haproxy: Update HAProxy to v1.8.23

- Update haproxy download URL and hash
- This fixes CVE-2019-19330 (See: https://nvd.nist.gov/vuln/detail/CVE-2019-19330)

Signed-off-by: Christian Lachner <gladiac@gmail.com>

net/haproxy/patches/000-deprecated-openssl.patch

@@ -0,0 +1,112 @@
+--- a/src/ssl_sock.c
++++ b/src/ssl_sock.c
+@@ -39,6 +39,7 @@
+ #include <netdb.h>
+ #include <netinet/tcp.h>
+ 
++#include <openssl/bn.h>
+ #include <openssl/crypto.h>
+ #include <openssl/ssl.h>
+ #include <openssl/x509.h>
+@@ -60,6 +61,17 @@
+ #include <openssl/async.h>
+ #endif
+ 
++#ifndef OPENSSL_VERSION
++#define OPENSSL_VERSION		SSLEAY_VERSION
++#define OpenSSL_version(x)	SSLeay_version(x)
++#define OpenSSL_version_num	SSLeay
++#endif
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#define X509_getm_notBefore X509_get_notBefore
++#define X509_getm_notAfter X509_get_notAfter
++#endif
++
+ #include <import/lru.h>
+ #include <import/xxhash.h>
+ 
+@@ -217,7 +229,7 @@ static struct {
+ 	.capture_cipherlist = 0,
+ };
+ 
+-#ifdef USE_THREAD
++#if defined(USE_THREAD) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ 
+ static HA_RWLOCK_T *ssl_rwlocks;
+ 
+@@ -1716,8 +1728,8 @@ ssl_sock_do_create_cert(const char *servername, struct bind_conf *bind_conf, SSL
+ 	ASN1_INTEGER_set(X509_get_serialNumber(newcrt), HA_ATOMIC_ADD(&ssl_ctx_serial, 1));
+ 
+ 	/* Set duration for the certificate */
+-	if (!X509_gmtime_adj(X509_get_notBefore(newcrt), (long)-60*60*24) ||
+-	    !X509_gmtime_adj(X509_get_notAfter(newcrt),(long)60*60*24*365))
++	if (!X509_gmtime_adj(X509_getm_notBefore(newcrt), (long)-60*60*24) ||
++	    !X509_gmtime_adj(X509_getm_notAfter(newcrt),(long)60*60*24*365))
+ 		goto mkcert_error;
+ 
+ 	/* set public key in the certificate */
+@@ -6399,7 +6411,7 @@ smp_fetch_ssl_x_notafter(const struct arg *args, struct sample *smp, const char
+ 		goto out;
+ 
+ 	smp_trash = get_trash_chunk();
+-	if (ssl_sock_get_time(X509_get_notAfter(crt), smp_trash) <= 0)
++	if (ssl_sock_get_time(X509_getm_notAfter(crt), smp_trash) <= 0)
+ 		goto out;
+ 
+ 	smp->data.u.str = *smp_trash;
+@@ -6499,7 +6511,7 @@ smp_fetch_ssl_x_notbefore(const struct a
+ 		goto out;
+ 
+ 	smp_trash = get_trash_chunk();
+-	if (ssl_sock_get_time(X509_get_notBefore(crt), smp_trash) <= 0)
++	if (ssl_sock_get_time(X509_getm_notBefore(crt), smp_trash) <= 0)
+ 		goto out;
+ 
+ 	smp->data.u.str = *smp_trash;
+@@ -9070,7 +9082,9 @@ static void __ssl_sock_init(void)
+ #endif
+ 
+ 	xprt_register(XPRT_SSL, &ssl_sock);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	SSL_library_init();
++#endif
+ #if (!defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION))
+ 	cm = SSL_COMP_get_compression_methods();
+ 	i = sk_SSL_COMP_num(cm);
+@@ -9079,7 +9093,7 @@ static void __ssl_sock_init(void)
+ 	}
+ #endif
+ 
+-#ifdef USE_THREAD
++#if defined(USE_THREAD) && (OPENSSL_VERSION_NUMBER < 0x10100000L)
+ 	ssl_locking_init();
+ #endif
+ #if (OPENSSL_VERSION_NUMBER >= 0x1000200fL && !defined OPENSSL_NO_TLSEXT && !defined OPENSSL_IS_BORINGSSL && !defined LIBRESSL_VERSION_NUMBER)
+@@ -9108,8 +9122,8 @@ static void __ssl_sock_init(void)
+ #else /* OPENSSL_IS_BORINGSSL */
+ 	        OPENSSL_VERSION_TEXT
+ 		"\nRunning on OpenSSL version : %s%s",
+-	       SSLeay_version(SSLEAY_VERSION),
+-	       ((OPENSSL_VERSION_NUMBER ^ SSLeay()) >> 8) ? " (VERSIONS DIFFER!)" : "");
++	       OpenSSL_version(OPENSSL_VERSION),
++	       ((OPENSSL_VERSION_NUMBER ^ OpenSSL_version_num()) >> 8) ? " (VERSIONS DIFFER!)" : "");
+ #endif
+ 	memprintf(&ptr, "%s\nOpenSSL library supports TLS extensions : "
+ #if OPENSSL_VERSION_NUMBER < 0x00907000L
+@@ -9200,12 +9214,14 @@ static void __ssl_sock_deinit(void)
+ 	}
+ #endif
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+         ERR_remove_state(0);
+         ERR_free_strings();
+ 
+         EVP_cleanup();
++#endif
+ 
+-#if OPENSSL_VERSION_NUMBER >= 0x00907000L
++#if OPENSSL_VERSION_NUMBER >= 0x00907000L && OPENSSL_VERSION_NUMBER < 0x10100000L
+         CRYPTO_cleanup_all_ex_data();
+ #endif
+ }