diff --git a/kdc/gss_preauth.c b/kdc/gss_preauth.c
index 24663deb0..faac03832 100644
--- a/kdc/gss_preauth.c
+++ b/kdc/gss_preauth.c
@@ -988,7 +988,7 @@ pa_gss_display_status(astgs_request_t r,
 static const gss_buffer_desc
 gss_pa_unknown_display_name = {
     sizeof("<unknown name>") - 1,
-    "<unknown name>"
+    rk_UNCONST("<unknown name>")
 };
 
 static void
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 36b2a2063..45e587009 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -692,9 +692,9 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
 	return ret;
     }
 
-    pepper1.data = "clientchallengearmor";
+    pepper1.data = rk_UNCONST("clientchallengearmor");
     pepper1.length = strlen(pepper1.data);
-    pepper2.data = "challengelongterm";
+    pepper2.data = rk_UNCONST("challengelongterm");
     pepper2.length = strlen(pepper2.data);
 
     krb5_crypto_getenctype(r->context, r->armor_crypto, &aenctype);
@@ -776,7 +776,7 @@ pa_enc_chal_validate(astgs_request_t r, const PA_DATA *pa)
 	 * challenge key (different pepper).
 	 */
 
-	pepper1.data = "kdcchallengearmor";
+	pepper1.data = rk_UNCONST("kdcchallengearmor");
 	pepper1.length = strlen(pepper1.data);
 
 	ret = krb5_crypto_fx_cf2(r->context, r->armor_crypto, longtermcrypto,
@@ -2446,6 +2446,7 @@ _kdc_as_rep(astgs_request_t r)
     if (!config->historical_anon_realm &&
         _kdc_is_anonymous(r->context, r->client_princ)) {
 	const Realm anon_realm = KRB5_ANON_REALM;
+
 	ret = copy_Realm(&anon_realm, &rep->crealm);
     } else if (f.canonicalize || r->client->flags.force_canonicalize)
 	ret = copy_Realm(&r->canon_client_princ->realm, &rep->crealm);
diff --git a/kdc/kx509.c b/kdc/kx509.c
index eab68d2c9..29c9d64e3 100644
--- a/kdc/kx509.c
+++ b/kdc/kx509.c
@@ -491,7 +491,8 @@ make_csr(krb5_context context, kx509_req_context reqctx, krb5_data *key)
     ret = der_copy_oid(&asn1_oid_id_pkcs1_rsaEncryption,
                        &spki.algorithm.algorithm);
 
-    any.data = "\x05\x00";
+    /* copied read-only by hx509_request_set_SubjectPublicKeyInfo */
+    any.data = rk_UNCONST("\x05\x00");
     any.length = 2;
     spki.algorithm.parameters = &any;
 
diff --git a/kdc/pkinit.c b/kdc/pkinit.c
index 861044bfe..d5c98c46f 100644
--- a/kdc/pkinit.c
+++ b/kdc/pkinit.c
@@ -1681,8 +1681,8 @@ _kdc_pk_mk_pa_reply(astgs_request_t r, pk_client_params *cp)
             krb5_keyblock kdc_contribution_key;
             krb5_crypto reply_crypto;
             krb5_crypto kdccont_crypto;
-            krb5_data p1 = { strlen("PKINIT"), "PKINIT"};
-            krb5_data p2 = { strlen("KEYEXCHANGE"), "KEYEXCHANGE"};
+            krb5_data p1 = { strlen("PKINIT"), rk_UNCONST("PKINIT")};
+            krb5_data p2 = { strlen("KEYEXCHANGE"), rk_UNCONST("KEYEXCHANGE")};
             void *kckdata;
             size_t kcklen;
             EncryptedData kx;
diff --git a/kdc/test_csr_authorizer.c b/kdc/test_csr_authorizer.c
index c9bae8297..f837f95a1 100644
--- a/kdc/test_csr_authorizer.c
+++ b/kdc/test_csr_authorizer.c
@@ -214,7 +214,7 @@ service(void *ctx,
         errx(1, "Out of memory");
 
     if (strncmp(cmd, "check ", sizeof("check ") - 1) != 0) {
-        rep.data = "Invalid request command (must be \"check ...\")";
+        rep.data = rk_UNCONST("Invalid request command (must be \"check ...\")");
         rep.length = sizeof("Invalid request command (must be \"check ...\")") - 1;
         (*complete_cb)(complete_cb_data, EINVAL, &rep);
         free(cmd);
@@ -248,7 +248,7 @@ service(void *ctx,
     if (ret == 0 && all_granted) {
         rk_strpoolfree(result);
 
-        rep.data = "granted";
+        rep.data = rk_UNCONST("granted");
         rep.length = sizeof("granted") - 1;
         (*complete_cb)(complete_cb_data, 0, &rep);
         return;
@@ -257,7 +257,7 @@ service(void *ctx,
     if (none_granted && ignore_flag) {
         rk_strpoolfree(result);
 
-        rep.data = "ignore";
+        rep.data = rk_UNCONST("ignore");
         rep.length = sizeof("ignore") - 1;
         (*complete_cb)(complete_cb_data, KRB5_PLUGIN_NO_HANDLE, &rep);
         return;
@@ -265,7 +265,7 @@ service(void *ctx,
 
     s = rk_strpoolcollect(result); /* frees `result' */
     if (s == NULL) {
-        rep.data = "denied out-of-memory";
+        rep.data = rk_UNCONST("denied out-of-memory");
         rep.length = sizeof("denied out-of-memory") - 1;
         (*complete_cb)(complete_cb_data, KRB5_PLUGIN_NO_HANDLE, &rep);
         return;
@@ -284,7 +284,7 @@ service(void *ctx,
     free(s);
 }
 
-static char *
+static const char *
 make_feature_argument(const char *kind,
                       hx509_san_type san_type,
                       const char *value)
@@ -293,6 +293,7 @@ make_feature_argument(const char *kind,
     char *s = NULL;
 
     if (strcmp(kind, "san") != 0) {
+	/* XXX leak */
         if (asprintf(&s, "%s=%s", kind, value) == -1 || s == NULL)
             errx(1, "Out of memory");
         return s;
@@ -326,6 +327,7 @@ make_feature_argument(const char *kind,
         return "";
     }
 
+    /* XXX leak */
     if (asprintf(&s, "san_%s=%s", san_type_str, value) == -1 || s == NULL)
         errx(1, "Out of memory");
     return s;
@@ -426,7 +428,7 @@ main(int argc, char **argv)
          */
         for (i = 0; ret2 == 0; i++) {
             hx509_san_type san_type;
-            char *feature = NULL;
+            const char *feature = NULL;
             char *san = NULL;
             int granted;
 
@@ -454,7 +456,7 @@ main(int argc, char **argv)
 
         /* Check partial approval of EKUs */
         for (i = 0; ret2 == 0; i++) {
-            char *feature = NULL;
+            const char *feature = NULL;
             char *eku = NULL;
             int granted;