Bug 1339720 - remove DISABLE_ECC, r=ttaubert,rrelyea
authorFranziskus Kiefer <franziskuskiefer@gmail.com>
Thu, 07 Sep 2017 09:33:28 +0200
changeset 13569 69242366eb810294a1d8e512e60732d832fd3c8a
parent 13568 b33b24d6eebb5be149b76b4c0feee3f662b0413d
child 13570 d839b28bc4fee96b48cace984dad4d137d802c01
push id2357
push userfranziskuskiefer@gmail.com
push dateThu, 07 Sep 2017 08:29:29 +0000
reviewersttaubert, rrelyea
bugs1339720
Bug 1339720 - remove DISABLE_ECC, r=ttaubert,rrelyea Differential Revision: https://nss-review.dev.mozaws.net/D264
cmd/bltest/blapitest.c
cmd/certutil/certutil.c
cmd/certutil/keystuff.c
cmd/fipstest/fipstest.c
cmd/lib/secutil.c
cmd/selfserv/selfserv.c
coreconf/config.mk
lib/freebl/ec.c
lib/freebl/ecdecode.c
lib/freebl/manifest.mn
lib/pk11wrap/pk11pk12.c
lib/softoken/legacydb/keydb.c
lib/softoken/legacydb/lgattr.c
lib/softoken/legacydb/lgcreate.c
lib/softoken/legacydb/lowcert.c
lib/softoken/legacydb/lowkey.c
lib/softoken/legacydb/lowkeyi.h
lib/softoken/legacydb/lowkeyti.h
lib/softoken/lowkey.c
lib/softoken/lowkeyi.h
lib/softoken/lowkeyti.h
lib/softoken/pkcs11.c
lib/softoken/pkcs11c.c
lib/softoken/pkcs11u.c
lib/softoken/softkver.h
tests/all.sh
tests/cert/cert.sh
tests/remote/Makefile
tests/smime/smime.sh
tests/ssl/ssl.sh
tests/tools/tools.sh
--- a/cmd/bltest/blapitest.c
+++ b/cmd/bltest/blapitest.c
@@ -15,26 +15,24 @@
 #include "nssb64.h"
 #include "basicutil.h"
 #include "plgetopt.h"
 #include "softoken.h"
 #include "nspr.h"
 #include "secport.h"
 #include "secoid.h"
 #include "nssutil.h"
+#include "ecl-curve.h"
 
 #include "pkcs1_vectors.h"
 
-#ifndef NSS_DISABLE_ECC
-#include "ecl-curve.h"
 SECStatus EC_DecodeParams(const SECItem *encodedParams,
                           ECParams **ecparams);
 SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
                         const ECParams *srcParams);
-#endif
 
 char *progName;
 char *testdir = NULL;
 
 #define BLTEST_DEFAULT_CHUNKSIZE 4096
 
 #define WORDSIZE sizeof(unsigned long)
 
@@ -130,28 +128,24 @@ Usage()
     PRINTUSAGE("", "-b", "size of input buffer");
     PRINTUSAGE("", "-p", "do performance test");
     PRINTUSAGE("", "-4", "run test in multithread mode. th_num number of parallel threads");
     PRINTUSAGE("", "-5", "run test for specified time interval(in seconds)");
     fprintf(stderr, "\n");
     PRINTUSAGE(progName, "-S -m mode", "Sign a buffer");
     PRINTUSAGE("", "", "[-i plaintext] [-o signature] [-k key]");
     PRINTUSAGE("", "", "[-b bufsize]");
-#ifndef NSS_DISABLE_ECC
     PRINTUSAGE("", "", "[-n curvename]");
-#endif
     PRINTUSAGE("", "", "[-p repetitions | -5 time_interval] [-4 th_num]");
     PRINTUSAGE("", "-m", "cipher mode to use");
     PRINTUSAGE("", "-i", "file which contains input buffer");
     PRINTUSAGE("", "-o", "file for signature");
     PRINTUSAGE("", "-k", "file which contains key");
-#ifndef NSS_DISABLE_ECC
     PRINTUSAGE("", "-n", "name of curve for EC key generation; one of:");
     PRINTUSAGE("", "", "  nistp256, nistp384, nistp521");
-#endif
     PRINTUSAGE("", "-p", "do performance test");
     PRINTUSAGE("", "-4", "run test in multithread mode. th_num number of parallel threads");
     PRINTUSAGE("", "-5", "run test for specified time interval(in seconds)");
     fprintf(stderr, "\n");
     PRINTUSAGE(progName, "-V -m mode", "Verify a signed buffer");
     PRINTUSAGE("", "", "[-i plaintext] [-s signature] [-k key]");
     PRINTUSAGE("", "", "[-p repetitions | -5 time_interval] [-4 th_num]");
     PRINTUSAGE("", "-m", "cipher mode to use");
@@ -364,17 +358,16 @@ dsakey_from_filedata(PLArenaPool *arena,
 {
     DSAPrivateKey *key;
     key = (DSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
     key->params.arena = arena;
     key_from_filedata(arena, &key->params.prime, 0, 5, filedata);
     return key;
 }
 
-#ifndef NSS_DISABLE_ECC
 static ECPrivateKey *
 eckey_from_filedata(PLArenaPool *arena, SECItem *filedata)
 {
     ECPrivateKey *key;
     SECStatus rv;
     ECParams *tmpECParams = NULL;
     key = (ECPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(ECPrivateKey));
     /* read and convert params */
@@ -514,17 +507,16 @@ getECParams(const char *curve)
      * oidData->oid.data so we simply prepend 0x06 and OID length
      */
     ecparams->data[0] = SEC_ASN1_OBJECT_ID;
     ecparams->data[1] = oidData->oid.len;
     memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
 
     return ecparams;
 }
-#endif /* NSS_DISABLE_ECC */
 
 static void
 dump_pqg(PQGParams *pqg)
 {
     SECU_PrintInteger(stdout, &pqg->prime, "PRIME:", 0);
     SECU_PrintInteger(stdout, &pqg->subPrime, "SUBPRIME:", 0);
     SECU_PrintInteger(stdout, &pqg->base, "BASE:", 0);
 }
@@ -532,32 +524,30 @@ dump_pqg(PQGParams *pqg)
 static void
 dump_dsakey(DSAPrivateKey *key)
 {
     dump_pqg(&key->params);
     SECU_PrintInteger(stdout, &key->publicValue, "PUBLIC VALUE:", 0);
     SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0);
 }
 
-#ifndef NSS_DISABLE_ECC
 static void
 dump_ecp(ECParams *ecp)
 {
     /* TODO other fields */
     SECU_PrintInteger(stdout, &ecp->base, "BASE POINT:", 0);
 }
 
 static void
 dump_eckey(ECPrivateKey *key)
 {
     dump_ecp(&key->ecParams);
     SECU_PrintInteger(stdout, &key->publicValue, "PUBLIC VALUE:", 0);
     SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0);
 }
-#endif
 
 static void
 dump_rsakey(RSAPrivateKey *key)
 {
     SECU_PrintInteger(stdout, &key->version, "VERSION:", 0);
     SECU_PrintInteger(stdout, &key->modulus, "MODULUS:", 0);
     SECU_PrintInteger(stdout, &key->publicExponent, "PUBLIC EXP:", 0);
     SECU_PrintInteger(stdout, &key->privateExponent, "PRIVATE EXP:", 0);
@@ -633,27 +623,25 @@ typedef enum {
     bltestCAMELLIA_ECB, /* .                     */
     bltestCAMELLIA_CBC, /* .                     */
     bltestSEED_ECB,     /* SEED algorithm      */
     bltestSEED_CBC,     /* SEED algorithm      */
     bltestCHACHA20,     /* ChaCha20 + Poly1305   */
     bltestRSA,          /* Public Key Ciphers    */
     bltestRSA_OAEP,     /* . (Public Key Enc.)   */
     bltestRSA_PSS,      /* . (Public Key Sig.)   */
-#ifndef NSS_DISABLE_ECC
-    bltestECDSA, /* . (Public Key Sig.)   */
-#endif
-    bltestDSA,    /* . (Public Key Sig.)   */
-    bltestMD2,    /* Hash algorithms       */
-    bltestMD5,    /* .             */
-    bltestSHA1,   /* .             */
-    bltestSHA224, /* .             */
-    bltestSHA256, /* .             */
-    bltestSHA384, /* .             */
-    bltestSHA512, /* .             */
+    bltestECDSA,        /* . (Public Key Sig.)   */
+    bltestDSA,          /* . (Public Key Sig.)   */
+    bltestMD2,          /* Hash algorithms       */
+    bltestMD5,          /* .             */
+    bltestSHA1,         /* .             */
+    bltestSHA224,       /* .             */
+    bltestSHA256,       /* .             */
+    bltestSHA384,       /* .             */
+    bltestSHA512,       /* .             */
     NUMMODES
 } bltestCipherMode;
 
 static char *mode_strings[] =
     {
       "des_ecb",
       "des_cbc",
       "des3_ecb",
@@ -673,19 +661,17 @@ static char *mode_strings[] =
       "camellia_ecb",
       "camellia_cbc",
       "seed_ecb",
       "seed_cbc",
       "chacha20_poly1305",
       "rsa",
       "rsa_oaep",
       "rsa_pss",
-#ifndef NSS_DISABLE_ECC
       "ecdsa",
-#endif
       /*"pqg",*/
       "dsa",
       "md2",
       "md5",
       "sha1",
       "sha224",
       "sha256",
       "sha384",
@@ -727,38 +713,34 @@ typedef struct
 {
     bltestIO pqgdata;
     unsigned int keysize;
     bltestIO keyseed;
     bltestIO sigseed;
     PQGParams *pqg;
 } bltestDSAParams;
 
-#ifndef NSS_DISABLE_ECC
 typedef struct
 {
     char *curveName;
     bltestIO sigseed;
 } bltestECDSAParams;
-#endif
 
 typedef struct
 {
     bltestIO key;
     void *privKey;
     void *pubKey;
     bltestIO sig; /* if doing verify, the signature (which may come
                    * from sigfile. */
 
     union {
         bltestRSAParams rsa;
         bltestDSAParams dsa;
-#ifndef NSS_DISABLE_ECC
         bltestECDSAParams ecdsa;
-#endif
     } cipherParams;
 } bltestAsymKeyParams;
 
 typedef struct
 {
     bltestIO key; /* unused */
     PRBool restart;
 } bltestHashParams;
@@ -1305,17 +1287,16 @@ dsa_signDigest(void *cx, SECItem *output
 
 SECStatus
 dsa_verifyDigest(void *cx, SECItem *output, const SECItem *input)
 {
     bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
     return DSA_VerifyDigest((DSAPublicKey *)params->pubKey, output, input);
 }
 
-#ifndef NSS_DISABLE_ECC
 SECStatus
 ecdsa_signDigest(void *cx, SECItem *output, const SECItem *input)
 {
     bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
     if (params->cipherParams.ecdsa.sigseed.buf.len > 0) {
         return ECDSA_SignDigestWithSeed(
             (ECPrivateKey *)params->privKey,
             output, input,
@@ -1326,17 +1307,16 @@ ecdsa_signDigest(void *cx, SECItem *outp
 }
 
 SECStatus
 ecdsa_verifyDigest(void *cx, SECItem *output, const SECItem *input)
 {
     bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
     return ECDSA_VerifyDigest((ECPublicKey *)params->pubKey, output, input);
 }
-#endif
 
 SECStatus
 bltest_des_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
 {
     PRIntervalTime time1, time2;
     bltestSymmKeyParams *desp = &cipherInfo->params.sk;
     int minorMode;
     int i;
@@ -1806,17 +1786,16 @@ bltest_dsa_init(bltestCipherInfo *cipher
         pubkey->publicValue.len = key->publicValue.len;
         pubkey->publicValue.data = key->publicValue.data;
         asymk->pubKey = pubkey;
         cipherInfo->cipher.pubkeyCipher = dsa_verifyDigest;
     }
     return SECSuccess;
 }
 
-#ifndef NSS_DISABLE_ECC
 SECStatus
 bltest_ecdsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
 {
     int i;
     ECPrivateKey **dummyKey;
     PRIntervalTime time1, time2;
     bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
     cipherInfo->cx = asymk;
@@ -1872,17 +1851,16 @@ bltest_ecdsa_init(bltestCipherInfo *ciph
         pubkey->ecParams.name = key->ecParams.name;
         pubkey->publicValue.len = key->publicValue.len;
         pubkey->publicValue.data = key->publicValue.data;
         asymk->pubKey = pubkey;
         cipherInfo->cipher.pubkeyCipher = ecdsa_verifyDigest;
     }
     return SECSuccess;
 }
-#endif
 
 /* XXX unfortunately, this is not defined in blapi.h */
 SECStatus
 md2_HashBuf(unsigned char *dest, const unsigned char *src, PRUint32 src_length)
 {
     unsigned int len;
     MD2Context *cx = MD2_NewContext();
     if (cx == NULL)
@@ -2164,35 +2142,29 @@ SHA512_restart(unsigned char *dest, cons
     SHA512_End(cx, dest, &len, MD5_LENGTH);
 finish:
     SHA512_DestroyContext(cx, PR_TRUE);
     return rv;
 }
 
 SECStatus
 pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file,
-#ifndef NSS_DISABLE_ECC
               int keysize, int exponent, char *curveName)
-#else
-              int keysize, int exponent)
-#endif
 {
     int i;
     SECStatus rv = SECSuccess;
     bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
     bltestRSAParams *rsap;
     RSAPrivateKey **rsaKey = NULL;
     bltestDSAParams *dsap;
     DSAPrivateKey **dsaKey = NULL;
-#ifndef NSS_DISABLE_ECC
     SECItem *tmpECParamsDER;
     ECParams *tmpECParams = NULL;
     SECItem ecSerialize[3];
     ECPrivateKey **ecKey = NULL;
-#endif
     switch (cipherInfo->mode) {
         case bltestRSA:
         case bltestRSA_PSS:
         case bltestRSA_OAEP:
             rsap = &asymk->cipherParams.rsa;
             rsaKey = (RSAPrivateKey **)&asymk->privKey;
             if (keysize > 0) {
                 SECItem expitem = { 0, 0, 0 };
@@ -2219,17 +2191,16 @@ pubkeyInitKey(bltestCipherInfo *cipherIn
                 CHECKERROR(rv, __LINE__);
                 serialize_key(&(*dsaKey)->params.prime, 5, file);
             } else {
                 setupIO(cipherInfo->arena, &asymk->key, file, NULL, 0);
                 *dsaKey = dsakey_from_filedata(cipherInfo->arena, &asymk->key.buf);
                 dsap->keysize = (*dsaKey)->params.prime.len * 8;
             }
             break;
-#ifndef NSS_DISABLE_ECC
         case bltestECDSA:
             ecKey = (ECPrivateKey **)&asymk->privKey;
             if (curveName != NULL) {
                 tmpECParamsDER = getECParams(curveName);
                 rv = SECOID_Init();
                 CHECKERROR(rv, __LINE__);
                 rv = EC_DecodeParams(tmpECParamsDER, &tmpECParams) == SECFailure;
                 CHECKERROR(rv, __LINE__);
@@ -2249,17 +2220,16 @@ pubkeyInitKey(bltestCipherInfo *cipherIn
                 PORT_FreeArena(tmpECParams->arena, PR_TRUE);
                 rv = SECOID_Shutdown();
                 CHECKERROR(rv, __LINE__);
             } else {
                 setupIO(cipherInfo->arena, &asymk->key, file, NULL, 0);
                 *ecKey = eckey_from_filedata(cipherInfo->arena, &asymk->key.buf);
             }
             break;
-#endif
         default:
             return SECFailure;
     }
     return SECSuccess;
 }
 
 SECStatus
 cipherInit(bltestCipherInfo *cipherInfo, PRBool encrypt)
@@ -2336,25 +2306,23 @@ cipherInit(bltestCipherInfo *cipherInfo,
             break;
         case bltestDSA:
             if (encrypt) {
                 SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
                                   DSA_MAX_SIGNATURE_LEN);
             }
             return bltest_dsa_init(cipherInfo, encrypt);
             break;
-#ifndef NSS_DISABLE_ECC
         case bltestECDSA:
             if (encrypt) {
                 SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
                                   2 * MAX_ECKEY_LEN);
             }
             return bltest_ecdsa_init(cipherInfo, encrypt);
             break;
-#endif
         case bltestMD2:
             restart = cipherInfo->params.hash.restart;
             SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
                               MD2_LENGTH);
             cipherInfo->cipher.hashCipher = (restart) ? md2_restart : md2_HashBuf;
             return SECSuccess;
             break;
         case bltestMD5:
@@ -2639,19 +2607,17 @@ cipherFinish(bltestCipherInfo *cipherInf
         case bltestRC5_CBC:
             RC5_DestroyContext((RC5Context *)cipherInfo->cx, PR_TRUE);
             break;
 #endif
         case bltestRSA:     /* keys are alloc'ed within cipherInfo's arena, */
         case bltestRSA_PSS: /* will be freed with it. */
         case bltestRSA_OAEP:
         case bltestDSA:
-#ifndef NSS_DISABLE_ECC
         case bltestECDSA:
-#endif
         case bltestMD2: /* hash contexts are ephemeral */
         case bltestMD5:
         case bltestSHA1:
         case bltestSHA224:
         case bltestSHA256:
         case bltestSHA384:
         case bltestSHA512:
             return SECSuccess;
@@ -2817,28 +2783,26 @@ print_td:
             break;
         case bltestDSA:
             if (td) {
                 fprintf(stdout, "%8s", "pqg_mod");
             } else {
                 fprintf(stdout, "%8d", info->params.asymk.cipherParams.dsa.keysize);
             }
             break;
-#ifndef NSS_DISABLE_ECC
         case bltestECDSA:
             if (td) {
                 fprintf(stdout, "%12s", "ec_curve");
             } else {
                 ECPrivateKey *key = (ECPrivateKey *)info->params.asymk.privKey;
                 ECCurveName curveName = key->ecParams.name;
                 fprintf(stdout, "%12s",
                         ecCurve_map[curveName] ? ecCurve_map[curveName]->text : "Unsupported curve");
             }
             break;
-#endif
         case bltestMD2:
         case bltestMD5:
         case bltestSHA1:
         case bltestSHA256:
         case bltestSHA384:
         case bltestSHA512:
         default:
             break;
@@ -3058,29 +3022,27 @@ get_params(PLArenaPool *arena, bltestPar
             load_file_data(arena, &params->asymk.cipherParams.dsa.keyseed, filename,
                            bltestBase64Encoded);
             sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
             load_file_data(arena, &params->asymk.cipherParams.dsa.sigseed, filename,
                            bltestBase64Encoded);
             sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext", j);
             load_file_data(arena, &params->asymk.sig, filename, bltestBase64Encoded);
             break;
-#ifndef NSS_DISABLE_ECC
         case bltestECDSA:
             sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
             load_file_data(arena, &params->asymk.key, filename, bltestBase64Encoded);
             params->asymk.privKey =
                 (void *)eckey_from_filedata(arena, &params->asymk.key.buf);
             sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
             load_file_data(arena, &params->asymk.cipherParams.ecdsa.sigseed,
                            filename, bltestBase64Encoded);
             sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext", j);
             load_file_data(arena, &params->asymk.sig, filename, bltestBase64Encoded);
             break;
-#endif
         case bltestMD2:
         case bltestMD5:
         case bltestSHA1:
         case bltestSHA224:
         case bltestSHA256:
         case bltestSHA384:
         case bltestSHA512:
             /*params->hash.restart = PR_TRUE;*/
@@ -3292,23 +3254,21 @@ dump_file(bltestCipherMode mode, char *f
     get_file_data(filename, &item, PR_TRUE);
     pqg = pqg_from_filedata(&item);
     dump_pqg(pqg);
 #endif
         DSAPrivateKey *key;
         load_file_data(arena, &keydata, filename, bltestBase64Encoded);
         key = dsakey_from_filedata(arena, &keydata.buf);
         dump_dsakey(key);
-#ifndef NSS_DISABLE_ECC
     } else if (mode == bltestECDSA) {
         ECPrivateKey *key;
         load_file_data(arena, &keydata, filename, bltestBase64Encoded);
         key = eckey_from_filedata(arena, &keydata.buf);
         dump_eckey(key);
-#endif
     }
     PORT_FreeArena(arena, PR_FALSE);
     return SECFailure;
 }
 
 void
 ThreadExecTest(void *data)
 {
@@ -3585,19 +3545,17 @@ enum {
     opt_SigFile,
     opt_KeySize,
     opt_Hex,
     opt_Input,
     opt_PQGFile,
     opt_Key,
     opt_HexWSpc,
     opt_Mode,
-#ifndef NSS_DISABLE_ECC
     opt_CurveName,
-#endif
     opt_Output,
     opt_Repetitions,
     opt_ZeroBuf,
     opt_Rounds,
     opt_Seed,
     opt_SigSeedFile,
     opt_CXReps,
     opt_IV,
@@ -3639,19 +3597,17 @@ static secuCommandFlag bltest_options[] 
       { /* opt_SigFile */ 'f', PR_TRUE, 0, PR_FALSE },
       { /* opt_KeySize */ 'g', PR_TRUE, 0, PR_FALSE },
       { /* opt_Hex */ 'h', PR_FALSE, 0, PR_FALSE },
       { /* opt_Input */ 'i', PR_TRUE, 0, PR_FALSE },
       { /* opt_PQGFile */ 'j', PR_TRUE, 0, PR_FALSE },
       { /* opt_Key */ 'k', PR_TRUE, 0, PR_FALSE },
       { /* opt_HexWSpc */ 'l', PR_FALSE, 0, PR_FALSE },
       { /* opt_Mode */ 'm', PR_TRUE, 0, PR_FALSE },
-#ifndef NSS_DISABLE_ECC
       { /* opt_CurveName */ 'n', PR_TRUE, 0, PR_FALSE },
-#endif
       { /* opt_Output */ 'o', PR_TRUE, 0, PR_FALSE },
       { /* opt_Repetitions */ 'p', PR_TRUE, 0, PR_FALSE },
       { /* opt_ZeroBuf */ 'q', PR_FALSE, 0, PR_FALSE },
       { /* opt_Rounds */ 'r', PR_TRUE, 0, PR_FALSE },
       { /* opt_Seed */ 's', PR_TRUE, 0, PR_FALSE },
       { /* opt_SigSeedFile */ 't', PR_TRUE, 0, PR_FALSE },
       { /* opt_CXReps */ 'u', PR_TRUE, 0, PR_FALSE },
       { /* opt_IV */ 'v', PR_TRUE, 0, PR_FALSE },
@@ -3674,19 +3630,17 @@ main(int argc, char **argv)
     SECStatus rv = SECFailure;
 
     double totalTime = 0.0;
     PRIntervalTime time1, time2;
     PRFileDesc *outfile = NULL;
     bltestCipherInfo *cipherInfoListHead, *cipherInfo = NULL;
     bltestIOMode ioMode;
     int bufsize, exponent, curThrdNum;
-#ifndef NSS_DISABLE_ECC
     char *curveName = NULL;
-#endif
     int i, commandsEntered;
     int inoff, outoff;
     int threads = 1;
 
     secuCommand bltest;
     bltest.numCommands = sizeof(bltest_commands) / sizeof(secuCommandFlag);
     bltest.numOptions = sizeof(bltest_options) / sizeof(secuCommandFlag);
     bltest.commands = bltest_commands;
@@ -3912,22 +3866,20 @@ main(int argc, char **argv)
                        : (bltest.options[opt_HexWSpc].activated) ? bltestHexSpaceDelim
                                                                  : bltestBinary;
 
     if (bltest.options[opt_Exponent].activated)
         exponent = PORT_Atoi(bltest.options[opt_Exponent].arg);
     else
         exponent = 65537;
 
-#ifndef NSS_DISABLE_ECC
     if (bltest.options[opt_CurveName].activated)
         curveName = PORT_Strdup(bltest.options[opt_CurveName].arg);
     else
         curveName = NULL;
-#endif
 
     if (bltest.commands[cmd_Verify].activated &&
         !bltest.options[opt_SigFile].activated) {
         fprintf(stderr, "%s: You must specify a signature file with -f.\n",
                 progName);
 
     print_usage:
         if (cipherInfo) {
@@ -4003,21 +3955,17 @@ main(int argc, char **argv)
             } else {
                 if (bltest.options[opt_KeySize].activated)
                     keysize = PORT_Atoi(bltest.options[opt_KeySize].arg);
                 else
                     keysize = 64; /* use 512-bit default */
                 file = PR_Open("tmp.key", PR_WRONLY | PR_CREATE_FILE, 00660);
             }
             params->key.mode = bltestBase64Encoded;
-#ifndef NSS_DISABLE_ECC
             pubkeyInitKey(cipherInfo, file, keysize, exponent, curveName);
-#else
-            pubkeyInitKey(cipherInfo, file, keysize, exponent);
-#endif
             PR_Close(file);
         }
 
         /* set up an initialization vector. */
         if (cipher_requires_IV(cipherInfo->mode)) {
             char *ivstr = NULL;
             bltestSymmKeyParams *skp;
             file = NULL;
--- a/cmd/certutil/certutil.c
+++ b/cmd/certutil/certutil.c
@@ -1043,25 +1043,20 @@ PrintSyntax(char *progName)
     FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n",
         progName);
     FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n",
         progName);
     FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n"
         "\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
         "\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
-#ifndef NSS_DISABLE_ECC
     FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n"
         "\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n",
         progName);
-#else
-    FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|rsa|all]\n",
-        progName);
-#endif /* NSS_DISABLE_ECC */
     FPS "\t\t [-f pwfile] [-X] [-d certdir] [-P dbprefix]\n");
     FPS "\t%s --upgrade-merge --source-dir upgradeDir --upgrade-id uniqueID\n",
         progName);
     FPS "\t\t [--upgrade-token-name tokenName] [-d targetDBDir]\n");
     FPS "\t\t [-P targetDBPrefix] [--source-prefix upgradeDBPrefix]\n");
     FPS "\t\t [-f targetPWfile] [-@ upgradePWFile]\n");
     FPS "\t%s --merge --source-dir sourceDBDir [-d targetDBdir]\n",
         progName);
@@ -1243,36 +1238,28 @@ luG(enum usage_level ul, const char *com
     int is_my_command = (command && 0 == strcmp(command, "G"));
     if (ul == usage_all || !command || is_my_command)
     FPS "%-15s Generate a new key pair\n",
         "-G");
     if (ul == usage_selected && !is_my_command)
         return;
     FPS "%-20s Name of token in which to generate key (default is internal)\n",
         "   -h token-name");
-#ifndef NSS_DISABLE_ECC
     FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
         "   -k key-type");
     FPS "%-20s Key size in bits, (min %d, max %d, default %d) (not for ec)\n",
         "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
-#else
-    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-        "   -k key-type");
-    FPS "%-20s Key size in bits, (min %d, max %d, default %d)\n",
-        "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
-#endif /* NSS_DISABLE_ECC */
     FPS "%-20s Set the public exponent value (3, 17, 65537) (rsa only)\n",
         "   -y exp");
     FPS "%-20s Specify the password file\n",
         "   -f password-file");
     FPS "%-20s Specify the noise file to be used\n",
         "   -z noisefile");
     FPS "%-20s read PQG value from pqgfile (dsa only)\n",
         "   -q pqgfile");
-#ifndef NSS_DISABLE_ECC
     FPS "%-20s Elliptic curve name (ec only)\n",
         "   -q curve-name");
     FPS "%-20s One of nistp256, nistp384, nistp521, curve25519.\n", "");
     FPS "%-20s If a custom token is present, the following curves are also supported:\n", "");
     FPS "%-20s sect163k1, nistk163, sect163r1, sect163r2,\n", "");
     FPS "%-20s nistb163, sect193r1, sect193r2, sect233k1, nistk233,\n", "");
     FPS "%-20s sect233r1, nistb233, sect239k1, sect283k1, nistk283,\n", "");
     FPS "%-20s sect283r1, nistb283, sect409k1, nistk409, sect409r1,\n", "");
@@ -1284,17 +1271,16 @@ luG(enum usage_level ul, const char *com
     FPS "%-20s prime239v1, prime239v2, prime239v3, c2pnb163v1, \n", "");
     FPS "%-20s c2pnb163v2, c2pnb163v3, c2pnb176v1, c2tnb191v1, \n", "");
     FPS "%-20s c2tnb191v2, c2tnb191v3,  \n", "");
     FPS "%-20s c2pnb208w1, c2tnb239v1, c2tnb239v2, c2tnb239v3, \n", "");
     FPS "%-20s c2pnb272w1, c2pnb304w1, \n", "");
     FPS "%-20s c2tnb359w1, c2pnb368w1, c2tnb431r1, secp112r1, \n", "");
     FPS "%-20s secp112r2, secp128r1, secp128r2, sect113r1, sect113r2\n", "");
     FPS "%-20s sect131r1, sect131r2\n", "");
-#endif
     FPS "%-20s Key database directory (default is ~/.netscape)\n",
         "   -d keydir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
     FPS "%-20s\n"
         "%-20s PKCS #11 key Attributes.\n",
         "   --keyAttrFlags attrflags", "");
     FPS "%-20s Comma separated list of key attribute attribute flags,\n", "");
@@ -1374,19 +1360,17 @@ luK(enum usage_level ul, const char *com
     FPS "%-15s List all private keys\n",
         "-K");
     if (ul == usage_selected && !is_my_command)
         return;
     FPS "%-20s Name of token to search (\"all\" for all tokens)\n",
         "   -h token-name ");
 
     FPS "%-20s Key type (\"all\" (default), \"dsa\","
-#ifndef NSS_DISABLE_ECC
                                                     " \"ec\","
-#endif
                                                     " \"rsa\")\n",
         "   -k key-type");
     FPS "%-20s The nickname of the key or associated certificate\n",
         "   -n name");
     FPS "%-20s Specify the password file\n",
         "   -f password-file");
     FPS "%-20s Key database directory (default is ~/.netscape)\n",
         "   -d keydir");
@@ -1519,36 +1503,30 @@ luR(enum usage_level ul, const char *com
     FPS "%-15s Generate a certificate request (stdout)\n",
         "-R");
     if (ul == usage_selected && !is_my_command)
         return;
     FPS "%-20s Specify the subject name (using RFC1485)\n",
         "   -s subject");
     FPS "%-20s Output the cert request to this file\n",
         "   -o output-req");
-#ifndef NSS_DISABLE_ECC
     FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
-#else
-    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-#endif /* NSS_DISABLE_ECC */
         "   -k key-type-or-id");
     FPS "%-20s or nickname of the cert key to use \n",
         "");
     FPS "%-20s Name of token in which to generate key (default is internal)\n",
         "   -h token-name");
     FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
         "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
     FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
         "   -q pqgfile");
-#ifndef NSS_DISABLE_ECC
     FPS "%-20s Elliptic curve name (ec only)\n",
         "   -q curve-name");
     FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
         "");
-#endif /* NSS_DISABLE_ECC */
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
     FPS "%-20s Key database directory (default is ~/.netscape)\n",
         "   -d keydir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
     FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
         "   -p phone");
@@ -1704,34 +1682,28 @@ luS(enum usage_level ul, const char *com
     FPS "%-20s Specify the nickname of the cert\n",
         "   -n key-name");
     FPS "%-20s Specify the subject name (using RFC1485)\n",
         "   -s subject");
     FPS "%-20s The nickname of the issuer cert\n",
         "   -c issuer-name");
     FPS "%-20s Set the certificate trust attributes (see -A above)\n",
         "   -t trustargs");
-#ifndef NSS_DISABLE_ECC
     FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
-#else
-    FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-#endif /* NSS_DISABLE_ECC */
         "   -k key-type-or-id");
     FPS "%-20s Name of token in which to generate key (default is internal)\n",
         "   -h token-name");
     FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
         "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
     FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
         "   -q pqgfile");
-#ifndef NSS_DISABLE_ECC
     FPS "%-20s Elliptic curve name (ec only)\n",
         "   -q curve-name");
     FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
         "");
-#endif /* NSS_DISABLE_ECC */
     FPS "%-20s Self sign\n",
         "   -x");
     FPS "%-20s Cert serial number\n",
         "   -m serial-number");
     FPS "%-20s Time Warp\n",
         "   -w warp-months");
     FPS "%-20s Months valid (default is 3)\n",
         "   -v months-valid");
@@ -2620,22 +2592,20 @@ certutil_main(int argc, char **argv, PRB
     if (certutil.options[opt_KeySize].activated) {
         keysize = PORT_Atoi(certutil.options[opt_KeySize].arg);
         if ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS)) {
             PR_fprintf(PR_STDERR,
                        "%s -g:  Keysize must be between %d and %d.\n",
                        progName, MIN_KEY_BITS, MAX_KEY_BITS);
             return 255;
         }
-#ifndef NSS_DISABLE_ECC
         if (keytype == ecKey) {
             PR_fprintf(PR_STDERR, "%s -g:  Not for ec keys.\n", progName);
             return 255;
         }
-#endif /* NSS_DISABLE_ECC */
     }
 
     /*  -h specify token name  */
     if (certutil.options[opt_TokenName].activated) {
         if (PL_strcmp(certutil.options[opt_TokenName].arg, "all") == 0)
             slotname = NULL;
         else
             slotname = certutil.options[opt_TokenName].arg;
@@ -2654,20 +2624,18 @@ certutil_main(int argc, char **argv, PRB
 
     /*  -k key type  */
     if (certutil.options[opt_KeyType].activated) {
         char *arg = certutil.options[opt_KeyType].arg;
         if (PL_strcmp(arg, "rsa") == 0) {
             keytype = rsaKey;
         } else if (PL_strcmp(arg, "dsa") == 0) {
             keytype = dsaKey;
-#ifndef NSS_DISABLE_ECC
         } else if (PL_strcmp(arg, "ec") == 0) {
             keytype = ecKey;
-#endif /* NSS_DISABLE_ECC */
         } else if (PL_strcmp(arg, "all") == 0) {
             keytype = nullKey;
         } else {
             /* use an existing private/public key pair */
             keysource = arg;
         }
     } else if (certutil.commands[cmd_ListKeys].activated) {
         keytype = nullKey;
@@ -2710,26 +2678,20 @@ certutil_main(int argc, char **argv, PRB
             srcCertPrefix = certutil.options[opt_SourcePrefix].arg;
         } else {
             Usage(progName);
         }
     }
 
     /*  -q PQG file or curve name */
     if (certutil.options[opt_PQGFile].activated) {
-#ifndef NSS_DISABLE_ECC
         if ((keytype != dsaKey) && (keytype != ecKey)) {
             PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys"
                                   " (-k dsa) or a named curve for EC keys (-k ec)\n)",
                        progName);
-#else  /* } */
-        if (keytype != dsaKey) {
-            PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)",
-                       progName);
-#endif /* NSS_DISABLE_ECC */
             return 255;
         }
     }
 
     /*  -s subject name  */
     if (certutil.options[opt_Subject].activated) {
         subject = CERT_AsciiToName(certutil.options[opt_Subject].arg);
         if (!subject) {
--- a/cmd/certutil/keystuff.c
+++ b/cmd/certutil/keystuff.c
@@ -375,17 +375,16 @@ CERTUTIL_FileForRNG(const char *noise)
             PK11_RandomUpdate(buf, count);
         }
     } while (count > 0);
 
     PR_Close(fd);
     return SECSuccess;
 }
 
-#ifndef NSS_DISABLE_ECC
 typedef struct curveNameTagPairStr {
     char *curveName;
     SECOidTag curveOidTag;
 } CurveNameTagPair;
 
 static CurveNameTagPair nameTagPair[] =
     {
       { "sect163k1", SEC_OID_SECG_EC_SECT163K1 },
@@ -490,28 +489,27 @@ getECParams(const char *curve)
     if ((curveOidTag == SEC_OID_UNKNOWN) ||
         (oidData = SECOID_FindOIDByTag(curveOidTag)) == NULL) {
         fprintf(stderr, "Unrecognized elliptic curve %s\n", curve);
         return NULL;
     }
 
     ecparams = SECITEM_AllocItem(NULL, NULL, (2 + oidData->oid.len));
 
-    /* 
+    /*
      * ecparams->data needs to contain the ASN encoding of an object ID (OID)
-     * representing the named curve. The actual OID is in 
+     * representing the named curve. The actual OID is in
      * oidData->oid.data so we simply prepend 0x06 and OID length
      */
     ecparams->data[0] = SEC_ASN1_OBJECT_ID;
     ecparams->data[1] = oidData->oid.len;
     memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
 
     return ecparams;
 }
-#endif /* NSS_DISABLE_ECC */
 
 SECKEYPrivateKey *
 CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
                             int publicExponent, const char *noise,
                             SECKEYPublicKey **pubkeyp, const char *pqgFile,
                             PK11AttrFlags attrFlags, CK_FLAGS opFlagsOn,
                             CK_FLAGS opFlagsOff, secuPWData *pwdata)
 {
@@ -559,24 +557,22 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
                 if (dsaparams == NULL)
                     return NULL;
                 params = dsaparams;
             } else {
                 /* cast away const, and don't set dsaparams */
                 params = (void *)&default_pqg_params;
             }
             break;
-#ifndef NSS_DISABLE_ECC
         case ecKey:
             mechanism = CKM_EC_KEY_PAIR_GEN;
             /* For EC keys, PQGFile determines EC parameters */
             if ((params = (void *)getECParams(pqgFile)) == NULL)
                 return NULL;
             break;
-#endif /* NSS_DISABLE_ECC */
         default:
             return NULL;
     }
 
     fprintf(stderr, "\n\n");
     fprintf(stderr, "Generating key.  This may take a few moments...\n\n");
 
     privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, params, pubkeyp,
@@ -584,18 +580,16 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
                                                                         opFlagsOff,
                                               pwdata /*wincx*/);
     /* free up the params */
     switch (keytype) {
         case dsaKey:
             if (dsaparams)
                 CERTUTIL_DestroyParamsPQG(dsaparams);
             break;
-#ifndef NSS_DISABLE_ECC
         case ecKey:
             SECITEM_FreeItem((SECItem *)params, PR_TRUE);
             break;
-#endif
         default: /* nothing to free */
             break;
     }
     return privKey;
 }
--- a/cmd/fipstest/fipstest.c
+++ b/cmd/fipstest/fipstest.c
@@ -30,23 +30,21 @@
 #undef CK_NEED_ARG_LIST
 #undef __PASTE
 #define SSL3_RANDOM_LENGTH 32
 
 #if 0
 #include "../../lib/freebl/mpi/mpi.h"
 #endif
 
-#ifndef NSS_DISABLE_ECC
 extern SECStatus
 EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams);
 extern SECStatus
 EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
               const ECParams *srcParams);
-#endif
 
 #define ENCRYPT 1
 #define DECRYPT 0
 #define BYTE unsigned char
 #define DEFAULT_RSA_PUBLIC_EXPONENT 0x10001
 #define RSA_MAX_TEST_MODULUS_BITS 4096
 #define RSA_MAX_TEST_MODULUS_BYTES RSA_MAX_TEST_MODULUS_BITS / 8
 #define RSA_MAX_TEST_EXPONENT_BYTES 8
@@ -2089,17 +2087,16 @@ get_next_line(FILE *req, char *key, char
         } else {
             writeto[w++] = c;
         }
     }
     writeto[w] = '\0';
     return (c == EOF) ? -1 : ignore;
 }
 
-#ifndef NSS_DISABLE_ECC
 typedef struct curveNameTagPairStr {
     char *curveName;
     SECOidTag curveOidTag;
 } CurveNameTagPair;
 
 #define DEFAULT_CURVE_OID_TAG SEC_OID_SECG_EC_SECP192R1
 /* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
 
@@ -2953,17 +2950,16 @@ ecdsa_sigver_test(char *reqfn)
         }
     }
 loser:
     if (ecpub.ecParams.arena != NULL) {
         PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
     }
     fclose(ecdsareq);
 }
-#endif /* NSS_DISABLE_ECC */
 
 PRBool
 isblankline(char *b)
 {
     while (isspace(*b))
         b++;
     if ((*b == '\n') || (*b == 0)) {
         return PR_TRUE;
@@ -6089,17 +6085,16 @@ main(int argc, char **argv)
             dsa_pqgver_test(argv[3]);
         } else if (strcmp(argv[2], "siggen") == 0) {
             /* Signature Generation Test */
             dsa_siggen_test(argv[3]);
         } else if (strcmp(argv[2], "sigver") == 0) {
             /* Signature Verification Test */
             dsa_sigver_test(argv[3]);
         }
-#ifndef NSS_DISABLE_ECC
         /*************/
         /*   ECDSA   */
         /*************/
     } else if (strcmp(argv[1], "ecdsa") == 0) {
         /* argv[2]=keypair|pkv|siggen|sigver argv[3]=<test name>.req */
         if (strcmp(argv[2], "keypair") == 0) {
             /* Key Pair Generation Test */
             ecdsa_keypair_test(argv[3]);
@@ -6108,17 +6103,16 @@ main(int argc, char **argv)
             ecdsa_pkv_test(argv[3]);
         } else if (strcmp(argv[2], "siggen") == 0) {
             /* Signature Generation Test */
             ecdsa_siggen_test(argv[3]);
         } else if (strcmp(argv[2], "sigver") == 0) {
             /* Signature Verification Test */
             ecdsa_sigver_test(argv[3]);
         }
-#endif /* NSS_DISABLE_ECC */
         /*************/
         /*   RNG     */
         /*************/
     } else if (strcmp(argv[1], "rng") == 0) {
         /* argv[2]=vst|mct argv[3]=<test name>.req */
         if (strcmp(argv[2], "vst") == 0) {
             /* Variable Seed Test */
             rng_vst(argv[3]);
--- a/cmd/lib/secutil.c
+++ b/cmd/lib/secutil.c
@@ -1404,17 +1404,16 @@ secu_PrintAttribute(FILE *out, SEC_PKCS7
                         SECU_PrintTimeChoice(out, value, om, level + 1);
                         break;
                 }
             }
         }
     }
 }
 
-#ifndef NSS_DISABLE_ECC
 static void
 secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
 {
     SECItem curveOID = { siBuffer, NULL, 0 };
 
     SECU_Indent(out, level);
     fprintf(out, "%s:\n", m);
     SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level + 1);
@@ -1423,17 +1422,16 @@ secu_PrintECPublicKey(FILE *out, SECKEYP
      */
     if ((pk->u.ec.DEREncodedParams.len > 2) &&
         (pk->u.ec.DEREncodedParams.data[0] == 0x06)) {
         curveOID.len = pk->u.ec.DEREncodedParams.data[1];
         curveOID.data = pk->u.ec.DEREncodedParams.data + 2;
         SECU_PrintObjectID(out, &curveOID, "Curve", level + 1);
     }
 }
-#endif /* NSS_DISABLE_ECC */
 
 void
 SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
 {
     SECU_Indent(out, level);
     fprintf(out, "%s:\n", m);
     SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level + 1);
     SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level + 1);
@@ -1471,21 +1469,19 @@ secu_PrintSubjectPublicKeyInfo(FILE *out
             case rsaKey:
                 SECU_PrintRSAPublicKey(out, pk, "RSA Public Key", level + 1);
                 break;
 
             case dsaKey:
                 SECU_PrintDSAPublicKey(out, pk, "DSA Public Key", level + 1);
                 break;
 
-#ifndef NSS_DISABLE_ECC
             case ecKey:
                 secu_PrintECPublicKey(out, pk, "EC Public Key", level + 1);
                 break;
-#endif
 
             case dhKey:
             case fortezzaKey:
             case keaKey:
                 SECU_Indent(out, level);
                 fprintf(out, "unable to format this SPKI algorithm type\n");
                 goto loser;
             default:
--- a/cmd/selfserv/selfserv.c
+++ b/cmd/selfserv/selfserv.c
@@ -160,19 +160,17 @@ PrintUsageHeader(const char *progName)
 {
     fprintf(stderr,
             "Usage: %s -n rsa_nickname -p port [-BDENRZbjlmrsuvx] [-w password]\n"
             "         [-t threads] [-i pid_file] [-c ciphers] [-Y] [-d dbdir] [-g numblocks]\n"
             "         [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
             "         [-V [min-version]:[max-version]] [-a sni_name]\n"
             "         [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
             "         [-C SSLCacheEntries] [-S dsa_nickname] -Q [-I groups]"
-#ifndef NSS_DISABLE_ECC
             " [-e ec_nickname]"
-#endif /* NSS_DISABLE_ECC */
             "\n"
             "         -U [0|1] -H [0|1|2] -W [0|1]\n"
             "\n",
             progName);
 }
 
 static void
 PrintParameterUsage()
@@ -2338,25 +2336,23 @@ main(int argc, char **argv)
             case 'c':
                 cipherString = PORT_Strdup(optstate->value);
                 break;
 
             case 'd':
                 dir = optstate->value;
                 break;
 
-#ifndef NSS_DISABLE_ECC
             case 'e':
                 if (certNicknameIndex >= MAX_CERT_NICKNAME_ARRAY_INDEX) {
                     Usage(progName);
                     break;
                 }
                 certNicknameArray[certNicknameIndex++] = PORT_Strdup(optstate->value);
                 break;
-#endif /* NSS_DISABLE_ECC */
 
             case 'f':
                 pwdata.source = PW_FROMFILE;
                 pwdata.data = pwfile = PORT_Strdup(optstate->value);
                 break;
 
             case 'g':
                 testBulk = PR_TRUE;
@@ -2676,19 +2672,17 @@ main(int argc, char **argv)
             exit(10);
         }
         privKey[i] = PK11_FindKeyByAnyCert(cert[i], &pwdata);
         if (privKey[i] == NULL) {
             fprintf(stderr, "selfserv: Can't find Private Key for cert %s\n",
                     certNicknameArray[i]);
             exit(11);
         }
-#ifdef NSS_DISABLE_ECC
         if (privKey[i]->keyType != ecKey)
-#endif
             setupCertStatus(certStatusArena, ocspStaplingMode, cert[i], i, &pwdata);
     }
 
     if (configureWeakDHE > 0) {
         fprintf(stderr, "selfserv: Creating dynamic weak DH parameters\n");
         rv = SSL_EnableWeakDHEPrimeGroup(NULL, PR_TRUE);
         if (rv != SECSuccess) {
             goto cleanup;
--- a/coreconf/config.mk
+++ b/coreconf/config.mk
@@ -141,20 +141,16 @@ endif
 #######################################################################
 
 -include $(MKDEPENDENCIES)
 
 #######################################################################
 # [16.0] Global environ ment defines
 #######################################################################
 
-ifdef NSS_DISABLE_ECC
-DEFINES += -DNSS_DISABLE_ECC
-endif
-
 ifdef NSS_ALLOW_UNSUPPORTED_CRITICAL
 DEFINES += -DNSS_ALLOW_UNSUPPORTED_CRITICAL
 endif
 
 ifdef BUILD_LIBPKIX_TESTS
 DEFINES += -DBUILD_LIBPKIX_TESTS
 endif
 
--- a/lib/freebl/ec.c
+++ b/lib/freebl/ec.c
@@ -10,18 +10,16 @@
 #include "prerr.h"
 #include "secerr.h"
 #include "secmpi.h"
 #include "secitem.h"
 #include "mplogic.h"
 #include "ec.h"
 #include "ecl.h"
 
-#ifndef NSS_DISABLE_ECC
-
 static const ECMethod kMethods[] = {
     { ECCurve25519,
       ec_Curve25519_pt_mul,
       ec_Curve25519_pt_validate }
 };
 
 static const ECMethod *
 ec_get_method_from_name(ECCurveName name)
@@ -178,28 +176,26 @@ cleanup:
     mp_clear(&b);
     if (err) {
         MP_TO_SEC_ERROR(err);
         rv = SECFailure;
     }
 
     return rv;
 }
-#endif /* NSS_DISABLE_ECC */
 
 /* Generates a new EC key pair. The private key is a supplied
  * value and the public key is the result of performing a scalar
  * point multiplication of that value with the curve's base point.
  */
 SECStatus
 ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
           const unsigned char *privKeyBytes, int privKeyLen)
 {
     SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
     PLArenaPool *arena;
     ECPrivateKey *key;
     mp_int k;
     mp_err err = MP_OKAY;
     int len;
 
 #if EC_DEBUG
     printf("ec_NewKey called\n");
@@ -304,42 +300,34 @@ cleanup:
     if (rv) {
         PORT_FreeArena(arena, PR_TRUE);
     }
 
 #if EC_DEBUG
     printf("ec_NewKey returning %s\n",
            (rv == SECSuccess) ? "success" : "failure");
 #endif
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
 
     return rv;
 }
 
 /* Generates a new EC key pair. The private key is a supplied
  * random value (in seed) and the public key is the result of
  * performing a scalar point multiplication of that value with
  * the curve's base point.
  */
 SECStatus
 EC_NewKeyFromSeed(ECParams *ecParams, ECPrivateKey **privKey,
                   const unsigned char *seed, int seedlen)
 {
     SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
     rv = ec_NewKey(ecParams, privKey, seed, seedlen);
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
     return rv;
 }
 
-#ifndef NSS_DISABLE_ECC
 /* Generate a random private key using the algorithm A.4.1 of ANSI X9.62,
  * modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the
  * random number generator.
  *
  * Parameters
  * - order: a buffer that holds the curve's group order
  * - len: the length in octets of the order buffer
  *
@@ -386,27 +374,25 @@ cleanup:
         rv = SECFailure;
     }
     if (rv != SECSuccess && privKeyBytes) {
         PORT_ZFree(privKeyBytes, 2 * len);
         privKeyBytes = NULL;
     }
     return privKeyBytes;
 }
-#endif /* NSS_DISABLE_ECC */
 
 /* Generates a new EC key pair. The private key is a random value and
  * the public key is the result of performing a scalar point multiplication
  * of that value with the curve's base point.
  */
 SECStatus
 EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey)
 {
     SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
     int len;
     unsigned char *privKeyBytes = NULL;
 
     if (!ecParams) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
@@ -420,33 +406,29 @@ EC_NewKey(ECParams *ecParams, ECPrivateK
 cleanup:
     if (privKeyBytes) {
         PORT_ZFree(privKeyBytes, len);
     }
 #if EC_DEBUG
     printf("EC_NewKey returning %s\n",
            (rv == SECSuccess) ? "success" : "failure");
 #endif
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
 
     return rv;
 }
 
 /* Validates an EC public key as described in Section 5.2.2 of
  * X9.62. The ECDH primitive when used without the cofactor does
  * not address small subgroup attacks, which may occur when the
  * public key is not valid. These attacks can be prevented by
  * validating the public key before using ECDH.
  */
 SECStatus
 EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue)
 {
-#ifndef NSS_DISABLE_ECC
     mp_int Px, Py;
     ECGroup *group = NULL;
     SECStatus rv = SECFailure;
     mp_err err = MP_OKAY;
     int len;
 
     if (!ecParams || !publicValue || !ecParams->name) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -520,20 +502,16 @@ cleanup:
     ECGroup_free(group);
     mp_clear(&Px);
     mp_clear(&Py);
     if (err) {
         MP_TO_SEC_ERROR(err);
         rv = SECFailure;
     }
     return rv;
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-    return SECFailure;
-#endif /* NSS_DISABLE_ECC */
 }
 
 /*
 ** Performs an ECDH key derivation by computing the scalar point
 ** multiplication of privateValue and publicValue (with or without the
 ** cofactor) and returns the x-coordinate of the resulting elliptic
 ** curve point in derived secret.  If successful, derivedSecret->data
 ** is set to the address of the newly allocated buffer containing the
@@ -544,17 +522,16 @@ cleanup:
 SECStatus
 ECDH_Derive(SECItem *publicValue,
             ECParams *ecParams,
             SECItem *privateValue,
             PRBool withCofactor,
             SECItem *derivedSecret)
 {
     SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
     unsigned int len = 0;
     SECItem pointQ = { siBuffer, NULL, 0 };
     mp_int k; /* to hold the private value */
     mp_int cofactor;
     mp_err err = MP_OKAY;
 #if EC_DEBUG
     int i;
 #endif
@@ -649,33 +626,29 @@ cleanup:
 
     if (err) {
         MP_TO_SEC_ERROR(err);
     }
 
     if (pointQ.data) {
         PORT_ZFree(pointQ.data, pointQ.len);
     }
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
 
     return rv;
 }
 
 /* Computes the ECDSA signature (a concatenation of two values r and s)
  * on the digest using the given key and the random value kb (used in
  * computing s).
  */
 SECStatus
 ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
                          const SECItem *digest, const unsigned char *kb, const int kblen)
 {
     SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
     mp_int x1;
     mp_int d, k; /* private key, random integer */
     mp_int r, s; /* tuple (r, s) is the signature */
     mp_int t;    /* holding tmp values */
     mp_int n;
     mp_err err = MP_OKAY;
     ECParams *ecParams = NULL;
     SECItem kGpoint = { siBuffer, NULL, 0 };
@@ -894,32 +867,28 @@ cleanup:
         MP_TO_SEC_ERROR(err);
         rv = SECFailure;
     }
 
 #if EC_DEBUG
     printf("ECDSA signing with seed %s\n",
            (rv == SECSuccess) ? "succeeded" : "failed");
 #endif
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
 
     return rv;
 }
 
 /*
 ** Computes the ECDSA signature on the digest using the given key
 ** and a random seed.
 */
 SECStatus
 ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest)
 {
     SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
     int len;
     unsigned char *kBytes = NULL;
 
     if (!key) {
         PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
 
@@ -936,19 +905,16 @@ cleanup:
     if (kBytes) {
         PORT_ZFree(kBytes, len);
     }
 
 #if EC_DEBUG
     printf("ECDSA signing %s\n",
            (rv == SECSuccess) ? "succeeded" : "failed");
 #endif
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
 
     return rv;
 }
 
 /*
 ** Checks the signature on the given digest using the key provided.
 **
 ** The key argument must represent a valid EC public key (a point on
@@ -956,17 +922,16 @@ cleanup:
 ** of this function is undefined.  In cases where a public key might
 ** not be valid, use EC_ValidatePublicKey to check.
 */
 SECStatus
 ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature,
                    const SECItem *digest)
 {
     SECStatus rv = SECFailure;
-#ifndef NSS_DISABLE_ECC
     mp_int r_, s_;       /* tuple (r', s') is received signature) */
     mp_int c, u1, u2, v; /* intermediate values used in verification */
     mp_int x1;
     mp_int n;
     mp_err err = MP_OKAY;
     ECParams *ecParams = NULL;
     SECItem pointC = { siBuffer, NULL, 0 };
     int slen;       /* length in bytes of a half signature (r or s) */
@@ -1156,14 +1121,11 @@ cleanup:
         MP_TO_SEC_ERROR(err);
         rv = SECFailure;
     }
 
 #if EC_DEBUG
     printf("ECDSA verification %s\n",
            (rv == SECSuccess) ? "succeeded" : "failed");
 #endif
-#else
-    PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_DISABLE_ECC */
 
     return rv;
 }
--- a/lib/freebl/ecdecode.c
+++ b/lib/freebl/ecdecode.c
@@ -1,14 +1,12 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifndef NSS_DISABLE_ECC
-
 #ifdef FREEBL_NO_DEPEND
 #include "stubs.h"
 #endif
 
 #include "blapi.h"
 #include "secoid.h"
 #include "secitem.h"
 #include "secerr.h"
@@ -247,10 +245,8 @@ EC_GetPointSize(const ECParams *params)
         return sizeInBytes * 2 + 1;
     }
     if (name == ECCurve25519) {
         /* Only X here */
         return curveParams->scalarSize;
     }
     return curveParams->pointSize - 1;
 }
-
-#endif /* NSS_DISABLE_ECC */
--- a/lib/freebl/manifest.mn
+++ b/lib/freebl/manifest.mn
@@ -98,24 +98,20 @@ PRIVATE_EXPORTS = \
 	eclt.h \
 	$(NULL)
 
 MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
 MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c
 
 
 ECL_HDRS = ecl-exp.h ecl.h ecp.h ecl-priv.h
-ifndef NSS_DISABLE_ECC
 ECL_SRCS = ecl.c ecl_mult.c ecl_gf.c \
 	ecp_aff.c ecp_jac.c ecp_mont.c \
 	ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \
 	ecp_256_32.c ecp_25519.c
-else
-ECL_SRCS = $(NULL)
-endif
 SHA_SRCS = sha_fast.c
 MPCPU_SRCS = mpcpucache.c
 VERIFIED_SRCS = $(NULL)
 
 CSRCS = \
 	freeblver.c \
 	ldvector.c \
 	sysrand.c \
--- a/lib/pk11wrap/pk11pk12.c
+++ b/lib/pk11wrap/pk11pk12.c
@@ -148,17 +148,16 @@ const SEC_ASN1Template SECKEY_DSAPrivate
 };
 
 const SEC_ASN1Template SECKEY_DHPrivateKeyExportTemplate[] = {
     { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.privateValue) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.base) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.dh.prime) },
 };
 
-#ifndef NSS_DISABLE_ECC
 SEC_ASN1_MKSUB(SEC_BitStringTemplate)
 SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
 
 const SEC_ASN1Template SECKEY_ECPrivateKeyExportTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(SECKEYRawPrivateKey) },
     { SEC_ASN1_INTEGER, offsetof(SECKEYRawPrivateKey, u.ec.version) },
     { SEC_ASN1_OCTET_STRING,
       offsetof(SECKEYRawPrivateKey, u.ec.privateValue) },
@@ -173,17 +172,16 @@ const SEC_ASN1Template SECKEY_ECPrivateK
      * can't do scalar mult on ECs to get a raw point with PK11 APIs. */
     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
           SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
           SEC_ASN1_XTRN | 1,
       offsetof(SECKEYRawPrivateKey, u.ec.publicValue),
       SEC_ASN1_SUB(SEC_BitStringTemplate) },
     { 0 }
 };
-#endif /* NSS_DISABLE_ECC */
 
 const SEC_ASN1Template SECKEY_EncryptedPrivateKeyInfoTemplate[] = {
     { SEC_ASN1_SEQUENCE,
       0, NULL, sizeof(SECKEYEncryptedPrivateKeyInfo) },
     { SEC_ASN1_INLINE | SEC_ASN1_XTRN,
       offsetof(SECKEYEncryptedPrivateKeyInfo, algorithm),
       SEC_ASN1_SUB(SECOID_AlgorithmIDTemplate) },
     { SEC_ASN1_OCTET_STRING,
@@ -477,17 +475,16 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
             attrs++;
             PK11_SETATTRS(attrs, CKA_BASE, lpk->u.dh.base.data,
                           lpk->u.dh.base.len);
             attrs++;
             PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.dh.privateValue.data,
                           lpk->u.dh.privateValue.len);
             attrs++;
             break;
-#ifndef NSS_DISABLE_ECC
         case ecKey:
             keyType = CKK_EC;
             if (lpk->u.ec.publicValue.len == 0) {
                 goto loser;
             }
             if (PK11_IsInternal(slot)) {
                 PK11_SETATTRS(attrs, CKA_NETSCAPE_DB,
                               lpk->u.ec.publicValue.data,
@@ -520,17 +517,16 @@ PK11_ImportAndReturnPrivateKey(PK11SlotI
             attrs++;
             PK11_SETATTRS(attrs, CKA_VALUE, lpk->u.ec.privateValue.data,
                           lpk->u.ec.privateValue.len);
             attrs++;
             PK11_SETATTRS(attrs, CKA_EC_POINT, lpk->u.ec.publicValue.data,
                           lpk->u.ec.publicValue.len);
             attrs++;
             break;
-#endif /* NSS_DISABLE_ECC */
         default:
             PORT_SetError(SEC_ERROR_BAD_KEY);
             goto loser;
     }
     templateCount = attrs - theTemplate;
     PORT_Assert(templateCount <= sizeof(theTemplate) / sizeof(CK_ATTRIBUTE));
     PORT_Assert(signedattr != NULL);
     signedcount = attrs - signedattr;
@@ -601,25 +597,23 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK
                 goto loser;
             }
             prepare_dh_priv_key_export_for_asn1(lpk);
             keyTemplate = SECKEY_DHPrivateKeyExportTemplate;
             paramTemplate = NULL;
             paramDest = NULL;
             lpk->keyType = dhKey;
             break;
-#ifndef NSS_DISABLE_ECC
         case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
             prepare_ec_priv_key_export_for_asn1(lpk);
             keyTemplate = SECKEY_ECPrivateKeyExportTemplate;
             paramTemplate = NULL;
             paramDest = NULL;
             lpk->keyType = ecKey;
             break;
-#endif /* NSS_DISABLE_ECC */
 
         default:
             keyTemplate = NULL;
             paramTemplate = NULL;
             paramDest = NULL;
             break;
     }
 
@@ -628,29 +622,27 @@ PK11_ImportPrivateKeyInfoAndReturnKey(PK
     }
 
     /* decode the private key and any algorithm parameters */
     rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
     if (rv != SECSuccess) {
         goto loser;
     }
 
-#ifndef NSS_DISABLE_ECC
     if (lpk->keyType == ecKey) {
         /* Convert length in bits to length in bytes. */
         lpk->u.ec.publicValue.len >>= 3;
 
         /* Always override curveOID, we're ignoring any given value. */
         rv = SECITEM_CopyItem(arena, &lpk->u.ec.curveOID,
                               &pki->algorithm.parameters);
         if (rv != SECSuccess) {
             goto loser;
         }
     }
-#endif /* NSS_DISABLE_ECC */
 
     if (paramDest && paramTemplate) {
         rv = SEC_ASN1DecodeItem(arena, paramDest, paramTemplate,
                                 &(pki->algorithm.parameters));
         if (rv != SECSuccess) {
             goto loser;
         }
     }
--- a/lib/softoken/legacydb/keydb.c
+++ b/lib/softoken/legacydb/keydb.c
@@ -1132,22 +1132,20 @@ nsslowkey_KeyForCertExists(NSSLOWKEYDBHa
         case NSSLOWKEYDSAKey:
             namekey.data = pubkey->u.dsa.publicValue.data;
             namekey.size = pubkey->u.dsa.publicValue.len;
             break;
         case NSSLOWKEYDHKey:
             namekey.data = pubkey->u.dh.publicValue.data;
             namekey.size = pubkey->u.dh.publicValue.len;
             break;
-#ifndef NSS_DISABLE_ECC
         case NSSLOWKEYECKey:
             namekey.data = pubkey->u.ec.publicValue.data;
             namekey.size = pubkey->u.ec.publicValue.len;
             break;
-#endif /* NSS_DISABLE_ECC */
         default:
             /* XXX We don't do Fortezza or DH yet. */
             return PR_FALSE;
     }
 
     if (handle->version != 3) {
         unsigned char buf[SHA1_LENGTH];
         SHA1_HashBuf(buf, namekey.data, namekey.size);
@@ -1462,22 +1460,20 @@ seckey_encrypt_private_key(PLArenaPool *
                            SDB *sdbpw, SECItem *result)
 {
     NSSLOWKEYPrivateKeyInfo *pki = NULL;
     SECStatus rv = SECFailure;
     PLArenaPool *temparena = NULL;
     SECItem *der_item = NULL;
     SECItem *cipherText = NULL;
     SECItem *dummy = NULL;
-#ifndef NSS_DISABLE_ECC
 #ifdef EC_DEBUG
     SECItem *fordebug = NULL;
 #endif
     int savelen;
-#endif
 
     temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
     if (temparena == NULL)
         goto loser;
 
     /* allocate structures */
     pki = (NSSLOWKEYPrivateKeyInfo *)PORT_ArenaZAlloc(temparena,
                                                       sizeof(NSSLOWKEYPrivateKeyInfo));
@@ -1543,17 +1539,16 @@ seckey_encrypt_private_key(PLArenaPool *
             }
 
             rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
                                        SEC_OID_X942_DIFFIE_HELMAN_KEY, dummy);
             if (rv == SECFailure) {
                 goto loser;
             }
             break;
-#ifndef NSS_DISABLE_ECC
         case NSSLOWKEYECKey:
             lg_prepare_low_ec_priv_key_for_asn1(pk);
             /* Public value is encoded as a bit string so adjust length
              * to be in bits before ASN encoding and readjust
              * immediately after.
              *
              * Since the SECG specification recommends not including the
              * parameters as part of ECPrivateKey, we zero out the curveOID
@@ -1584,17 +1579,16 @@ seckey_encrypt_private_key(PLArenaPool *
 
 #ifdef EC_DEBUG
             fordebug = &(pki->privateKey);
             SEC_PRINT("seckey_encrypt_private_key()", "PrivateKey",
                       pk->keyType, fordebug);
 #endif
 
             break;
-#endif /* NSS_DISABLE_ECC */
         default:
             /* We don't support DH or Fortezza private keys yet */
             PORT_Assert(PR_FALSE);
             break;
     }
 
     /* setup encrypted private key info */
     dummy = SEC_ASN1EncodeItem(temparena, der_item, pki,
@@ -1804,17 +1798,16 @@ seckey_decrypt_private_key(SECItem *epki
                     lg_prepare_low_dh_priv_key_for_asn1(pk);
                     if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
                                                        &pki->privateKey))
                         break;
                     rv = SEC_QuickDERDecodeItem(permarena, pk,
                                                 lg_nsslowkey_DHPrivateKeyTemplate,
                                                 &newPrivateKey);
                     break;
-#ifndef NSS_DISABLE_ECC
                 case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
                     pk->keyType = NSSLOWKEYECKey;
                     lg_prepare_low_ec_priv_key_for_asn1(pk);
 
 #ifdef EC_DEBUG
                     fordebug = &pki->privateKey;
                     SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey",
                               pk->keyType, fordebug);
@@ -1844,17 +1837,16 @@ seckey_decrypt_private_key(SECItem *epki
                     if (rv != SECSuccess)
                         goto loser;
 
                     if (pk->u.ec.publicValue.len != 0) {
                         pk->u.ec.publicValue.len >>= 3;
                     }
 
                     break;
-#endif /* NSS_DISABLE_ECC */
                 default:
                     rv = SECFailure;
                     break;
             }
         } else if (PORT_GetError() == SEC_ERROR_BAD_DER) {
             PORT_SetError(SEC_ERROR_BAD_PASSWORD);
             goto loser;
         }
--- a/lib/softoken/legacydb/lgattr.c
+++ b/lib/softoken/legacydb/lgattr.c
@@ -416,21 +416,19 @@ lg_GetPubItem(NSSLOWKEYPublicKey *pubKey
             pubItem = &pubKey->u.rsa.modulus;
             break;
         case NSSLOWKEYDSAKey:
             pubItem = &pubKey->u.dsa.publicValue;
             break;
         case NSSLOWKEYDHKey:
             pubItem = &pubKey->u.dh.publicValue;
             break;
-#ifndef NSS_DISABLE_ECC
         case NSSLOWKEYECKey:
             pubItem = &pubKey->u.ec.publicValue;
             break;
-#endif /* NSS_DISABLE_ECC */
         default:
             break;
     }
     return pubItem;
 }
 
 static CK_RV
 lg_FindRSAPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
@@ -539,17 +537,16 @@ lg_FindDHPublicKeyAttribute(NSSLOWKEYPub
             return lg_CopyAttributeSigned(attribute, type, key->u.dh.base.data,
                                           key->u.dh.base.len);
         default:
             break;
     }
     return lg_invalidAttribute(attribute);
 }
 
-#ifndef NSS_DISABLE_ECC
 static CK_RV
 lg_FindECPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
                             CK_ATTRIBUTE *attribute)
 {
     unsigned char hash[SHA1_LENGTH];
     CK_KEY_TYPE keyType = CKK_EC;
 
     switch (type) {
@@ -589,17 +586,16 @@ lg_FindECPublicKeyAttribute(NSSLOWKEYPub
                 SECITEM_FreeItem(pubValue, PR_TRUE);
                 return crv;
             }
         default:
             break;
     }
     return lg_invalidAttribute(attribute);
 }
-#endif /* NSS_DISABLE_ECC */
 
 static CK_RV
 lg_FindPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
                           CK_ATTRIBUTE *attribute)
 {
     NSSLOWKEYPublicKey *key;
     CK_RV crv;
     char *label;
@@ -640,20 +636,18 @@ lg_FindPublicKeyAttribute(LGObjectCache 
 
     switch (key->keyType) {
         case NSSLOWKEYRSAKey:
             return lg_FindRSAPublicKeyAttribute(key, type, attribute);
         case NSSLOWKEYDSAKey:
             return lg_FindDSAPublicKeyAttribute(key, type, attribute);
         case NSSLOWKEYDHKey:
             return lg_FindDHPublicKeyAttribute(key, type, attribute);
-#ifndef NSS_DISABLE_ECC
         case NSSLOWKEYECKey:
             return lg_FindECPublicKeyAttribute(key, type, attribute);
-#endif /* NSS_DISABLE_ECC */
         default:
             break;
     }
 
     return lg_invalidAttribute(attribute);
 }
 
 static CK_RV
@@ -930,17 +924,16 @@ lg_FindDHPrivateKeyAttribute(NSSLOWKEYPr
                                           key->u.dh.publicValue.data,
                                           key->u.dh.publicValue.len);
         default:
             break;
     }
     return lg_invalidAttribute(attribute);
 }
 
-#ifndef NSS_DISABLE_ECC
 static CK_RV
 lg_FindECPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
                              CK_ATTRIBUTE *attribute, SDB *sdbpw)
 {
     unsigned char hash[SHA1_LENGTH];
     CK_KEY_TYPE keyType = CKK_EC;
 
     switch (type) {
@@ -968,17 +961,16 @@ lg_FindECPrivateKeyAttribute(NSSLOWKEYPr
             return lg_CopyAttributeSigned(attribute, type,
                                           key->u.ec.publicValue.data,
                                           key->u.ec.publicValue.len);
         default:
             break;
     }
     return lg_invalidAttribute(attribute);
 }
-#endif /* NSS_DISABLE_ECC */
 
 static CK_RV
 lg_FindPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
                            CK_ATTRIBUTE *attribute)
 {
     NSSLOWKEYPrivateKey *key;
     char *label;
     CK_RV crv;
@@ -1015,20 +1007,18 @@ lg_FindPrivateKeyAttribute(LGObjectCache
     }
     switch (key->keyType) {
         case NSSLOWKEYRSAKey:
             return lg_FindRSAPrivateKeyAttribute(key, type, attribute, obj->sdb);
         case NSSLOWKEYDSAKey:
             return lg_FindDSAPrivateKeyAttribute(key, type, attribute, obj->sdb);
         case NSSLOWKEYDHKey:
             return lg_FindDHPrivateKeyAttribute(key, type, attribute, obj->sdb);
-#ifndef NSS_DISABLE_ECC
         case NSSLOWKEYECKey:
             return lg_FindECPrivateKeyAttribute(key, type, attribute, obj->sdb);
-#endif /* NSS_DISABLE_ECC */
         default:
             break;
     }
 
     return lg_invalidAttribute(attribute);
 }
 
 static CK_RV
--- a/lib/softoken/legacydb/lgcreate.c
+++ b/lib/softoken/legacydb/lgcreate.c
@@ -393,44 +393,39 @@ static CK_RV
 lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
                          CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
 {
     CK_ATTRIBUTE_TYPE pubKeyAttr = CKA_VALUE;
     CK_RV crv = CKR_OK;
     NSSLOWKEYPrivateKey *priv;
     SECItem pubKeySpace = { siBuffer, NULL, 0 };
     SECItem *pubKey;
-#ifndef NSS_DISABLE_ECC
     SECItem pubKey2Space = { siBuffer, NULL, 0 };
     PLArenaPool *arena = NULL;
-#endif /* NSS_DISABLE_ECC */
     NSSLOWKEYDBHandle *keyHandle = NULL;
 
     switch (key_type) {
         case CKK_RSA:
             pubKeyAttr = CKA_MODULUS;
             break;
-#ifndef NSS_DISABLE_ECC
         case CKK_EC:
             pubKeyAttr = CKA_EC_POINT;
             break;
-#endif /* NSS_DISABLE_ECC */
         case CKK_DSA:
         case CKK_DH:
             break;
         default:
             return CKR_ATTRIBUTE_VALUE_INVALID;
     }
 
     pubKey = &pubKeySpace;
     crv = lg_Attribute2SSecItem(NULL, pubKeyAttr, templ, count, pubKey);
     if (crv != CKR_OK)
         return crv;
 
-#ifndef NSS_DISABLE_ECC
     if (key_type == CKK_EC) {
         SECStatus rv;
         /*
          * for ECC, use the decoded key first.
          */
         arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
         if (arena == NULL) {
             crv = CKR_HOST_MEMORY;
@@ -443,17 +438,16 @@ lg_createPublicKeyObject(SDB *sdb, CK_KE
             /* decode didn't work, just try the pubKey */
             PORT_FreeArena(arena, PR_FALSE);
             arena = NULL;
         } else {
             /* try the decoded pub key first */
             pubKey = &pubKey2Space;
         }
     }
-#endif /* NSS_DISABLE_ECC */
 
     PORT_Assert(pubKey->data);
     if (pubKey->data == NULL) {
         crv = CKR_ATTRIBUTE_VALUE_INVALID;
         goto done;
     }
     keyHandle = lg_getKeyDB(sdb);
     if (keyHandle == NULL) {
@@ -464,41 +458,38 @@ lg_createPublicKeyObject(SDB *sdb, CK_KE
         unsigned char buf[SHA1_LENGTH];
         SHA1_HashBuf(buf, pubKey->data, pubKey->len);
         PORT_Memcpy(pubKey->data, buf, sizeof(buf));
         pubKey->len = sizeof(buf);
     }
     /* make sure the associated private key already exists */
     /* only works if we are logged in */
     priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey, sdb /*password*/);
-#ifndef NSS_DISABLE_ECC
     if (priv == NULL && pubKey == &pubKey2Space) {
         /* no match on the decoded key, match the original pubkey */
         pubKey = &pubKeySpace;
         priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey,
                                             sdb /*password*/);
     }
-#endif
     if (priv == NULL) {
         /* the legacy database can only 'store' public keys which already
          * have their corresponding private keys in the database */
         crv = CKR_ATTRIBUTE_VALUE_INVALID;
         goto done;
     }
     lg_nsslowkey_DestroyPrivateKey(priv);
     crv = CKR_OK;
 
     *handle = lg_mkHandle(sdb, pubKey, LG_TOKEN_TYPE_PUB);
 
 done:
     PORT_Free(pubKeySpace.data);
-#ifndef NSS_DISABLE_ECC
-    if (arena)
+    if (arena) {
         PORT_FreeArena(arena, PR_FALSE);
-#endif
+    }
 
     return crv;
 }
 
 /* make a private key from a verified object */
 static NSSLOWKEYPrivateKey *
 lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUTE *templ, CK_ULONG count,
              CK_KEY_TYPE key_type, CK_RV *crvp)
@@ -608,17 +599,16 @@ lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUT
             if (lg_hasAttribute(CKA_NETSCAPE_DB, templ, count)) {
                 crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB, templ, count,
                                             &privKey->u.dh.publicValue);
                 /* privKey was zero'd so public value is already set to NULL, 0
                  * if we don't set it explicitly */
             }
             break;
 
-#ifndef NSS_DISABLE_ECC
         case CKK_EC:
             privKey->keyType = NSSLOWKEYECKey;
             crv = lg_Attribute2SSecItem(arena, CKA_EC_PARAMS, templ, count,
                                         &privKey->u.ec.ecParams.DEREncoding);
             if (crv != CKR_OK)
                 break;
 
             /* Fill out the rest of the ecParams structure
@@ -641,17 +631,16 @@ lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUT
                 /* privKey was zero'd so public value is already set to NULL, 0
                  * if we don't set it explicitly */
             }
             rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version,
                                  NSSLOWKEY_EC_PRIVATE_KEY_VERSION);
             if (rv != SECSuccess)
                 crv = CKR_HOST_MEMORY;
             break;
-#endif /* NSS_DISABLE_ECC */
 
         default:
             crv = CKR_KEY_TYPE_INCONSISTENT;
             break;
     }
     *crvp = crv;
     if (crv != CKR_OK) {
         PORT_FreeArena(arena, PR_FALSE);
--- a/lib/softoken/legacydb/lowcert.c
+++ b/lib/softoken/legacydb/lowcert.c
@@ -818,17 +818,16 @@ nsslowcert_ExtractPublicKey(NSSLOWCERTCe
         case SEC_OID_X942_DIFFIE_HELMAN_KEY:
             pubk->keyType = NSSLOWKEYDHKey;
             prepare_low_dh_pub_key_for_asn1(pubk);
             rv = SEC_QuickDERDecodeItem(arena, pubk,
                                         nsslowcert_DHPublicKeyTemplate, &os);
             if (rv == SECSuccess)
                 return pubk;
             break;
-#ifndef NSS_DISABLE_ECC
         case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
             pubk->keyType = NSSLOWKEYECKey;
             /* Since PKCS#11 directly takes the DER encoding of EC params
              * and public value, we don't need any decoding here.
              */
             rv = SECITEM_CopyItem(arena, &pubk->u.ec.ecParams.DEREncoding,
                                   &spki.algorithm.parameters);
             if (rv != SECSuccess)
@@ -840,17 +839,16 @@ nsslowcert_ExtractPublicKey(NSSLOWCERTCe
             if (LGEC_FillParams(arena, &pubk->u.ec.ecParams.DEREncoding,
                                 &pubk->u.ec.ecParams) != SECSuccess)
                 break;
 
             rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &os);
             if (rv == SECSuccess)
                 return pubk;
             break;
-#endif /* NSS_DISABLE_ECC */
         default:
             rv = SECFailure;
             break;
     }
 
     lg_nsslowkey_DestroyPublicKey(pubk);
     return NULL;
 }
--- a/lib/softoken/legacydb/lowkey.c
+++ b/lib/softoken/legacydb/lowkey.c
@@ -94,18 +94,16 @@ const SEC_ASN1Template lg_nsslowkey_DHPr
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.publicValue) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.privateValue) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.base) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.prime) },
     { 0 }
 };
 
-#ifndef NSS_DISABLE_ECC
-
 /* NOTE: The SECG specification allows the private key structure
  * to contain curve parameters but recommends that they be stored
  * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
  * instead.
  */
 const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.ec.version) },
@@ -188,17 +186,16 @@ LGEC_CopyParams(PLArenaPool *arena, ECPa
         goto loser;
     }
 
     return SECSuccess;
 
 loser:
     return SECFailure;
 }
-#endif /* NSS_DISABLE_ECC */
 /*
  * See bugzilla bug 125359
  * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
  * all of the templates above that en/decode into integers must be converted
  * from ASN.1's signed integer type.  This is done by marking either the
  * source or destination (encoding or decoding, respectively) type as
  * siUnsignedInteger.
  */
@@ -238,34 +235,32 @@ void
 lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.dh.prime.type = siUnsignedInteger;
     key->u.dh.base.type = siUnsignedInteger;
     key->u.dh.publicValue.type = siUnsignedInteger;
     key->u.dh.privateValue.type = siUnsignedInteger;
 }
 
-#ifndef NSS_DISABLE_ECC
 void
 lg_prepare_low_ecparams_for_asn1(ECParams *params)
 {
     params->DEREncoding.type = siUnsignedInteger;
     params->curveOID.type = siUnsignedInteger;
 }
 
 void
 lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.ec.version.type = siUnsignedInteger;
     key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
     key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
     key->u.ec.privateValue.type = siUnsignedInteger;
     key->u.ec.publicValue.type = siUnsignedInteger;
 }
-#endif /* NSS_DISABLE_ECC */
 
 void
 lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
 {
     if (privk && privk->arena) {
         PORT_FreeArena(privk->arena, PR_TRUE);
     }
 }
@@ -357,17 +352,16 @@ lg_nsslowkey_ConvertToPublicKey(NSSLOWKE
                 if (rv != SECSuccess)
                     break;
                 rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
                                       &privk->u.dh.base);
                 if (rv == SECSuccess)
                     return pubk;
             }
             break;
-#ifndef NSS_DISABLE_ECC
         case NSSLOWKEYECKey:
             pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
                                                           sizeof(NSSLOWKEYPublicKey));
             if (pubk != NULL) {
                 SECStatus rv;
 
                 pubk->arena = arena;
                 pubk->keyType = privk->keyType;
@@ -378,17 +372,16 @@ lg_nsslowkey_ConvertToPublicKey(NSSLOWKE
                 pubk->u.ec.ecParams.arena = arena;
                 /* Copy the rest of the params */
                 rv = LGEC_CopyParams(arena, &(pubk->u.ec.ecParams),
                                      &(privk->u.ec.ecParams));
                 if (rv == SECSuccess)
                     return pubk;
             }
             break;
-#endif /* NSS_DISABLE_ECC */
         /* No Fortezza in Low Key implementations (Fortezza keys aren't
          * stored in our data base */
         default:
             break;
     }
 
     PORT_FreeArena(arena, PR_FALSE);
     return NULL;
--- a/lib/softoken/legacydb/lowkeyi.h
+++ b/lib/softoken/legacydb/lowkeyi.h
@@ -21,20 +21,18 @@ SEC_BEGIN_PROTOS
  * from ASN.1's signed integer type.  This is done by marking either the
  * source or destination (encoding or decoding, respectively) type as
  * siUnsignedInteger.
  */
 extern void lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void lg_prepare_low_pqg_params_for_asn1(PQGParams *params);
 extern void lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-#ifndef NSS_DISABLE_ECC
 extern void lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void lg_prepare_low_ecparams_for_asn1(ECParams *params);
-#endif /* NSS_DISABLE_ECC */
 
 typedef char *(*NSSLOWKEYDBNameFunc)(void *arg, int dbVersion);
 
 /*
 ** Open a key database.
 */
 extern NSSLOWKEYDBHandle *nsslowkey_OpenKeyDB(PRBool readOnly,
                                               const char *domain,
@@ -129,23 +127,22 @@ nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWK
 extern NSSLOWKEYPrivateKey *
 nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus,
                              SDB *sdb);
 
 extern char *
 nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle,
                                      SECItem *modulus, SDB *sdb);
 
-#ifndef NSS_DISABLE_ECC
 /*
  * smaller version of EC_FillParams. In this code, we only need
  * oid and DER data.
  */
 SECStatus LGEC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
                           ECParams *params);
 
 /* Copy all of the fields from srcParams into dstParams */
 SECStatus LGEC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
                           const ECParams *srcParams);
-#endif
+
 SEC_END_PROTOS
 
 #endif /* _LOWKEYI_H_ */
--- a/lib/softoken/legacydb/lowkeyti.h
+++ b/lib/softoken/legacydb/lowkeyti.h
@@ -37,20 +37,18 @@ typedef struct NSSLOWKEYDBHandleStr NSSL
 ** Typedef for callback to get a password "key".
 */
 extern const SEC_ASN1Template lg_nsslowkey_PQGParamsTemplate[];
 extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate[];
 extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate2[];
 extern const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[];
 extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[];
 extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyExportTemplate[];
-#ifndef NSS_DISABLE_ECC
 #define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */
 extern const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[];
-#endif /* NSS_DISABLE_ECC */
 
 extern const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[];
 extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
 
 /*
  * PKCS #8 attributes
  */
 struct NSSLOWKEYAttributeStr {
--- a/lib/softoken/lowkey.c
+++ b/lib/softoken/lowkey.c
@@ -3,20 +3,17 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "lowkeyi.h"
 #include "secoid.h"
 #include "secitem.h"
 #include "secder.h"
 #include "base64.h"
 #include "secasn1.h"
 #include "secerr.h"
-
-#ifndef NSS_DISABLE_ECC
 #include "softoken.h"
-#endif
 
 SEC_ASN1_MKSUB(SEC_AnyTemplate)
 SEC_ASN1_MKSUB(SEC_BitStringTemplate)
 SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
 
 const SEC_ASN1Template nsslowkey_AttributeTemplate[] = {
     { SEC_ASN1_SEQUENCE,
@@ -85,18 +82,16 @@ const SEC_ASN1Template nsslowkey_DHPriva
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.publicValue) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.privateValue) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.base) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.dh.prime) },
     { 0 }
 };
 
-#ifndef NSS_DISABLE_ECC
-
 /* NOTE: The SECG specification allows the private key structure
  * to contain curve parameters but recommends that they be stored
  * in the PrivateKeyAlgorithmIdentifier field of the PrivateKeyInfo
  * instead.
  */
 const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[] = {
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey, u.ec.version) },
@@ -112,17 +107,16 @@ const SEC_ASN1Template nsslowkey_ECPriva
       SEC_ASN1_SUB(SEC_ObjectIDTemplate) },
     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
           SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
           SEC_ASN1_XTRN | 1,
       offsetof(NSSLOWKEYPrivateKey, u.ec.publicValue),
       SEC_ASN1_SUB(SEC_BitStringTemplate) },
     { 0 }
 };
-#endif /* NSS_DISABLE_ECC */
 /*
  * See bugzilla bug 125359
  * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
  * all of the templates above that en/decode into integers must be converted
  * from ASN.1's signed integer type.  This is done by marking either the
  * source or destination (encoding or decoding, respectively) type as
  * siUnsignedInteger.
  */
@@ -168,34 +162,32 @@ void
 prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.dh.prime.type = siUnsignedInteger;
     key->u.dh.base.type = siUnsignedInteger;
     key->u.dh.publicValue.type = siUnsignedInteger;
     key->u.dh.privateValue.type = siUnsignedInteger;
 }
 
-#ifndef NSS_DISABLE_ECC
 void
 prepare_low_ecparams_for_asn1(ECParams *params)
 {
     params->DEREncoding.type = siUnsignedInteger;
     params->curveOID.type = siUnsignedInteger;
 }
 
 void
 prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.ec.version.type = siUnsignedInteger;
     key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
     key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
     key->u.ec.privateValue.type = siUnsignedInteger;
     key->u.ec.publicValue.type = siUnsignedInteger;
 }
-#endif /* NSS_DISABLE_ECC */
 
 void
 nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
 {
     if (privk && privk->arena) {
         PORT_FreeArena(privk->arena, PR_TRUE);
     }
 }
@@ -320,17 +312,16 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
                 if (rv != SECSuccess)
                     break;
                 rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
                                       &privk->u.dh.base);
                 if (rv == SECSuccess)
                     return pubk;
             }
             break;
-#ifndef NSS_DISABLE_ECC
         case NSSLOWKEYECKey:
             pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
                                                           sizeof(NSSLOWKEYPublicKey));
             if (pubk != NULL) {
                 SECStatus rv;
 
                 pubk->arena = arena;
                 pubk->keyType = privk->keyType;
@@ -341,17 +332,16 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
                 pubk->u.ec.ecParams.arena = arena;
                 /* Copy the rest of the params */
                 rv = EC_CopyParams(arena, &(pubk->u.ec.ecParams),
                                    &(privk->u.ec.ecParams));
                 if (rv == SECSuccess)
                     return pubk;
             }
             break;
-#endif /* NSS_DISABLE_ECC */
         /* No Fortezza in Low Key implementations (Fortezza keys aren't
          * stored in our data base */
         default:
             break;
     }
 
     PORT_FreeArena(arena, PR_FALSE);
     return NULL;
@@ -458,17 +448,16 @@ nsslowkey_CopyPrivateKey(NSSLOWKEYPrivat
                                   &(privKey->u.dh.prime));
             if (rv != SECSuccess)
                 break;
             rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.base),
                                   &(privKey->u.dh.base));
             if (rv != SECSuccess)
                 break;
             break;
-#ifndef NSS_DISABLE_ECC
         case NSSLOWKEYECKey:
             rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.version),
                                   &(privKey->u.ec.version));
             if (rv != SECSuccess)
                 break;
             rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.publicValue),
                                   &(privKey->u.ec.publicValue));
             if (rv != SECSuccess)
@@ -479,17 +468,16 @@ nsslowkey_CopyPrivateKey(NSSLOWKEYPrivat
                 break;
             returnKey->u.ec.ecParams.arena = poolp;
             /* Copy the rest of the params */
             rv = EC_CopyParams(poolp, &(returnKey->u.ec.ecParams),
                                &(privKey->u.ec.ecParams));
             if (rv != SECSuccess)
                 break;
             break;
-#endif /* NSS_DISABLE_ECC */
         default:
             rv = SECFailure;
     }
 
 loser:
 
     if (rv != SECSuccess) {
         PORT_FreeArena(poolp, PR_TRUE);
--- a/lib/softoken/lowkeyi.h
+++ b/lib/softoken/lowkeyi.h
@@ -20,20 +20,18 @@ SEC_BEGIN_PROTOS
  * source or destination (encoding or decoding, respectively) type as
  * siUnsignedInteger.
  */
 extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
 extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-#ifndef NSS_DISABLE_ECC
 extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void prepare_low_ecparams_for_asn1(ECParams *params);
-#endif /* NSS_DISABLE_ECC */
 
 /*
 ** Destroy a private key object.
 **  "key" the object
 **  "freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
 
--- a/lib/softoken/lowkeyti.h
+++ b/lib/softoken/lowkeyti.h
@@ -15,20 +15,18 @@
 ** Typedef for callback to get a password "key".
 */
 extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
 extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
 extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
 extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
 extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
 extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
-#ifndef NSS_DISABLE_ECC
 #define NSSLOWKEY_EC_PRIVATE_KEY_VERSION 1 /* as per SECG 1 C.4 */
 extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
-#endif /* NSS_DISABLE_ECC */
 
 extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
 extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
 
 /*
  * PKCS #8 attributes
  */
 struct NSSLOWKEYAttributeStr {
--- a/lib/softoken/pkcs11.c
+++ b/lib/softoken/pkcs11.c
@@ -277,23 +277,21 @@ static const struct mechanismList mechan
     { CKM_DSA_KEY_PAIR_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
     { CKM_DSA, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
     { CKM_DSA_PARAMETER_GEN, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_GENERATE }, PR_TRUE },
     { CKM_DSA_SHA1, { DSA_MIN_P_BITS, DSA_MAX_P_BITS, CKF_SN_VR }, PR_TRUE },
     /* -------------------- Diffie Hellman Operations --------------------- */
     /* no diffie hellman yet */
     { CKM_DH_PKCS_KEY_PAIR_GEN, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_GENERATE_KEY_PAIR }, PR_TRUE },
     { CKM_DH_PKCS_DERIVE, { DH_MIN_P_BITS, DH_MAX_P_BITS, CKF_DERIVE }, PR_TRUE },
-#ifndef NSS_DISABLE_ECC
     /* -------------------- Elliptic Curve Operations --------------------- */
     { CKM_EC_KEY_PAIR_GEN, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_GENERATE_KEY_PAIR | CKF_EC_BPNU }, PR_TRUE },
     { CKM_ECDH1_DERIVE, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_DERIVE | CKF_EC_BPNU }, PR_TRUE },
     { CKM_ECDSA, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
     { CKM_ECDSA_SHA1, { EC_MIN_KEY_BITS, EC_MAX_KEY_BITS, CKF_SN_VR | CKF_EC_BPNU }, PR_TRUE },
-#endif /* NSS_DISABLE_ECC */
     /* ------------------------- RC2 Operations --------------------------- */
     { CKM_RC2_KEY_GEN, { 1, 128, CKF_GENERATE }, PR_TRUE },
     { CKM_RC2_ECB, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
     { CKM_RC2_CBC, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
     { CKM_RC2_MAC, { 1, 128, CKF_SN_VR }, PR_TRUE },
     { CKM_RC2_MAC_GENERAL, { 1, 128, CKF_SN_VR }, PR_TRUE },
     { CKM_RC2_CBC_PAD, { 1, 128, CKF_EN_DE_WR_UN }, PR_TRUE },
     /* ------------------------- RC4 Operations --------------------------- */
@@ -926,31 +924,29 @@ sftk_handlePublicKeyObject(SFTKSession *
                 return crv;
             }
             verify = CK_FALSE;
             derive = CK_TRUE;
             encrypt = CK_FALSE;
             recover = CK_FALSE;
             wrap = CK_FALSE;
             break;
-#ifndef NSS_DISABLE_ECC
         case CKK_EC:
             if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) {
                 return CKR_TEMPLATE_INCOMPLETE;
             }
             if (!sftk_hasAttribute(object, CKA_EC_POINT)) {
                 return CKR_TEMPLATE_INCOMPLETE;
             }
             derive = CK_TRUE; /* for ECDH */
             verify = CK_TRUE; /* for ECDSA */
             encrypt = CK_FALSE;
             recover = CK_FALSE;
             wrap = CK_FALSE;
             break;
-#endif /* NSS_DISABLE_ECC */
         default:
             return CKR_ATTRIBUTE_VALUE_INVALID;
     }
 
     /* make sure the required fields exist */
     crv = sftk_defaultAttribute(object, CKA_SUBJECT, NULL, 0);
     if (crv != CKR_OK)
         return crv;
@@ -1109,30 +1105,28 @@ sftk_handlePrivateKeyObject(SFTKSession 
             }
             if (!sftk_hasAttribute(object, CKA_VALUE)) {
                 return CKR_TEMPLATE_INCOMPLETE;
             }
             encrypt = CK_FALSE;
             recover = CK_FALSE;
             wrap = CK_FALSE;
             break;
-#ifndef NSS_DISABLE_ECC
         case CKK_EC:
             if (!sftk_hasAttribute(object, CKA_EC_PARAMS)) {
                 return CKR_TEMPLATE_INCOMPLETE;
             }
             if (!sftk_hasAttribute(object, CKA_VALUE)) {
                 return CKR_TEMPLATE_INCOMPLETE;
             }
             encrypt = CK_FALSE;
             sign = CK_TRUE;
             recover = CK_FALSE;
             wrap = CK_FALSE;
             break;
-#endif /* NSS_DISABLE_ECC */
         case CKK_NSS_JPAKE_ROUND1:
             if (!sftk_hasAttribute(object, CKA_PRIME) ||
                 !sftk_hasAttribute(object, CKA_SUBPRIME) ||
                 !sftk_hasAttribute(object, CKA_BASE)) {
                 return CKR_TEMPLATE_INCOMPLETE;
             }
         /* fall through */
         case CKK_NSS_JPAKE_ROUND2:
@@ -1773,17 +1767,16 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
                 break;
             crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.base,
                                           object, CKA_BASE);
             if (crv != CKR_OK)
                 break;
             crv = sftk_Attribute2SSecItem(arena, &pubKey->u.dh.publicValue,
                                           object, CKA_VALUE);
             break;
-#ifndef NSS_DISABLE_ECC
         case CKK_EC:
             pubKey->keyType = NSSLOWKEYECKey;
             crv = sftk_Attribute2SSecItem(arena,
                                           &pubKey->u.ec.ecParams.DEREncoding,
                                           object, CKA_EC_PARAMS);
             if (crv != CKR_OK)
                 break;
 
@@ -1832,17 +1825,16 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
                     }
                     /* replace our previous with the decoded key */
                     pubKey->u.ec.publicValue = publicValue;
                     break;
                 }
                 crv = CKR_ATTRIBUTE_VALUE_INVALID;
             }
             break;
-#endif /* NSS_DISABLE_ECC */
         default:
             crv = CKR_KEY_TYPE_INCONSISTENT;
             break;
     }
     *crvp = crv;
     if (crv != CKR_OK) {
         PORT_FreeArena(arena, PR_FALSE);
         return NULL;
@@ -1942,17 +1934,16 @@ sftk_mkPrivKey(SFTKObject *object, CK_KE
             itemTemplateCount++;
             SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
                                    &privKey->u.dh.privateValue, CKA_VALUE);
             itemTemplateCount++;
             /* privKey was zero'd so public value is already set to NULL, 0
              * if we don't set it explicitly */
             break;
 
-#ifndef NSS_DISABLE_ECC
         case CKK_EC:
             privKey->keyType = NSSLOWKEYECKey;
             crv = sftk_Attribute2SSecItem(arena,
                                           &privKey->u.ec.ecParams.DEREncoding,
                                           object, CKA_EC_PARAMS);
             if (crv != CKR_OK)
                 break;
 
@@ -1987,17 +1978,16 @@ sftk_mkPrivKey(SFTKObject *object, CK_KE
  * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56561
  */
 #if defined(__arm__) && !defined(__thumb__) && defined(__GNUC__)
                 *crvp = CKR_HOST_MEMORY;
                 break;
 #endif
             }
             break;
-#endif /* NSS_DISABLE_ECC */
 
         default:
             crv = CKR_KEY_TYPE_INCONSISTENT;
             break;
     }
     if (crv == CKR_OK && itemTemplateCount != 0) {
         PORT_Assert(itemTemplateCount > 0);
         PORT_Assert(itemTemplateCount <= SFTK_MAX_ITEM_TEMPLATE);
--- a/lib/softoken/pkcs11c.c
+++ b/lib/softoken/pkcs11c.c
@@ -60,30 +60,28 @@ typedef struct {
 } SSL3RSAPreMasterSecret;
 
 static void
 sftk_Null(void *data, PRBool freeit)
 {
     return;
 }
 
-#ifndef NSS_DISABLE_ECC
 #ifdef EC_DEBUG
 #define SEC_PRINT(str1, str2, num, sitem)             \
     printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
            str1, str2, num, sitem->len);              \
     for (i = 0; i < sitem->len; i++) {                \
         printf("%02x:", sitem->data[i]);              \
     }                                                 \
     printf("\n")
 #else
 #undef EC_DEBUG
 #define SEC_PRINT(a, b, c, d)
 #endif
-#endif /* NSS_DISABLE_ECC */
 
 /*
  * free routines.... Free local type  allocated data, and convert
  * other free routines to the destroy signature.
  */
 static void
 sftk_FreePrivKey(NSSLOWKEYPrivateKey *key, PRBool freeit)
 {
@@ -119,17 +117,16 @@ sftk_MapCryptError(int error)
         case SEC_ERROR_BAD_SIGNATURE:
             return CKR_SIGNATURE_INVALID;
         case SEC_ERROR_INVALID_KEY:
             return CKR_KEY_SIZE_RANGE;
         case SEC_ERROR_BAD_KEY:        /* an EC public key that fails validation */
             return CKR_KEY_SIZE_RANGE; /* the closest error code */
         case SEC_ERROR_UNSUPPORTED_EC_POINT_FORM:
             return CKR_TEMPLATE_INCONSISTENT;
-        /* EC functions set this error if NSS_DISABLE_ECC is defined */
         case SEC_ERROR_UNSUPPORTED_KEYALG:
             return CKR_MECHANISM_INVALID;
         case SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE:
             return CKR_DOMAIN_PARAMS_INVALID;
         /* key pair generation failed after max number of attempts */
         case SEC_ERROR_NEED_RANDOM:
             return CKR_FUNCTION_FAILED;
     }
@@ -2412,17 +2409,16 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
     rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
     if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
         sftk_fatalError = PR_TRUE;
     }
     *sigLen = signature.len;
     return rv;
 }
 
-#ifndef NSS_DISABLE_ECC
 static SECStatus
 nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
                     void *dataBuf, unsigned int dataLen)
 {
     SECItem signature, digest;
     NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
 
     signature.data = (unsigned char *)sigBuf;
@@ -2447,17 +2443,16 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
     digest.len = dataLen;
     rv = ECDSA_SignDigest(&(key->u.ec), &signature, &digest);
     if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
         sftk_fatalError = PR_TRUE;
     }
     *sigLen = signature.len;
     return rv;
 }
-#endif /* NSS_DISABLE_ECC */
 
 /* NSC_SignInit setups up the signing operations. There are three basic
  * types of signing:
  *      (1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
  *  to data in a single Sign operation (which often looks a lot like an
  *  encrypt, with data coming in and data going out).
  *      (2) Hash based signing, where we continually hash the data, then apply
  *  some sort of signature to the end.
@@ -2607,17 +2602,16 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
             }
             context->cipherInfo = privKey;
             context->update = (SFTKCipher)nsc_DSA_Sign_Stub;
             context->destroy = (privKey == key->objectInfo) ? (SFTKDestroy)sftk_Null : (SFTKDestroy)sftk_FreePrivKey;
             context->maxLen = DSA_MAX_SIGNATURE_LEN;
 
             break;
 
-#ifndef NSS_DISABLE_ECC
         case CKM_ECDSA_SHA1:
             context->multi = PR_TRUE;
             crv = sftk_doSubSHA1(context);
             if (crv != CKR_OK)
                 break;
         /* fall through */
         case CKM_ECDSA:
             if (key_type != CKK_EC) {
@@ -2630,17 +2624,16 @@ NSC_SignInit(CK_SESSION_HANDLE hSession,
                 break;
             }
             context->cipherInfo = privKey;
             context->update = (SFTKCipher)nsc_ECDSASignStub;
             context->destroy = (privKey == key->objectInfo) ? (SFTKDestroy)sftk_Null : (SFTKDestroy)sftk_FreePrivKey;
             context->maxLen = MAX_ECKEY_LEN * 2;
 
             break;
-#endif /* NSS_DISABLE_ECC */
 
 #define INIT_HMAC_MECH(mmm)                                               \
     case CKM_##mmm##_HMAC_GENERAL:                                        \
         PORT_Assert(pMechanism->pParameter);                              \
         if (!pMechanism->pParameter) {                                    \
             crv = CKR_MECHANISM_PARAM_INVALID;                            \
             break;                                                        \
         }                                                                 \
@@ -3298,17 +3291,16 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
             pubKey = sftk_GetPubKey(key, CKK_DSA, &crv);
             if (pubKey == NULL) {
                 break;
             }
             context->cipherInfo = pubKey;
             context->verify = (SFTKVerify)nsc_DSA_Verify_Stub;
             context->destroy = sftk_Null;
             break;
-#ifndef NSS_DISABLE_ECC
         case CKM_ECDSA_SHA1:
             context->multi = PR_TRUE;
             crv = sftk_doSubSHA1(context);
             if (crv != CKR_OK)
                 break;
         /* fall through */
         case CKM_ECDSA:
             if (key_type != CKK_EC) {
@@ -3319,17 +3311,16 @@ NSC_VerifyInit(CK_SESSION_HANDLE hSessio
             if (pubKey == NULL) {
                 crv = CKR_HOST_MEMORY;
                 break;
             }
             context->cipherInfo = pubKey;
             context->verify = (SFTKVerify)nsc_ECDSAVerifyStub;
             context->destroy = sftk_Null;
             break;
-#endif /* NSS_DISABLE_ECC */
 
             INIT_HMAC_MECH(MD2)
             INIT_HMAC_MECH(MD5)
             INIT_HMAC_MECH(SHA224)
             INIT_HMAC_MECH(SHA256)
             INIT_HMAC_MECH(SHA384)
             INIT_HMAC_MECH(SHA512)
 
@@ -4619,22 +4610,20 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
                 signature_length = modulusLen;
                 mech.mechanism = CKM_RSA_PKCS;
                 break;
             case CKK_DSA:
                 signature_length = DSA_MAX_SIGNATURE_LEN;
                 pairwise_digest_length = subPrimeLen;
                 mech.mechanism = CKM_DSA;
                 break;
-#ifndef NSS_DISABLE_ECC
             case CKK_EC:
                 signature_length = MAX_ECKEY_LEN * 2;
                 mech.mechanism = CKM_ECDSA;
                 break;
-#endif
             default:
                 return CKR_DEVICE_ERROR;
         }
 
         /* Allocate space for signature data. */
         signature = (unsigned char *)PORT_ZAlloc(signature_length);
         if (signature == NULL) {
             return CKR_HOST_MEMORY;
@@ -4741,22 +4730,20 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
     /* DSA */
     PQGParams pqgParam;
     DHParams dhParam;
     DSAPrivateKey *dsaPriv;
 
     /* Diffie Hellman */
     DHPrivateKey *dhPriv;
 
-#ifndef NSS_DISABLE_ECC
     /* Elliptic Curve Cryptography */
     SECItem ecEncodedParams; /* DER Encoded parameters */
     ECPrivateKey *ecPriv;
     ECParams *ecParams;
-#endif /* NSS_DISABLE_ECC */
 
     CHECK_FORK();
 
     if (!slot) {
         return CKR_SESSION_HANDLE_INVALID;
     }
     /*
      * now lets create an object to hang the attributes off of
@@ -5092,17 +5079,16 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
             crv = sftk_AddAttributeType(privateKey, CKA_VALUE,
                                         sftk_item_expand(&dhPriv->privateValue));
 
         dhgn_done:
             /* should zeroize, since this function doesn't. */
             PORT_FreeArena(dhPriv->arena, PR_TRUE);
             break;
 
-#ifndef NSS_DISABLE_ECC
         case CKM_EC_KEY_PAIR_GEN:
             sftk_DeleteAttributeType(privateKey, CKA_EC_PARAMS);
             sftk_DeleteAttributeType(privateKey, CKA_VALUE);
             sftk_DeleteAttributeType(privateKey, CKA_NETSCAPE_DB);
             key_type = CKK_EC;
 
             /* extract the necessary parameters and copy them to private keys */
             crv = sftk_Attribute2SSecItem(NULL, &ecEncodedParams, publicKey,
@@ -5161,17 +5147,16 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
                 goto ecgn_done;
 
             crv = sftk_AddAttributeType(privateKey, CKA_NETSCAPE_DB,
                                         sftk_item_expand(&ecPriv->publicValue));
         ecgn_done:
             /* should zeroize, since this function doesn't. */
             PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
             break;
-#endif /* NSS_DISABLE_ECC */
 
         default:
             crv = CKR_MECHANISM_INVALID;
     }
 
     if (crv != CKR_OK) {
         sftk_FreeObject(privateKey);
         sftk_FreeObject(publicKey);
@@ -5291,22 +5276,20 @@ sftk_PackagePrivateKey(SFTKObject *key, 
     NSSLOWKEYPrivateKey *lk = NULL;
     NSSLOWKEYPrivateKeyInfo *pki = NULL;
     SFTKAttribute *attribute = NULL;
     PLArenaPool *arena = NULL;
     SECOidTag algorithm = SEC_OID_UNKNOWN;
     void *dummy, *param = NULL;
     SECStatus rv = SECSuccess;
     SECItem *encodedKey = NULL;
-#ifndef NSS_DISABLE_ECC
 #ifdef EC_DEBUG
     SECItem *fordebug;
 #endif
     int savelen;
-#endif
 
     if (!key) {
         *crvp = CKR_KEY_HANDLE_INVALID; /* really can't happen */
         return NULL;
     }
 
     attribute = sftk_FindAttribute(key, CKA_KEY_TYPE);
     if (!attribute) {
@@ -5348,17 +5331,16 @@ sftk_PackagePrivateKey(SFTKObject *key, 
             prepare_low_dsa_priv_key_export_for_asn1(lk);
             dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
                                        nsslowkey_DSAPrivateKeyExportTemplate);
             prepare_low_pqg_params_for_asn1(&lk->u.dsa.params);
             param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params),
                                        nsslowkey_PQGParamsTemplate);
             algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE;
             break;
-#ifndef NSS_DISABLE_ECC
         case NSSLOWKEYECKey:
             prepare_low_ec_priv_key_for_asn1(lk);
             /* Public value is encoded as a bit string so adjust length
              * to be in bits before ASN encoding and readjust
              * immediately after.
              *
              * Since the SECG specification recommends not including the
              * parameters as part of ECPrivateKey, we zero out the curveOID
@@ -5377,17 +5359,16 @@ sftk_PackagePrivateKey(SFTKObject *key, 
             SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKey", lk->keyType,
                       fordebug);
 #endif
 
             param = SECITEM_DupItem(&lk->u.ec.ecParams.DEREncoding);
 
             algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
             break;
-#endif /* NSS_DISABLE_ECC */
         case NSSLOWKEYDHKey:
         default:
             dummy = NULL;
             break;
     }
 
     if (!dummy || ((lk->keyType == NSSLOWKEYDSAKey) && !param)) {
         *crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
@@ -5636,53 +5617,49 @@ sftk_unwrapPrivateKey(SFTKObject *key, S
         case SEC_OID_ANSIX9_DSA_SIGNATURE:
             keyTemplate = nsslowkey_DSAPrivateKeyExportTemplate;
             paramTemplate = nsslowkey_PQGParamsTemplate;
             paramDest = &(lpk->u.dsa.params);
             lpk->keyType = NSSLOWKEYDSAKey;
             prepare_low_dsa_priv_key_export_for_asn1(lpk);
             prepare_low_pqg_params_for_asn1(&lpk->u.dsa.params);
             break;
-/* case NSSLOWKEYDHKey: */
-#ifndef NSS_DISABLE_ECC
+        /* case NSSLOWKEYDHKey: */
         case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
             keyTemplate = nsslowkey_ECPrivateKeyTemplate;
             paramTemplate = NULL;
             paramDest = &(lpk->u.ec.ecParams.DEREncoding);
             lpk->keyType = NSSLOWKEYECKey;
             prepare_low_ec_priv_key_for_asn1(lpk);
             prepare_low_ecparams_for_asn1(&lpk->u.ec.ecParams);
             break;
-#endif /* NSS_DISABLE_ECC */
         default:
             keyTemplate = NULL;
             paramTemplate = NULL;
             paramDest = NULL;
             break;
     }
 
     if (!keyTemplate) {
         goto loser;
     }
 
     /* decode the private key and any algorithm parameters */
     rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
 
-#ifndef NSS_DISABLE_ECC
     if (lpk->keyType == NSSLOWKEYECKey) {
         /* convert length in bits to length in bytes */
         lpk->u.ec.publicValue.len >>= 3;
         rv = SECITEM_CopyItem(arena,
                               &(lpk->u.ec.ecParams.DEREncoding),
                               &(pki->algorithm.parameters));
         if (rv != SECSuccess) {
             goto loser;
         }
     }
-#endif /* NSS_DISABLE_ECC */
 
     if (rv != SECSuccess) {
         goto loser;
     }
     if (paramDest && paramTemplate) {
         rv = SEC_QuickDERDecodeItem(arena, paramDest, paramTemplate,
                                     &(pki->algorithm.parameters));
         if (rv != SECSuccess) {
@@ -5785,18 +5762,17 @@ sftk_unwrapPrivateKey(SFTKObject *key, S
             break;
 #ifdef notdef
         case NSSLOWKEYDHKey:
             template = dhTemplate;
             templateCount = sizeof(dhTemplate) / sizeof(CK_ATTRIBUTE);
             keyType = CKK_DH;
             break;
 #endif
-/* what about fortezza??? */
-#ifndef NSS_DISABLE_ECC
+        /* what about fortezza??? */
         case NSSLOWKEYECKey:
             keyType = CKK_EC;
             crv = (sftk_hasAttribute(key, CKA_NETSCAPE_DB)) ? CKR_OK : CKR_KEY_TYPE_INCONSISTENT;
             if (crv != CKR_OK)
                 break;
             crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType,
                                         sizeof(keyType));
             if (crv != CKR_OK)
@@ -5818,17 +5794,16 @@ sftk_unwrapPrivateKey(SFTKObject *key, S
             if (crv != CKR_OK)
                 break;
             crv = sftk_AddAttributeType(key, CKA_VALUE,
                                         sftk_item_expand(&lpk->u.ec.privateValue));
             if (crv != CKR_OK)
                 break;
             /* XXX Do we need to decode the EC Params here ?? */
             break;
-#endif /* NSS_DISABLE_ECC */
         default:
             crv = CKR_KEY_TYPE_INCONSISTENT;
             break;
     }
 
 loser:
     if (lpk) {
         nsslowkey_DestroyPrivateKey(lpk);
@@ -6148,17 +6123,16 @@ sftk_MapKeySize(CK_KEY_TYPE keyType)
             return 24;
         /* IDEA and CAST need to be added */
         default:
             break;
     }
     return 0;
 }
 
-#ifndef NSS_DISABLE_ECC
 /* Inputs:
  *  key_len: Length of derived key to be generated.
  *  SharedSecret: a shared secret that is the output of a key agreement primitive.
  *  SharedInfo: (Optional) some data shared by the entities computing the secret key.
  *  SharedInfoLen: the length in octets of SharedInfo
  *  Hash: The hash function to be used in the KDF
  *  HashLen: the length in octets of the output of Hash
  * Output:
@@ -6261,17 +6235,16 @@ sftk_ANSI_X9_63_kdf(CK_BYTE **key, CK_UL
         return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
                                            SharedInfoLen, SHA384_HashBuf, SHA384_LENGTH);
     else if (kdf == CKD_SHA512_KDF)
         return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
                                            SharedInfoLen, SHA512_HashBuf, SHA512_LENGTH);
     else
         return CKR_MECHANISM_INVALID;
 }
-#endif /* NSS_DISABLE_ECC */
 
 /*
  * SSL Key generation given pre master secret
  */
 #define NUM_MIXERS 9
 static const char *const mixers[NUM_MIXERS] = {
     "A",
     "BB",
@@ -7237,17 +7210,16 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
                 sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
                 PORT_ZFree(derived.data, derived.len);
             } else
                 crv = CKR_HOST_MEMORY;
 
             break;
         }
 
-#ifndef NSS_DISABLE_ECC
         case CKM_ECDH1_DERIVE:
         case CKM_ECDH1_COFACTOR_DERIVE: {
             SECItem ecScalar, ecPoint;
             SECItem tmp;
             PRBool withCofactor = PR_FALSE;
             unsigned char *secret;
             unsigned char *keyData = NULL;
             unsigned int secretlen, pubKeyLen;
@@ -7377,17 +7349,16 @@ NSC_DeriveKey(CK_SESSION_HANDLE hSession
             PORT_Free(ecScalar.data);
             if (privKey != sourceKey->objectInfo)
                 nsslowkey_DestroyPrivateKey(privKey);
             if (arena) {
                 PORT_FreeArena(arena, PR_FALSE);
             }
             break;
         }
-#endif /* NSS_DISABLE_ECC */
 
         /* See RFC 5869 and CK_NSS_HKDFParams for documentation. */
         case CKM_NSS_HKDF_SHA1:
             hashType = HASH_AlgSHA1;
             goto hkdf;
         case CKM_NSS_HKDF_SHA256:
             hashType = HASH_AlgSHA256;
             goto hkdf;
--- a/lib/softoken/pkcs11u.c
+++ b/lib/softoken/pkcs11u.c
@@ -1256,23 +1256,21 @@ static const CK_ATTRIBUTE_TYPE dsaPubKey
 static const CK_ULONG dsaPubKeyAttrsCount =
     sizeof(dsaPubKeyAttrs) / sizeof(dsaPubKeyAttrs[0]);
 
 static const CK_ATTRIBUTE_TYPE dhPubKeyAttrs[] = {
     CKA_PRIME, CKA_BASE, CKA_VALUE
 };
 static const CK_ULONG dhPubKeyAttrsCount =
     sizeof(dhPubKeyAttrs) / sizeof(dhPubKeyAttrs[0]);
-#ifndef NSS_DISABLE_ECC
 static const CK_ATTRIBUTE_TYPE ecPubKeyAttrs[] = {
     CKA_EC_PARAMS, CKA_EC_POINT
 };
 static const CK_ULONG ecPubKeyAttrsCount =
     sizeof(ecPubKeyAttrs) / sizeof(ecPubKeyAttrs[0]);
-#endif
 
 static const CK_ATTRIBUTE_TYPE commonPrivKeyAttrs[] = {
     CKA_DECRYPT, CKA_SIGN, CKA_SIGN_RECOVER, CKA_UNWRAP, CKA_SUBJECT,
     CKA_SENSITIVE, CKA_EXTRACTABLE, CKA_NETSCAPE_DB
 };
 static const CK_ULONG commonPrivKeyAttrsCount =
     sizeof(commonPrivKeyAttrs) / sizeof(commonPrivKeyAttrs[0]);
 
@@ -1289,23 +1287,21 @@ static const CK_ATTRIBUTE_TYPE dsaPrivKe
 static const CK_ULONG dsaPrivKeyAttrsCount =
     sizeof(dsaPrivKeyAttrs) / sizeof(dsaPrivKeyAttrs[0]);
 
 static const CK_ATTRIBUTE_TYPE dhPrivKeyAttrs[] = {
     CKA_PRIME, CKA_BASE, CKA_VALUE
 };
 static const CK_ULONG dhPrivKeyAttrsCount =
     sizeof(dhPrivKeyAttrs) / sizeof(dhPrivKeyAttrs[0]);
-#ifndef NSS_DISABLE_ECC
 static const CK_ATTRIBUTE_TYPE ecPrivKeyAttrs[] = {
     CKA_EC_PARAMS, CKA_VALUE
 };
 static const CK_ULONG ecPrivKeyAttrsCount =
     sizeof(ecPrivKeyAttrs) / sizeof(ecPrivKeyAttrs[0]);
-#endif
 
 static const CK_ATTRIBUTE_TYPE certAttrs[] = {
     CKA_CERTIFICATE_TYPE, CKA_VALUE, CKA_SUBJECT, CKA_ISSUER, CKA_SERIAL_NUMBER
 };
 static const CK_ULONG certAttrsCount =
     sizeof(certAttrs) / sizeof(certAttrs[0]);
 
 static const CK_ATTRIBUTE_TYPE trustAttrs[] = {
@@ -1400,22 +1396,20 @@ stfk_CopyTokenPrivateKey(SFTKObject *des
         case CKK_DSA:
             crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPrivKeyAttrs,
                                            dsaPrivKeyAttrsCount);
             break;
         case CKK_DH:
             crv = stfk_CopyTokenAttributes(destObject, src_to, dhPrivKeyAttrs,
                                            dhPrivKeyAttrsCount);
             break;
-#ifndef NSS_DISABLE_ECC
         case CKK_EC:
             crv = stfk_CopyTokenAttributes(destObject, src_to, ecPrivKeyAttrs,
                                            ecPrivKeyAttrsCount);
             break;
-#endif
         default:
             crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
                                      * of token keys into our database. */
     }
 fail:
     return crv;
 }
 
@@ -1462,22 +1456,20 @@ stfk_CopyTokenPublicKey(SFTKObject *dest
         case CKK_DSA:
             crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPubKeyAttrs,
                                            dsaPubKeyAttrsCount);
             break;
         case CKK_DH:
             crv = stfk_CopyTokenAttributes(destObject, src_to, dhPubKeyAttrs,
                                            dhPubKeyAttrsCount);
             break;
-#ifndef NSS_DISABLE_ECC
         case CKK_EC:
             crv = stfk_CopyTokenAttributes(destObject, src_to, ecPubKeyAttrs,
                                            ecPubKeyAttrsCount);
             break;
-#endif
         default:
             crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
                                      * of token keys into our database. */
     }
 fail:
     return crv;
 }
 CK_RV
--- a/lib/softoken/softkver.h
+++ b/lib/softoken/softkver.h
@@ -3,21 +3,17 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef _SOFTKVER_H_
 #define _SOFTKVER_H_
 
-#ifndef NSS_DISABLE_ECC
 #define SOFTOKEN_ECC_STRING " Basic ECC"
-#else
-#define SOFTOKEN_ECC_STRING ""
-#endif
 
 /*
  * Softoken's major version, minor version, patch level, build number,
  * and whether this is a beta release.
  *
  * The format of the version string should be
  *     "<major version>.<minor version>[.<patch level>[.<build number>]][ <ECC>][ <Beta>]"
  */
--- a/tests/all.sh
+++ b/tests/all.sh
@@ -58,20 +58,16 @@
 #   HOST         - test machine host name
 #   DOMSUF       - test machine domain name
 #
 # Optional environment variables to specify build to use:
 # -------------------------------------------------------
 #   BUILT_OPT    - use optimized/debug build
 #   USE_64       - use 64bit/32bit build
 #
-# Optional environment variables to enable specific NSS features:
-# ---------------------------------------------------------------
-#   NSS_DISABLE_ECC             - disable ECC
-#
 # Optional environment variables to select which cycles/suites to test:
 # ---------------------------------------------------------------------
 #   NSS_CYCLES     - list of cycles to run (separated by space
 #                    character)
 #                  - by default all cycles are tested
 #
 #   NSS_TESTS      - list of all test suites to run (separated by space
 #                    character, without trailing .sh)
--- a/tests/cert/cert.sh
+++ b/tests/cert/cert.sh
@@ -41,21 +41,17 @@ cert_init()
       cd ../common
       . ./init.sh
   fi
   if [ -z "${IOPR_CERT_SOURCED}" ]; then
        . ../iopr/cert_iopr.sh
   fi
   SCRIPTNAME="cert.sh"
   CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
-      html_head "Certutil and Crlutil Tests with ECC"
-  else
-      html_head "Certutil and Crlutil Tests"
-  fi
+  html_head "Certutil and Crlutil Tests"
 
   LIBDIR="${DIST}/${OBJDIR}/lib"
 
   ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
   if [ ! "${ROOTCERTSFILE}" ] ; then
       html_failed "Looking for root certs module." 
       cert_log "ERROR: Root certs module not found."
       Exit 5 "Fatal - Root certs module not found."
@@ -295,24 +291,22 @@ cert_create_cert()
 	CU_ACTION="Import DSA Root CA for $CERTNAME"
 	certu -A -n "TestCA-dsa" -t "TC,TC,TC" -f "${R_PWFILE}" \
 	    -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-dsa.ca.cert" 2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 
 
-    if [ -z "$NSS_DISABLE_ECC" ] ; then
 	CU_ACTION="Import EC Root CA for $CERTNAME"
 	certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
 	    -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
-    fi
 
     cert_add_cert "$5"
     return $?
 }
 
 ############################# cert_add_cert ############################
 # local shell function to add client certs to an existing CERT DB
 #     generate request
@@ -397,17 +391,16 @@ cert_add_cert()
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 	cert_log "SUCCESS: $CERTNAME's mixed DSA Cert Created"
 
 #
 #   Generate and add EC cert
 #
-    if [ -z "$NSS_DISABLE_ECC" ] ; then
 	CURVE="secp384r1"
 	CU_ACTION="Generate EC Cert Request for $CERTNAME"
 	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 	    -z "${R_NOISE_FILE}" -o req  2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
@@ -449,17 +442,16 @@ cert_add_cert()
 
 	CU_ACTION="Import $CERTNAME's mixed EC Cert"
 	certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
 	    -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
 	cert_log "SUCCESS: $CERTNAME's mixed EC Cert Created"
-    fi
 
     return 0
 }
 
 ################################# cert_all_CA ################################
 # local shell function to build the additional Temp. Certificate Authority (CA)
 # used for the "real life" ssl test with 2 different CA's in the
 # client and in the server's dir
@@ -516,17 +508,16 @@ cert_all_CA()
 
 	rm $CLIENT_CADIR/dsaroot.cert $SERVER_CADIR/dsaroot.cert
 #	dsaroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last 
 #	in the chain
 
 
 
 
-    if [ -z "$NSS_DISABLE_ECC" ] ; then
 #
 #       Create EC version of TestCA
 	CA_CURVE="secp521r1"
 	ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
 #
 #       Create EC versions of the intermediate CA certs
 	ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
@@ -541,18 +532,16 @@ cert_all_CA()
 	ALL_CU_SUBJECT="CN=NSS Chain1 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
 	cert_ec_CA $CLIENT_CADIR chain-1-clientCA-ec "-c clientCA-ec" "u,u,u" ${D_CLIENT_CA} "6" ${CA_CURVE}
 	ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
 	cert_ec_CA $CLIENT_CADIR chain-2-clientCA-ec "-c chain-1-clientCA-ec" "u,u,u" ${D_CLIENT_CA} "7" ${CA_CURVE}
 
 	rm $CLIENT_CADIR/ecroot.cert $SERVER_CADIR/ecroot.cert
 #	ecroot.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last 
 #	in the chain
-
-    fi
 }
 
 ################################# cert_CA ################################
 # local shell function to build the Temp. Certificate Authority (CA)
 # used for testing purposes, creating  a CA Certificate and a root cert
 ##########################################################################
 cert_CA()
 {
@@ -827,17 +816,16 @@ cert_smime_client()
   CU_ACTION="Import Eve's cert into Alice's DB"
   certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
         -i ${R_EVEDIR}/Eve.cert 2>&1
 
   CU_ACTION="Import Eve's cert into Bob's DB"
   certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
         -i ${R_EVEDIR}/Eve.cert 2>&1
 
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
       echo "$SCRIPTNAME: Importing EC Certificates =============================="
       CU_ACTION="Import Bob's EC cert into Alice's db"
       certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
           -i ${R_BOBDIR}/Bob-ec.cert 2>&1
 
       CU_ACTION="Import Dave's EC cert into Alice's DB"
       certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
           -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
@@ -851,17 +839,16 @@ cert_smime_client()
 ## inside Eve's ECC and non-ECC certs are different.
 #     CU_ACTION="Import Eve's EC cert into Alice's DB"
 #     certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
 #         -i ${R_EVEDIR}/Eve-ec.cert 2>&1
 
 #     CU_ACTION="Import Eve's EC cert into Bob's DB"
 #     certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
 #         -i ${R_EVEDIR}/Eve-ec.cert 2>&1
-  fi
 
   if [ "$CERTFAILED" != 0 ] ; then
       cert_log "ERROR: SMIME failed $RET"
   else
       cert_log "SUCCESS: SMIME passed"
   fi
 }
 
@@ -942,17 +929,16 @@ cert_extended_ssl()
       certu -A -n "${CERTNAME}-dsamixed" -t "u,u,u" -d "${PROFILEDIR}" \
 	  -f "${R_PWFILE}" -i "${CERTNAME}-dsamixed.cert" 2>&1
 
 #      CU_ACTION="Import Client mixed DSA Root CA -t T,, for $CERTNAME (ext.)"
 #      certu -A -n "clientCA-dsamixed" -t "T,," -f "${R_PWFILE}" \
 #	  -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-dsamixed.ca.cert" \
 #	  2>&1
 
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
 #
 #     Repeat the above for EC certs
 #
       EC_CURVE="secp256r1"
       CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
       CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
@@ -988,17 +974,16 @@ cert_extended_ssl()
       CU_ACTION="Import $CERTNAME's mixed EC Cert  -t u,u,u (ext)"
       certu -A -n "${CERTNAME}-ecmixed" -t "u,u,u" -d "${PROFILEDIR}" \
 	  -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
 
 #      CU_ACTION="Import Client mixed EC Root CA -t T,, for $CERTNAME (ext.)"
 #      certu -A -n "clientCA-ecmixed" -t "T,," -f "${R_PWFILE}" \
 #	  -d "${PROFILEDIR}" -i "${CLIENT_CADIR}/clientCA-ecmixed.ca.cert" \
 #	  2>&1
-  fi
 
   echo "Importing all the server's own CA chain into the servers DB"
   for CA in `find ${SERVER_CADIR} -name "?*.ca.cert"` ;
   do
       N=`basename $CA | sed -e "s/.ca.cert//"`
       if [ $N = "serverCA" -o $N = "serverCA-ec" -o $N = "serverCA-dsa" ] ; then
           T="-t C,C,C"
       else
@@ -1077,17 +1062,16 @@ cert_extended_ssl()
 
 #      CU_ACTION="Import Server DSA Root CA -t C,C,C for $CERTNAME (ext.)"
 #      certu -A -n "serverCA-dsa" -t "C,C,C" -f "${R_PWFILE}" \
 #	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-dsa.ca.cert" 2>&1
 #
 # done with mixed DSA certs
 #
 
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
 #
 #     Repeat the above for EC certs
 #
       CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
       CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
@@ -1124,17 +1108,16 @@ cert_extended_ssl()
 	  -f "${R_PWFILE}" -i "${CERTNAME}-ecmixed.cert" 2>&1
 
 #      CU_ACTION="Import Server EC Root CA -t C,C,C for $CERTNAME (ext.)"
 #      certu -A -n "serverCA-ec" -t "C,C,C" -f "${R_PWFILE}" \
 #	  -d "${PROFILEDIR}" -i "${SERVER_CADIR}/serverCA-ec.ca.cert" 2>&1
 #
 # done with mixed EC certs
 #
-  fi
 
   echo "Importing all the client's own CA chain into the servers DB"
   for CA in `find ${CLIENT_CADIR} -name "?*.ca.cert"` ;
   do
       N=`basename $CA | sed -e "s/.ca.cert//"`
       if [ $N = "clientCA" -o $N = "clientCA-ec" -o $N = "clientCA-dsa" ] ; then
           T="-t T,C,C"
       else
@@ -1171,20 +1154,18 @@ cert_ssl()
   CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}"
   cert_add_cert 
   CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
   certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
 
   CU_ACTION="Modify trust attributes of DSA Root CA -t TC,TC,TC"
   certu -M -n "TestCA-dsa" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
 
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
-      CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
-      certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
-  fi
+  CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
+  certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
 #  cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
 #  echo "************* Copying CA files to ${SERVERDIR}"
 #  cp ${CADIR}/*.db .
 #  hw_acc
 #  CU_ACTION="Creating ${CERTNAME}'s Server Cert"
 #  CU_SUBJECT="CN=${CERTNAME}, O=BOGUS Netscape, L=Mountain View, ST=California, C=US"
 #  certu -S -n "${CERTNAME}" -c "TestCA" -t "Pu,Pu,Pu" -d ${PROFILEDIR} \
 #	 -f "${R_PWFILE}" -z "${R_NOISE_FILE}" -v 60 2>&1
@@ -1291,17 +1272,16 @@ MODSCRIPT
 
 ############################## cert_eccurves ###########################
 # local shell function to create server certs for all EC curves
 ########################################################################
 cert_eccurves()
 {
   ################# Creating Certs for EC curves test ########################
   #
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
     echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
     echo "             EC Curves Test Certificates ------------------------------------"
 
     cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES}
 
     CU_ACTION="Initializing EC Curve's Cert DB"
     certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
 
@@ -1332,18 +1312,16 @@ cert_eccurves()
 	fi
 	
 	if [ $RET -eq 0 ] ; then
 	  CU_ACTION="Import $CERTNAME's EC Cert"
 	  certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
 		-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
 	fi
     done
-
-  fi # $NSS_DISABLE_ECC
 }
 
 ########################### cert_extensions_test #############################
 # local shell function to test cert extensions generation
 ##############################################################################
 cert_extensions_test()
 {
     COUNT=`expr ${COUNT} + 1`
@@ -1685,32 +1663,30 @@ addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END
 addext reasonCode 0 4
 addext issuerAltNames 0 "rfc822Name:ca-dsaemail@ca.com|dnsName:ca-dsa.com|directoryName:CN=NSS Test CA (DSA),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-dsa.com|ipAddress:192.168.0.1|registerID=reg CA (DSA)"
 EOF_CRLINI
       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
       chmod 600 ${CRL_FILE_GRP_1}_or-dsa
 
 
 
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
 
 #     Until Bug 292285 is resolved, do not encode x400 Addresses. After
 #     the bug is resolved, reintroduce "x400Address:x400Address" within
 #     addext issuerAltNames ...
       crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \
 	  -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END_} $CRL_GRP_DATE
 addext reasonCode 0 4
 addext issuerAltNames 0 "rfc822Name:ca-ecemail@ca.com|dnsName:ca-ec.com|directoryName:CN=NSS Test CA (ECC),O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca-ec.com|ipAddress:192.168.0.1|registerID=reg CA (ECC)"
 EOF_CRLINI
       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
       chmod 600 ${CRL_FILE_GRP_1}_or-ec
-  fi
 
   echo test > file
   ############################# Modification ##################################
 
   echo "$SCRIPTNAME: Modifying CA CRL by adding one more cert ============"
   sleep 2
   CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
   CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
@@ -1731,27 +1707,25 @@ EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_END} $CRL_GRP_DATE
 EOF_CRLINI
   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
   chmod 600 ${CRL_FILE_GRP_1}_or1-dsa
   TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-dsa"
 
 
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Modify CRL (ECC) by adding one more cert"
       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
 	  -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_END} $CRL_GRP_DATE
 EOF_CRLINI
       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
       chmod 600 ${CRL_FILE_GRP_1}_or1-ec
       TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or-ec"
-  fi
 
   ########### Removing one cert ${UNREVOKED_CERT_GRP_1} #######################
   echo "$SCRIPTNAME: Modifying CA CRL by removing one cert ==============="
   CU_ACTION="Modify CRL by removing one cert"
   sleep 2
   CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
   crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
       -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
@@ -1770,26 +1744,24 @@ EOF_CRLINI
 update=$CRLUPDATE
 rmcert  ${UNREVOKED_CERT_GRP_1}
 EOF_CRLINI
   chmod 600 ${CRL_FILE_GRP_1}
   TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-dsa"
 
 
 
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Modify CRL (ECC) by removing one cert"
       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
 	  -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
 update=$CRLUPDATE
 rmcert  ${UNREVOKED_CERT_GRP_1}
 EOF_CRLINI
       chmod 600 ${CRL_FILE_GRP_1}-ec
       TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
-  fi
 
   ########### Creating second CRL which includes groups 1 and 2 ##############
   CRL_GRP_END=`expr ${CRL_GRP_2_BEGIN} + ${CRL_GRP_2_RANGE} - 1`
   CRL_FILE_GRP_2=${R_SERVERDIR}/root.crl_${CRL_GRP_2_BEGIN}-${CRL_GRP_END}
 
   echo "$SCRIPTNAME: Creating CA CRL for groups 1 and 2  ==============="
   sleep 2
   CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
@@ -1799,28 +1771,26 @@ EOF_CRLINI
           -i ${CRL_FILE_GRP_1} <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
 addext invalidityDate 0 $CRLUPDATE
 rmcert  ${UNREVOKED_CERT_GRP_2}
 EOF_CRLINI
   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
   chmod 600 ${CRL_FILE_GRP_2}
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
           -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
 addext invalidityDate 0 $CRLUPDATE
 rmcert  ${UNREVOKED_CERT_GRP_2}
 EOF_CRLINI
       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
       chmod 600 ${CRL_FILE_GRP_2}-ec
-  fi
 
   ########### Creating second CRL which includes groups 1, 2 and 3 ##############
   CRL_GRP_END=`expr ${CRL_GRP_3_BEGIN} + ${CRL_GRP_3_RANGE} - 1`
   CRL_FILE_GRP_3=${R_SERVERDIR}/root.crl_${CRL_GRP_3_BEGIN}-${CRL_GRP_END}
 
 
 
   echo "$SCRIPTNAME: Creating CA CRL for groups 1, 2 and 3  ==============="
@@ -1832,43 +1802,39 @@ EOF_CRLINI
             -i ${CRL_FILE_GRP_2} <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
 rmcert  ${UNREVOKED_CERT_GRP_3}
 addext crlNumber 0 2
 EOF_CRLINI
   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
   chmod 600 ${CRL_FILE_GRP_3}
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
           -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
 rmcert  ${UNREVOKED_CERT_GRP_3}
 addext crlNumber 0 2
 EOF_CRLINI
       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
       chmod 600 ${CRL_FILE_GRP_3}-ec
-  fi
 
   ############ Importing Server CA Issued CRL for certs of first group #######
 
   echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}"
   CU_ACTION="Importing CRL for groups 1"
   crlu -D -n TestCA  -f "${R_PWFILE}" -d "${R_SERVERDIR}"
   crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Importing CRL (ECC) for groups 1"
       crlu -D -n TestCA-ec  -f "${R_PWFILE}" -d "${R_SERVERDIR}"
       crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
 	  -d "${R_SERVERDIR}"
       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
-  fi
 
   if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
       cert_log "ERROR: SSL CRL prep failed $CERTFAILED : $CRL_GEN_RES"
   else
       cert_log "SUCCESS: SSL CRL prep passed"
   fi
 }
 
--- a/tests/remote/Makefile
+++ b/tests/remote/Makefile
@@ -75,17 +75,16 @@ package_for_testing:
 	cat $(PCFG)                                  >> $(RTSH)
 	echo 'export NSS_TESTS=$(NSS_TESTS)'         >> $(RTSH)
 	echo 'export NSS_SSL_TESTS=$(NSS_SSL_TESTS)' >> $(RTSH)
 	echo 'export NSS_SSL_RUN=$(NSS_SSL_RUN)'     >> $(RTSH)
 	echo 'export NSS_CYCLES=$(NSS_CYCLES)'       >> $(RTSH)
 	echo 'export USE_64=$(USE_64)'               >> $(RTSH)
 	echo 'export BUILD_OPT=$(BUILD_OPT)'         >> $(RTSH)
 	echo 'export PKITS_DATA=$(PKITS_DATA)'       >> $(RTSH)
-	echo 'export NSS_DISABLE_ECC=$(NSS_DISABLE_ECC)'                     >> $(RTSH)
 	echo 'export NSPR_LOG_MODULES=$(NSPR_LOG_MODULES)'                   >> $(RTSH)
 ifeq ($(OS_TARGET),Android)
 	# Android doesn't support FIPS tests, because
 	# dladdr does not return a full path for implicitly loaded libraries
 	echo "export NSS_TEST_DISABLE_FIPS=1" >> $(DIST)/platform.cfg
 endif
 ifeq ($(CROSS_COMPILE),1)
 # execute signing on test system
--- a/tests/smime/smime.sh
+++ b/tests/smime/smime.sh
@@ -35,21 +35,17 @@ smime_init()
       . ./init.sh
   fi
   if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
       cd ../cert
       . ./cert.sh
   fi
   SCRIPTNAME=smime.sh
 
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
-      html_head "S/MIME Tests with ECC"
-  else
-      html_head "S/MIME Tests"
-  fi
+  html_head "S/MIME Tests"
 
   grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
       Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
   }
 
   SMIMEDIR=${HOSTDIR}/smime
   R_SMIMEDIR=../smime
   mkdir -p ${SMIMEDIR}
@@ -80,39 +76,37 @@ smime_sign()
   ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH}
   html_msg $? 0 "Decode Alice's Attached Signature (${HASH})" "."
 
   echo "diff alice.txt alice.data.${HASH}"
   diff alice.txt alice.data.${HASH}
   html_msg $? 0 "Compare Attached Signed Data and Original (${HASH})" "."
 
 # Test ECDSA signing for all hash algorithms.
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
-      echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
-      echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
-      ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
-      html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
+  echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
+  echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
+  ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
+  html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
 
-      echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
-      ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} 
-      html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
+  echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
+  ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} 
+  html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
 
-      echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------"
-      echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
-      ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
-      html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "."
+  echo "$SCRIPTNAME: Signing Attached Message (ECDSA w/ ${HASH}) ------------------"
+  echo "cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}"
+  ${PROFTOOL} ${BINDIR}/cmsutil -S -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.${SIG}
+  html_msg $? 0 "Create Attached Signature Alice (ECDSA w/ ${HASH})" "."
 
-      echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}"
-      ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}
-      html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
+  echo "cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}"
+  ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.${SIG} -d ${P_R_BOBDIR} -o alice-ec.data.${HASH}
+  html_msg $? 0 "Decode Alice's Attached Signature (ECDSA w/ ${HASH})" "."
 
-      echo "diff alice.txt alice-ec.data.${HASH}"
-      diff alice.txt alice-ec.data.${HASH}
-      html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
-  fi
+  echo "diff alice.txt alice-ec.data.${HASH}"
+  diff alice.txt alice-ec.data.${HASH}
+  html_msg $? 0 "Compare Attached Signed Data and Original (ECDSA w/ ${HASH})" "."
 
 }
 
 
 
 smime_p7()
 {
   echo "$SCRIPTNAME: p7 util Data Tests ------------------------------"
--- a/tests/ssl/ssl.sh
+++ b/tests/ssl/ssl.sh
@@ -91,25 +91,18 @@ ssl_init()
 
   EC_SUITES=":C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D"
   EC_SUITES="${EC_SUITES}:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027"
   EC_SUITES="${EC_SUITES}:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA"
 
   NON_EC_SUITES=":0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B"
   NON_EC_SUITES="${NON_EC_SUITES}:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdeinvyz"
 
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
-      ECC_STRING=" - with ECC"
-      # List of cipher suites to test, including ECC cipher suites.
-      CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}"
-  else
-      ECC_STRING=""
-      # List of cipher suites to test, excluding ECC cipher suites.
-      CIPHER_SUITES="-c ${NON_EC_SUITES}"
-  fi
+  # List of cipher suites to test, including ECC cipher suites.
+  CIPHER_SUITES="-c ${EC_SUITES}${NON_EC_SUITES}"
 
   if [ "${OS_ARCH}" != "WINNT" ]; then
       ulimit -n 1000 # make sure we have enough file descriptors
   fi
 
   cd ${CLIENTDIR}
 }
 
@@ -213,18 +206,17 @@ kill_selfserv()
 # also: wait until the server is up and running
 ########################################################################
 start_selfserv()
 {
   if [ -n "$testname" ] ; then
       echo "$SCRIPTNAME: $testname ----"
   fi
   sparam=`echo $sparam | sed -e 's;_; ;g'`
-  if [ -z "$NSS_DISABLE_ECC" ] && \
-     [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then
+  if [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then
       ECC_OPTIONS="-e ${HOSTADDR}-ecmixed -e ${HOSTADDR}-ec"
   else
       ECC_OPTIONS=""
   fi
   echo "selfserv starting at `date`"
   echo "selfserv -D -p ${PORT} -d ${P_R_SERVERDIR} -n ${HOSTADDR} ${SERVER_OPTIONS} \\"
   echo "         ${ECC_OPTIONS} -S ${HOSTADDR}-dsa -w nss ${sparam} -i ${R_SERVERPID}\\"
   echo "         -V ssl3:tls1.2 $verbose -H 1 &"
@@ -270,33 +262,33 @@ ignore_blank_lines()
 }
 
 ############################## ssl_cov #################################
 # local shell function to perform SSL Cipher Coverage tests
 ########################################################################
 ssl_cov()
 {
   #verbose="-v"
-  html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+  html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   testname=""
   sparam="$CIPHER_SUITES"
 
   start_selfserv # Launch the server
 
   VMIN="ssl3"
   VMAX="tls1.1"
 
   ignore_blank_lines ${SSLCOV} | \
   while read ectype testmax param testname
   do
       echo "${testname}" | grep "EXPORT" > /dev/null
       EXP=$?
 
-      if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+      if [ "$ectype" = "ECC" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
       else
           echo "$SCRIPTNAME: running $testname ----------------------------"
           VMAX="ssl3"
           if [ "$testmax" = "TLS10" ]; then
               VMAX="tls1.0"
           fi
           if [ "$testmax" = "TLS11" ]; then
@@ -326,29 +318,29 @@ ssl_cov()
 }
 
 ############################## ssl_auth ################################
 # local shell function to perform SSL  Client Authentication tests
 ########################################################################
 ssl_auth()
 {
   #verbose="-v"
-  html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+  html_head "SSL Client Authentication $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   ignore_blank_lines ${SSLAUTH} | \
   while read ectype value sparam cparam testname
   do
       echo "${testname}" | grep "don't require client auth" > /dev/null
       CAUTH=$?
 
       if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
       elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
-      elif [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
+      elif [ "$ectype" = "ECC" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
       else
           cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
           if [ "$ectype" = "SNI" ]; then
               cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
               sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
           fi
           start_selfserv
@@ -470,17 +462,17 @@ ssl_stapling_stress()
     P_R_SERVERDIR=${SAVE_P_R_SERVERDIR}
 }
 
 ############################ ssl_stapling ##############################
 # local shell function to perform SSL Cert Status (OCSP Stapling) tests
 ########################################################################
 ssl_stapling()
 {
-  html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+  html_head "SSL Cert Status (OCSP Stapling) $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   # tstclnt Exit code:
   # 0: have fresh and valid revocation data, status good
   # 1: cert failed to verify, prior to revocation checking
   # 2: missing, old or invalid revocation data
   # 3: have fresh and valid revocation data, status revoked
 
   # selfserv modes
@@ -503,17 +495,17 @@ ssl_stapling()
 }
 
 ############################ ssl_signed_cert_timestamps #################
 # local shell function to perform SSL Signed Certificate Timestamp tests
 #########################################################################
 ssl_signed_cert_timestamps()
 {
   #verbose="-v"
-  html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+  html_head "SSL Signed Certificate Timestamps $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
     testname="ssl_signed_cert_timestamps"
     value=0
 
     if [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
         return 0
     fi
@@ -541,29 +533,29 @@ ssl_signed_cert_timestamps()
 }
 
 
 ############################## ssl_stress ##############################
 # local shell function to perform SSL stress test
 ########################################################################
 ssl_stress()
 {
-  html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+  html_head "SSL Stress Test $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   ignore_blank_lines ${SSLSTRESS} | \
   while read ectype value sparam cparam testname
   do
       echo "${testname}" | grep "client auth" > /dev/null
       CAUTH=$?
       echo "${testname}" | grep "no login" > /dev/null
       NOLOGIN=$?
 
       if [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
-      elif [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
+      elif [ "$ectype" = "ECC" -a ] ; then
           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
       elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
       elif [ "${NOLOGIN}" -eq 0 ] && \
            [ "${CLIENT_MODE}" = "fips" -o "$NORM_EXT" = "Extended Test" ] ; then
           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
       else
           cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
@@ -607,28 +599,28 @@ ssl_stress()
 }
 
 ############################ ssl_crl_ssl ###############################
 # local shell function to perform SSL test with/out revoked certs tests
 ########################################################################
 ssl_crl_ssl()
 {
   #verbose="-v"
-  html_head "CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+  html_head "CRL SSL Client Tests $NORM_EXT"
 
   # Using First CRL Group for this test. There are $CRL_GRP_1_RANGE certs in it.
   # Cert number $UNREVOKED_CERT_GRP_1 was not revoked
   CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
   CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
   UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
 
   ignore_blank_lines ${SSLAUTH} | \
   while read ectype value sparam cparam testname
   do
-    if [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
+    if [ "$ectype" = "ECC" ] ; then
         echo "$SCRIPTNAME: skipping $testname (ECC only)"
     elif [ "$ectype" = "SNI" ]; then
         continue
     else
 	servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
 	pwd=`echo $cparam | grep nss`
 	user=`echo $cparam | grep TestUser`
 	_cparam=$cparam
@@ -685,17 +677,17 @@ ssl_crl_ssl()
 }
 
 ############################## ssl_cov #################################
 # local shell function to perform SSL Policy tests
 ########################################################################
 ssl_policy()
 {
   #verbose="-v"
-  html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
+  html_head "SSL POLICY $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE"
 
   testname=""
   sparam="$CIPHER_SUITES"
 
   if [ ! -f "${P_R_CLIENTDIR}/pkcs11.txt" ] ; then
       return;
   fi
 
@@ -707,17 +699,17 @@ ssl_policy()
   VMIN="ssl3"
   VMAX="tls1.2"
 
   ignore_blank_lines ${SSLPOLICY} | \
   while read value ectype testmax param policy testname
   do
       VMIN="ssl3"
 
-      if [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
+      if [ "$ectype" = "ECC" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
       else
           echo "$SCRIPTNAME: running $testname ----------------------------"
           VMAX="ssl3"
           if [ "$testmax" = "TLS10" ]; then
               VMAX="tls1.0"
           fi
           if [ "$testmax" = "TLS11" ]; then
@@ -886,33 +878,33 @@ GET crl://${SERVERDIR}/root.crl_${grpBeg
 
 ########################### ssl_crl_cache ##############################
 # local shell function to perform SSL test for crl cache functionality
 # with/out revoked certs
 ########################################################################
 ssl_crl_cache()
 {
   #verbose="-v"
-  html_head "Cache CRL SSL Client Tests $NORM_EXT $ECC_STRING"
+  html_head "Cache CRL SSL Client Tests $NORM_EXT"
   SSLAUTH_TMP=${TMP}/authin.tl.tmp
   SERV_ARG=-r_-r
   rm -f ${SSLAUTH_TMP}
   echo ${SSLAUTH_TMP}
 
   grep -- " $SERV_ARG " ${SSLAUTH} | grep -v "^#" | grep -v none | grep -v bogus > ${SSLAUTH_TMP}
   echo $?
   while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
     do
     sparam=$SERV_ARG
     start_selfserv
     exec < ${SSLAUTH_TMP}
     while read ectype value sparam cparam testname
       do
       [ "$ectype" = "" ] && continue
-      if [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
+      if [ "$ectype" = "ECC" ] ; then
         echo "$SCRIPTNAME: skipping  $testname (ECC only)"
       elif [ "$ectype" = "SNI" ]; then
           continue
       else
         servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
         pwd=`echo $cparam | grep nss`
         user=`echo $cparam | grep TestUser`
         _cparam=$cparam
--- a/tests/tools/tools.sh
+++ b/tests/tools/tools.sh
@@ -71,21 +71,17 @@ tools_init()
       . ./init.sh
   fi
   if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
       cd ../cert
       . ./cert.sh
   fi
   SCRIPTNAME=tools.sh
 
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
-      html_head "Tools Tests with ECC"
-  else
-      html_head "Tools Tests"
-  fi
+  html_head "Tools Tests"
 
   grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
       Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
   }
 
   TOOLSDIR=${HOSTDIR}/tools
   COPYDIR=${TOOLSDIR}/copydir
   SIGNDIR=${TOOLSDIR}/signdir
@@ -392,40 +388,38 @@ tools_p12_export_with_invalid_ciphers()
 # Repeats the test with ECC if enabled.
 ########################################################################
 tools_p12_export_list_import_with_default_ciphers()
 {
   echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers"
   
   export_list_import "DEFAULT" "DEFAULT"
 
-  if [ -z "$NSS_DISABLE_ECC" ] ; then
-      echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
-      echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
-      echo "         -w ${R_PWFILE}"
-      ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
-           -w ${R_PWFILE} 2>&1 
-      ret=$?
-      html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
-      check_tmpfile
+  echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
+  echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
+  echo "         -w ${R_PWFILE}"
+  ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
+       -w ${R_PWFILE} 2>&1 
+  ret=$?
+  html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
+  check_tmpfile
 
-      echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
-      echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
-      ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
-      ret=$?
-      html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
-      check_tmpfile
+  echo "$SCRIPTNAME: Importing Alice's email EC cert & key --------------"
+  echo "pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE}"
+  ${BINDIR}/pk12util -i Alice-ec.p12 -d ${P_R_COPYDIR} -k ${R_PWFILE} -w ${R_PWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Importing Alice's email EC cert & key (pk12util -i)"
+  check_tmpfile
 
-      echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
-      echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
-      ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
-      ret=$?
-      html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
-      check_tmpfile
-  fi
+  echo "$SCRIPTNAME: Listing Alice's pk12 EC file -----------------"
+  echo "pk12util -l Alice-ec.p12 -w ${R_PWFILE}"
+  ${BINDIR}/pk12util -l Alice-ec.p12 -w ${R_PWFILE} 2>&1
+  ret=$?
+  html_msg $ret 0 "Listing Alice's pk12 EC file (pk12util -l)"
+  check_tmpfile
 }
 
 ############################## tools_p12 ###############################
 # local shell function to test basic functionality of pk12util
 ########################################################################
 tools_p12()
 {
   tools_p12_export_list_import_with_default_ciphers