libssl: const correct the ssl_session_dup() helper

This allows a const correct SSL_SESSION_dup() implementation at the cost
of casting away const due to the const incorrect CRYPTO_dup_ex_data()...
(I should look into fixing that, but things like rust-openssl make that
hard at this point in the release cycle.)

ok kenjiro (as part of a larger diff)

lib/libssl/ssl_local.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.33 2025/05/10 06:04:36 tb Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.34 2025/10/24 09:23:06 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1240,7 +1240,7 @@ int ssl_security_cert_chain(const SSL *ssl, STACK_OF(X509) *sk,
 int ssl_security_shared_group(const SSL *ssl, uint16_t group_id);
 int ssl_security_supported_group(const SSL *ssl, uint16_t group_id);
 
-SSL_SESSION *ssl_session_dup(SSL_SESSION *src, int include_ticket);
+SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int include_ticket);
 int ssl_get_new_session(SSL *s, int session);
 int ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block,
     int *alert);

lib/libssl/ssl_sess.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_sess.c,v 1.129 2025/03/09 15:53:36 tb Exp $ */
+/* $OpenBSD: ssl_sess.c,v 1.130 2025/10/24 09:23:06 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -247,7 +247,7 @@ SSL_SESSION_new(void)
 LSSL_ALIAS(SSL_SESSION_new);
 
 SSL_SESSION *
-ssl_session_dup(SSL_SESSION *sess, int include_ticket)
+ssl_session_dup(const SSL_SESSION *sess, int include_ticket)
 {
 	SSL_SESSION *copy;
 	CBS cbs;
@@ -313,7 +313,7 @@ ssl_session_dup(SSL_SESSION *sess, int include_ticket)
 		goto err;
 
 	if (!CRYPTO_dup_ex_data(CRYPTO_EX_INDEX_SSL_SESSION, &copy->ex_data,
-	    &sess->ex_data))
+	    (CRYPTO_EX_DATA *)&sess->ex_data))
 		goto err;
 
 	/* Omit prev/next: the new session gets its own slot in the cache. */