf_err.c
+++ b/src/lib/libcrypto/conf/conf_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: conf_err.c,v 1.16 2024/04/09 13:56:30 beck Exp $ */
+/* $OpenBSD: conf_err.c,v 1.17 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/conf.h>
 #include <openssl/err.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_CONF,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_CONF,0,reason)
 
-static ERR_STRING_DATA CONF_str_functs[]= {
+static const ERR_STRING_DATA CONF_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA CONF_str_reasons[]= {
+static const ERR_STRING_DATA CONF_str_reasons[] = {
         {ERR_REASON(CONF_R_ERROR_LOADING_DSO)    , "error loading dso"},
         {ERR_REASON(CONF_R_LIST_CANNOT_BE_NULL)  , "list cannot be null"},
         {ERR_REASON(CONF_R_MISSING_CLOSE_SQUARE_BRACKET), "missing close square bracket"},
@@ -98,8 +100,8 @@ ERR_load_CONF_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(CONF_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, CONF_str_functs);
-                ERR_load_strings(0, CONF_str_reasons);
+                ERR_load_const_strings(CONF_str_functs);
+                ERR_load_const_strings(CONF_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/cpt_err.c b/src/lib/libcrypto/cpt_err.c
index ff4e5c4bc5..459b99d433 100644
--- a/src/lib/libcrypto/cpt_err.c
+++ b/src/lib/libcrypto/cpt_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cpt_err.c,v 1.15 2023/07/08 08:28:23 beck Exp $ */
+/* $OpenBSD: cpt_err.c,v 1.16 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -60,12 +60,14 @@
 #include <openssl/err.h>
 #include <openssl/crypto.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_CRYPTO,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_CRYPTO,0,reason)
 
-static ERR_STRING_DATA CRYPTO_str_functs[] = {
+static const ERR_STRING_DATA CRYPTO_str_functs[] = {
         {ERR_FUNC(CRYPTO_F_CRYPTO_GET_EX_NEW_INDEX),    "CRYPTO_get_ex_new_index"},
         {ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_DYNLOCKID),   "CRYPTO_get_new_dynlockid"},
         {ERR_FUNC(CRYPTO_F_CRYPTO_GET_NEW_LOCKID),      "CRYPTO_get_new_lockid"},
@@ -79,7 +81,7 @@ static ERR_STRING_DATA CRYPTO_str_functs[] = {
         {0, NULL}
 };
 
-static ERR_STRING_DATA CRYPTO_str_reasons[] = {
+static const ERR_STRING_DATA CRYPTO_str_reasons[] = {
         {ERR_REASON(CRYPTO_R_FIPS_MODE_NOT_SUPPORTED), "fips mode not supported"},
         {ERR_REASON(CRYPTO_R_NO_DYNLOCK_CREATE_CALLBACK), "no dynlock create callback"},
         {0, NULL}
@@ -92,8 +94,8 @@ ERR_load_CRYPTO_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(CRYPTO_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, CRYPTO_str_functs);
-                ERR_load_strings(0, CRYPTO_str_reasons);
+                ERR_load_const_strings(CRYPTO_str_functs);
+                ERR_load_const_strings(CRYPTO_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/ct/ct_err.c b/src/lib/libcrypto/ct/ct_err.c
index 2597874bd3..494f88b898 100644
--- a/src/lib/libcrypto/ct/ct_err.c
+++ b/src/lib/libcrypto/ct/ct_err.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: ct_err.c,v 1.7 2022/07/12 14:42:48 kn Exp $ */
+/*      $OpenBSD: ct_err.c,v 1.8 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -56,9 +56,11 @@
 #include <openssl/ct.h>
 #include <openssl/err.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
-static ERR_STRING_DATA CT_str_functs[] = {
+static const ERR_STRING_DATA CT_str_functs[] = {
         {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW, 0), "CTLOG_new"},
         {ERR_PACK(ERR_LIB_CT, CT_F_CTLOG_NEW_FROM_BASE64, 0),
          "CTLOG_new_from_base64"},
@@ -101,7 +103,7 @@ static ERR_STRING_DATA CT_str_functs[] = {
         {0, NULL}
 };
 
-static ERR_STRING_DATA CT_str_reasons[] = {
+static const ERR_STRING_DATA CT_str_reasons[] = {
         {ERR_PACK(ERR_LIB_CT, 0, CT_R_BASE64_DECODE_ERROR),
          "base64 decode error"},
         {ERR_PACK(ERR_LIB_CT, 0, CT_R_INVALID_LOG_ID_LENGTH),
@@ -140,8 +142,8 @@ int
 ERR_load_CT_strings(void)
 {
         if (ERR_func_error_string(CT_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, CT_str_functs);
-                ERR_load_strings(0, CT_str_reasons);
+                ERR_load_const_strings(CT_str_functs);
+                ERR_load_const_strings(CT_str_reasons);
         }
         return 1;
 }
diff --git a/src/lib/libcrypto/dh/dh_err.c b/src/lib/libcrypto/dh/dh_err.c
index 52fec7848b..568eff5752 100644
--- a/src/lib/libcrypto/dh/dh_err.c
+++ b/src/lib/libcrypto/dh/dh_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dh_err.c,v 1.21 2024/05/19 08:22:40 tb Exp $ */
+/* $OpenBSD: dh_err.c,v 1.22 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -57,20 +57,22 @@
 
 #include <openssl/opensslconf.h>
 
-#include <openssl/err.h>
 #include <openssl/dh.h>
+#include <openssl/err.h>
+
+#include "err_local.h"
 
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_DH,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_DH,0,reason)
 
-static ERR_STRING_DATA DH_str_functs[] = {
+static const ERR_STRING_DATA DH_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA DH_str_reasons[] = {
+static const ERR_STRING_DATA DH_str_reasons[] = {
         {ERR_REASON(DH_R_BAD_GENERATOR)          ,"bad generator"},
         {ERR_REASON(DH_R_BN_DECODE_ERROR)        ,"bn decode error"},
         {ERR_REASON(DH_R_BN_ERROR)               ,"bn error"},
@@ -104,8 +106,8 @@ ERR_load_DH_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(DH_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, DH_str_functs);
-                ERR_load_strings(0, DH_str_reasons);
+                ERR_load_const_strings(DH_str_functs);
+                ERR_load_const_strings(DH_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/dsa/dsa_err.c b/src/lib/libcrypto/dsa/dsa_err.c
index 048fa8df4b..b7670f895b 100644
--- a/src/lib/libcrypto/dsa/dsa_err.c
+++ b/src/lib/libcrypto/dsa/dsa_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_err.c,v 1.21 2024/05/19 08:22:40 tb Exp $ */
+/* $OpenBSD: dsa_err.c,v 1.22 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/dsa.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_DSA,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_DSA,0,reason)
 
-static ERR_STRING_DATA DSA_str_functs[] = {
+static const ERR_STRING_DATA DSA_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA DSA_str_reasons[] = {
+static const ERR_STRING_DATA DSA_str_reasons[] = {
         {ERR_REASON(DSA_R_BAD_Q_VALUE)           ,"bad q value"},
         {ERR_REASON(DSA_R_BN_DECODE_ERROR)       ,"bn decode error"},
         {ERR_REASON(DSA_R_BN_ERROR)              ,"bn error"},
@@ -94,8 +96,8 @@ ERR_load_DSA_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(DSA_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, DSA_str_functs);
-                ERR_load_strings(0, DSA_str_reasons);
+                ERR_load_const_strings(DSA_str_functs);
+                ERR_load_const_strings(DSA_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/ec/ec_err.c b/src/lib/libcrypto/ec/ec_err.c
index 7ecbb66569..2a6c419b57 100644
--- a/src/lib/libcrypto/ec/ec_err.c
+++ b/src/lib/libcrypto/ec/ec_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ec_err.c,v 1.19 2024/05/19 08:26:03 tb Exp $ */
+/* $OpenBSD: ec_err.c,v 1.20 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/ec.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_EC,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_EC,0,reason)
 
-static ERR_STRING_DATA EC_str_functs[] = {
+static const ERR_STRING_DATA EC_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA EC_str_reasons[] = {
+static const ERR_STRING_DATA EC_str_reasons[] = {
         {ERR_REASON(EC_R_ASN1_ERROR), "asn1 error"},
         {ERR_REASON(EC_R_ASN1_UNKNOWN_FIELD), "asn1 unknown field"},
         {ERR_REASON(EC_R_BAD_SIGNATURE), "bad signature"},
@@ -140,10 +142,9 @@ void
 ERR_load_EC_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
-
         if (ERR_func_error_string(EC_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, EC_str_functs);
-                ERR_load_strings(0, EC_str_reasons);
+                ERR_load_const_strings(EC_str_functs);
+                ERR_load_const_strings(EC_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/err/err.c b/src/lib/libcrypto/err/err.c
index a7b13a5404..583293e793 100644
--- a/src/lib/libcrypto/err/err.c
+++ b/src/lib/libcrypto/err/err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: err.c,v 1.60 2024/03/02 11:37:13 tb Exp $ */
+/* $OpenBSD: err.c,v 1.61 2024/06/24 06:43:22 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -244,9 +244,9 @@ struct st_ERR_FNS {
         /* Works on the "error_hash" string table */
         LHASH_OF(ERR_STRING_DATA) *(*cb_err_get)(int create);
         void (*cb_err_del)(void);
-        ERR_STRING_DATA *(*cb_err_get_item)(const ERR_STRING_DATA *);
-        ERR_STRING_DATA *(*cb_err_set_item)(ERR_STRING_DATA *);
-        ERR_STRING_DATA *(*cb_err_del_item)(ERR_STRING_DATA *);
+        const ERR_STRING_DATA *(*cb_err_get_item)(const ERR_STRING_DATA *);
+        const ERR_STRING_DATA *(*cb_err_set_item)(const ERR_STRING_DATA *);
+        const ERR_STRING_DATA *(*cb_err_del_item)(const ERR_STRING_DATA *);
         /* Works on the "thread_hash" error-state table */
         LHASH_OF(ERR_STATE) *(*cb_thread_get)(int create);
         void (*cb_thread_release)(LHASH_OF(ERR_STATE) **hash);
@@ -260,9 +260,9 @@ struct st_ERR_FNS {
 /* Predeclarations of the "err_defaults" functions */
 static LHASH_OF(ERR_STRING_DATA) *int_err_get(int create);
 static void int_err_del(void);
-static ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
-static ERR_STRING_DATA *int_err_set_item(ERR_STRING_DATA *);
-static ERR_STRING_DATA *int_err_del_item(ERR_STRING_DATA *);
+static const ERR_STRING_DATA *int_err_get_item(const ERR_STRING_DATA *);
+static const ERR_STRING_DATA *int_err_set_item(const ERR_STRING_DATA *);
+static const ERR_STRING_DATA *int_err_del_item(const ERR_STRING_DATA *);
 static LHASH_OF(ERR_STATE) *int_thread_get(int create);
 static void int_thread_release(LHASH_OF(ERR_STATE) **hash);
 static ERR_STATE *int_thread_get_item(const ERR_STATE *);
@@ -369,7 +369,7 @@ int_err_del(void)
         CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
 }
 
-static ERR_STRING_DATA *
+static const ERR_STRING_DATA *
 int_err_get_item(const ERR_STRING_DATA *d)
 {
         ERR_STRING_DATA *p;
@@ -387,10 +387,10 @@ int_err_get_item(const ERR_STRING_DATA *d)
         return p;
 }
 
-static ERR_STRING_DATA *
-int_err_set_item(ERR_STRING_DATA *d)
+static const ERR_STRING_DATA *
+int_err_set_item(const ERR_STRING_DATA *d)
 {
-        ERR_STRING_DATA *p;
+        const ERR_STRING_DATA *p;
         LHASH_OF(ERR_STRING_DATA) *hash;
 
         err_fns_check();
@@ -399,14 +399,14 @@ int_err_set_item(ERR_STRING_DATA *d)
                 return NULL;
 
         CRYPTO_w_lock(CRYPTO_LOCK_ERR);
-        p = lh_ERR_STRING_DATA_insert(hash, d);
+        p = lh_ERR_STRING_DATA_insert(hash, (void *)d);
         CRYPTO_w_unlock(CRYPTO_LOCK_ERR);
 
         return p;
 }
 
-static ERR_STRING_DATA *
-int_err_del_item(ERR_STRING_DATA *d)
+static const ERR_STRING_DATA *
+int_err_del_item(const ERR_STRING_DATA *d)
 {
         ERR_STRING_DATA *p;
         LHASH_OF(ERR_STRING_DATA) *hash;
@@ -693,6 +693,16 @@ ERR_load_strings(int lib, ERR_STRING_DATA *str)
 LCRYPTO_ALIAS(ERR_load_strings);
 
 void
+ERR_load_const_strings(const ERR_STRING_DATA *str)
+{
+        ERR_load_ERR_strings();
+        while (str->error) {
+                ERRFN(err_set_item)(str);
+                str++;
+        }
+}
+
+void
 ERR_unload_strings(int lib, ERR_STRING_DATA *str)
 {
         /* Prayer and clean living lets you ignore errors, OpenSSL style */
@@ -964,7 +974,8 @@ LCRYPTO_ALIAS(ERR_error_string);
 const char *
 ERR_lib_error_string(unsigned long e)
 {
-        ERR_STRING_DATA d, *p;
+        const ERR_STRING_DATA *p;
+        ERR_STRING_DATA d;
         unsigned long l;
 
         if (!OPENSSL_init_crypto(0, NULL))
@@ -981,7 +992,8 @@ LCRYPTO_ALIAS(ERR_lib_error_string);
 const char *
 ERR_func_error_string(unsigned long e)
 {
-        ERR_STRING_DATA d, *p;
+        const ERR_STRING_DATA *p;
+        ERR_STRING_DATA d;
         unsigned long l, f;
 
         err_fns_check();
@@ -996,7 +1008,8 @@ LCRYPTO_ALIAS(ERR_func_error_string);
 const char *
 ERR_reason_error_string(unsigned long e)
 {
-        ERR_STRING_DATA d, *p = NULL;
+        const ERR_STRING_DATA *p = NULL;
+        ERR_STRING_DATA d;
         unsigned long l, r;
 
         err_fns_check();
diff --git a/src/lib/libcrypto/err/err_local.h b/src/lib/libcrypto/err/err_local.h
new file mode 100644
index 0000000000..d091b979cc
--- /dev/null
+++ b/src/lib/libcrypto/err/err_local.h
@@ -0,0 +1,123 @@
+/*      $OpenBSD: err_local.h,v 1.1 2024/06/24 06:43:22 tb Exp $ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+/* ====================================================================
+ * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+#include <openssl/err.h>
+
+#ifndef HEADER_ERR_LOCAL_H
+#define HEADER_ERR_LOCAL_H
+
+__BEGIN_HIDDEN_DECLS
+
+void ERR_load_const_strings(const ERR_STRING_DATA *str);
+
+__END_HIDDEN_DECLS
+
+#endif /* HEADER_ERR_LOCAL_H */
diff --git a/src/lib/libcrypto/evp/evp_err.c b/src/lib/libcrypto/evp/evp_err.c
index 07515f4d99..a41339c775 100644
--- a/src/lib/libcrypto/evp/evp_err.c
+++ b/src/lib/libcrypto/evp/evp_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: evp_err.c,v 1.33 2024/04/09 13:52:41 beck Exp $ */
+/* $OpenBSD: evp_err.c,v 1.34 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_EVP,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_EVP,0,reason)
 
-static ERR_STRING_DATA EVP_str_functs[] = {
+static const ERR_STRING_DATA EVP_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA EVP_str_reasons[] = {
+static const ERR_STRING_DATA EVP_str_reasons[] = {
         {ERR_REASON(EVP_R_AES_IV_SETUP_FAILED)   , "aes iv setup failed"},
         {ERR_REASON(EVP_R_AES_KEY_SETUP_FAILED)  , "aes key setup failed"},
         {ERR_REASON(EVP_R_ASN1_LIB)              , "asn1 lib"},
@@ -159,8 +161,8 @@ ERR_load_EVP_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(EVP_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, EVP_str_functs);
-                ERR_load_strings(0, EVP_str_reasons);
+                ERR_load_const_strings(EVP_str_functs);
+                ERR_load_const_strings(EVP_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/kdf/kdf_err.c b/src/lib/libcrypto/kdf/kdf_err.c
index 4dd323701a..fc38e08136 100644
--- a/src/lib/libcrypto/kdf/kdf_err.c
+++ b/src/lib/libcrypto/kdf/kdf_err.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: kdf_err.c,v 1.9 2022/07/12 14:42:49 kn Exp $ */
+/*      $OpenBSD: kdf_err.c,v 1.10 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2018 The OpenSSL Project.  All rights reserved.
  *
@@ -56,16 +56,18 @@
 #include <openssl/err.h>
 #include <openssl/kdf.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
-static ERR_STRING_DATA KDF_str_functs[] = {
+static const ERR_STRING_DATA KDF_str_functs[] = {
         {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"},
         {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"},
         {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_INIT, 0), "pkey_hkdf_init"},
         {0, NULL},
 };
 
-static ERR_STRING_DATA KDF_str_reasons[] = {
+static const ERR_STRING_DATA KDF_str_reasons[] = {
         {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"},
         {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_MESSAGE_DIGEST),
          "missing message digest"},
@@ -81,8 +83,8 @@ ERR_load_KDF_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(KDF_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, KDF_str_functs);
-                ERR_load_strings(0, KDF_str_reasons);
+                ERR_load_const_strings(KDF_str_functs);
+                ERR_load_const_strings(KDF_str_reasons);
         }
 #endif
         return 1;
diff --git a/src/lib/libcrypto/objects/obj_err.c b/src/lib/libcrypto/objects/obj_err.c
index 04cb4218c2..514fb0d4f0 100644
--- a/src/lib/libcrypto/objects/obj_err.c
+++ b/src/lib/libcrypto/objects/obj_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: obj_err.c,v 1.14 2023/07/08 12:27:51 beck Exp $ */
+/* $OpenBSD: obj_err.c,v 1.15 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/objects.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_OBJ,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_OBJ,0,reason)
 
-static ERR_STRING_DATA OBJ_str_functs[] = {
+static const ERR_STRING_DATA OBJ_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA OBJ_str_reasons[] = {
+static const ERR_STRING_DATA OBJ_str_reasons[] = {
         {ERR_REASON(OBJ_R_MALLOC_FAILURE)        , "malloc failure"},
         {ERR_REASON(OBJ_R_UNKNOWN_NID)           , "unknown nid"},
         {0, NULL}
@@ -83,8 +85,8 @@ ERR_load_OBJ_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(OBJ_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, OBJ_str_functs);
-                ERR_load_strings(0, OBJ_str_reasons);
+                ERR_load_const_strings(OBJ_str_functs);
+                ERR_load_const_strings(OBJ_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/ocsp/ocsp_err.c b/src/lib/libcrypto/ocsp/ocsp_err.c
index 865091f542..ca8f8f22b2 100644
--- a/src/lib/libcrypto/ocsp/ocsp_err.c
+++ b/src/lib/libcrypto/ocsp/ocsp_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_err.c,v 1.10 2023/07/08 10:44:00 beck Exp $ */
+/* $OpenBSD: ocsp_err.c,v 1.11 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/ocsp.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_OCSP,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_OCSP,0,reason)
 
-static ERR_STRING_DATA OCSP_str_functs[]= {
+static const ERR_STRING_DATA OCSP_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA OCSP_str_reasons[]= {
+static const ERR_STRING_DATA OCSP_str_reasons[] = {
         {ERR_REASON(OCSP_R_BAD_DATA)             , "bad data"},
         {ERR_REASON(OCSP_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
         {ERR_REASON(OCSP_R_DIGEST_ERR)           , "digest err"},
@@ -111,8 +113,8 @@ ERR_load_OCSP_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(OCSP_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, OCSP_str_functs);
-                ERR_load_strings(0, OCSP_str_reasons);
+                ERR_load_const_strings(OCSP_str_functs);
+                ERR_load_const_strings(OCSP_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/pem/pem_err.c b/src/lib/libcrypto/pem/pem_err.c
index a94e2d5ebb..05025c8ee0 100644
--- a/src/lib/libcrypto/pem/pem_err.c
+++ b/src/lib/libcrypto/pem/pem_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pem_err.c,v 1.14 2023/07/07 13:40:44 beck Exp $ */
+/* $OpenBSD: pem_err.c,v 1.15 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/pem.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_PEM,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_PEM,0,reason)
 
-static ERR_STRING_DATA PEM_str_functs[] = {
+static const ERR_STRING_DATA PEM_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA PEM_str_reasons[] = {
+static const ERR_STRING_DATA PEM_str_reasons[] = {
         {ERR_REASON(PEM_R_BAD_BASE64_DECODE)     , "bad base64 decode"},
         {ERR_REASON(PEM_R_BAD_DECRYPT)           , "bad decrypt"},
         {ERR_REASON(PEM_R_BAD_END_LINE)          , "bad end line"},
@@ -109,8 +111,8 @@ ERR_load_PEM_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(PEM_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, PEM_str_functs);
-                ERR_load_strings(0, PEM_str_reasons);
+                ERR_load_const_strings(PEM_str_functs);
+                ERR_load_const_strings(PEM_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/pkcs12/pk12err.c b/src/lib/libcrypto/pkcs12/pk12err.c
index 3af03528a2..c04c83c4f1 100644
--- a/src/lib/libcrypto/pkcs12/pk12err.c
+++ b/src/lib/libcrypto/pkcs12/pk12err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pk12err.c,v 1.14 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: pk12err.c,v 1.15 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/pkcs12.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS12,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS12,0,reason)
 
-static ERR_STRING_DATA PKCS12_str_functs[]= {
+static const ERR_STRING_DATA PKCS12_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA PKCS12_str_reasons[]= {
+static const ERR_STRING_DATA PKCS12_str_reasons[] = {
         {ERR_REASON(PKCS12_R_CANT_PACK_STRUCTURE), "cant pack structure"},
         {ERR_REASON(PKCS12_R_CONTENT_TYPE_NOT_DATA), "content type not data"},
         {ERR_REASON(PKCS12_R_DECODE_ERROR)       , "decode error"},
@@ -103,8 +105,8 @@ ERR_load_PKCS12_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(PKCS12_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, PKCS12_str_functs);
-                ERR_load_strings(0, PKCS12_str_reasons);
+                ERR_load_const_strings(PKCS12_str_functs);
+                ERR_load_const_strings(PKCS12_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/pkcs7/pkcs7err.c b/src/lib/libcrypto/pkcs7/pkcs7err.c
index d3ca0ec6df..d4e6d7cf77 100644
--- a/src/lib/libcrypto/pkcs7/pkcs7err.c
+++ b/src/lib/libcrypto/pkcs7/pkcs7err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: pkcs7err.c,v 1.15 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: pkcs7err.c,v 1.16 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/pkcs7.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_PKCS7,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_PKCS7,0,reason)
 
-static ERR_STRING_DATA PKCS7_str_functs[]= {
+static const ERR_STRING_DATA PKCS7_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA PKCS7_str_reasons[]= {
+static const ERR_STRING_DATA PKCS7_str_reasons[] = {
         {ERR_REASON(PKCS7_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
         {ERR_REASON(PKCS7_R_CIPHER_HAS_NO_OBJECT_IDENTIFIER), "cipher has no object identifier"},
         {ERR_REASON(PKCS7_R_CIPHER_NOT_INITIALIZED), "cipher not initialized"},
@@ -135,8 +137,8 @@ ERR_load_PKCS7_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(PKCS7_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, PKCS7_str_functs);
-                ERR_load_strings(0, PKCS7_str_reasons);
+                ERR_load_const_strings(PKCS7_str_functs);
+                ERR_load_const_strings(PKCS7_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/rand/rand_err.c b/src/lib/libcrypto/rand/rand_err.c
index b156c0c87c..1f0e251207 100644
--- a/src/lib/libcrypto/rand/rand_err.c
+++ b/src/lib/libcrypto/rand/rand_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rand_err.c,v 1.17 2023/07/07 12:01:32 beck Exp $ */
+/* $OpenBSD: rand_err.c,v 1.18 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_RAND,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_RAND,0,reason)
 
-static ERR_STRING_DATA RAND_str_functs[] = {
+static const ERR_STRING_DATA RAND_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA RAND_str_reasons[] = {
+static const ERR_STRING_DATA RAND_str_reasons[] = {
         {ERR_REASON(RAND_R_DUAL_EC_DRBG_DISABLED), "dual ec drbg disabled"},
         {ERR_REASON(RAND_R_ERROR_INITIALISING_DRBG), "error initialising drbg"},
         {ERR_REASON(RAND_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"},
@@ -86,8 +88,8 @@ ERR_load_RAND_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(RAND_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, RAND_str_functs);
-                ERR_load_strings(0, RAND_str_reasons);
+                ERR_load_const_strings(RAND_str_functs);
+                ERR_load_const_strings(RAND_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/rsa/rsa_err.c b/src/lib/libcrypto/rsa/rsa_err.c
index 8b54168900..934a59f663 100644
--- a/src/lib/libcrypto/rsa/rsa_err.c
+++ b/src/lib/libcrypto/rsa/rsa_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa_err.c,v 1.22 2023/07/08 12:26:45 beck Exp $ */
+/* $OpenBSD: rsa_err.c,v 1.23 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/rsa.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_RSA,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_RSA,0,reason)
 
-static ERR_STRING_DATA RSA_str_functs[] = {
+static const ERR_STRING_DATA RSA_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA RSA_str_reasons[] = {
+static const ERR_STRING_DATA RSA_str_reasons[] = {
         {ERR_REASON(RSA_R_ALGORITHM_MISMATCH)    , "algorithm mismatch"},
         {ERR_REASON(RSA_R_BAD_E_VALUE)           , "bad e value"},
         {ERR_REASON(RSA_R_BAD_FIXED_HEADER_DECRYPT), "bad fixed header decrypt"},
@@ -150,8 +152,8 @@ ERR_load_RSA_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(RSA_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, RSA_str_functs);
-                ERR_load_strings(0, RSA_str_reasons);
+                ERR_load_const_strings(RSA_str_functs);
+                ERR_load_const_strings(RSA_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/ts/ts_err.c b/src/lib/libcrypto/ts/ts_err.c
index bb8209a85c..c0dcc73099 100644
--- a/src/lib/libcrypto/ts/ts_err.c
+++ b/src/lib/libcrypto/ts/ts_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_err.c,v 1.7 2023/07/07 07:25:21 beck Exp $ */
+/* $OpenBSD: ts_err.c,v 1.8 2024/06/24 06:43:22 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2007 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/ts.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_TS,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_TS,0,reason)
 
-static ERR_STRING_DATA TS_str_functs[] = {
+static const ERR_STRING_DATA TS_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA TS_str_reasons[]= {
+static const ERR_STRING_DATA TS_str_reasons[] = {
         {ERR_REASON(TS_R_BAD_PKCS7_TYPE)         , "bad pkcs7 type"},
         {ERR_REASON(TS_R_BAD_TYPE)               , "bad type"},
         {ERR_REASON(TS_R_CERTIFICATE_VERIFY_ERROR), "certificate verify error"},
@@ -116,8 +118,8 @@ ERR_load_TS_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(TS_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, TS_str_functs);
-                ERR_load_strings(0, TS_str_reasons);
+                ERR_load_const_strings(TS_str_functs);
+                ERR_load_const_strings(TS_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/ui/ui_err.c b/src/lib/libcrypto/ui/ui_err.c
index 3f875da776..656fa42887 100644
--- a/src/lib/libcrypto/ui/ui_err.c
+++ b/src/lib/libcrypto/ui/ui_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ui_err.c,v 1.12 2023/02/16 08:38:17 tb Exp $ */
+/* $OpenBSD: ui_err.c,v 1.13 2024/06/24 06:43:23 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -60,17 +60,19 @@
 #include <openssl/err.h>
 #include <openssl/ui.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_UI,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_UI,0,reason)
 
-static ERR_STRING_DATA UI_str_functs[] = {
+static const ERR_STRING_DATA UI_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA UI_str_reasons[] = {
+static const ERR_STRING_DATA UI_str_reasons[] = {
         {ERR_REASON(UI_R_COMMON_OK_AND_CANCEL_CHARACTERS), "common ok and cancel characters"},
         {ERR_REASON(UI_R_INDEX_TOO_LARGE), "index too large"},
         {ERR_REASON(UI_R_INDEX_TOO_SMALL), "index too small"},
@@ -88,8 +90,8 @@ ERR_load_UI_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(UI_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, UI_str_functs);
-                ERR_load_strings(0, UI_str_reasons);
+                ERR_load_const_strings(UI_str_functs);
+                ERR_load_const_strings(UI_str_reasons);
         }
 #endif
 }
diff --git a/src/lib/libcrypto/x509/x509_err.c b/src/lib/libcrypto/x509/x509_err.c
index 2cbd349350..cff045b105 100644
--- a/src/lib/libcrypto/x509/x509_err.c
+++ b/src/lib/libcrypto/x509/x509_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_err.c,v 1.22 2023/05/14 17:20:26 tb Exp $ */
+/* $OpenBSD: x509_err.c,v 1.23 2024/06/24 06:43:23 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2006 The OpenSSL Project.  All rights reserved.
  *
@@ -61,17 +61,19 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
+#include "err_local.h"
+
 #ifndef OPENSSL_NO_ERR
 
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509,0,reason)
 
-static ERR_STRING_DATA X509_str_functs[] = {
+static const ERR_STRING_DATA X509_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA X509_str_reasons[] = {
+static const ERR_STRING_DATA X509_str_reasons[] = {
         {ERR_REASON(X509_R_BAD_X509_FILETYPE)    , "bad x509 filetype"},
         {ERR_REASON(X509_R_BASE64_DECODE_ERROR)  , "base64 decode error"},
         {ERR_REASON(X509_R_CANT_CHECK_DH_KEY)    , "cant check dh key"},
@@ -108,12 +110,12 @@ static ERR_STRING_DATA X509_str_reasons[] = {
 #define ERR_FUNC(func) ERR_PACK(ERR_LIB_X509V3,func,0)
 #define ERR_REASON(reason) ERR_PACK(ERR_LIB_X509V3,0,reason)
 
-static ERR_STRING_DATA X509V3_str_functs[] = {
+static const ERR_STRING_DATA X509V3_str_functs[] = {
         {ERR_FUNC(0xfff), "CRYPTO_internal"},
         {0, NULL}
 };
 
-static ERR_STRING_DATA X509V3_str_reasons[] = {
+static const ERR_STRING_DATA X509V3_str_reasons[] = {
         {ERR_REASON(X509V3_R_BAD_IP_ADDRESS)     , "bad ip address"},
         {ERR_REASON(X509V3_R_BAD_OBJECT)         , "bad object"},
         {ERR_REASON(X509V3_R_BN_DEC2BN_ERROR)    , "bn dec2bn error"},
@@ -192,8 +194,8 @@ ERR_load_X509_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(X509_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, X509_str_functs);
-                ERR_load_strings(0, X509_str_reasons);
+                ERR_load_const_strings(X509_str_functs);
+                ERR_load_const_strings(X509_str_reasons);
         }
 #endif
 }
@@ -205,8 +207,8 @@ ERR_load_X509V3_strings(void)
 {
 #ifndef OPENSSL_NO_ERR
         if (ERR_func_error_string(X509V3_str_functs[0].error) == NULL) {
-                ERR_load_strings(0, X509V3_str_functs);
-                ERR_load_strings(0, X509V3_str_reasons);
+                ERR_load_const_strings(X509V3_str_functs);
+                ERR_load_const_strings(X509V3_str_reasons);
         }
 #endif
 }