Bug 967153: Update to NSS 3.16 beta 5 (NSS_3_16_BETA5), r=me, a=sledru
authorBrian Smith <brian@briansmith.org>
Sun, 09 Mar 2014 20:29:21 -0700
changeset 184224 bf60b72ca0354ff06ed960c7191d11b7851e7984
parent 184223 ebf3963ed46ac089314fc99b4f5b176583898e0f
child 184225 fbbdc60eea00a27d5e3ab3be8ac9a317a760f25b
push id462
push userraliiev@mozilla.com
push dateTue, 22 Apr 2014 00:22:30 +0000
treeherdermozilla-release@ac5db8c74ac0 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersme, sledru
bugs967153
milestone29.0a2
Bug 967153: Update to NSS 3.16 beta 5 (NSS_3_16_BETA5), r=me, a=sledru
security/nss/Makefile
security/nss/TAG-INFO
security/nss/automation/buildbot-slave/bbenv-example.sh
security/nss/automation/buildbot-slave/build.sh
security/nss/cmd/bltest/blapitest.c
security/nss/cmd/certutil/certutil.c
security/nss/cmd/certutil/keystuff.c
security/nss/cmd/fipstest/fipstest.c
security/nss/cmd/lib/secutil.c
security/nss/cmd/modutil/install.c
security/nss/cmd/selfserv/selfserv.c
security/nss/cmd/ssltap/ssltap.c
security/nss/cmd/strsclnt/strsclnt.c
security/nss/cmd/tstclnt/tstclnt.c
security/nss/cmd/vfyserv/vfyserv.c
security/nss/cmd/vfyserv/vfyutil.c
security/nss/coreconf/Linux.mk
security/nss/coreconf/config.mk
security/nss/coreconf/coreconf.dep
security/nss/coverage/cov.sh
security/nss/lib/certdb/certdb.c
security/nss/lib/ckfw/builtins/certdata.txt
security/nss/lib/dbm/include/mcom_db.h
security/nss/lib/freebl/Makefile
security/nss/lib/freebl/arcfour.c
security/nss/lib/freebl/ec.c
security/nss/lib/freebl/loader.c
security/nss/lib/freebl/manifest.mn
security/nss/lib/freebl/mpi/mpi.h
security/nss/lib/freebl/mpi/target.mk
security/nss/lib/libpkix/include/pkix_pl_pki.h
security/nss/lib/nss/nss.h
security/nss/lib/pk11wrap/pk11pub.h
security/nss/lib/pk11wrap/pk11slot.c
security/nss/lib/softoken/ecdecode.c
security/nss/lib/softoken/fipstest.c
security/nss/lib/softoken/legacydb/keydb.c
security/nss/lib/softoken/legacydb/lgattr.c
security/nss/lib/softoken/legacydb/lgcreate.c
security/nss/lib/softoken/legacydb/lowcert.c
security/nss/lib/softoken/legacydb/lowkey.c
security/nss/lib/softoken/legacydb/lowkeyi.h
security/nss/lib/softoken/legacydb/lowkeyti.h
security/nss/lib/softoken/lowkey.c
security/nss/lib/softoken/lowkeyi.h
security/nss/lib/softoken/lowkeyti.h
security/nss/lib/softoken/pkcs11.c
security/nss/lib/softoken/pkcs11c.c
security/nss/lib/softoken/pkcs11u.c
security/nss/lib/softoken/softkver.h
security/nss/lib/softoken/softoken.h
security/nss/lib/ssl/derive.c
security/nss/lib/ssl/dtlscon.c
security/nss/lib/ssl/ssl3con.c
security/nss/lib/ssl/ssl3ecc.c
security/nss/lib/ssl/ssl3ext.c
security/nss/lib/ssl/sslcon.c
security/nss/lib/ssl/sslenum.c
security/nss/lib/ssl/sslimpl.h
security/nss/lib/ssl/sslinfo.c
security/nss/lib/ssl/sslnonce.c
security/nss/lib/ssl/sslproto.h
security/nss/lib/ssl/sslsecur.c
security/nss/lib/ssl/sslt.h
security/nss/lib/zlib/config.mk
security/nss/tests/all.sh
security/nss/tests/cert/cert.sh
security/nss/tests/common/cleanup.sh
security/nss/tests/remote/Makefile
security/nss/tests/smime/smime.sh
security/nss/tests/ssl/ssl.sh
security/nss/tests/tools/tools.sh
--- a/security/nss/Makefile
+++ b/security/nss/Makefile
@@ -56,16 +56,19 @@ NSPR_CONFIGURE = $(CORE_DEPTH)/../nspr/c
 #
 
 ifeq ($(OS_TARGET),Android)
 NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) --target=arm-linux-androideabi --with-android-version=$(OS_TARGET_RELEASE)
 endif
 ifdef BUILD_OPT
 NSPR_CONFIGURE_OPTS += --disable-debug --enable-optimize
 endif
+ifdef USE_X32
+NSPR_CONFIGURE_OPTS += --enable-x32
+endif
 ifdef USE_64
 NSPR_CONFIGURE_OPTS += --enable-64bit
 endif
 ifeq ($(OS_TARGET),WIN95)
 NSPR_CONFIGURE_OPTS += --enable-win32-target=WIN95
 endif
 ifdef USE_DEBUG_RTL
 NSPR_CONFIGURE_OPTS += --enable-debug-rtl
--- a/security/nss/TAG-INFO
+++ b/security/nss/TAG-INFO
@@ -1,1 +1,1 @@
-NSS_3_16_BETA3
+NSS_3_16_BETA5
--- a/security/nss/automation/buildbot-slave/bbenv-example.sh
+++ b/security/nss/automation/buildbot-slave/bbenv-example.sh
@@ -14,18 +14,16 @@ export HOST
 #HOST=localhost
 #DOMSUF=localdomain
 #export DOMSUF
 
 ARCH=$(uname -s)
 
 ulimit -c unlimited 2> /dev/null
 
-export NSS_ENABLE_ECC=1
-export NSS_ECC_MORE_THAN_SUITE_B=1
 export NSPR_LOG_MODULES="pkix:1"
 
 #export JAVA_HOME_32=
 #export JAVA_HOME_64=
 
 #enable if you have PKITS data
 #export PKITS_DATA=$HOME/pkits/data/
 
--- a/security/nss/automation/buildbot-slave/build.sh
+++ b/security/nss/automation/buildbot-slave/build.sh
@@ -283,17 +283,17 @@ prepare()
 {
     rm -rf ${OUTPUTDIR}.oldest >/dev/null 2>&1
     mv ${OUTPUTDIR}.older ${OUTPUTDIR}.oldest >/dev/null 2>&1
     mv ${OUTPUTDIR}.old ${OUTPUTDIR}.older >/dev/null 2>&1
     mv ${OUTPUTDIR}.last ${OUTPUTDIR}.old >/dev/null 2>&1
     mv ${OUTPUTDIR} ${OUTPUTDIR}.last >/dev/null 2>&1
     mkdir -p ${OUTPUTDIR}
 
-    if [ -n "${NSS_ENABLE_ECC}" -a -n "${NSS_ECC_MORE_THAN_SUITE_B}" ]; then
+    if [ -z "${NSS_DISABLE_ECC}" -a -n "${NSS_ECC_MORE_THAN_SUITE_B}" ]; then
         cd ${HGDIR}/nss
         ECF="lib/freebl/ecl/ecl-curve.h"
 	print_log "hg revert -r NSS_3_11_1_RTM ${ECF}"
         hg revert -r NSS_3_11_1_RTM security/nss/${ECF}
         cp -f security/nss/${ECF} ${ECF}
     fi
 
     return 0
--- a/security/nss/cmd/bltest/blapitest.c
+++ b/security/nss/cmd/bltest/blapitest.c
@@ -16,17 +16,17 @@
 #include "basicutil.h"
 #include "plgetopt.h"
 #include "softoken.h"
 #include "nspr.h"
 #include "secport.h"
 #include "secoid.h"
 #include "nssutil.h"
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 #include "ecl-curve.h"
 SECStatus EC_DecodeParams(const SECItem *encodedParams, 
 	ECParams **ecparams);
 SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
 	      const ECParams *srcParams);
 #endif
 
 char *progName;
@@ -128,25 +128,25 @@ static void Usage()
     PRINTUSAGE("",	"-b", "size of input buffer");
     PRINTUSAGE("",	"-p", "do performance test");
     PRINTUSAGE("",	"-4", "run test in multithread mode. th_num number of parallel threads");
     PRINTUSAGE("",	"-5", "run test for specified time interval(in seconds)");
     fprintf(stderr, "\n");
     PRINTUSAGE(progName, "-S -m mode", "Sign a buffer");
     PRINTUSAGE("",	"", "[-i plaintext] [-o signature] [-k key]");
     PRINTUSAGE("",	"", "[-b bufsize]");
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     PRINTUSAGE("",	"", "[-n curvename]");
 #endif
     PRINTUSAGE("",	"", "[-p repetitions | -5 time_interval] [-4 th_num]");
     PRINTUSAGE("",	"-m", "cipher mode to use");
     PRINTUSAGE("",	"-i", "file which contains input buffer");
     PRINTUSAGE("",	"-o", "file for signature");
     PRINTUSAGE("",	"-k", "file which contains key");
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     PRINTUSAGE("",	"-n", "name of curve for EC key generation; one of:");
     PRINTUSAGE("",  "",   "  sect163k1, nistk163, sect163r1, sect163r2,");
     PRINTUSAGE("",  "",   "  nistb163, sect193r1, sect193r2, sect233k1, nistk233,");
     PRINTUSAGE("",  "",   "  sect233r1, nistb233, sect239k1, sect283k1, nistk283,");
     PRINTUSAGE("",  "",   "  sect283r1, nistb283, sect409k1, nistk409, sect409r1,");
     PRINTUSAGE("",  "",   "  nistb409, sect571k1, nistk571, sect571r1, nistb571,");
     PRINTUSAGE("",  "",   "  secp160k1, secp160r1, secp160r2, secp192k1, secp192r1,");
     PRINTUSAGE("",  "",   "  nistp192, secp224k1, secp224r1, nistp224, secp256k1,");
@@ -385,17 +385,17 @@ dsakey_from_filedata(SECItem *filedata)
     PLArenaPool *arena;
     arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
     key = (DSAPrivateKey *)PORT_ArenaZAlloc(arena, sizeof(DSAPrivateKey));
     key->params.arena = arena;
     key_from_filedata(arena, &key->params.prime, 0, 5, filedata);
     return key;
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 static ECPrivateKey *
 eckey_from_filedata(SECItem *filedata)
 {
     ECPrivateKey *key;
     PLArenaPool *arena;
     SECStatus rv;
     ECParams *tmpECParams = NULL;
     arena = PORT_NewArena(BLTEST_DEFAULT_CHUNKSIZE);
@@ -539,17 +539,17 @@ getECParams(const char *curve)
      * oidData->oid.data so we simply prepend 0x06 and OID length
      */
     ecparams->data[0] = SEC_ASN1_OBJECT_ID;
     ecparams->data[1] = oidData->oid.len;
     memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
 
     return ecparams;
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 static void
 dump_pqg(PQGParams *pqg)
 {
     SECU_PrintInteger(stdout, &pqg->prime, "PRIME:", 0);
     SECU_PrintInteger(stdout, &pqg->subPrime, "SUBPRIME:", 0);
     SECU_PrintInteger(stdout, &pqg->base, "BASE:", 0);
 }
@@ -557,17 +557,17 @@ dump_pqg(PQGParams *pqg)
 static void
 dump_dsakey(DSAPrivateKey *key)
 {
     dump_pqg(&key->params);
     SECU_PrintInteger(stdout, &key->publicValue, "PUBLIC VALUE:", 0);
     SECU_PrintInteger(stdout, &key->privateValue, "PRIVATE VALUE:", 0);
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 static void
 dump_ecp(ECParams *ecp)
 {
     /* TODO other fields */
     SECU_PrintInteger(stdout, &ecp->base, "BASE POINT:", 0);
 }
 
 static void
@@ -646,17 +646,17 @@ typedef enum {
     bltestAES_GCM,        /* .                     */
     bltestCAMELLIA_ECB,   /* .                     */
     bltestCAMELLIA_CBC,   /* .                     */
     bltestSEED_ECB,       /* SEED algorithm	   */
     bltestSEED_CBC,       /* SEED algorithm	   */
     bltestRSA,            /* Public Key Ciphers    */
     bltestRSA_OAEP,       /* . (Public Key Enc.)   */
     bltestRSA_PSS,        /* . (Public Key Sig.)   */
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     bltestECDSA,          /* . (Public Key Sig.)   */
 #endif
     bltestDSA,            /* . (Public Key Sig.)   */
     bltestMD2,		  /* Hash algorithms	   */
     bltestMD5,		  /* .			   */
     bltestSHA1,           /* .			   */
     bltestSHA224,         /* .			   */
     bltestSHA256,         /* .			   */
@@ -685,17 +685,17 @@ static char *mode_strings[] =
     "aes_gcm",
     "camellia_ecb",
     "camellia_cbc",
     "seed_ecb",
     "seed_cbc",
     "rsa",
     "rsa_oaep",
     "rsa_pss",
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     "ecdsa",
 #endif
     /*"pqg",*/
     "dsa",
     "md2",
     "md5",
     "sha1",
     "sha224",
@@ -739,17 +739,17 @@ typedef struct
 {
     bltestIO   pqgdata;
     unsigned int keysize;
     bltestIO   keyseed;
     bltestIO   sigseed;
     PQGParams *pqg;
 } bltestDSAParams;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 typedef struct
 {
     char      *curveName;
     bltestIO   sigseed;
 } bltestECDSAParams;
 #endif
 
 typedef struct
@@ -758,17 +758,17 @@ typedef struct
     void *   privKey;
     void *   pubKey;
     bltestIO sig; /* if doing verify, the signature (which may come
                    * from sigfile. */
 
     union {
         bltestRSAParams rsa;
         bltestDSAParams dsa;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
         bltestECDSAParams ecdsa;
 #endif
     } cipherParams;
 } bltestAsymKeyParams;
 
 typedef struct
 {
     bltestIO   key; /* unused */
@@ -1261,17 +1261,17 @@ dsa_signDigest(void *cx, SECItem *output
 
 SECStatus
 dsa_verifyDigest(void *cx, SECItem *output, const SECItem *input)
 {
     bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
     return DSA_VerifyDigest((DSAPublicKey *)params->pubKey, output, input);
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 SECStatus
 ecdsa_signDigest(void *cx, SECItem *output, const SECItem *input)
 {
     bltestAsymKeyParams *params = (bltestAsymKeyParams *)cx;
     if (params->cipherParams.ecdsa.sigseed.buf.len > 0) {
         return ECDSA_SignDigestWithSeed(
                         (ECPrivateKey *)params->privKey,
                         output, input,
@@ -1715,17 +1715,17 @@ bltest_dsa_init(bltestCipherInfo *cipher
 	pubkey->publicValue.len = key->publicValue.len;
 	pubkey->publicValue.data = key->publicValue.data;
 	asymk->pubKey = pubkey;
 	cipherInfo->cipher.pubkeyCipher = dsa_verifyDigest;
     }
     return SECSuccess;
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 SECStatus
 bltest_ecdsa_init(bltestCipherInfo *cipherInfo, PRBool encrypt)
 {
     int i;
     ECPrivateKey **dummyKey;
     PRIntervalTime time1, time2;
     bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
     cipherInfo->cx = asymk;
@@ -2072,30 +2072,30 @@ SHA512_restart(unsigned char *dest, cons
     SHA512_End(cx, dest, &len, MD5_LENGTH);
 finish:
     SHA512_DestroyContext(cx, PR_TRUE);
     return rv;
 }
 
 SECStatus
 pubkeyInitKey(bltestCipherInfo *cipherInfo, PRFileDesc *file,
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	      int keysize, int exponent, char *curveName)
 #else
 	      int keysize, int exponent)
 #endif
 {
     int i;
     SECStatus rv = SECSuccess;
     bltestAsymKeyParams *asymk = &cipherInfo->params.asymk;
     bltestRSAParams *rsap;
     RSAPrivateKey **rsaKey = NULL;
     bltestDSAParams *dsap;
     DSAPrivateKey **dsaKey = NULL;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     SECItem *tmpECParamsDER;
     ECParams *tmpECParams = NULL;
     SECItem ecSerialize[3];
     ECPrivateKey **ecKey = NULL;
 #endif
     switch (cipherInfo->mode) {
     case bltestRSA:
     case bltestRSA_PSS:
@@ -2127,17 +2127,17 @@ pubkeyInitKey(bltestCipherInfo *cipherIn
 	    CHECKERROR(rv, __LINE__);
 	    serialize_key(&(*dsaKey)->params.prime, 5, file);
 	} else {
 	    setupIO(cipherInfo->arena, &asymk->key, file, NULL, 0);
 	    *dsaKey = dsakey_from_filedata(&asymk->key.buf);
 	    dsap->keysize = (*dsaKey)->params.prime.len*8;
 	}
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case bltestECDSA:
 	ecKey = (ECPrivateKey **)&asymk->privKey;
 	if (curveName != NULL) {
 	    tmpECParamsDER = getECParams(curveName);
 	    rv = SECOID_Init();
 	    CHECKERROR(rv, __LINE__);
 	    rv = EC_DecodeParams(tmpECParamsDER, &tmpECParams) == SECFailure;
 	    CHECKERROR(rv, __LINE__);
@@ -2239,17 +2239,17 @@ cipherInit(bltestCipherInfo *cipherInfo,
 	break;
     case bltestDSA:
 	if (encrypt) {
 		SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
 		                  DSA_MAX_SIGNATURE_LEN);
 	}
 	return bltest_dsa_init(cipherInfo, encrypt);
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case bltestECDSA:
 	if (encrypt) {
 		SECITEM_AllocItem(cipherInfo->arena, &cipherInfo->output.buf,
 		                  2 * MAX_ECKEY_LEN);
 	}
 	return bltest_ecdsa_init(cipherInfo, encrypt);
 	break;
 #endif
@@ -2489,17 +2489,17 @@ cipherFinish(bltestCipherInfo *cipherInf
     case bltestRC5_CBC:
 	RC5_DestroyContext((RC5Context *)cipherInfo->cx, PR_TRUE);
 	break;
 #endif
     case bltestRSA:      /* keys are alloc'ed within cipherInfo's arena, */
     case bltestRSA_PSS:  /* will be freed with it. */
     case bltestRSA_OAEP:
     case bltestDSA:
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case bltestECDSA:
 #endif
     case bltestMD2: /* hash contexts are ephemeral */
     case bltestMD5:
     case bltestSHA1:
     case bltestSHA224:
     case bltestSHA256:
     case bltestSHA384:
@@ -2669,17 +2669,17 @@ print_td:
           break;
       case bltestDSA:
           if (td) {
               fprintf(stdout, "%8s", "pqg_mod");
           } else {
               fprintf(stdout, "%8d", info->params.asymk.cipherParams.dsa.keysize);
           }
           break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
       case bltestECDSA:
           if (td) {
               fprintf(stdout, "%12s", "ec_curve");
           } else {
               ECPrivateKey *key = (ECPrivateKey*)info->params.asymk.privKey;
               ECCurveName curveName = key->ecParams.name;
               fprintf(stdout, "%12s",
                       ecCurve_map[curveName]? ecCurve_map[curveName]->text:
@@ -2901,17 +2901,17 @@ get_params(PLArenaPool *arena, bltestPar
 	load_file_data(arena, &params->asymk.cipherParams.dsa.keyseed, filename,
 	               bltestBase64Encoded);
 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
 	load_file_data(arena, &params->asymk.cipherParams.dsa.sigseed, filename,
 	               bltestBase64Encoded);
 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "ciphertext",j);
 	load_file_data(arena, &params->asymk.sig, filename, bltestBase64Encoded);
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case bltestECDSA:
 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "key", j);
 	load_file_data(arena, &params->asymk.key, filename, bltestBase64Encoded);
 	params->asymk.privKey =
 	      (void *)eckey_from_filedata(&params->asymk.key.buf);
 	sprintf(filename, "%s/tests/%s/%s%d", testdir, modestr, "sigseed", j);
 	load_file_data(arena, &params->asymk.cipherParams.ecdsa.sigseed,
 	               filename, bltestBase64Encoded);
@@ -3123,17 +3123,17 @@ dump_file(bltestCipherMode mode, char *f
 	get_file_data(filename, &item, PR_TRUE);
 	pqg = pqg_from_filedata(&item);
 	dump_pqg(pqg);
 #endif
 	DSAPrivateKey *key;
 	load_file_data(arena, &keydata, filename, bltestBase64Encoded);
 	key = dsakey_from_filedata(&keydata.buf);
 	dump_dsakey(key);
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     } else if (mode == bltestECDSA) {
 	ECPrivateKey *key;
 	load_file_data(arena, &keydata, filename, bltestBase64Encoded);
 	key = eckey_from_filedata(&keydata.buf);
 	dump_eckey(key);
 #endif
     }
     PORT_FreeArena(arena, PR_FALSE);
@@ -3368,17 +3368,17 @@ enum {
     opt_SigFile,
     opt_KeySize,
     opt_Hex,
     opt_Input,
     opt_PQGFile,
     opt_Key,
     opt_HexWSpc,
     opt_Mode,
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     opt_CurveName,
 #endif
     opt_Output,
     opt_Repetitions,
     opt_ZeroBuf,
     opt_Rounds,
     opt_Seed,
     opt_SigSeedFile,
@@ -3421,17 +3421,17 @@ static secuCommandFlag bltest_options[] 
     { /* opt_SigFile      */ 'f', PR_TRUE,  0, PR_FALSE },
     { /* opt_KeySize	  */ 'g', PR_TRUE,  0, PR_FALSE },
     { /* opt_Hex	  */ 'h', PR_FALSE, 0, PR_FALSE },
     { /* opt_Input	  */ 'i', PR_TRUE,  0, PR_FALSE },
     { /* opt_PQGFile	  */ 'j', PR_TRUE,  0, PR_FALSE },
     { /* opt_Key	  */ 'k', PR_TRUE,  0, PR_FALSE },
     { /* opt_HexWSpc	  */ 'l', PR_FALSE, 0, PR_FALSE },
     { /* opt_Mode	  */ 'm', PR_TRUE,  0, PR_FALSE },
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     { /* opt_CurveName	  */ 'n', PR_TRUE,  0, PR_FALSE },
 #endif
     { /* opt_Output	  */ 'o', PR_TRUE,  0, PR_FALSE },
     { /* opt_Repetitions  */ 'p', PR_TRUE,  0, PR_FALSE },
     { /* opt_ZeroBuf	  */ 'q', PR_FALSE, 0, PR_FALSE },
     { /* opt_Rounds	  */ 'r', PR_TRUE,  0, PR_FALSE },
     { /* opt_Seed	  */ 's', PR_TRUE,  0, PR_FALSE },
     { /* opt_SigSeedFile  */ 't', PR_TRUE,  0, PR_FALSE },
@@ -3456,17 +3456,17 @@ int main(int argc, char **argv)
     SECStatus rv = SECFailure;
 
     double              totalTime;
     PRIntervalTime      time1, time2;
     PRFileDesc          *outfile = NULL;
     bltestCipherInfo    *cipherInfoListHead, *cipherInfo;
     bltestIOMode        ioMode;
     int                 bufsize, exponent, curThrdNum;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     char		*curveName = NULL;
 #endif
     int			 i, commandsEntered;
     int			 inoff, outoff;
     int                  threads = 1;
 
     secuCommand bltest;
     bltest.numCommands = sizeof(bltest_commands) / sizeof(secuCommandFlag);
@@ -3690,17 +3690,17 @@ int main(int argc, char **argv)
 	     (bltest.options[opt_HexWSpc].activated) ? bltestHexSpaceDelim :
 						       bltestBinary;
 
     if (bltest.options[opt_Exponent].activated)
 	exponent = PORT_Atoi(bltest.options[opt_Exponent].arg);
     else
 	exponent = 65537;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     if (bltest.options[opt_CurveName].activated)
 	curveName = PORT_Strdup(bltest.options[opt_CurveName].arg);
     else
 	curveName = NULL;
 #endif
 
     if (bltest.commands[cmd_Verify].activated &&
         !bltest.options[opt_SigFile].activated) {
@@ -3778,17 +3778,17 @@ int main(int argc, char **argv)
             } else {
                 if (bltest.options[opt_KeySize].activated)
                     keysize = PORT_Atoi(bltest.options[opt_KeySize].arg);
                 else
                     keysize = 64; /* use 512-bit default */
                 file = PR_Open("tmp.key", PR_WRONLY|PR_CREATE_FILE, 00660);
             }
             params->key.mode = bltestBase64Encoded;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
             pubkeyInitKey(cipherInfo, file, keysize, exponent, curveName);
 #else
             pubkeyInitKey(cipherInfo, file, keysize, exponent);
 #endif
             PR_Close(file);
         }
 
         /* set up an initialization vector. */
--- a/security/nss/cmd/certutil/certutil.c
+++ b/security/nss/cmd/certutil/certutil.c
@@ -963,25 +963,25 @@ PrintSyntax(char *progName)
     FPS "\t%s -E -n cert-name -t trustargs [-d certdir] [-P dbprefix] [-a] [-i input]\n", 
 	progName);
     FPS "\t%s -F -n nickname [-d certdir] [-P dbprefix]\n", 
 	progName);
     FPS "\t%s -G -n key-name [-h token-name] [-k rsa] [-g key-size] [-y exp]\n" 
 	"\t\t [-f pwfile] [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -G [-h token-name] -k dsa [-q pqgfile -g key-size] [-f pwfile]\n"
 	"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     FPS "\t%s -G [-h token-name] -k ec -q curve [-f pwfile]\n"
 	"\t\t [-z noisefile] [-d certdir] [-P dbprefix]\n", progName);
     FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|ec|rsa|all]\n", 
 	progName);
 #else
     FPS "\t%s -K [-n key-name] [-h token-name] [-k dsa|rsa|all]\n", 
 	progName);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     FPS "\t\t [-f pwfile] [-X] [-d certdir] [-P dbprefix]\n");
     FPS "\t%s --upgrade-merge --source-dir upgradeDir --upgrade-id uniqueID\n",
 	progName);
     FPS "\t\t [--upgrade-token-name tokenName] [-d targetDBDir]\n");
     FPS "\t\t [-P targetDBPrefix] [--source-prefix upgradeDBPrefix]\n");
     FPS "\t\t [-f targetPWfile] [-@ upgradePWFile]\n");
     FPS "\t%s --merge --source-dir sourceDBDir [-d targetDBdir]\n",
 	progName);
@@ -1150,36 +1150,36 @@ static void luG(enum usage_level ul, con
     int is_my_command = (command && 0 == strcmp(command, "G"));
     if (ul == usage_all || !command || is_my_command)
     FPS "%-15s Generate a new key pair\n",
         "-G");
     if (ul == usage_selected && !is_my_command)
         return;
     FPS "%-20s Name of token in which to generate key (default is internal)\n",
         "   -h token-name");
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
         "   -k key-type");
     FPS "%-20s Key size in bits, (min %d, max %d, default %d) (not for ec)\n",
         "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
 #else
     FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
         "   -k key-type");
     FPS "%-20s Key size in bits, (min %d, max %d, default %d)\n",
         "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     FPS "%-20s Set the public exponent value (3, 17, 65537) (rsa only)\n",
         "   -y exp");
     FPS "%-20s Specify the password file\n",
         "   -f password-file");
     FPS "%-20s Specify the noise file to be used\n",
         "   -z noisefile");
     FPS "%-20s read PQG value from pqgfile (dsa only)\n",
         "   -q pqgfile");
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     FPS "%-20s Elliptic curve name (ec only)\n",
         "   -q curve-name");
     FPS "%-20s One of nistp256, nistp384, nistp521\n", "");
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
     FPS "%-20s sect163k1, nistk163, sect163r1, sect163r2,\n", "");
     FPS "%-20s nistb163, sect193r1, sect193r2, sect233k1, nistk233,\n", "");
     FPS "%-20s sect233r1, nistb233, sect239k1, sect283k1, nistk283,\n", "");
     FPS "%-20s sect283r1, nistb283, sect409k1, nistk409, sect409r1,\n", "");
@@ -1281,17 +1281,17 @@ static void luK(enum usage_level ul, con
     FPS "%-15s List all private keys\n",
         "-K");
     if (ul == usage_selected && !is_my_command)
         return;
     FPS "%-20s Name of token to search (\"all\" for all tokens)\n",
         "   -h token-name ");
 
     FPS "%-20s Key type (\"all\" (default), \"dsa\","
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
                                                     " \"ec\","
 #endif
                                                     " \"rsa\")\n",
         "   -k key-type");
     FPS "%-20s The nickname of the key or associated certificate\n",
         "   -n name");
     FPS "%-20s Specify the password file\n",
         "   -f password-file");
@@ -1413,36 +1413,36 @@ static void luR(enum usage_level ul, con
     FPS "%-15s Generate a certificate request (stdout)\n",
         "-R");
     if (ul == usage_selected && !is_my_command)
         return;
     FPS "%-20s Specify the subject name (using RFC1485)\n",
         "   -s subject");
     FPS "%-20s Output the cert request to this file\n",
         "   -o output-req");
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
 #else
     FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
         "   -k key-type-or-id");
     FPS "%-20s or nickname of the cert key to use \n",
         "");
     FPS "%-20s Name of token in which to generate key (default is internal)\n",
         "   -h token-name");
     FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
         "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
     FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
         "   -q pqgfile");
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     FPS "%-20s Elliptic curve name (ec only)\n",
         "   -q curve-name");
     FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
         "");
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     FPS "%-20s Specify the password file\n",
         "   -f pwfile");
     FPS "%-20s Key database directory (default is ~/.netscape)\n",
         "   -d keydir");
     FPS "%-20s Cert & Key database prefix\n",
         "   -P dbprefix");
     FPS "%-20s Specify the contact phone number (\"123-456-7890\")\n",
         "   -p phone");
@@ -1565,34 +1565,34 @@ static void luS(enum usage_level ul, con
     FPS "%-20s Specify the nickname of the cert\n",
         "   -n key-name");
     FPS "%-20s Specify the subject name (using RFC1485)\n",
         "   -s subject");
     FPS "%-20s The nickname of the issuer cert\n",
         "   -c issuer-name");
     FPS "%-20s Set the certificate trust attributes (see -A above)\n",
         "   -t trustargs");
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     FPS "%-20s Type of key pair to generate (\"dsa\", \"ec\", \"rsa\" (default))\n",
 #else
     FPS "%-20s Type of key pair to generate (\"dsa\", \"rsa\" (default))\n",
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
         "   -k key-type-or-id");
     FPS "%-20s Name of token in which to generate key (default is internal)\n",
         "   -h token-name");
     FPS "%-20s Key size in bits, RSA keys only (min %d, max %d, default %d)\n",
         "   -g key-size", MIN_KEY_BITS, MAX_KEY_BITS, DEFAULT_KEY_BITS);
     FPS "%-20s Name of file containing PQG parameters (dsa only)\n",
         "   -q pqgfile");
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     FPS "%-20s Elliptic curve name (ec only)\n",
         "   -q curve-name");
     FPS "%-20s See the \"-G\" option for a full list of supported names.\n",
         "");
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     FPS "%-20s Self sign\n",
         "   -x");
     FPS "%-20s Cert serial number\n",
         "   -m serial-number");
     FPS "%-20s Time Warp\n",
         "   -w warp-months");
     FPS "%-20s Months valid (default is 3)\n",
         "   -v months-valid");
@@ -2443,22 +2443,22 @@ certutil_main(int argc, char **argv, PRB
     if (certutil.options[opt_KeySize].activated) {
 	keysize = PORT_Atoi(certutil.options[opt_KeySize].arg);
 	if ((keysize < MIN_KEY_BITS) || (keysize > MAX_KEY_BITS)) {
 	    PR_fprintf(PR_STDERR, 
                        "%s -g:  Keysize must be between %d and %d.\n",
 		       progName, MIN_KEY_BITS, MAX_KEY_BITS);
 	    return 255;
 	}
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	if (keytype == ecKey) {
 	    PR_fprintf(PR_STDERR, "%s -g:  Not for ec keys.\n", progName);
 	    return 255;
 	}
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     }
 
     /*  -h specify token name  */
     if (certutil.options[opt_TokenName].activated) {
 	if (PL_strcmp(certutil.options[opt_TokenName].arg, "all") == 0)
 	    slotname = NULL;
 	else
@@ -2478,20 +2478,20 @@ certutil_main(int argc, char **argv, PRB
 
     /*  -k key type  */
     if (certutil.options[opt_KeyType].activated) {
 	char * arg = certutil.options[opt_KeyType].arg;
 	if (PL_strcmp(arg, "rsa") == 0) {
 	    keytype = rsaKey;
 	} else if (PL_strcmp(arg, "dsa") == 0) {
 	    keytype = dsaKey;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	} else if (PL_strcmp(arg, "ec") == 0) {
 	    keytype = ecKey;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	} else if (PL_strcmp(arg, "all") == 0) {
 	    keytype = nullKey;
 	} else {
 	    /* use an existing private/public key pair */
 	    keysource = arg;
 	}
     } else if (certutil.commands[cmd_ListKeys].activated) {
 	keytype = nullKey;
@@ -2534,26 +2534,26 @@ certutil_main(int argc, char **argv, PRB
             srcCertPrefix = strdup(certutil.options[opt_SourcePrefix].arg);
         } else {
             Usage(progName);
         }
     }
 
     /*  -q PQG file or curve name */
     if (certutil.options[opt_PQGFile].activated) {
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	if ((keytype != dsaKey) && (keytype != ecKey)) {
 	    PR_fprintf(PR_STDERR, "%s -q: specifies a PQG file for DSA keys" \
 		       " (-k dsa) or a named curve for EC keys (-k ec)\n)",
 	               progName);
 #else   /* } */
 	if (keytype != dsaKey) {
 	    PR_fprintf(PR_STDERR, "%s -q: PQG file is for DSA key (-k dsa).\n)",
 	               progName);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	    return 255;
 	}
     }
 
     /*  -s subject name  */
     if (certutil.options[opt_Subject].activated) {
 	subject = CERT_AsciiToName(certutil.options[opt_Subject].arg);
 	if (!subject) {
--- a/security/nss/cmd/certutil/keystuff.c
+++ b/security/nss/cmd/certutil/keystuff.c
@@ -351,17 +351,17 @@ CERTUTIL_FileForRNG(const char *noise)
 	    PK11_RandomUpdate(buf,count);
 	}
     } while (count > 0);
 
     PR_Close(fd);
     return SECSuccess;
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 typedef struct curveNameTagPairStr {
     char *curveName;
     SECOidTag curveOidTag;
 } CurveNameTagPair;
 
 #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP192R1
 /* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
 
@@ -479,17 +479,17 @@ getECParams(const char *curve)
      * oidData->oid.data so we simply prepend 0x06 and OID length
      */
     ecparams->data[0] = SEC_ASN1_OBJECT_ID;
     ecparams->data[1] = oidData->oid.len;
     memcpy(ecparams->data + 2, oidData->oid.data, oidData->oid.len);
 
     return ecparams;
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 SECKEYPrivateKey *
 CERTUTIL_GeneratePrivateKey(KeyType keytype, PK11SlotInfo *slot, int size,
 			    int publicExponent, const char *noise, 
 			    SECKEYPublicKey **pubkeyp, const char *pqgFile,
 			    PK11AttrFlags attrFlags, CK_FLAGS opFlagsOn,
 			    CK_FLAGS opFlagsOff, secuPWData *pwdata)
 {
@@ -540,37 +540,37 @@ CERTUTIL_GeneratePrivateKey(KeyType keyt
 	    if (dsaparams == NULL)
 	    	return NULL;
 	    params = dsaparams;
 	} else {
 	    /* cast away const, and don't set dsaparams */
 	    params = (void *)&default_pqg_params;
 	}
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case ecKey:
 	mechanism = CKM_EC_KEY_PAIR_GEN;
 	/* For EC keys, PQGFile determines EC parameters */
 	if ((params = (void *) getECParams(pqgFile)) == NULL)
 	    return NULL;
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     default:
 	return NULL;
     }
 
     fprintf(stderr, "\n\n");
     fprintf(stderr, "Generating key.  This may take a few moments...\n\n");
 
     privKey = PK11_GenerateKeyPairWithOpFlags(slot, mechanism, params, pubkeyp,
 				attrFlags, opFlagsOn, opFlagsOn|opFlagsOff,
 				pwdata /*wincx*/);
     /* free up the params */
     switch (keytype) {
     case dsaKey: if (dsaparams) CERTUTIL_DestroyParamsPQG(dsaparams); 
 	                                                      break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case ecKey: SECITEM_FreeItem((SECItem *)params, PR_TRUE); break;
 #endif
     default: /* nothing to free */                            break;
     }
     return privKey;
 }
--- a/security/nss/cmd/fipstest/fipstest.c
+++ b/security/nss/cmd/fipstest/fipstest.c
@@ -17,17 +17,17 @@
 #include "hasht.h"
 #include "lowkeyi.h"
 #include "softoken.h"
 
 #if 0
 #include "../../lib/freebl/mpi/mpi.h"
 #endif
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 extern SECStatus
 EC_DecodeParams(const SECItem *encodedParams, ECParams **ecparams);
 extern SECStatus
 EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
               const ECParams *srcParams);
 #endif
 
 #define ENCRYPT 1
@@ -1844,17 +1844,17 @@ int get_next_line(FILE *req, char *key, 
 	} else {
 	    writeto[w++] = c;
 	}
     }
     writeto[w] = '\0';
     return (c == EOF) ? -1 : ignore;
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 typedef struct curveNameTagPairStr {
     char *curveName;
     SECOidTag curveOidTag;
 } CurveNameTagPair;
 
 #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP192R1
 /* #define DEFAULT_CURVE_OID_TAG  SEC_OID_SECG_EC_SECP160R1 */
 
@@ -2525,17 +2525,17 @@ ecdsa_sigver_test(char *reqfn)
 	}
     }
 loser:
     if (ecpub.ecParams.arena != NULL) {
 	PORT_FreeArena(ecpub.ecParams.arena, PR_FALSE);
     }
     fclose(ecdsareq);
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 
 /*
  * Read a value from the test and allocate the result.
  */
 static unsigned char *
 alloc_value(char *buf, int *len)
 {
@@ -5322,17 +5322,17 @@ int main(int argc, char **argv)
             dsa_pqgver_test(argv[3]);
         } else if (strcmp(argv[2], "siggen") == 0) {
             /* Signature Generation Test */
             dsa_siggen_test(argv[3]);
         } else if (strcmp(argv[2], "sigver") == 0) {
             /* Signature Verification Test */
             dsa_sigver_test(argv[3]);
         }
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     /*************/
     /*   ECDSA   */
     /*************/
     } else if (strcmp(argv[1], "ecdsa") == 0) {
 	/* argv[2]=keypair|pkv|siggen|sigver argv[3]=<test name>.req */
 	if (       strcmp(argv[2], "keypair") == 0) {
 	    /* Key Pair Generation Test */
 	    ecdsa_keypair_test(argv[3]);
@@ -5341,17 +5341,17 @@ int main(int argc, char **argv)
 	    ecdsa_pkv_test(argv[3]);
 	} else if (strcmp(argv[2], "siggen") == 0) {
 	    /* Signature Generation Test */
 	    ecdsa_siggen_test(argv[3]);
 	} else if (strcmp(argv[2], "sigver") == 0) {
 	    /* Signature Verification Test */
 	    ecdsa_sigver_test(argv[3]);
 	}
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     /*************/
     /*   RNG     */
     /*************/
     } else if (strcmp(argv[1], "rng") == 0) {
 	/* argv[2]=vst|mct argv[3]=<test name>.req */
 	if (       strcmp(argv[2], "vst") == 0) {
 	    /* Variable Seed Test */
 	    rng_vst(argv[3]);
--- a/security/nss/cmd/lib/secutil.c
+++ b/security/nss/cmd/lib/secutil.c
@@ -1359,17 +1359,17 @@ secu_PrintAttribute(FILE *out, SEC_PKCS7
 		    SECU_PrintTimeChoice(out, value, om, level+1);
 		    break;
 		}
 	    }
 	}
     }
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 static void
 secu_PrintECPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
 {
     SECItem curveOID = { siBuffer, NULL, 0};
 
     SECU_Indent(out, level); fprintf(out, "%s:\n", m);
     SECU_PrintInteger(out, &pk->u.ec.publicValue, "PublicValue", level+1);
     /* For named curves, the DEREncodedParams field contains an
@@ -1377,17 +1377,17 @@ secu_PrintECPublicKey(FILE *out, SECKEYP
      */
     if ((pk->u.ec.DEREncodedParams.len > 2) &&
 	(pk->u.ec.DEREncodedParams.data[0] == 0x06)) {
         curveOID.len = pk->u.ec.DEREncodedParams.data[1];
 	curveOID.data = pk->u.ec.DEREncodedParams.data + 2;
 	SECU_PrintObjectID(out, &curveOID, "Curve", level +1);
     }
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 void
 SECU_PrintRSAPublicKey(FILE *out, SECKEYPublicKey *pk, char *m, int level)
 {
     SECU_Indent(out, level); fprintf(out, "%s:\n", m);
     SECU_PrintInteger(out, &pk->u.rsa.modulus, "Modulus", level+1);
     SECU_PrintInteger(out, &pk->u.rsa.publicExponent, "Exponent", level+1);
     if (pk->u.rsa.publicExponent.len == 1 &&
@@ -1421,17 +1421,17 @@ secu_PrintSubjectPublicKeyInfo(FILE *out
 	case rsaKey:
 	    SECU_PrintRSAPublicKey(out, pk, "RSA Public Key", level +1);
 	    break;
 
 	case dsaKey:
 	    SECU_PrintDSAPublicKey(out, pk, "DSA Public Key", level +1);
 	    break;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	case ecKey:
 	    secu_PrintECPublicKey(out, pk, "EC Public Key", level +1);
 	    break;
 #endif
 
 	case dhKey:
 	case fortezzaKey:
 	case keaKey:
--- a/security/nss/cmd/modutil/install.c
+++ b/security/nss/cmd/modutil/install.c
@@ -772,17 +772,17 @@ loser:
 		PR_Free(dest);
 	}
 	if(modDest) {
 		PR_Free(modDest);
 	}
 	if(tempname) {
 		PRFileInfo info;
 		if(PR_GetFileInfo(tempname, &info) == PR_SUCCESS) {
-			if((info.type == PR_FILE_DIRECTORY)) {
+			if(info.type == PR_FILE_DIRECTORY) {
 				/* Recursively remove temporary directory */
 				if(rm_dash_r(tempname)) {
 					error(PK11_INSTALL_REMOVE_DIR,
 						tempname);
 					ret=PK11_INSTALL_REMOVE_DIR;
 				}
 					
 			}
--- a/security/nss/cmd/selfserv/selfserv.c
+++ b/security/nss/cmd/selfserv/selfserv.c
@@ -102,40 +102,40 @@ const int ssl2CipherSuites[] = {
     SSL_EN_DES_64_CBC_WITH_MD5,			/* E */
     SSL_EN_DES_192_EDE3_CBC_WITH_MD5,		/* F */
     0
 };
 
 const int ssl3CipherSuites[] = {
     -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
     -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA	 * b */
-    SSL_RSA_WITH_RC4_128_MD5,			/* c */
-    SSL_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
-    SSL_RSA_WITH_DES_CBC_SHA,			/* e */
-    SSL_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
-    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
+    TLS_RSA_WITH_RC4_128_MD5,			/* c */
+    TLS_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
+    TLS_RSA_WITH_DES_CBC_SHA,			/* e */
+    TLS_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
+    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
     -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA,	 * h */
-    SSL_RSA_WITH_NULL_MD5,			/* i */
+    TLS_RSA_WITH_NULL_MD5,			/* i */
     SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,		/* j */
     SSL_RSA_FIPS_WITH_DES_CBC_SHA,		/* k */
     TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,	/* l */
     TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,	        /* m */
-    SSL_RSA_WITH_RC4_128_SHA,			/* n */
+    TLS_RSA_WITH_RC4_128_SHA,			/* n */
     -1, /* TLS_DHE_DSS_WITH_RC4_128_SHA, 	 * o */
-    -1, /* SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,	 * p */
-    -1, /* SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,	 * q */
-    -1, /* SSL_DHE_RSA_WITH_DES_CBC_SHA,	 * r */
-    -1, /* SSL_DHE_DSS_WITH_DES_CBC_SHA,	 * s */
+    -1, /* TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,	 * p */
+    -1, /* TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,	 * q */
+    -1, /* TLS_DHE_RSA_WITH_DES_CBC_SHA,	 * r */
+    -1, /* TLS_DHE_DSS_WITH_DES_CBC_SHA,	 * s */
     -1, /* TLS_DHE_DSS_WITH_AES_128_CBC_SHA,	 * t */
     -1, /* TLS_DHE_RSA_WITH_AES_128_CBC_SHA,	 * u */
     TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
     -1, /* TLS_DHE_DSS_WITH_AES_256_CBC_SHA,	 * w */
     -1, /* TLS_DHE_RSA_WITH_AES_256_CBC_SHA,	 * x */
     TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
-    SSL_RSA_WITH_NULL_SHA,			/* z */
+    TLS_RSA_WITH_NULL_SHA,			/* z */
     0
 };
 
 /* data and structures for shutdown */
 static int	stopping;
 
 static PRBool  noDelay;
 static int     requestCert;
@@ -155,21 +155,21 @@ static void
 PrintUsageHeader(const char *progName)
 {
     fprintf(stderr, 
 "Usage: %s -n rsa_nickname -p port [-BDENRbjlmrsuvx] [-w password]\n"
 "         [-t threads] [-i pid_file] [-c ciphers] [-Y] [-d dbdir] [-g numblocks]\n"
 "         [-f password_file] [-L [seconds]] [-M maxProcs] [-P dbprefix]\n"
 "         [-V [min-version]:[max-version]] [-a sni_name]\n"
 "         [ T <good|revoked|unknown|badsig|corrupted|none|ocsp>] [-A ca]\n"
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 "         [-C SSLCacheEntries] [-e ec_nickname]\n"
 #else
 "         [-C SSLCacheEntries]\n"
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
         ,progName);
 }
 
 static void
 PrintParameterUsage()
 {
     fputs(
 "-V [min]:[max] restricts the set of enabled SSL/TLS protocol versions.\n"
@@ -1927,19 +1927,19 @@ server_main(
             errExit("SSL_OptionSet SSL_NO_CACHE");
         }
     }
 
     /* This cipher is not on by default. The Acceptance test
      * would like it to be. Turn this cipher on.
      */
 
-    secStatus = SSL_CipherPrefSetDefault( SSL_RSA_WITH_NULL_MD5, PR_TRUE);
+    secStatus = SSL_CipherPrefSetDefault( TLS_RSA_WITH_NULL_MD5, PR_TRUE);
     if ( secStatus != SECSuccess ) {
-	errExit("SSL_CipherPrefSetDefault:SSL_RSA_WITH_NULL_MD5");
+	errExit("SSL_CipherPrefSetDefault:TLS_RSA_WITH_NULL_MD5");
     }
 
     if (expectedHostNameVal) {
         SSL_HandshakeCallback(model_sock, handshakeCallback,
                               (void*)expectedHostNameVal);
     }
 
     if (requestCert) {
@@ -2128,17 +2128,17 @@ SECStatus enableOCSPStapling(const char*
     return SECFailure;
 }
 
 int
 main(int argc, char **argv)
 {
     char *               progName    = NULL;
     char *               nickName    = NULL;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     char *               ecNickName   = NULL;
 #endif
     const char *         fileName    = NULL;
     char *               cipherString= NULL;
     const char *         dir         = ".";
     char *               passwd      = NULL;
     char *               pwfile      = NULL;
     const char *         pidFile     = NULL;
@@ -2241,19 +2241,19 @@ main(int argc, char **argv)
                       PORT_Strdup(optstate->value); break;
 
 	case 'b': bindOnly = PR_TRUE; break;
 
 	case 'c': cipherString = PORT_Strdup(optstate->value); break;
 
 	case 'd': dir = optstate->value; break;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	case 'e': ecNickName = PORT_Strdup(optstate->value); break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 	case 'f':
             pwdata.source = PW_FROMFILE;
             pwdata.data = pwfile = PORT_Strdup(optstate->value);
             break;
 
         case 'g': 
             testBulk = PR_TRUE;
@@ -2357,17 +2357,17 @@ main(int argc, char **argv)
 	}
         if (listen_sock) {
             PR_Close(listen_sock);
         }
 	exit(0);
     }
 
     if ((nickName == NULL)
- #ifdef NSS_ENABLE_ECC
+ #ifndef NSS_DISABLE_ECC
 						&& (ecNickName == NULL)
  #endif
     ) {
 
 	fprintf(stderr, "Required arg '-n' (rsa nickname) not supplied.\n");
 	fprintf(stderr, "Run '%s -h' for usage information.\n", progName);
         exit(6);
     }
@@ -2588,17 +2588,17 @@ main(int argc, char **argv)
 		exit(14);
 	    }
 	    fprintf(stderr, "selfserv: %s can%s bypass\n", nickName,
 		    bypassOK ? "" : "not");
 	}
 	setupCertStatus(certStatusArena, ocspStaplingMode, cert[kt_rsa], kt_rsa,
 			&pwdata);
     }
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     if (ecNickName) {
 	cert[kt_ecdh] = PK11_FindCertFromNickname(ecNickName, &pwdata);
 	if (cert[kt_ecdh] == NULL) {
 	    fprintf(stderr, "selfserv: Can't find certificate %s\n",
 		    ecNickName);
 	    exit(13);
 	}
 	privKey[kt_ecdh] = PK11_FindKeyByAnyCert(cert[kt_ecdh], &pwdata);
@@ -2615,17 +2615,17 @@ main(int argc, char **argv)
 		exit(15);
 	    }
 	    fprintf(stderr, "selfserv: %s can%s bypass\n", ecNickName,
 		    bypassOK ? "" : "not");
 	}
 	setupCertStatus(certStatusArena, ocspStaplingMode, cert[kt_ecdh], kt_ecdh,
 			&pwdata);
     }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     if (testbypass)
 	goto cleanup;
 
 /* allocate the array of thread slots, and launch the worker threads. */
     rv = launch_threads(&jobLoop, 0, 0, requestCert, useLocalThreads);
 
     if (rv == SECSuccess && logStats) {
@@ -2686,17 +2686,17 @@ cleanup:
         PORT_Free(passwd);
     }
     if (pwfile) {
         PORT_Free(pwfile);
     }
     if (certPrefix && certPrefix != emptyString) {                            
         PORT_Free(certPrefix);
     }
- #ifdef NSS_ENABLE_ECC
+ #ifndef NSS_DISABLE_ECC
     if (ecNickName) {
         PORT_Free(ecNickName);
     }
  #endif
 
     if (hasSidCache) {
 	SSL_ShutdownServerSessionIDCache();
     }
--- a/security/nss/cmd/ssltap/ssltap.c
+++ b/security/nss/cmd/ssltap/ssltap.c
@@ -488,23 +488,23 @@ const char * helloExtensionNameString(in
   default: sprintf(buf, "%d", ex_num);  ex_name = (const char *)buf; break;
   }
 
   return ex_name;
 }
 
 static int isNULLmac(int cs_int)
 {
-    return (cs_int == SSL_NULL_WITH_NULL_NULL); 
+    return (cs_int == TLS_NULL_WITH_NULL_NULL);
 }
 
 static int isNULLcipher(int cs_int)
 {
- return ((cs_int == SSL_RSA_WITH_NULL_MD5) ||
-         (cs_int == SSL_RSA_WITH_NULL_SHA) ||
+ return ((cs_int == TLS_RSA_WITH_NULL_MD5) ||
+         (cs_int == TLS_RSA_WITH_NULL_SHA) ||
          (cs_int == SSL_FORTEZZA_DMS_WITH_NULL_SHA) ||
          (cs_int == TLS_ECDH_ECDSA_WITH_NULL_SHA) ||
          (cs_int == TLS_ECDHE_ECDSA_WITH_NULL_SHA) ||
          (cs_int == TLS_ECDH_RSA_WITH_NULL_SHA) ||
          (cs_int == TLS_ECDHE_RSA_WITH_NULL_SHA));
 } 
 
 void partial_packet(int thispacket, int size, int needed)
--- a/security/nss/cmd/strsclnt/strsclnt.c
+++ b/security/nss/cmd/strsclnt/strsclnt.c
@@ -54,40 +54,40 @@ int ssl2CipherSuites[] = {
     SSL_EN_DES_64_CBC_WITH_MD5,                 /* E */
     SSL_EN_DES_192_EDE3_CBC_WITH_MD5,           /* F */
     0
 };
 
 int ssl3CipherSuites[] = {
     -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
     -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA     * b */
-    SSL_RSA_WITH_RC4_128_MD5,                   /* c */
-    SSL_RSA_WITH_3DES_EDE_CBC_SHA,              /* d */
-    SSL_RSA_WITH_DES_CBC_SHA,                   /* e */
-    SSL_RSA_EXPORT_WITH_RC4_40_MD5,             /* f */
-    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,         /* g */
+    TLS_RSA_WITH_RC4_128_MD5,                   /* c */
+    TLS_RSA_WITH_3DES_EDE_CBC_SHA,              /* d */
+    TLS_RSA_WITH_DES_CBC_SHA,                   /* e */
+    TLS_RSA_EXPORT_WITH_RC4_40_MD5,             /* f */
+    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,         /* g */
     -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA        * h */
-    SSL_RSA_WITH_NULL_MD5,                      /* i */
+    TLS_RSA_WITH_NULL_MD5,                      /* i */
     SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,         /* j */
     SSL_RSA_FIPS_WITH_DES_CBC_SHA,              /* k */
     TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, 	/* l */
     TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,		/* m */
-    SSL_RSA_WITH_RC4_128_SHA,                   /* n */
+    TLS_RSA_WITH_RC4_128_SHA,                   /* n */
     TLS_DHE_DSS_WITH_RC4_128_SHA,		/* o */
-    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
-    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
-    SSL_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
-    SSL_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
+    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
+    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
+    TLS_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
+    TLS_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    	/* t */
     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       	/* u */
     TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    	/* w */
     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       	/* x */
     TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
-    SSL_RSA_WITH_NULL_SHA,			/* z */
+    TLS_RSA_WITH_NULL_SHA,			/* z */
     0
 };
 
 #define NO_FULLHS_PERCENTAGE -1
 
 /* This global string is so that client main can see 
  * which ciphers to use. 
  */
--- a/security/nss/cmd/tstclnt/tstclnt.c
+++ b/security/nss/cmd/tstclnt/tstclnt.c
@@ -63,40 +63,40 @@ int ssl2CipherSuites[] = {
     SSL_EN_DES_64_CBC_WITH_MD5,			/* E */
     SSL_EN_DES_192_EDE3_CBC_WITH_MD5,		/* F */
     0
 };
 
 int ssl3CipherSuites[] = {
     -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
     -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,	 * b */
-    SSL_RSA_WITH_RC4_128_MD5,			/* c */
-    SSL_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
-    SSL_RSA_WITH_DES_CBC_SHA,			/* e */
-    SSL_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
-    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
+    TLS_RSA_WITH_RC4_128_MD5,			/* c */
+    TLS_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
+    TLS_RSA_WITH_DES_CBC_SHA,			/* e */
+    TLS_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
+    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
     -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA,	 * h */
-    SSL_RSA_WITH_NULL_MD5,			/* i */
+    TLS_RSA_WITH_NULL_MD5,			/* i */
     SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,		/* j */
     SSL_RSA_FIPS_WITH_DES_CBC_SHA,		/* k */
     TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,	/* l */
     TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,	        /* m */
-    SSL_RSA_WITH_RC4_128_SHA,			/* n */
+    TLS_RSA_WITH_RC4_128_SHA,			/* n */
     TLS_DHE_DSS_WITH_RC4_128_SHA,		/* o */
-    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
-    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
-    SSL_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
-    SSL_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
+    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
+    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
+    TLS_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
+    TLS_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    	/* t */
     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       	/* u */
     TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    	/* w */
     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       	/* x */
     TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
-    SSL_RSA_WITH_NULL_SHA,			/* z */
+    TLS_RSA_WITH_NULL_SHA,			/* z */
     0
 };
 
 unsigned long __cmp_umuls;
 PRBool verbose;
 int renegotiationsToDo = 0;
 int renegotiationsDone = 0;
 
--- a/security/nss/cmd/vfyserv/vfyserv.c
+++ b/security/nss/cmd/vfyserv/vfyserv.c
@@ -492,17 +492,17 @@ main(int argc, char **argv)
                     goto cleanup;
                 }
             }
 	}
 
 	/* All cipher suites except RSA_NULL_MD5 are enabled by 
 	 * Domestic Policy. */
 	NSS_SetDomesticPolicy();
-	SSL_CipherPrefSetDefault(SSL_RSA_WITH_NULL_MD5, PR_TRUE);
+	SSL_CipherPrefSetDefault(TLS_RSA_WITH_NULL_MD5, PR_TRUE);
 
 	/* all the SSL2 and SSL3 cipher suites are enabled by default. */
 	if (cipherString) {
 	    int ndx;
 
 	    /* disable all the ciphers, then enable the ones we want. */
 	    disableAllSSLCiphers();
 
--- a/security/nss/cmd/vfyserv/vfyutil.c
+++ b/security/nss/cmd/vfyserv/vfyutil.c
@@ -22,40 +22,40 @@ int ssl2CipherSuites[] = {
     SSL_EN_DES_64_CBC_WITH_MD5,           /* E */
     SSL_EN_DES_192_EDE3_CBC_WITH_MD5,     /* F */
     0
 };
 
 int ssl3CipherSuites[] = {
     -1, /* SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA* a */
     -1, /* SSL_FORTEZZA_DMS_WITH_RC4_128_SHA,	 * b */
-    SSL_RSA_WITH_RC4_128_MD5,			/* c */
-    SSL_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
-    SSL_RSA_WITH_DES_CBC_SHA,			/* e */
-    SSL_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
-    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
+    TLS_RSA_WITH_RC4_128_MD5,			/* c */
+    TLS_RSA_WITH_3DES_EDE_CBC_SHA,		/* d */
+    TLS_RSA_WITH_DES_CBC_SHA,			/* e */
+    TLS_RSA_EXPORT_WITH_RC4_40_MD5,		/* f */
+    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,		/* g */
     -1, /* SSL_FORTEZZA_DMS_WITH_NULL_SHA,	 * h */
-    SSL_RSA_WITH_NULL_MD5,			/* i */
+    TLS_RSA_WITH_NULL_MD5,			/* i */
     SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,		/* j */
     SSL_RSA_FIPS_WITH_DES_CBC_SHA,		/* k */
     TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,	/* l */
     TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,	        /* m */
-    SSL_RSA_WITH_RC4_128_SHA,			/* n */
+    TLS_RSA_WITH_RC4_128_SHA,			/* n */
     TLS_DHE_DSS_WITH_RC4_128_SHA,		/* o */
-    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
-    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
-    SSL_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
-    SSL_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
+    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,		/* p */
+    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,		/* q */
+    TLS_DHE_RSA_WITH_DES_CBC_SHA,		/* r */
+    TLS_DHE_DSS_WITH_DES_CBC_SHA,		/* s */
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	    	/* t */
     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,       	/* u */
     TLS_RSA_WITH_AES_128_CBC_SHA,     	    	/* v */
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	    	/* w */
     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,       	/* x */
     TLS_RSA_WITH_AES_256_CBC_SHA,     	    	/* y */
-    SSL_RSA_WITH_NULL_SHA,			/* z */
+    TLS_RSA_WITH_NULL_SHA,			/* z */
     0
 };
 
 /**************************************************************************
 ** 
 ** SSL callback routines.
 **
 **************************************************************************/
--- a/security/nss/coreconf/Linux.mk
+++ b/security/nss/coreconf/Linux.mk
@@ -50,21 +50,28 @@ endif
 else
 ifeq ($(OS_TEST),alpha)
         OS_REL_CFLAGS   = -D_ALPHA_
 	CPU_ARCH	= alpha
 else
 ifeq ($(OS_TEST),x86_64)
 ifeq ($(USE_64),1)
 	CPU_ARCH	= x86_64
+	ARCHFLAG	= -m64
+else
+ifeq ($(USE_X32),1)
+	CPU_ARCH	= x86_64
+	ARCHFLAG	= -mx32
+	64BIT_TAG	= _x32
 else
 	OS_REL_CFLAGS	= -Di386
 	CPU_ARCH	= x86
 	ARCHFLAG	= -m32
 endif
+endif
 else
 ifeq ($(OS_TEST),sparc64)
 	CPU_ARCH        = sparc
 else
 ifeq (,$(filter-out arm% sa110,$(OS_TEST)))
 	CPU_ARCH        = arm
 else
 ifeq (,$(filter-out parisc%,$(OS_TEST)))
@@ -118,22 +125,17 @@ ifdef MOZ_DEBUG_SYMBOLS
 endif
 endif
 
 
 ifeq ($(USE_PTHREADS),1)
 OS_PTHREAD = -lpthread 
 endif
 
-# See bug 537829, in particular comment 23.
-# Place -ansi and *_SOURCE before $(DSO_CFLAGS) so DSO_CFLAGS can override
-# -ansi on platforms like Android where the system headers are C99 and do
-# not build with -ansi.
-STANDARDS_CFLAGS	= -D_POSIX_SOURCE -D_BSD_SOURCE -D_XOPEN_SOURCE
-OS_CFLAGS		= $(STANDARDS_CFLAGS) $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DLINUX -Dlinux -DHAVE_STRERROR
+OS_CFLAGS		= $(DSO_CFLAGS) $(OS_REL_CFLAGS) $(ARCHFLAG) -Wall -Werror-implicit-function-declaration -Wno-switch -pipe -DLINUX -Dlinux -DHAVE_STRERROR
 OS_LIBS			= $(OS_PTHREAD) -ldl -lc
 
 ifdef USE_PTHREADS
 	DEFINES		+= -D_REENTRANT
 endif
 
 ARCH			= linux
 
--- a/security/nss/coreconf/config.mk
+++ b/security/nss/coreconf/config.mk
@@ -141,20 +141,20 @@ endif
 #######################################################################
 
 -include $(MKDEPENDENCIES)
 
 #######################################################################
 # [16.0] Global environ ment defines
 #######################################################################
 
-ifdef NSS_ENABLE_ECC
-DEFINES += -DNSS_ENABLE_ECC
+ifdef NSS_DISABLE_ECC
+DEFINES += -DNSS_DISABLE_ECC
 endif
-
+ 
 ifdef NSS_ECC_MORE_THAN_SUITE_B
 DEFINES += -DNSS_ECC_MORE_THAN_SUITE_B
 endif
 
 ifdef NSS_ALLOW_UNSUPPORTED_CRITICAL
 DEFINES += -DNSS_ALLOW_UNSUPPORTED_CRITICAL
 endif
 
@@ -180,8 +180,11 @@ endif
 # This allows all library and tools code to use the util function
 # implementations directly from libnssutil3, rather than the wrappers
 # in libnss3 which are present for binary compatibility only
 DEFINES += -DUSE_UTIL_DIRECTLY
 USE_UTIL_DIRECTLY = 1
 
 # Build with NO_NSPR_10_SUPPORT to avoid using obsolete NSPR features
 DEFINES += -DNO_NSPR_10_SUPPORT
+
+# Hide old, deprecated, TLS cipher suite names when building NSS
+DEFINES += -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES
--- a/security/nss/coreconf/coreconf.dep
+++ b/security/nss/coreconf/coreconf.dep
@@ -5,8 +5,9 @@
 
 /*
  * A dummy header file that is a dependency for all the object files.
  * Used to force a full recompilation of NSS in Mozilla's Tinderbox
  * depend builds.  See comments in rules.mk.
  */
 
 #error "Do not include this header file."
+
--- a/security/nss/coverage/cov.sh
+++ b/security/nss/coverage/cov.sh
@@ -27,17 +27,16 @@ DATE_DIR="${BRANCH_DIR}/${DATE}-${ARCH}"
 CVS_DIR="${DATE_DIR}/cvs_mozilla"
 TCOV_DIR="${DATE_DIR}/tcov_mozilla"
 
 CVS_CHECKOUT_BRANCH="cvs_checkout_${BRANCH}"
 
 export HOST=`hostname`
 export DOMSUF=red.iplanet.com
 
-export NSS_ENABLE_ECC=1
 export NSS_ECC_MORE_THAN_SUITE_B=1
 export IOPR_HOSTADDR_LIST="dochinups.red.iplanet.com"
 export NSS_AIA_PATH="/share/builds/mccrel3/security/aia_certs"
 export NSS_AIA_HTTP="http://cindercone.red.iplanet.com/share/builds/mccrel3/security/aia_certs"
 
 export USE_TCOV=1
 export SUN_PROFDATA_DIR="${DATE_DIR}"
 export SUN_PROFDATA="tcov_data"
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1389,18 +1389,18 @@ cert_TestHostName(char * cn, const char 
 
 	/* For a cn pattern to be considered valid, the wildcard character...
 	 * - may occur only in a DNS name with at least 3 components, and
 	 * - may occur only as last character in the first component, and
 	 * - may be preceded by additional characters, and
 	 * - must not be preceded by an IDNA ACE prefix (xn--)
 	 */
 	if (wildcard && secondcndot && secondcndot[1] && firsthndot 
-	    && firstcndot  - wildcard  == 1 /* no chars between * and . */
-	    && secondcndot - firstcndot > 1 /* not .. */
+	    && firstcndot  - wildcard  == 1 /* wildcard is last char in first component */
+	    && secondcndot - firstcndot > 1 /* second component is non-empty */
 	    && PORT_Strrchr(cn, '*') == wildcard /* only one wildcard in cn */
 	    && !PORT_Strncasecmp(cn, hn, wildcard - cn)
 	    && !PORT_Strcasecmp(firstcndot, firsthndot)
 	       /* If hn starts with xn--, then cn must start with wildcard */
 	    && (PORT_Strncasecmp(hn, "xn--", 4) || wildcard == cn)) {
 	    /* valid wildcard pattern match */
 	    return SECSuccess;
 	}
--- a/security/nss/lib/ckfw/builtins/certdata.txt
+++ b/security/nss/lib/ckfw/builtins/certdata.txt
@@ -602,29 +602,29 @@ END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
 \002\004\065\336\364\317
 END
 CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
 CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
 
-# Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements.""
+# Distrust "Distrust a pb.com certificate that does not comply with the baseline requirements."
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 1407252 (0x157914)
 # Subject: CN=*.pb.com,OU=Meters,O=Pitney Bowes,L=Danbury,ST=Connecticut,C=US
 # Not Valid Before: Mon Feb 01 14:54:04 2010
 # Not Valid After : Tue Sep 30 00:00:00 2014
 # Fingerprint (MD5): 8F:46:BE:99:47:6F:93:DC:5C:01:54:50:D0:4A:BD:AC
 # Fingerprint (SHA1): 30:F1:82:CA:1A:5E:4E:4F:F3:6E:D0:E6:38:18:B8:B9:41:CB:5F:8C
 CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
 CKA_TOKEN CK_BBOOL CK_TRUE
 CKA_PRIVATE CK_BBOOL CK_FALSE
 CKA_MODIFIABLE CK_BBOOL CK_FALSE
-CKA_LABEL UTF8 "Distrust a pb.com certificate that does not comply with the baseline requirements.""
+CKA_LABEL UTF8 "Distrust a pb.com certificate that does not comply with the baseline requirements."
 CKA_ISSUER MULTILINE_OCTAL
 \060\116\061\013\060\011\006\003\125\004\006\023\002\125\123\061
 \020\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141
 \170\061\055\060\053\006\003\125\004\013\023\044\105\161\165\151
 \146\141\170\040\123\145\143\165\162\145\040\103\145\162\164\151
 \146\151\143\141\164\145\040\101\165\164\150\157\162\151\164\171
 END
 CKA_SERIAL_NUMBER MULTILINE_OCTAL
--- a/security/nss/lib/dbm/include/mcom_db.h
+++ b/security/nss/lib/dbm/include/mcom_db.h
@@ -40,17 +40,21 @@
 #endif
 #include "prtypes.h"
 
 #if !defined(XP_BEOS) && !defined(XP_OS2) && !defined(XP_UNIX) || defined(NTO)
 typedef PRUintn uint;
 #endif
 typedef PRUint8 uint8;
 typedef PRUint16 uint16;
+/* On AIX 5.2, sys/inttypes.h (which is included by sys/types.h)
+ * defines the types int8, int16, int32, and int64. */
+#if !defined(AIX)
 typedef PRInt32 int32;
+#endif
 typedef PRUint32 uint32;
 
 #include <limits.h>
 
 #ifdef __DBINTERFACE_PRIVATE
 
 #ifdef HAVE_SYS_CDEFS_H
 #include <sys/cdefs.h>
--- a/security/nss/lib/freebl/Makefile
+++ b/security/nss/lib/freebl/Makefile
@@ -90,17 +90,17 @@ endif
 ifdef FREEBL_PRELINK_COMMAND
 	DEFINES +=-DFREEBL_PRELINK_COMMAND=\"$(FREEBL_PRELINK_COMMAND)\"
 endif
 # NSS_X86 means the target is a 32-bits x86 CPU architecture
 # NSS_X64 means the target is a 64-bits 64 CPU architecture
 # NSS_X86_OR_X64 means the target is either x86 or x64
 ifeq (,$(filter-out i386 x386 x86 x86_64,$(CPU_ARCH)))
         DEFINES += -DNSS_X86_OR_X64
-ifdef USE_64
+ifneq (,$(USE_64)$(USE_X32))
         DEFINES += -DNSS_X64
 else
         DEFINES += -DNSS_X86
 endif
 endif
 
 ifeq ($(OS_TARGET),OSF1)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_NO_MP_WORD
@@ -175,17 +175,17 @@ ifeq ($(CPU_ARCH),x86)
     DEFINES += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE
     DEFINES += -DMP_ASSEMBLY_DIV_2DX1D
 endif
 endif # Darwin
 
 ifeq ($(OS_TARGET),Linux)
 ifeq ($(CPU_ARCH),x86_64)
     ASFILES  = arcfour-amd64-gas.s mpi_amd64_gas.s
-    ASFLAGS += -m64 -fPIC -Wa,--noexecstack
+    ASFLAGS += -fPIC -Wa,--noexecstack
     DEFINES += -DNSS_BEVAND_ARCFOUR -DMPI_AMD64 -DMP_ASSEMBLY_MULTIPLY
     DEFINES += -DNSS_USE_COMBA
     DEFINES += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
 #   DEFINES += -DMPI_AMD64_ADD
     # comment the next two lines to turn off intel HW accelleration
     DEFINES += -DUSE_HW_AES
     ASFILES += intel-aes.s intel-gcm.s
     EXTRA_SRCS += intel-gcm-wrap.c
@@ -444,24 +444,24 @@ else
  	ifndef NS_USE_GCC
  	   MPCPU_SRCS =
  	   ASFILES += mpcpucache_x86.s
  	endif
     endif
 endif # Solaris for non-sparc family CPUs
 endif # target == SunOS
 
-ifdef NSS_ENABLE_ECC
+ifndef NSS_DISABLE_ECC
     ifdef ECL_USE_FP
 	#enable floating point ECC code	
 	DEFINES  += -DECL_USE_FP
 	ECL_SRCS += ecp_fp160.c ecp_fp192.c ecp_fp224.c ecp_fp.c
 	ECL_HDRS += ecp_fp.h
     endif
-endif # NSS_ENABLE_ECC
+endif
 
 #######################################################################
 # (5) Execute "global" rules. (OPTIONAL)                              #
 #######################################################################
 
 include $(CORE_DEPTH)/coreconf/rules.mk
 
 #######################################################################
--- a/security/nss/lib/freebl/arcfour.c
+++ b/security/nss/lib/freebl/arcfour.c
@@ -25,17 +25,17 @@
 #if defined(AIX) || defined(OSF1) || defined(NSS_BEVAND_ARCFOUR)
 /* Treat array variables as words, not bytes, on CPUs that take 
  * much longer to write bytes than to write words, or when using 
  * assembler code that required it.
  */
 #define USE_WORD
 #endif
 
-#if (defined(IS_64))
+#if defined(IS_64) || defined(NSS_BEVAND_ARCFOUR)
 typedef PRUint64 WORD;
 #else
 typedef PRUint32 WORD;
 #endif
 #define WORDSIZE sizeof(WORD)
 
 #if defined(USE_WORD)
 typedef WORD Stype;
--- a/security/nss/lib/freebl/ec.c
+++ b/security/nss/lib/freebl/ec.c
@@ -11,17 +11,17 @@
 #include "prerr.h"
 #include "secerr.h"
 #include "secmpi.h"
 #include "secitem.h"
 #include "mplogic.h"
 #include "ec.h"
 #include "ecl.h"
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 
 /* 
  * Returns true if pointP is the point at infinity, false otherwise
  */
 PRBool
 ec_point_at_infinity(SECItem *pointP)
 {
     unsigned int i;
@@ -187,28 +187,28 @@ cleanup:
     mp_clear(&b);
     if (err) {
 	MP_TO_SEC_ERROR(err);
 	rv = SECFailure;
     }
 
     return rv;
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 /* Generates a new EC key pair. The private key is a supplied
  * value and the public key is the result of performing a scalar 
  * point multiplication of that value with the curve's base point.
  */
 SECStatus 
 ec_NewKey(ECParams *ecParams, ECPrivateKey **privKey, 
     const unsigned char *privKeyBytes, int privKeyLen)
 {
     SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     PLArenaPool *arena;
     ECPrivateKey *key;
     mp_int k;
     mp_err err = MP_OKAY;
     int len;
 
 #if EC_DEBUG
     printf("ec_NewKey called\n");
@@ -296,41 +296,41 @@ cleanup:
 	PORT_FreeArena(arena, PR_TRUE);
 
 #if EC_DEBUG
     printf("ec_NewKey returning %s\n", 
 	(rv == SECSuccess) ? "success" : "failure");
 #endif
 #else
     PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     return rv;
 
 }
 
 /* Generates a new EC key pair. The private key is a supplied
  * random value (in seed) and the public key is the result of 
  * performing a scalar point multiplication of that value with 
  * the curve's base point.
  */
 SECStatus 
 EC_NewKeyFromSeed(ECParams *ecParams, ECPrivateKey **privKey, 
     const unsigned char *seed, int seedlen)
 {
     SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     rv = ec_NewKey(ecParams, privKey, seed, seedlen);
 #else
     PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     return rv;
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 /* Generate a random private key using the algorithm A.4.1 of ANSI X9.62,
  * modified a la FIPS 186-2 Change Notice 1 to eliminate the bias in the
  * random number generator.
  *
  * Parameters
  * - order: a buffer that holds the curve's group order
  * - len: the length in octets of the order buffer
  *
@@ -376,27 +376,27 @@ cleanup:
 	rv = SECFailure;
     }
     if (rv != SECSuccess && privKeyBytes) {
 	PORT_Free(privKeyBytes);
 	privKeyBytes = NULL;
     }
     return privKeyBytes;
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 /* Generates a new EC key pair. The private key is a random value and
  * the public key is the result of performing a scalar point multiplication
  * of that value with the curve's base point.
  */
 SECStatus 
 EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey)
 {
     SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     int len;
     unsigned char *privKeyBytes = NULL;
 
     if (!ecParams) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
 
@@ -411,31 +411,31 @@ cleanup:
 	PORT_ZFree(privKeyBytes, len);
     }
 #if EC_DEBUG
     printf("EC_NewKey returning %s\n", 
 	(rv == SECSuccess) ? "success" : "failure");
 #endif
 #else
     PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     
     return rv;
 }
 
 /* Validates an EC public key as described in Section 5.2.2 of
  * X9.62. The ECDH primitive when used without the cofactor does
  * not address small subgroup attacks, which may occur when the
  * public key is not valid. These attacks can be prevented by 
  * validating the public key before using ECDH.
  */
 SECStatus 
 EC_ValidatePublicKey(ECParams *ecParams, SECItem *publicValue)
 {
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     mp_int Px, Py;
     ECGroup *group = NULL;
     SECStatus rv = SECFailure;
     mp_err err = MP_OKAY;
     int len;
 
     if (!ecParams || !publicValue) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
@@ -501,17 +501,17 @@ cleanup:
     if (err) {
 	MP_TO_SEC_ERROR(err);
 	rv = SECFailure;
     }
     return rv;
 #else
     PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
     return SECFailure;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 }
 
 /* 
 ** Performs an ECDH key derivation by computing the scalar point
 ** multiplication of privateValue and publicValue (with or without the
 ** cofactor) and returns the x-coordinate of the resulting elliptic
 ** curve point in derived secret.  If successful, derivedSecret->data
 ** is set to the address of the newly allocated buffer containing the
@@ -522,17 +522,17 @@ cleanup:
 SECStatus 
 ECDH_Derive(SECItem  *publicValue, 
             ECParams *ecParams,
             SECItem  *privateValue,
             PRBool    withCofactor,
             SECItem  *derivedSecret)
 {
     SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     unsigned int len = 0;
     SECItem pointQ = {siBuffer, NULL, 0};
     mp_int k; /* to hold the private value */
     mp_int cofactor;
     mp_err err = MP_OKAY;
 #if EC_DEBUG
     int i;
 #endif
@@ -591,31 +591,31 @@ cleanup:
 	MP_TO_SEC_ERROR(err);
     }
 
     if (pointQ.data) {
 	PORT_ZFree(pointQ.data, 2*len + 1);
     }
 #else
     PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     return rv;
 }
 
 /* Computes the ECDSA signature (a concatenation of two values r and s)
  * on the digest using the given key and the random value kb (used in
  * computing s).
  */
 SECStatus 
 ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature, 
     const SECItem *digest, const unsigned char *kb, const int kblen)
 {
     SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     mp_int x1;
     mp_int d, k;     /* private key, random integer */
     mp_int r, s;     /* tuple (r, s) is the signature */
     mp_int n;
     mp_err err = MP_OKAY;
     ECParams *ecParams = NULL;
     SECItem kGpoint = { siBuffer, NULL, 0};
     int flen = 0;    /* length in bytes of the field size */
@@ -817,30 +817,30 @@ cleanup:
     }
 
 #if EC_DEBUG
     printf("ECDSA signing with seed %s\n",
 	(rv == SECSuccess) ? "succeeded" : "failed");
 #endif
 #else
     PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
    return rv;
 }
 
 /*
 ** Computes the ECDSA signature on the digest using the given key 
 ** and a random seed.
 */
 SECStatus 
 ECDSA_SignDigest(ECPrivateKey *key, SECItem *signature, const SECItem *digest)
 {
     SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     int len;
     unsigned char *kBytes= NULL;
 
     if (!key) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
 	return SECFailure;
     }
 
@@ -858,30 +858,30 @@ cleanup:
     }
 
 #if EC_DEBUG
     printf("ECDSA signing %s\n",
 	(rv == SECSuccess) ? "succeeded" : "failed");
 #endif
 #else
     PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     return rv;
 }
 
 /*
 ** Checks the signature on the given digest using the key provided.
 */
 SECStatus 
 ECDSA_VerifyDigest(ECPublicKey *key, const SECItem *signature, 
                  const SECItem *digest)
 {
     SECStatus rv = SECFailure;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     mp_int r_, s_;           /* tuple (r', s') is received signature) */
     mp_int c, u1, u2, v;     /* intermediate values used in verification */
     mp_int x1;
     mp_int n;
     mp_err err = MP_OKAY;
     ECParams *ecParams = NULL;
     SECItem pointC = { siBuffer, NULL, 0 };
     int slen;       /* length in bytes of a half signature (r or s) */
@@ -1068,13 +1068,13 @@ cleanup:
     }
 
 #if EC_DEBUG
     printf("ECDSA verification %s\n",
 	(rv == SECSuccess) ? "succeeded" : "failed");
 #endif
 #else
     PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     return rv;
 }
 
--- a/security/nss/lib/freebl/loader.c
+++ b/security/nss/lib/freebl/loader.c
@@ -75,16 +75,18 @@ getLibName(void)
     }
     if (found_int_hybrid) {
 	return int_hybrid_shared_lib;
     }
     return non_hybrid_shared_lib;
 }
 
 #elif defined(HPUX) && !defined(NSS_USE_64) && !defined(__ia64)
+#include <unistd.h>
+
 /* This code tests to see if we're running on a PA2.x CPU.
 ** It returns true (1) if so, and false (0) otherwise.
 */
 static const char *
 getLibName(void)
 {
     long cpu = sysconf(_SC_CPU_VERSION);
     return (cpu == CPU_PA_RISC2_0) 
--- a/security/nss/lib/freebl/manifest.mn
+++ b/security/nss/lib/freebl/manifest.mn
@@ -64,17 +64,17 @@ PRIVATE_EXPORTS = \
 	ecl-curve.h \
 	$(NULL)
 
 MPI_HDRS = mpi-config.h mpi.h mpi-priv.h mplogic.h mpprime.h logtab.h mp_gf2m.h
 MPI_SRCS = mpprime.c mpmontg.c mplogic.c mpi.c mp_gf2m.c
 
 
 ECL_HDRS = ecl-exp.h ecl.h ec2.h ecp.h ecl-priv.h
-ifdef NSS_ENABLE_ECC
+ifndef NSS_DISABLE_ECC
 ECL_SRCS = ecl.c ecl_curve.c ecl_mult.c ecl_gf.c \
 	ecp_aff.c ecp_jac.c ecp_mont.c \
 	ec_naf.c ecp_jm.c ecp_256.c ecp_384.c ecp_521.c \
 	ecp_256_32.c
 ifdef NSS_ECC_MORE_THAN_SUITE_B
 ECL_SRCS += ec2_aff.c ec2_mont.c ec2_proj.c \
 	ec2_163.c ec2_193.c ec2_233.c \
 	ecp_192.c ecp_224.c
--- a/security/nss/lib/freebl/mpi/mpi.h
+++ b/security/nss/lib/freebl/mpi/mpi.h
@@ -51,21 +51,21 @@ typedef int               mp_err;
 #if !defined(ULONG_MAX) 
 #error "ULONG_MAX not defined"
 #elif !defined(UINT_MAX)
 #error "UINT_MAX not defined"
 #elif !defined(USHRT_MAX)
 #error "USHRT_MAX not defined"
 #endif
 
-#if defined(ULONG_LONG_MAX)			/* GCC, HPUX */
-#define MP_ULONG_LONG_MAX ULONG_LONG_MAX
-#elif defined(ULLONG_MAX)			/* Solaris */
+#if defined(ULLONG_MAX)				/* C99, Solaris */
 #define MP_ULONG_LONG_MAX ULLONG_MAX
 /* MP_ULONG_LONG_MAX was defined to be ULLONG_MAX */
+#elif defined(ULONG_LONG_MAX)			/* HPUX */
+#define MP_ULONG_LONG_MAX ULONG_LONG_MAX
 #elif defined(ULONGLONG_MAX)			/* IRIX, AIX */
 #define MP_ULONG_LONG_MAX ULONGLONG_MAX
 #endif
 
 /* We only use unsigned long for mp_digit iff long is more than 32 bits. */
 #if !defined(MP_USE_UINT_DIGIT) && ULONG_MAX > MP_32BIT_MAX
 typedef unsigned long     mp_digit;
 #define MP_DIGIT_MAX      ULONG_MAX
--- a/security/nss/lib/freebl/mpi/target.mk
+++ b/security/nss/lib/freebl/mpi/target.mk
@@ -200,32 +200,32 @@ MPICMN += $(MP_CONFIG)
 mpi_amd64_asm.o: mpi_amd64_sun.s
 	$(AS) -xarch=generic64 -P -D_ASM mpi_amd64_sun.s
 endif
 
 ifeq ($(TARGET),WIN32)
 ifeq ($(CPU_ARCH),x86_64)
 AS_OBJS = mpi_amd64.obj mpi_amd64_masm.obj mp_comba_amd64_masm.asm
 CFLAGS  = -Od -Z7 -MDd -W3 -nologo -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USER)
-CFLAGS += -DWIN32 -DWIN64 -D_WINDOWS -D_AMD_64_ -D_M_AMD64 -DWIN95 -DXP_PC -DNSS_ENABLE_ECC 
+CFLAGS += -DWIN32 -DWIN64 -D_WINDOWS -D_AMD_64_ -D_M_AMD64 -DWIN95 -DXP_PC
 CFLAGS += $(MPICMN)
 
 $(AS_OBJS): %.obj : %.asm
 	ml64 -Cp -Sn -Zi -coff -nologo -c $<
 
 $(LIBOBJS): %.obj : %.c 
 	cl $(CFLAGS) -Fo$@ -c $<
 else
 AS_OBJS = mpi_x86.obj
 MPICMN += -DMP_ASSEMBLY_MULTIPLY -DMP_ASSEMBLY_SQUARE -DMP_ASSEMBLY_DIV_2DX1D
 MPICMN += -DMP_USE_UINT_DIGIT -DMP_NO_MP_WORD -DMP_API_COMPATIBLE 
 MPICMN += -DMP_MONT_USE_MP_MUL 
 MPICMN += -DMP_CHAR_STORE_SLOW -DMP_IS_LITTLE_ENDIAN
 CFLAGS  = -Od -Z7 -MDd -W3 -nologo -DDEBUG -D_DEBUG -UNDEBUG -DDEBUG_$(USER)
-CFLAGS += -DWIN32 -D_WINDOWS -D_X86_ -DWIN95 -DXP_PC -DNSS_ENABLE_ECC 
+CFLAGS += -DWIN32 -D_WINDOWS -D_X86_ -DWIN95 -DXP_PC
 CFLAGS += $(MPICMN)
 
 $(AS_OBJS): %.obj : %.asm
 	ml -Cp -Sn -Zi -coff -nologo -c $<
 
 $(LIBOBJS): %.obj : %.c 
 	cl $(CFLAGS) -Fo$@ -c $<
 
--- a/security/nss/lib/libpkix/include/pkix_pl_pki.h
+++ b/security/nss/lib/libpkix/include/pkix_pl_pki.h
@@ -1510,17 +1510,17 @@ typedef enum PKIX_PL_TrustAnchorModeEnum
         PKIX_PL_TrustAnchorMode_Additive,
 
         /* Indicates that ONLY trust anchors should be considered as
          * trustworthy.
          * Note: If the underlying platform supports marking a certificate as
          *       explicitly untrustworthy, explicitly configured trust anchors
          *       MAY be ignored/rejected.
          */
-        PKIX_PL_TrustAnchorMode_Exclusive,
+        PKIX_PL_TrustAnchorMode_Exclusive
 } PKIX_PL_TrustAnchorMode;
 
 /*
  * FUNCTION: PKIX_PL_Cert_IsCertTrusted
  * DESCRIPTION:
  *
  *  Checks the Cert specified by "cert" to determine, in a manner that depends
  *  on the underlying platform, whether it is trusted, and stores the result in
--- a/security/nss/lib/nss/nss.h
+++ b/security/nss/lib/nss/nss.h
@@ -4,17 +4,17 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef __nss_h_
 #define __nss_h_
 
 /* The private macro _NSS_ECC_STRING is for NSS internal use only. */
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
 #define _NSS_ECC_STRING " Extended ECC"
 #else
 #define _NSS_ECC_STRING " Basic ECC"
 #endif
 #else
 #define _NSS_ECC_STRING ""
 #endif
--- a/security/nss/lib/pk11wrap/pk11pub.h
+++ b/security/nss/lib/pk11wrap/pk11pub.h
@@ -767,17 +767,18 @@ CK_MECHANISM_TYPE
 PK11_GetPBECryptoMechanism(SECAlgorithmID *algid, 
 			   SECItem **param, SECItem *pwd);
 
 /**********************************************************************
  * Functions to manage secmod flags
  **********************************************************************/
 PK11DefaultArrayEntry *PK11_GetDefaultArray(int *size);
 SECStatus PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
-				   PK11DefaultArrayEntry *entry, PRBool add);
+				   const PK11DefaultArrayEntry *entry,
+				   PRBool add);
 
 /**********************************************************************
  * Functions to look at PKCS #11 dependent data
  **********************************************************************/
 PK11GenericObject *PK11_FindGenericObjects(PK11SlotInfo *slot, 
 						CK_OBJECT_CLASS objClass);
 PK11GenericObject *PK11_GetNextGenericObject(PK11GenericObject *object);
 PK11GenericObject *PK11_GetPrevGenericObject(PK11GenericObject *object);
--- a/security/nss/lib/pk11wrap/pk11slot.c
+++ b/security/nss/lib/pk11wrap/pk11slot.c
@@ -943,19 +943,20 @@ PK11_LoadSlotList(PK11SlotInfo *slot, PK
 }
 
 
 /*
  * update a slot to its new attribute according to the slot list
  * returns: SECSuccess if nothing to do or add/delete is successful
  */
 SECStatus
-PK11_UpdateSlotAttribute(PK11SlotInfo *slot, PK11DefaultArrayEntry *entry,
-                        PRBool add)  
-                        /* add: PR_TRUE if want to turn on */
+PK11_UpdateSlotAttribute(PK11SlotInfo *slot,
+                         const PK11DefaultArrayEntry *entry,
+                         PRBool add)
+                         /* add: PR_TRUE if want to turn on */
 {
     SECStatus result = SECSuccess;
     PK11SlotList *slotList = PK11_GetSlotList(entry->mechanism);
 
     if (add) { /* trying to turn on a mechanism */
                  
         /* turn on the default flag in the slot */
         slot->defaultFlags |= entry->flag;
--- a/security/nss/lib/softoken/ecdecode.c
+++ b/security/nss/lib/softoken/ecdecode.c
@@ -1,13 +1,13 @@
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 
 #include "blapi.h"
 #include "secoid.h"
 #include "secitem.h"
 #include "secerr.h"
 #include "ec.h"
 #include "ecl-curve.h"
 
@@ -598,9 +598,9 @@ EC_DecodeParams(const SECItem *encodedPa
 	PORT_FreeArena(arena, PR_TRUE);	
 	return SECFailure;
     } else {
 	*ecparams = params;;
 	return SECSuccess;
     }
 }
 
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
--- a/security/nss/lib/softoken/fipstest.c
+++ b/security/nss/lib/softoken/fipstest.c
@@ -8,17 +8,17 @@
 #include "softoken.h"   /* Required for RC2-ECB, RC2-CBC, RC4, DES-ECB,  */
                         /*              DES-CBC, DES3-ECB, DES3-CBC, RSA */
                         /*              and DSA.                         */
 #include "seccomon.h"   /* Required for RSA and DSA. */
 #include "lowkeyi.h"    /* Required for RSA and DSA. */
 #include "pkcs11.h"     /* Required for PKCS #11. */
 #include "secerr.h"
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 #include "ec.h"         /* Required for ECDSA */
 #endif
 
 
 /* FIPS preprocessor directives for RC2-ECB and RC2-CBC.        */
 #define FIPS_RC2_KEY_LENGTH                      5  /*  40-bits */
 #define FIPS_RC2_ENCRYPT_LENGTH                  8  /*  64-bits */
 #define FIPS_RC2_DECRYPT_LENGTH                  8  /*  64-bits */
@@ -1607,17 +1607,17 @@ sftk_fips_RSA_PowerUpSelfTest( void )
 rsa_loser:
 
     nsslowkey_DestroyPublicKey( rsa_public_key );
     nsslowkey_DestroyPrivateKey( rsa_private_key );
 
     return( CKR_DEVICE_ERROR );
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 
 static CK_RV
 sftk_fips_ECDSA_Test(const PRUint8 *encodedParams, 
                      unsigned int encodedParamsLen,
                      const PRUint8 *knownSignature, 
                      unsigned int knownSignatureLen) {
 
     /* ECDSA Known Seed info for curves nistp256 and nistk283  */
@@ -1790,17 +1790,17 @@ sftk_fips_ECDSA_PowerUpSelfTest() {
     if (crv != CKR_OK) {
         return( CKR_DEVICE_ERROR );
     }
 #endif
 
     return( CKR_OK );
 }
 
-#endif    /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 static CK_RV
 sftk_fips_DSA_PowerUpSelfTest( void )
 {
     /* DSA Known P (1024-bits), Q (160-bits), and G (1024-bits) Values. */
     static const PRUint8 dsa_P[] = {
          0x80,0xb0,0xd1,0x9d,0x6e,0xa4,0xf3,0x28, 
          0x9f,0x24,0xa9,0x8a,0x49,0xd0,0x0c,0x63, 
@@ -2075,17 +2075,17 @@ sftk_fipsPowerUpSelfTest( void )
         return rv;
 
     /* RNG Power-Up SelfTest(s). */
     rv = sftk_fips_RNG_PowerUpSelfTest();
 
     if( rv != CKR_OK )
         return rv;
     
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     /* ECDSA Power-Up SelfTest(s). */
     rv = sftk_fips_ECDSA_PowerUpSelfTest();
 
     if( rv != CKR_OK )
         return rv;
 #endif
 
     /* Software/Firmware Integrity Test. */
--- a/security/nss/lib/softoken/legacydb/keydb.c
+++ b/security/nss/lib/softoken/legacydb/keydb.c
@@ -1138,22 +1138,22 @@ nsslowkey_KeyForCertExists(NSSLOWKEYDBHa
       case NSSLOWKEYDSAKey:
 	namekey.data = pubkey->u.dsa.publicValue.data;
 	namekey.size = pubkey->u.dsa.publicValue.len;
 	break;
       case NSSLOWKEYDHKey:
 	namekey.data = pubkey->u.dh.publicValue.data;
 	namekey.size = pubkey->u.dh.publicValue.len;
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
       case NSSLOWKEYECKey:
 	namekey.data = pubkey->u.ec.publicValue.data;
 	namekey.size = pubkey->u.ec.publicValue.len;
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
       default:
 	/* XXX We don't do Fortezza or DH yet. */
 	return PR_FALSE;
     }
 
     if (handle->version != 3) {
 	unsigned char buf[SHA1_LENGTH];
 	SHA1_HashBuf(buf,namekey.data,namekey.size);
@@ -1470,17 +1470,17 @@ seckey_encrypt_private_key( PLArenaPool 
 			    SDB *sdbpw, SECItem *result)
 {
     NSSLOWKEYPrivateKeyInfo *pki = NULL;
     SECStatus rv = SECFailure;
     PLArenaPool *temparena = NULL;
     SECItem *der_item = NULL;
     SECItem *cipherText = NULL;
     SECItem *dummy = NULL;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     SECItem *fordebug = NULL;
     int savelen;
 #endif
 
     temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
     if(temparena == NULL)
 	goto loser;
 
@@ -1550,17 +1550,17 @@ seckey_encrypt_private_key( PLArenaPool 
 	}
 
 	rv = SECOID_SetAlgorithmID(temparena, &(pki->algorithm),
 				   SEC_OID_X942_DIFFIE_HELMAN_KEY, dummy);
 	if (rv == SECFailure) {
 	    goto loser;
 	}
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
       case NSSLOWKEYECKey:
 	lg_prepare_low_ec_priv_key_for_asn1(pk);
 	/* Public value is encoded as a bit string so adjust length
 	 * to be in bits before ASN encoding and readjust 
 	 * immediately after.
 	 *
 	 * Since the SECG specification recommends not including the
 	 * parameters as part of ECPrivateKey, we zero out the curveOID
@@ -1589,17 +1589,17 @@ seckey_encrypt_private_key( PLArenaPool 
 	    goto loser;
 	}
 	
 	fordebug = &(pki->privateKey);
 	SEC_PRINT("seckey_encrypt_private_key()", "PrivateKey", 
 		  pk->keyType, fordebug);
 
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
       default:
 	/* We don't support DH or Fortezza private keys yet */
 	PORT_Assert(PR_FALSE);
 	break;
     }
 
     /* setup encrypted private key info */
     dummy = SEC_ASN1EncodeItem(temparena, der_item, pki, 
@@ -1699,17 +1699,17 @@ static NSSLOWKEYPrivateKey *
 seckey_decrypt_private_key(SECItem*epki,
 			   SDB *sdbpw)
 {
     NSSLOWKEYPrivateKey *pk = NULL;
     NSSLOWKEYPrivateKeyInfo *pki = NULL;
     SECStatus rv = SECFailure;
     PLArenaPool *temparena = NULL, *permarena = NULL;
     SECItem *dest = NULL;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     SECItem *fordebug = NULL;
 #endif
 
     if((epki == NULL) || (sdbpw == NULL))
 	goto loser;
 
     temparena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
     permarena = PORT_NewArena(SEC_ASN1_DEFAULT_ARENA_SIZE);
@@ -1807,17 +1807,17 @@ seckey_decrypt_private_key(SECItem*epki,
 		pk->keyType = NSSLOWKEYDHKey;
 		lg_prepare_low_dh_priv_key_for_asn1(pk);
                 if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
                     &pki->privateKey) ) break;
 		rv = SEC_QuickDERDecodeItem(permarena, pk,
 					lg_nsslowkey_DHPrivateKeyTemplate,
 					&newPrivateKey);
 		break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	      case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
 		pk->keyType = NSSLOWKEYECKey;
 		lg_prepare_low_ec_priv_key_for_asn1(pk);
 
 		fordebug = &pki->privateKey;
 		SEC_PRINT("seckey_decrypt_private_key()", "PrivateKey", 
 			  pk->keyType, fordebug);
                 if (SECSuccess != SECITEM_CopyItem(permarena, &newPrivateKey,
@@ -1844,17 +1844,17 @@ seckey_decrypt_private_key(SECItem*epki,
 		if (rv != SECSuccess)
 		    goto loser;
 
 		if (pk->u.ec.publicValue.len != 0) {
 		    pk->u.ec.publicValue.len >>= 3;
 		}
 
 		break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	      default:
 		rv = SECFailure;
 		break;
 	    }
 	}
 	else if(PORT_GetError() == SEC_ERROR_BAD_DER)
 	{
 	    PORT_SetError(SEC_ERROR_BAD_PASSWORD);
--- a/security/nss/lib/softoken/legacydb/lgattr.c
+++ b/security/nss/lib/softoken/legacydb/lgattr.c
@@ -418,21 +418,21 @@ lg_GetPubItem(NSSLOWKEYPublicKey *pubKey
 	    pubItem = &pubKey->u.rsa.modulus;
 	    break;
     case NSSLOWKEYDSAKey:
 	    pubItem = &pubKey->u.dsa.publicValue;
 	    break;
     case NSSLOWKEYDHKey:
 	    pubItem = &pubKey->u.dh.publicValue;
 	    break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case NSSLOWKEYECKey:
 	    pubItem = &pubKey->u.ec.publicValue;
 	    break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     default:
 	    break;
     }
     return pubItem;
 }
 
 static const SEC_ASN1Template lg_SerialTemplate[] = {
     { SEC_ASN1_INTEGER, offsetof(NSSLOWCERTCertificate,serialNumber) },
@@ -546,17 +546,17 @@ lg_FindDHPublicKeyAttribute(NSSLOWKEYPub
 	return lg_CopyAttributeSigned(attribute,type,key->u.dh.base.data,
 					key->u.dh.base.len);
     default:
 	break;
     }
     return lg_invalidAttribute(attribute);
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 static CK_RV
 lg_FindECPublicKeyAttribute(NSSLOWKEYPublicKey *key, CK_ATTRIBUTE_TYPE type,
 				CK_ATTRIBUTE *attribute)
 {
     unsigned char hash[SHA1_LENGTH];
     CK_KEY_TYPE keyType = CKK_EC;
 
     switch (type) {
@@ -596,17 +596,17 @@ lg_FindECPublicKeyAttribute(NSSLOWKEYPub
 	    SECITEM_FreeItem(pubValue, PR_TRUE);
 	    return crv;
 	}
     default:
 	break;
     }
     return lg_invalidAttribute(attribute);
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 
 static CK_RV
 lg_FindPublicKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
 				CK_ATTRIBUTE *attribute)
 {
     NSSLOWKEYPublicKey   *key;
     CK_RV crv;
@@ -648,20 +648,20 @@ lg_FindPublicKeyAttribute(LGObjectCache 
 
     switch (key->keyType) {
     case NSSLOWKEYRSAKey:
 	return lg_FindRSAPublicKeyAttribute(key,type,attribute);
     case NSSLOWKEYDSAKey:
 	return lg_FindDSAPublicKeyAttribute(key,type,attribute);
     case NSSLOWKEYDHKey:
 	return lg_FindDHPublicKeyAttribute(key,type,attribute);
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case NSSLOWKEYECKey:
 	return lg_FindECPublicKeyAttribute(key,type,attribute);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     default:
 	break;
     }
 
     return lg_invalidAttribute(attribute);
 }
 
 static CK_RV
@@ -940,17 +940,17 @@ lg_FindDHPrivateKeyAttribute(NSSLOWKEYPr
 					key->u.dh.publicValue.data,
 					key->u.dh.publicValue.len);
     default:
 	break;
     }
     return lg_invalidAttribute(attribute);
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 static CK_RV
 lg_FindECPrivateKeyAttribute(NSSLOWKEYPrivateKey *key, CK_ATTRIBUTE_TYPE type,
 				CK_ATTRIBUTE *attribute, SDB *sdbpw)
 {
     unsigned char hash[SHA1_LENGTH];
     CK_KEY_TYPE keyType = CKK_EC;
 
     switch (type) {
@@ -978,17 +978,17 @@ lg_FindECPrivateKeyAttribute(NSSLOWKEYPr
 	return lg_CopyAttributeSigned(attribute, type,
 					key->u.ec.publicValue.data,
 					key->u.ec.publicValue.len);
     default:
 	break;
     }
     return lg_invalidAttribute(attribute);
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 static CK_RV
 lg_FindPrivateKeyAttribute(LGObjectCache *obj, CK_ATTRIBUTE_TYPE type,
 				CK_ATTRIBUTE *attribute)
 {
     NSSLOWKEYPrivateKey  *key;
     char *label;
     CK_RV crv;
@@ -1025,20 +1025,20 @@ lg_FindPrivateKeyAttribute(LGObjectCache
     }
     switch (key->keyType) {
     case NSSLOWKEYRSAKey:
 	return lg_FindRSAPrivateKeyAttribute(key,type,attribute,obj->sdb);
     case NSSLOWKEYDSAKey:
 	return lg_FindDSAPrivateKeyAttribute(key,type,attribute,obj->sdb);
     case NSSLOWKEYDHKey:
 	return lg_FindDHPrivateKeyAttribute(key,type,attribute,obj->sdb);
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case NSSLOWKEYECKey:
 	return lg_FindECPrivateKeyAttribute(key,type,attribute,obj->sdb);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     default:
 	break;
     }
 
     return lg_invalidAttribute(attribute);
 }
 
 static CK_RV
--- a/security/nss/lib/softoken/legacydb/lgcreate.c
+++ b/security/nss/lib/softoken/legacydb/lgcreate.c
@@ -394,45 +394,45 @@ static CK_RV
 lg_createPublicKeyObject(SDB *sdb, CK_KEY_TYPE key_type,
      CK_OBJECT_HANDLE *handle, const CK_ATTRIBUTE *templ, CK_ULONG count)
 {
     CK_ATTRIBUTE_TYPE pubKeyAttr = CKA_VALUE;
     CK_RV crv = CKR_OK;
     NSSLOWKEYPrivateKey *priv;
     SECItem pubKeySpace = {siBuffer, NULL, 0};
     SECItem *pubKey;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     SECItem pubKey2Space = {siBuffer, NULL, 0};
     PLArenaPool *arena = NULL;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     NSSLOWKEYDBHandle *keyHandle = NULL;
 	
 
     switch (key_type) {
     case CKK_RSA:
 	pubKeyAttr = CKA_MODULUS;
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKK_EC:
 	pubKeyAttr = CKA_EC_POINT;
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     case CKK_DSA:
     case CKK_DH:
 	break;
     default:
 	return CKR_ATTRIBUTE_VALUE_INVALID;
     }
 
 
     pubKey = &pubKeySpace;
     crv = lg_Attribute2SSecItem(NULL,pubKeyAttr,templ,count,pubKey);
     if (crv != CKR_OK) return crv;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     if (key_type == CKK_EC) {
 	SECStatus rv;
 	/*
 	 * for ECC, use the decoded key first.
 	 */
 	arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
 	if (arena == NULL) {
 	    crv = CKR_HOST_MEMORY;
@@ -445,17 +445,17 @@ lg_createPublicKeyObject(SDB *sdb, CK_KE
 	    /* decode didn't work, just try the pubKey */
 	    PORT_FreeArena(arena, PR_FALSE);
 	    arena = NULL;
 	} else {
 	    /* try the decoded pub key first */
 	    pubKey = &pubKey2Space;
 	}
     }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     PORT_Assert(pubKey->data);
     if (pubKey->data == NULL) {
 	crv = CKR_ATTRIBUTE_VALUE_INVALID;
 	goto done;
     }
     keyHandle = lg_getKeyDB(sdb);
     if (keyHandle == NULL) {
@@ -466,17 +466,17 @@ lg_createPublicKeyObject(SDB *sdb, CK_KE
 	unsigned char buf[SHA1_LENGTH];
 	SHA1_HashBuf(buf,pubKey->data,pubKey->len);
 	PORT_Memcpy(pubKey->data,buf,sizeof(buf));
 	pubKey->len = sizeof(buf);
     }
     /* make sure the associated private key already exists */
     /* only works if we are logged in */
     priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey, sdb /*password*/);
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     if (priv == NULL && pubKey == &pubKey2Space) {
 	/* no match on the decoded key, match the original pubkey */
 	pubKey = &pubKeySpace;
     	priv = nsslowkey_FindKeyByPublicKey(keyHandle, pubKey, 
 					    sdb /*password*/);
     }
 #endif
     if (priv == NULL) {
@@ -487,17 +487,17 @@ lg_createPublicKeyObject(SDB *sdb, CK_KE
     }
     lg_nsslowkey_DestroyPrivateKey(priv);
     crv = CKR_OK;
 
     *handle = lg_mkHandle(sdb, pubKey, LG_TOKEN_TYPE_PUB);
 
 done:
     PORT_Free(pubKeySpace.data);
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     if (arena) 
 	PORT_FreeArena(arena, PR_FALSE);
 #endif
 
     return crv;
 }
 
 /* make a private key from a verified object */
@@ -594,17 +594,17 @@ lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUT
 	if (lg_hasAttribute(CKA_NETSCAPE_DB, templ, count)) {
 	    crv = lg_Attribute2SSecItem(arena, CKA_NETSCAPE_DB,templ,count,
 					&privKey->u.dh.publicValue);
 	    /* privKey was zero'd so public value is already set to NULL, 0
 	     * if we don't set it explicitly */
 	}
 	break;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKK_EC:
 	privKey->keyType = NSSLOWKEYECKey;
 	crv = lg_Attribute2SSecItem(arena, CKA_EC_PARAMS,templ,count,
 	                              &privKey->u.ec.ecParams.DEREncoding);
     	if (crv != CKR_OK) break;
 
 	/* Fill out the rest of the ecParams structure
 	 * based on the encoded params
@@ -623,17 +623,17 @@ lg_mkPrivKey(SDB *sdb, const CK_ATTRIBUT
 	    if (crv != CKR_OK) break;
 	    /* privKey was zero'd so public value is already set to NULL, 0
 	     * if we don't set it explicitly */
 	}
         rv = DER_SetUInteger(privKey->arena, &privKey->u.ec.version,
                           NSSLOWKEY_EC_PRIVATE_KEY_VERSION);
 	if (rv != SECSuccess) crv = CKR_HOST_MEMORY;
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     default:
 	crv = CKR_KEY_TYPE_INCONSISTENT;
 	break;
     }
     *crvp = crv;
     if (crv != CKR_OK) {
 	PORT_FreeArena(arena,PR_FALSE);
--- a/security/nss/lib/softoken/legacydb/lowcert.c
+++ b/security/nss/lib/softoken/legacydb/lowcert.c
@@ -788,17 +788,17 @@ nsslowcert_ExtractPublicKey(NSSLOWCERTCe
         break;
       case SEC_OID_X942_DIFFIE_HELMAN_KEY:
         pubk->keyType = NSSLOWKEYDHKey;
         prepare_low_dh_pub_key_for_asn1(pubk);
         rv = SEC_QuickDERDecodeItem(arena, pubk,
 				 nsslowcert_DHPublicKeyTemplate, &os);
         if (rv == SECSuccess) return pubk;
         break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
       case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
         pubk->keyType = NSSLOWKEYECKey;
 	/* Since PKCS#11 directly takes the DER encoding of EC params
 	 * and public value, we don't need any decoding here.
 	 */
         rv = SECITEM_CopyItem(arena, &pubk->u.ec.ecParams.DEREncoding, 
 	    &spki.algorithm.parameters);
         if ( rv != SECSuccess )
@@ -809,17 +809,17 @@ nsslowcert_ExtractPublicKey(NSSLOWCERTCe
 	 */
 	if (LGEC_FillParams(arena, &pubk->u.ec.ecParams.DEREncoding,
 	    &pubk->u.ec.ecParams) != SECSuccess) 
 	    break;
 
         rv = SECITEM_CopyItem(arena, &pubk->u.ec.publicValue, &os);
 	if (rv == SECSuccess) return pubk;
         break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
       default:
         rv = SECFailure;
         break;
     }
 
     lg_nsslowkey_DestroyPublicKey (pubk);
     return NULL;
 }
--- a/security/nss/lib/softoken/legacydb/lowkey.c
+++ b/security/nss/lib/softoken/legacydb/lowkey.c
@@ -94,17 +94,17 @@ const SEC_ASN1Template lg_nsslowkey_DHPr
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.publicValue) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.privateValue) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.base) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.prime) },
     { 0, }
 };
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 
 /* XXX This is just a placeholder for later when we support
  * generic curves and need full-blown support for parsing EC
  * parameters. For now, we only support named curves in which
  * EC params are simply encoded as an object ID and we don't
  * use lg_nsslowkey_ECParamsTemplate.
  */
 const SEC_ASN1Template lg_nsslowkey_ECParamsTemplate[] = {
@@ -211,17 +211,17 @@ LGEC_CopyParams(PLArenaPool *arena, ECPa
 	goto loser;
     }
 
     return SECSuccess;
 
 loser:
     return SECFailure;
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 /*
  * See bugzilla bug 125359
  * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
  * all of the templates above that en/decode into integers must be converted
  * from ASN.1's signed integer type.  This is done by marking either the
  * source or destination (encoding or decoding, respectively) type as
  * siUnsignedInteger.
  */
@@ -261,34 +261,34 @@ void
 lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.dh.prime.type = siUnsignedInteger;
     key->u.dh.base.type = siUnsignedInteger;
     key->u.dh.publicValue.type = siUnsignedInteger;
     key->u.dh.privateValue.type = siUnsignedInteger;
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 void
 lg_prepare_low_ecparams_for_asn1(ECParams *params)
 {
     params->DEREncoding.type = siUnsignedInteger;
     params->curveOID.type = siUnsignedInteger;
 }
 
 void
 lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.ec.version.type = siUnsignedInteger;
     key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
     key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
     key->u.ec.privateValue.type = siUnsignedInteger;
     key->u.ec.publicValue.type = siUnsignedInteger;
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 void
 lg_nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
 {
     if (privk && privk->arena) {
 	PORT_FreeArena(privk->arena, PR_TRUE);
     }
 }
@@ -373,17 +373,17 @@ lg_nsslowkey_ConvertToPublicKey(NSSLOWKE
 	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
 				  &privk->u.dh.prime);
 	    if (rv != SECSuccess) break;
 	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
 				  &privk->u.dh.base);
 	    if (rv == SECSuccess) return pubk;
 	}
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
       case NSSLOWKEYECKey:
 	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
 						    sizeof(NSSLOWKEYPublicKey));
 	if (pubk != NULL) {
 	    SECStatus rv;
 
 	    pubk->arena = arena;
 	    pubk->keyType = privk->keyType;
@@ -392,17 +392,17 @@ lg_nsslowkey_ConvertToPublicKey(NSSLOWKE
 	    if (rv != SECSuccess) break;
 	    pubk->u.ec.ecParams.arena = arena;
 	    /* Copy the rest of the params */
 	    rv = LGEC_CopyParams(arena, &(pubk->u.ec.ecParams),
 			       &(privk->u.ec.ecParams));
 	    if (rv == SECSuccess) return pubk;
 	}
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	/* No Fortezza in Low Key implementations (Fortezza keys aren't
 	 * stored in our data base */
     default:
 	break;
     }
 
     PORT_FreeArena (arena, PR_FALSE);
     return NULL;
--- a/security/nss/lib/softoken/legacydb/lowkeyi.h
+++ b/security/nss/lib/softoken/legacydb/lowkeyi.h
@@ -21,20 +21,20 @@ SEC_BEGIN_PROTOS
  * from ASN.1's signed integer type.  This is done by marking either the
  * source or destination (encoding or decoding, respectively) type as
  * siUnsignedInteger.
  */
 extern void lg_prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void lg_prepare_low_pqg_params_for_asn1(PQGParams *params);
 extern void lg_prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void lg_prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 extern void lg_prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void lg_prepare_low_ecparams_for_asn1(ECParams *params);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 typedef char * (* NSSLOWKEYDBNameFunc)(void *arg, int dbVersion);
     
 /*
 ** Open a key database.
 */
 extern NSSLOWKEYDBHandle *nsslowkey_OpenKeyDB(PRBool readOnly,
 					   const char *domain,
@@ -130,17 +130,17 @@ nsslowkey_StoreKeyByPublicKeyAlg(NSSLOWK
 extern NSSLOWKEYPrivateKey *
 nsslowkey_FindKeyByPublicKey(NSSLOWKEYDBHandle *handle, SECItem *modulus, 
 			  SDB *sdb);
 
 extern char *
 nsslowkey_FindKeyNicknameByPublicKey(NSSLOWKEYDBHandle *handle,
                                         SECItem *modulus, SDB *sdb);
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 /*
  * smaller version of EC_FillParams. In this code, we only need
  * oid and DER data.
  */
 SECStatus LGEC_FillParams(PLArenaPool *arena, const SECItem *encodedParams,
     ECParams *params);
 
 /* Copy all of the fields from srcParams into dstParams */
--- a/security/nss/lib/softoken/legacydb/lowkeyti.h
+++ b/security/nss/lib/softoken/legacydb/lowkeyti.h
@@ -38,21 +38,21 @@ typedef struct NSSLOWKEYDBHandleStr NSSL
 ** Typedef for callback to get a password "key".
 */
 extern const SEC_ASN1Template lg_nsslowkey_PQGParamsTemplate[];
 extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate[];
 extern const SEC_ASN1Template lg_nsslowkey_RSAPrivateKeyTemplate2[];
 extern const SEC_ASN1Template lg_nsslowkey_DSAPrivateKeyTemplate[];
 extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyTemplate[];
 extern const SEC_ASN1Template lg_nsslowkey_DHPrivateKeyExportTemplate[];
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 #define NSSLOWKEY_EC_PRIVATE_KEY_VERSION   1  /* as per SECG 1 C.4 */
 extern const SEC_ASN1Template lg_nsslowkey_ECParamsTemplate[];
 extern const SEC_ASN1Template lg_nsslowkey_ECPrivateKeyTemplate[];
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 extern const SEC_ASN1Template lg_nsslowkey_PrivateKeyInfoTemplate[];
 extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
 
 /*
  * PKCS #8 attributes
  */
 struct NSSLOWKEYAttributeStr {
--- a/security/nss/lib/softoken/lowkey.c
+++ b/security/nss/lib/softoken/lowkey.c
@@ -4,17 +4,17 @@
 #include "lowkeyi.h"
 #include "secoid.h"
 #include "secitem.h"
 #include "secder.h"
 #include "base64.h"
 #include "secasn1.h"
 #include "secerr.h"
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 #include "softoken.h"
 #endif
 
 SEC_ASN1_MKSUB(SEC_AnyTemplate)
 SEC_ASN1_MKSUB(SEC_BitStringTemplate)
 SEC_ASN1_MKSUB(SEC_ObjectIDTemplate)
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
 
@@ -86,17 +86,17 @@ const SEC_ASN1Template nsslowkey_DHPriva
     { SEC_ASN1_SEQUENCE, 0, NULL, sizeof(NSSLOWKEYPrivateKey) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.publicValue) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.privateValue) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.base) },
     { SEC_ASN1_INTEGER, offsetof(NSSLOWKEYPrivateKey,u.dh.prime) },
     { 0, }
 };
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 
 /* XXX This is just a placeholder for later when we support
  * generic curves and need full-blown support for parsing EC
  * parameters. For now, we only support named curves in which
  * EC params are simply encoded as an object ID and we don't
  * use nsslowkey_ECParamsTemplate.
  */
 const SEC_ASN1Template nsslowkey_ECParamsTemplate[] = {
@@ -135,17 +135,17 @@ const SEC_ASN1Template nsslowkey_ECPriva
 #endif
     { SEC_ASN1_OPTIONAL | SEC_ASN1_CONSTRUCTED |
       SEC_ASN1_EXPLICIT | SEC_ASN1_CONTEXT_SPECIFIC |
       SEC_ASN1_XTRN | 1, 
       offsetof(NSSLOWKEYPrivateKey,u.ec.publicValue),
       SEC_ASN1_SUB(SEC_BitStringTemplate) }, 
     { 0, }
 };
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 /*
  * See bugzilla bug 125359
  * Since NSS (via PKCS#11) wants to handle big integers as unsigned ints,
  * all of the templates above that en/decode into integers must be converted
  * from ASN.1's signed integer type.  This is done by marking either the
  * source or destination (encoding or decoding, respectively) type as
  * siUnsignedInteger.
  */
@@ -191,34 +191,34 @@ void
 prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.dh.prime.type = siUnsignedInteger;
     key->u.dh.base.type = siUnsignedInteger;
     key->u.dh.publicValue.type = siUnsignedInteger;
     key->u.dh.privateValue.type = siUnsignedInteger;
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 void
 prepare_low_ecparams_for_asn1(ECParams *params)
 {
     params->DEREncoding.type = siUnsignedInteger;
     params->curveOID.type = siUnsignedInteger;
 }
 
 void
 prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key)
 {
     key->u.ec.version.type = siUnsignedInteger;
     key->u.ec.ecParams.DEREncoding.type = siUnsignedInteger;
     key->u.ec.ecParams.curveOID.type = siUnsignedInteger;
     key->u.ec.privateValue.type = siUnsignedInteger;
     key->u.ec.publicValue.type = siUnsignedInteger;
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 void
 nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *privk)
 {
     if (privk && privk->arena) {
 	PORT_FreeArena(privk->arena, PR_TRUE);
     }
 }
@@ -336,17 +336,17 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
 	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.prime,
 				  &privk->u.dh.prime);
 	    if (rv != SECSuccess) break;
 	    rv = SECITEM_CopyItem(arena, &pubk->u.dh.base,
 				  &privk->u.dh.base);
 	    if (rv == SECSuccess) return pubk;
 	}
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
       case NSSLOWKEYECKey:
 	pubk = (NSSLOWKEYPublicKey *)PORT_ArenaZAlloc(arena,
 						    sizeof(NSSLOWKEYPublicKey));
 	if (pubk != NULL) {
 	    SECStatus rv;
 
 	    pubk->arena = arena;
 	    pubk->keyType = privk->keyType;
@@ -355,17 +355,17 @@ nsslowkey_ConvertToPublicKey(NSSLOWKEYPr
 	    if (rv != SECSuccess) break;
 	    pubk->u.ec.ecParams.arena = arena;
 	    /* Copy the rest of the params */
 	    rv = EC_CopyParams(arena, &(pubk->u.ec.ecParams),
 			       &(privk->u.ec.ecParams));
 	    if (rv == SECSuccess) return pubk;
 	}
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	/* No Fortezza in Low Key implementations (Fortezza keys aren't
 	 * stored in our data base */
     default:
 	break;
     }
 
     PORT_FreeArena (arena, PR_FALSE);
     return NULL;
@@ -454,34 +454,34 @@ nsslowkey_CopyPrivateKey(NSSLOWKEYPrivat
 	    returnKey->u.dsa.params.arena = poolp;
 	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.prime),
 					&(privKey->u.dh.prime));
 	    if(rv != SECSuccess) break;
 	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.dh.base),
 					&(privKey->u.dh.base));
 	    if(rv != SECSuccess) break;
 	    break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	case NSSLOWKEYECKey:
 	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.version),
 	    				&(privKey->u.ec.version));
 	    if(rv != SECSuccess) break;
 	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.publicValue),
 	    				&(privKey->u.ec.publicValue));
 	    if(rv != SECSuccess) break;
 	    rv = SECITEM_CopyItem(poolp, &(returnKey->u.ec.privateValue),
 	    				&(privKey->u.ec.privateValue));
 	    if(rv != SECSuccess) break;
 	    returnKey->u.ec.ecParams.arena = poolp;
 	    /* Copy the rest of the params */
 	    rv = EC_CopyParams(poolp, &(returnKey->u.ec.ecParams),
 			       &(privKey->u.ec.ecParams));
 	    if (rv != SECSuccess) break;
 	    break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	default:
 	    rv = SECFailure;
     }
 
 loser:
 
     if(rv != SECSuccess) {
 	PORT_FreeArena(poolp, PR_TRUE);
--- a/security/nss/lib/softoken/lowkeyi.h
+++ b/security/nss/lib/softoken/lowkeyi.h
@@ -20,20 +20,20 @@ SEC_BEGIN_PROTOS
  * source or destination (encoding or decoding, respectively) type as
  * siUnsignedInteger.
  */
 extern void prepare_low_rsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void prepare_low_pqg_params_for_asn1(PQGParams *params);
 extern void prepare_low_dsa_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void prepare_low_dsa_priv_key_export_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void prepare_low_dh_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 extern void prepare_low_ec_priv_key_for_asn1(NSSLOWKEYPrivateKey *key);
 extern void prepare_low_ecparams_for_asn1(ECParams *params);
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 /*
 ** Destroy a private key object.
 **	"key" the object
 **	"freeit" if PR_TRUE then free the object as well as its sub-objects
 */
 extern void nsslowkey_DestroyPrivateKey(NSSLOWKEYPrivateKey *key);
 
--- a/security/nss/lib/softoken/lowkeyti.h
+++ b/security/nss/lib/softoken/lowkeyti.h
@@ -15,21 +15,21 @@
 ** Typedef for callback to get a password "key".
 */
 extern const SEC_ASN1Template nsslowkey_PQGParamsTemplate[];
 extern const SEC_ASN1Template nsslowkey_RSAPrivateKeyTemplate[];
 extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyTemplate[];
 extern const SEC_ASN1Template nsslowkey_DSAPrivateKeyExportTemplate[];
 extern const SEC_ASN1Template nsslowkey_DHPrivateKeyTemplate[];
 extern const SEC_ASN1Template nsslowkey_DHPrivateKeyExportTemplate[];
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 #define NSSLOWKEY_EC_PRIVATE_KEY_VERSION   1  /* as per SECG 1 C.4 */
 extern const SEC_ASN1Template nsslowkey_ECParamsTemplate[];
 extern const SEC_ASN1Template nsslowkey_ECPrivateKeyTemplate[];
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 extern const SEC_ASN1Template nsslowkey_PrivateKeyInfoTemplate[];
 extern const SEC_ASN1Template nsslowkey_EncryptedPrivateKeyInfoTemplate[];
 
 /*
  * PKCS #8 attributes
  */
 struct NSSLOWKEYAttributeStr {
--- a/security/nss/lib/softoken/pkcs11.c
+++ b/security/nss/lib/softoken/pkcs11.c
@@ -297,27 +297,27 @@ static const struct mechanismList mechan
      {CKM_DSA_SHA1,		{DSA_MIN_P_BITS, DSA_MAX_P_BITS,
 				 CKF_SN_VR},              PR_TRUE},
      /* -------------------- Diffie Hellman Operations --------------------- */
      /* no diffie hellman yet */
      {CKM_DH_PKCS_KEY_PAIR_GEN,	{DH_MIN_P_BITS, DH_MAX_P_BITS, 
 				 CKF_GENERATE_KEY_PAIR}, PR_TRUE}, 
      {CKM_DH_PKCS_DERIVE,	{DH_MIN_P_BITS, DH_MAX_P_BITS,
 				 CKF_DERIVE}, 	PR_TRUE}, 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
      /* -------------------- Elliptic Curve Operations --------------------- */
      {CKM_EC_KEY_PAIR_GEN,      {EC_MIN_KEY_BITS, EC_MAX_KEY_BITS,
 				 CKF_GENERATE_KEY_PAIR|CKF_EC_BPNU}, PR_TRUE}, 
      {CKM_ECDH1_DERIVE,         {EC_MIN_KEY_BITS, EC_MAX_KEY_BITS,
 				 CKF_DERIVE|CKF_EC_BPNU}, PR_TRUE}, 
      {CKM_ECDSA,                {EC_MIN_KEY_BITS, EC_MAX_KEY_BITS,
 				 CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, 
      {CKM_ECDSA_SHA1,           {EC_MIN_KEY_BITS, EC_MAX_KEY_BITS,
 				 CKF_SN_VR|CKF_EC_BPNU}, PR_TRUE}, 
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
      /* ------------------------- RC2 Operations --------------------------- */
      {CKM_RC2_KEY_GEN,		{1, 128, CKF_GENERATE},		PR_TRUE},
      {CKM_RC2_ECB,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
      {CKM_RC2_CBC,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
      {CKM_RC2_MAC,		{1, 128, CKF_SN_VR},		PR_TRUE},
      {CKM_RC2_MAC_GENERAL,	{1, 128, CKF_SN_VR},		PR_TRUE},
      {CKM_RC2_CBC_PAD,		{1, 128, CKF_EN_DE_WR_UN},	PR_TRUE},
      /* ------------------------- RC4 Operations --------------------------- */
@@ -922,31 +922,31 @@ sftk_handlePublicKeyObject(SFTKSession *
 	    return crv;
 	}
 	verify = CK_FALSE;
 	derive = CK_TRUE;
 	encrypt = CK_FALSE;
 	recover = CK_FALSE;
 	wrap = CK_FALSE;
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKK_EC:
 	if ( !sftk_hasAttribute(object, CKA_EC_PARAMS)) {
 	    return CKR_TEMPLATE_INCOMPLETE;
 	}
 	if ( !sftk_hasAttribute(object, CKA_EC_POINT)) {
 	    return CKR_TEMPLATE_INCOMPLETE;
 	}
 	derive = CK_TRUE;    /* for ECDH */
 	verify = CK_TRUE;    /* for ECDSA */
 	encrypt = CK_FALSE;
 	recover = CK_FALSE;
 	wrap = CK_FALSE;
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     default:
 	return CKR_ATTRIBUTE_VALUE_INVALID;
     }
 
     /* make sure the required fields exist */
     crv = sftk_defaultAttribute(object,CKA_SUBJECT,NULL,0);
     if (crv != CKR_OK)  return crv; 
     crv = sftk_defaultAttribute(object,CKA_ENCRYPT,&encrypt,sizeof(CK_BBOOL));
@@ -1083,30 +1083,30 @@ sftk_handlePrivateKeyObject(SFTKSession 
 	}
 	if ( !sftk_hasAttribute(object, CKA_VALUE)) {
 	    return CKR_TEMPLATE_INCOMPLETE;
 	}
 	encrypt = CK_FALSE;
 	recover = CK_FALSE;
 	wrap = CK_FALSE;
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKK_EC:
 	if ( !sftk_hasAttribute(object, CKA_EC_PARAMS)) {
 	    return CKR_TEMPLATE_INCOMPLETE;
 	}
 	if ( !sftk_hasAttribute(object, CKA_VALUE)) {
 	    return CKR_TEMPLATE_INCOMPLETE;
 	}
 	encrypt = CK_FALSE;
 	sign = CK_TRUE;
 	recover = CK_FALSE;
 	wrap = CK_FALSE;
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     case CKK_NSS_JPAKE_ROUND1:
         if (!sftk_hasAttribute(object, CKA_PRIME) ||
             !sftk_hasAttribute(object, CKA_SUBPRIME) ||
             !sftk_hasAttribute(object, CKA_BASE)) {
             return CKR_TEMPLATE_INCOMPLETE;
         }
         /* fall through */
     case CKK_NSS_JPAKE_ROUND2:
@@ -1703,17 +1703,17 @@ NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKO
 							object,CKA_PRIME);
     	if (crv != CKR_OK) break;
 	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dh.base,
 							object,CKA_BASE);
     	if (crv != CKR_OK) break;
     	crv = sftk_Attribute2SSecItem(arena,&pubKey->u.dh.publicValue,
 							object,CKA_VALUE);
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKK_EC:
 	pubKey->keyType = NSSLOWKEYECKey;
 	crv = sftk_Attribute2SSecItem(arena,
 	                              &pubKey->u.ec.ecParams.DEREncoding,
 	                              object,CKA_EC_PARAMS);
 	if (crv != CKR_OK) break;
 
 	/* Fill out the rest of the ecParams structure 
@@ -1763,17 +1763,17 @@ NSSLOWKEYPublicKey *sftk_GetPubKey(SFTKO
 		}
 		/* replace our previous with the decoded key */
 		pubKey->u.ec.publicValue = publicValue;
 		break;
 	    }
 	   crv = CKR_ATTRIBUTE_VALUE_INVALID;
 	}
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     default:
 	crv = CKR_KEY_TYPE_INCONSISTENT;
 	break;
     }
     *crvp = crv;
     if (crv != CKR_OK) {
     	PORT_FreeArena(arena,PR_FALSE);
 	return NULL;
@@ -1872,17 +1872,17 @@ sftk_mkPrivKey(SFTKObject *object, CK_KE
 	itemTemplateCount++;
 	SFTK_SET_ITEM_TEMPLATE(itemTemplate, itemTemplateCount,
 		&privKey->u.dh.privateValue, CKA_VALUE);
 	itemTemplateCount++;
 	/* privKey was zero'd so public value is already set to NULL, 0
 	 * if we don't set it explicitly */
 	break;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKK_EC:
 	privKey->keyType = NSSLOWKEYECKey;
 	crv = sftk_Attribute2SSecItem(arena, 
 				      &privKey->u.ec.ecParams.DEREncoding,
 				      object,CKA_EC_PARAMS);
     	if (crv != CKR_OK) break;
 
 	/* Fill out the rest of the ecParams structure
@@ -1914,17 +1914,17 @@ sftk_mkPrivKey(SFTKObject *object, CK_KE
 	     * http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56561
 	     */
 #if defined (__arm__) && !defined(__thumb__) && defined (__GNUC__)
 	    *crvp = CKR_HOST_MEMORY;
 	    break;
 #endif
 	}
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     default:
 	crv = CKR_KEY_TYPE_INCONSISTENT;
 	break;
     }
     if (crv == CKR_OK && itemTemplateCount != 0) {
 	PORT_Assert(itemTemplateCount > 0);
 	PORT_Assert(itemTemplateCount <= SFTK_MAX_ITEM_TEMPLATE);
--- a/security/nss/lib/softoken/pkcs11c.c
+++ b/security/nss/lib/softoken/pkcs11c.c
@@ -57,29 +57,29 @@ typedef struct {
     PRUint8 random[46];
 } SSL3RSAPreMasterSecret;
 
 static void sftk_Null(void *data, PRBool freeit)
 {
     return;
 } 
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 #ifdef EC_DEBUG
 #define SEC_PRINT(str1, str2, num, sitem) \
     printf("pkcs11c.c:%s:%s (keytype=%d) [len=%d]\n", \
             str1, str2, num, sitem->len); \
     for (i = 0; i < sitem->len; i++) { \
 	    printf("%02x:", sitem->data[i]); \
     } \
     printf("\n") 
 #else
 #define SEC_PRINT(a, b, c, d) 
 #endif
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 /*
  * free routines.... Free local type  allocated data, and convert
  * other free routines to the destroy signature.
  */
 static void
 sftk_FreePrivKey(NSSLOWKEYPrivateKey *key, PRBool freeit)
 {
@@ -115,17 +115,17 @@ sftk_MapCryptError(int error)
 	case SEC_ERROR_BAD_SIGNATURE:
 	    return CKR_SIGNATURE_INVALID;
 	case SEC_ERROR_INVALID_KEY:
 	    return CKR_KEY_SIZE_RANGE;
 	case SEC_ERROR_BAD_KEY:  /* an EC public key that fails validation */
 	    return CKR_KEY_SIZE_RANGE;  /* the closest error code */
 	case SEC_ERROR_UNSUPPORTED_EC_POINT_FORM:
 	    return CKR_TEMPLATE_INCONSISTENT;
-	/* EC functions set this error if NSS_ENABLE_ECC is not defined */
+	/* EC functions set this error if NSS_DISABLE_ECC is defined */
 	case SEC_ERROR_UNSUPPORTED_KEYALG:
 	    return CKR_MECHANISM_INVALID;
 	case SEC_ERROR_UNSUPPORTED_ELLIPTIC_CURVE:
 	    return CKR_DOMAIN_PARAMS_INVALID;
 	/* key pair generation failed after max number of attempts */
 	case SEC_ERROR_NEED_RANDOM:
 	    return CKR_FUNCTION_FAILED;
     }
@@ -2237,17 +2237,17 @@ nsc_DSA_Sign_Stub(void *ctx, void *sigBu
     rv = DSA_SignDigest(&(key->u.dsa), &signature, &digest);
     if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
 	sftk_fatalError = PR_TRUE;
     }
     *sigLen = signature.len;
     return rv;
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 static SECStatus
 nsc_ECDSAVerifyStub(void *ctx, void *sigBuf, unsigned int sigLen,
                     void *dataBuf, unsigned int dataLen)
 {
     SECItem signature, digest;
     NSSLOWKEYPublicKey *key = (NSSLOWKEYPublicKey *)ctx;
 
     signature.data = (unsigned char *)sigBuf;
@@ -2272,17 +2272,17 @@ nsc_ECDSASignStub(void *ctx, void *sigBu
     digest.len = dataLen;
     rv = ECDSA_SignDigest(&(key->u.ec), &signature, &digest);
     if (rv != SECSuccess && PORT_GetError() == SEC_ERROR_LIBRARY_FAILURE) {
 	sftk_fatalError = PR_TRUE;
     }
     *sigLen = signature.len;
     return rv;
 }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 /* NSC_SignInit setups up the signing operations. There are three basic
  * types of signing:
  *	(1) the tradition single part, where "Raw RSA" or "Raw DSA" is applied
  *  to data in a single Sign operation (which often looks a lot like an
  *  encrypt, with data coming in and data going out).
  *	(2) Hash based signing, where we continually hash the data, then apply
  *  some sort of signature to the end.
@@ -2424,17 +2424,17 @@ finish_rsa:
 	context->cipherInfo = privKey;
 	context->update     = (SFTKCipher) nsc_DSA_Sign_Stub;
 	context->destroy    = (privKey == key->objectInfo) ?
 		(SFTKDestroy) sftk_Null:(SFTKDestroy)sftk_FreePrivKey;
 	context->maxLen     = DSA_MAX_SIGNATURE_LEN;
 
 	break;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKM_ECDSA_SHA1:
 	context->multi = PR_TRUE;
 	crv = sftk_doSubSHA1(context);
 	if (crv != CKR_OK) break;
 	/* fall through */
     case CKM_ECDSA:
 	if (key_type != CKK_EC) {
 	    crv = CKR_KEY_TYPE_INCONSISTENT;
@@ -2447,17 +2447,17 @@ finish_rsa:
 	}
 	context->cipherInfo = privKey;
 	context->update     = (SFTKCipher) nsc_ECDSASignStub;
 	context->destroy    = (privKey == key->objectInfo) ?
 		(SFTKDestroy) sftk_Null:(SFTKDestroy)sftk_FreePrivKey;
 	context->maxLen     = MAX_ECKEY_LEN * 2;
 
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 #define INIT_HMAC_MECH(mmm) \
     case CKM_ ## mmm ## _HMAC_GENERAL: \
 	crv = sftk_doHMACInit(context, HASH_Alg ## mmm ,key, \
 				*(CK_ULONG *)pMechanism->pParameter); \
 	break; \
     case CKM_ ## mmm ## _HMAC: \
 	crv = sftk_doHMACInit(context, HASH_Alg ## mmm ,key, mmm ## _LENGTH); \
@@ -3055,17 +3055,17 @@ finish_rsa:
 	pubKey = sftk_GetPubKey(key,CKK_DSA,&crv);
 	if (pubKey == NULL) {
 	    break;
 	}
 	context->cipherInfo = pubKey;
 	context->verify     = (SFTKVerify) nsc_DSA_Verify_Stub;
 	context->destroy    = sftk_Null;
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKM_ECDSA_SHA1:
 	context->multi = PR_TRUE;
 	crv = sftk_doSubSHA1(context);
 	if (crv != CKR_OK) break;
 	/* fall through */
     case CKM_ECDSA:
 	if (key_type != CKK_EC) {
 	    crv = CKR_KEY_TYPE_INCONSISTENT;
@@ -3075,17 +3075,17 @@ finish_rsa:
 	if (pubKey == NULL) {
 	    crv = CKR_HOST_MEMORY;
 	    break;
 	}
 	context->cipherInfo = pubKey;
 	context->verify     = (SFTKVerify) nsc_ECDSAVerifyStub;
 	context->destroy    = sftk_Null;
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     INIT_HMAC_MECH(MD2)
     INIT_HMAC_MECH(MD5)
     INIT_HMAC_MECH(SHA224)
     INIT_HMAC_MECH(SHA256)
     INIT_HMAC_MECH(SHA384)
     INIT_HMAC_MECH(SHA512)
 
@@ -4204,17 +4204,17 @@ sftk_PairwiseConsistencyCheck(CK_SESSION
 	    signature_length = modulusLen;
 	    mech.mechanism = CKM_RSA_PKCS;
 	    break;
 	case CKK_DSA:
 	    signature_length = DSA_MAX_SIGNATURE_LEN;
 	    pairwise_digest_length = subPrimeLen;
 	    mech.mechanism = CKM_DSA;
 	    break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	case CKK_EC:
 	    signature_length = MAX_ECKEY_LEN * 2;
 	    mech.mechanism = CKM_ECDSA;
 	    break;
 #endif
 	default:
 	    return CKR_DEVICE_ERROR;
 	}
@@ -4327,22 +4327,22 @@ CK_RV NSC_GenerateKeyPair (CK_SESSION_HA
     PQGParams 		pqgParam;
     DHParams  		dhParam;
     DSAPrivateKey *	dsaPriv;
 
     /* Diffie Hellman */
     int 		private_value_bits = 0;
     DHPrivateKey *	dhPriv;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     /* Elliptic Curve Cryptography */
     SECItem  		ecEncodedParams;  /* DER Encoded parameters */
     ECPrivateKey *	ecPriv;
     ECParams *          ecParams;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     CHECK_FORK();
 
     if (!slot) {
         return CKR_SESSION_HANDLE_INVALID;
     }
     /*
      * now lets create an object to hang the attributes off of
@@ -4662,17 +4662,17 @@ dsagn_done:
 	crv=sftk_AddAttributeType(privateKey, CKA_VALUE, 
 			      sftk_item_expand(&dhPriv->privateValue));
 
 dhgn_done:
 	/* should zeroize, since this function doesn't. */
 	PORT_FreeArena(dhPriv->arena, PR_TRUE);
 	break;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKM_EC_KEY_PAIR_GEN:
 	sftk_DeleteAttributeType(privateKey,CKA_EC_PARAMS);
 	sftk_DeleteAttributeType(privateKey,CKA_VALUE);
     	sftk_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB);
 	key_type = CKK_EC;
 
 	/* extract the necessary parameters and copy them to private keys */
 	crv = sftk_Attribute2SSecItem(NULL, &ecEncodedParams, publicKey, 
@@ -4725,17 +4725,17 @@ dhgn_done:
 	if (crv != CKR_OK) goto ecgn_done;
 
         crv = sftk_AddAttributeType(privateKey,CKA_NETSCAPE_DB,
 			   sftk_item_expand(&ecPriv->publicValue));
 ecgn_done:
 	/* should zeroize, since this function doesn't. */
 	PORT_FreeArena(ecPriv->ecParams.arena, PR_TRUE);
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     default:
 	crv = CKR_MECHANISM_INVALID;
     }
 
     if (crv != CKR_OK) {
 	sftk_FreeObject(privateKey);
 	sftk_FreeObject(publicKey);
@@ -4845,17 +4845,17 @@ static SECItem *sftk_PackagePrivateKey(S
     NSSLOWKEYPrivateKey *lk = NULL;
     NSSLOWKEYPrivateKeyInfo *pki = NULL;
     SFTKAttribute *attribute = NULL;
     PLArenaPool *arena = NULL;
     SECOidTag algorithm = SEC_OID_UNKNOWN;
     void *dummy, *param = NULL;
     SECStatus rv = SECSuccess;
     SECItem *encodedKey = NULL;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     SECItem *fordebug;
     int savelen;
 #endif
 
     if(!key) {
 	*crvp = CKR_KEY_HANDLE_INVALID; /* really can't happen */
 	return NULL;
     }
@@ -4900,17 +4900,17 @@ static SECItem *sftk_PackagePrivateKey(S
             prepare_low_dsa_priv_key_export_for_asn1(lk);
 	    dummy = SEC_ASN1EncodeItem(arena, &pki->privateKey, lk,
 				       nsslowkey_DSAPrivateKeyExportTemplate);
 	    prepare_low_pqg_params_for_asn1(&lk->u.dsa.params);
 	    param = SEC_ASN1EncodeItem(NULL, NULL, &(lk->u.dsa.params),
 				       nsslowkey_PQGParamsTemplate);
 	    algorithm = SEC_OID_ANSIX9_DSA_SIGNATURE;
 	    break;
-#ifdef NSS_ENABLE_ECC	    
+#ifndef NSS_DISABLE_ECC
         case NSSLOWKEYECKey:
             prepare_low_ec_priv_key_for_asn1(lk);
 	    /* Public value is encoded as a bit string so adjust length
 	     * to be in bits before ASN encoding and readjust 
 	     * immediately after.
 	     *
 	     * Since the SECG specification recommends not including the
 	     * parameters as part of ECPrivateKey, we zero out the curveOID
@@ -4927,17 +4927,17 @@ static SECItem *sftk_PackagePrivateKey(S
 	    fordebug = &pki->privateKey;
 	    SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKey", lk->keyType,
 		      fordebug);
 
 	    param = SECITEM_DupItem(&lk->u.ec.ecParams.DEREncoding);
 
 	    algorithm = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
 	    break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	case NSSLOWKEYDHKey:
 	default:
 	    dummy = NULL;
 	    break;
     }
  
     if(!dummy || ((lk->keyType == NSSLOWKEYDSAKey) && !param)) {
 	*crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */
@@ -4960,17 +4960,17 @@ static SECItem *sftk_PackagePrivateKey(S
 	rv = SECFailure;
 	goto loser;
     }
 
     encodedKey = SEC_ASN1EncodeItem(NULL, NULL, pki, 
 				    nsslowkey_PrivateKeyInfoTemplate);
     *crvp = encodedKey ? CKR_OK : CKR_DEVICE_ERROR;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     fordebug = encodedKey;
     SEC_PRINT("sftk_PackagePrivateKey()", "PrivateKeyInfo", lk->keyType,
 	      fordebug);
 #endif
 loser:
     if(arena) {
 	PORT_FreeArena(arena, PR_TRUE);
     }
@@ -5186,52 +5186,52 @@ sftk_unwrapPrivateKey(SFTKObject *key, S
 	    keyTemplate = nsslowkey_DSAPrivateKeyExportTemplate;
 	    paramTemplate = nsslowkey_PQGParamsTemplate;
 	    paramDest = &(lpk->u.dsa.params);
 	    lpk->keyType = NSSLOWKEYDSAKey;
 	    prepare_low_dsa_priv_key_export_for_asn1(lpk);
 	    prepare_low_pqg_params_for_asn1(&lpk->u.dsa.params);
 	    break;
 	/* case NSSLOWKEYDHKey: */
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
         case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
 	    keyTemplate = nsslowkey_ECPrivateKeyTemplate;
 	    paramTemplate = NULL;
 	    paramDest = &(lpk->u.ec.ecParams.DEREncoding);
 	    lpk->keyType = NSSLOWKEYECKey;
 	    prepare_low_ec_priv_key_for_asn1(lpk);
 	    prepare_low_ecparams_for_asn1(&lpk->u.ec.ecParams);
 	    break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	default:
 	    keyTemplate = NULL;
 	    paramTemplate = NULL;
 	    paramDest = NULL;
 	    break;
     }
 
     if(!keyTemplate) {
 	goto loser;
     }
 
     /* decode the private key and any algorithm parameters */
     rv = SEC_QuickDERDecodeItem(arena, lpk, keyTemplate, &pki->privateKey);
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     if (lpk->keyType == NSSLOWKEYECKey) {
         /* convert length in bits to length in bytes */
 	lpk->u.ec.publicValue.len >>= 3;
         rv = SECITEM_CopyItem(arena, 
 			      &(lpk->u.ec.ecParams.DEREncoding),
 	                      &(pki->algorithm.parameters));
 	if(rv != SECSuccess) {
 	    goto loser;
 	}
     }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     if(rv != SECSuccess) {
 	goto loser;
     }
     if(paramDest && paramTemplate) {
 	rv = SEC_QuickDERDecodeItem(arena, paramDest, paramTemplate, 
 				 &(pki->algorithm.parameters));
 	if(rv != SECSuccess) {
@@ -5316,17 +5316,17 @@ sftk_unwrapPrivateKey(SFTKObject *key, S
 #ifdef notdef
         case NSSLOWKEYDHKey:
 	    template = dhTemplate;
 	    templateCount = sizeof(dhTemplate)/sizeof(CK_ATTRIBUTE);
 	    keyType = CKK_DH;
 	    break;
 #endif
 	/* what about fortezza??? */
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
         case NSSLOWKEYECKey:
 	    keyType = CKK_EC;
 	    crv = (sftk_hasAttribute(key, CKA_NETSCAPE_DB)) ? CKR_OK :
 						CKR_KEY_TYPE_INCONSISTENT;
 	    if(crv != CKR_OK) break;
 	    crv = sftk_AddAttributeType(key, CKA_KEY_TYPE, &keyType, 
 						sizeof(keyType));
 	    if(crv != CKR_OK) break;
@@ -5342,17 +5342,17 @@ sftk_unwrapPrivateKey(SFTKObject *key, S
 	    crv = sftk_AddAttributeType(key, CKA_EC_PARAMS,
 				 sftk_item_expand(&lpk->u.ec.ecParams.DEREncoding));
 	    if(crv != CKR_OK) break;
 	    crv = sftk_AddAttributeType(key, CKA_VALUE, 
 			sftk_item_expand(&lpk->u.ec.privateValue));
 	    if(crv != CKR_OK) break;
 	    /* XXX Do we need to decode the EC Params here ?? */
 	    break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	default:
 	    crv = CKR_KEY_TYPE_INCONSISTENT;
 	    break;
     }
 
 loser:
     if(lpk) {
 	nsslowkey_DestroyPrivateKey(lpk);
@@ -5652,17 +5652,17 @@ sftk_MapKeySize(CK_KEY_TYPE keyType)
 	return 24;
     /* IDEA and CAST need to be added */
     default:
 	break;
     }
     return 0;
 }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 /* Inputs:
  *  key_len: Length of derived key to be generated.
  *  SharedSecret: a shared secret that is the output of a key agreement primitive.
  *  SharedInfo: (Optional) some data shared by the entities computing the secret key.
  *  SharedInfoLen: the length in octets of SharedInfo
  *  Hash: The hash function to be used in the KDF
  *  HashLen: the length in octets of the output of Hash
  * Output:
@@ -5763,17 +5763,17 @@ static CK_RV sftk_ANSI_X9_63_kdf(CK_BYTE
 	return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
 		   		 SharedInfoLen, SHA384_HashBuf, SHA384_LENGTH);
     else if (kdf == CKD_SHA512_KDF)
 	return sftk_compute_ANSI_X9_63_kdf(key, key_len, SharedSecret, SharedInfo,
 		   		 SharedInfoLen, SHA512_HashBuf, SHA512_LENGTH);
     else
 	return CKR_MECHANISM_INVALID;
 }
-#endif
+#endif /* NSS_DISABLE_ECC */
 
 /*
  * SSL Key generation given pre master secret
  */
 #define NUM_MIXERS 9
 static const char * const mixers[NUM_MIXERS] = { 
     "A", 
     "BB", 
@@ -6709,17 +6709,17 @@ key_and_mac_derive_fail:
 	    sftk_forceAttribute(key, CKA_VALUE, derived.data, derived.len);
 	    PORT_ZFree(derived.data, derived.len);
 	} else
 	    crv = CKR_HOST_MEMORY;
 	    
 	break;
       }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKM_ECDH1_DERIVE:
     case CKM_ECDH1_COFACTOR_DERIVE:
       {
 	SECItem  ecScalar, ecPoint;
 	SECItem  tmp;
 	PRBool   withCofactor = PR_FALSE;
 	unsigned char *secret;
 	unsigned char *keyData = NULL;
@@ -6867,17 +6867,17 @@ ec_loser:
 	if (privKey != sourceKey->objectInfo)
 	    nsslowkey_DestroyPrivateKey(privKey);
 	if (arena) {
 	    PORT_FreeArena(arena, PR_FALSE);
 	}
 	break;
 
       }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     /* See RFC 5869 and CK_NSS_HKDFParams for documentation. */
     case CKM_NSS_HKDF_SHA1:   hashType = HASH_AlgSHA1;   goto hkdf;
     case CKM_NSS_HKDF_SHA256: hashType = HASH_AlgSHA256; goto hkdf;
     case CKM_NSS_HKDF_SHA384: hashType = HASH_AlgSHA384; goto hkdf;
     case CKM_NSS_HKDF_SHA512: hashType = HASH_AlgSHA512; goto hkdf;
 hkdf: {
         const CK_NSS_HKDFParams * params =
--- a/security/nss/lib/softoken/pkcs11u.c
+++ b/security/nss/lib/softoken/pkcs11u.c
@@ -1241,17 +1241,17 @@ static const CK_ATTRIBUTE_TYPE dsaPubKey
 static const CK_ULONG dsaPubKeyAttrsCount = 
 			sizeof(dsaPubKeyAttrs)/sizeof(dsaPubKeyAttrs[0]);
 
 static const CK_ATTRIBUTE_TYPE dhPubKeyAttrs[] = {
     CKA_PRIME, CKA_BASE, CKA_VALUE
 };
 static const CK_ULONG dhPubKeyAttrsCount = 
 			sizeof(dhPubKeyAttrs)/sizeof(dhPubKeyAttrs[0]);
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 static const CK_ATTRIBUTE_TYPE ecPubKeyAttrs[] = {
     CKA_EC_PARAMS, CKA_EC_POINT
 };
 static const CK_ULONG ecPubKeyAttrsCount = 
 			sizeof(ecPubKeyAttrs)/sizeof(ecPubKeyAttrs[0]);
 #endif
 
 static const CK_ATTRIBUTE_TYPE commonPrivKeyAttrs[] = {
@@ -1274,17 +1274,17 @@ static const CK_ATTRIBUTE_TYPE dsaPrivKe
 static const CK_ULONG dsaPrivKeyAttrsCount = 
 			sizeof(dsaPrivKeyAttrs)/sizeof(dsaPrivKeyAttrs[0]);
 
 static const CK_ATTRIBUTE_TYPE dhPrivKeyAttrs[] = {
     CKA_PRIME, CKA_BASE, CKA_VALUE
 };
 static const CK_ULONG dhPrivKeyAttrsCount = 
 			sizeof(dhPrivKeyAttrs)/sizeof(dhPrivKeyAttrs[0]);
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 static const CK_ATTRIBUTE_TYPE ecPrivKeyAttrs[] = {
     CKA_EC_PARAMS, CKA_VALUE
 };
 static const CK_ULONG ecPrivKeyAttrsCount = 
 			sizeof(ecPrivKeyAttrs)/sizeof(ecPrivKeyAttrs[0]);
 #endif
 
 static const CK_ATTRIBUTE_TYPE certAttrs[] = {
@@ -1385,17 +1385,17 @@ stfk_CopyTokenPrivateKey(SFTKObject *des
     case CKK_DSA:
 	crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPrivKeyAttrs,
 							dsaPrivKeyAttrsCount);
 	break;
     case CKK_DH:
 	crv = stfk_CopyTokenAttributes(destObject, src_to, dhPrivKeyAttrs,
 							dhPrivKeyAttrsCount);
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKK_EC:
 	crv = stfk_CopyTokenAttributes(destObject, src_to, ecPrivKeyAttrs,
 							ecPrivKeyAttrsCount);
 	break;
 #endif
      default:
 	crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
 				* of token keys into our database. */
@@ -1447,17 +1447,17 @@ stfk_CopyTokenPublicKey(SFTKObject *dest
     case CKK_DSA:
 	crv = stfk_CopyTokenAttributes(destObject, src_to, dsaPubKeyAttrs,
 							dsaPubKeyAttrsCount);
 	break;
     case CKK_DH:
 	crv = stfk_CopyTokenAttributes(destObject, src_to, dhPubKeyAttrs,
 							dhPubKeyAttrsCount);
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case CKK_EC:
 	crv = stfk_CopyTokenAttributes(destObject, src_to, ecPubKeyAttrs,
 							ecPubKeyAttrsCount);
 	break;
 #endif
      default:
 	crv = CKR_DEVICE_ERROR; /* shouldn't happen unless we store more types
 				* of token keys into our database. */
--- a/security/nss/lib/softoken/softkver.h
+++ b/security/nss/lib/softoken/softkver.h
@@ -3,17 +3,17 @@
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef _SOFTKVER_H_
 #define _SOFTKVER_H_
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 #ifdef NSS_ECC_MORE_THAN_SUITE_B
 #define SOFTOKEN_ECC_STRING " Extended ECC"
 #else
 #define SOFTOKEN_ECC_STRING " Basic ECC"
 #endif
 #else
 #define SOFTOKEN_ECC_STRING ""
 #endif
--- a/security/nss/lib/softoken/softoken.h
+++ b/security/nss/lib/softoken/softoken.h
@@ -30,17 +30,17 @@ RSA_HashSign(SECOidTag hashOid, NSSLOWKE
              unsigned char *sig, unsigned int *sigLen, unsigned int maxLen,
              const unsigned char *hash, unsigned int hashLen);
 
 extern SECStatus
 RSA_HashCheckSign(SECOidTag hashOid, NSSLOWKEYPublicKey *key,
                   const unsigned char *sig, unsigned int sigLen,
                   const unsigned char *hash, unsigned int hashLen);
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 /*
 ** pepare an ECParam structure from DEREncoded params
  */
 extern SECStatus EC_FillParams(PLArenaPool *arena,
                                const SECItem *encodedParams, ECParams *params);
 extern SECStatus EC_DecodeParams(const SECItem *encodedParams, 
 				ECParams **ecparams);
 extern SECStatus EC_CopyParams(PLArenaPool *arena, ECParams *dstParams,
--- a/security/nss/lib/ssl/derive.c
+++ b/security/nss/lib/ssl/derive.c
@@ -612,48 +612,48 @@ SSL_CanBypass(CERTCertificate *cert, SEC
     CK_MECHANISM_TYPE mechanism_array[2];
     SECItem           enc_pms = {siBuffer, NULL, 0};
     PRBool	      isTLS = PR_FALSE;
     SSLCipherSuiteInfo csdef;
     PRBool	      testrsa = PR_FALSE;
     PRBool	      testrsa_export = PR_FALSE;
     PRBool	      testecdh = PR_FALSE;
     PRBool	      testecdhe = PR_FALSE;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     SECKEYECParams ecParams = { siBuffer, NULL, 0 };
 #endif
 
     if (!cert || !srvPrivkey || !ciphersuites || !pcanbypass) {
 	PORT_SetError(SEC_ERROR_INVALID_ARGS);
         return SECFailure;
     }
     
     srvPubkey = CERT_ExtractPublicKey(cert);
     if (!srvPubkey)
         return SECFailure;
 	
     *pcanbypass = PR_TRUE;
     rv = SECFailure;
     
     /* determine which KEAs to test */
-    /* 0 (SSL_NULL_WITH_NULL_NULL) is used as a list terminator because
+    /* 0 (TLS_NULL_WITH_NULL_NULL) is used as a list terminator because
      * SSL3 and TLS specs forbid negotiating that cipher suite number.
      */
     for (i=0; i < nsuites && (suite = *ciphersuites++) != 0; i++) {
 	/* skip SSL2 cipher suites and ones NSS doesn't support */
 	if (SSL_GetCipherSuiteInfo(suite, &csdef, sizeof(csdef)) != SECSuccess
 	    || SSL_IS_SSL2_CIPHER(suite) )
 	    continue;
 	switch (csdef.keaType) {
 	case ssl_kea_rsa:
 	    switch (csdef.cipherSuite) {
 	    case TLS_RSA_EXPORT1024_WITH_RC4_56_SHA:
 	    case TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA:
-	    case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
-	    case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
+	    case TLS_RSA_EXPORT_WITH_RC4_40_MD5:
+	    case TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
 		testrsa_export = PR_TRUE;
 	    }
 	    if (!testrsa_export)
 		testrsa = PR_TRUE;
 	    break;
 	case ssl_kea_ecdh:
 	    if (strcmp(csdef.keaTypeName, "ECDHE") == 0) /* ephemeral? */
 		testecdhe = PR_TRUE;
@@ -750,17 +750,17 @@ SSL_CanBypass(CERTCertificate *cert, SEC
 	}
 
 	/* Check for NULL to avoid double free. 
 	 * SECItem_FreeItem sets data NULL in secitem.c#265 
 	 */
 	if (enc_pms.data != NULL) {
 	    SECITEM_FreeItem(&enc_pms, PR_FALSE);
         }
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	for (; (privKeytype == ecKey && ( testecdh || testecdhe)) ||
 	       (privKeytype == rsaKey && testecdhe); ) {
 	    CK_MECHANISM_TYPE target;
 	    SECKEYPublicKey  *keapub = NULL;
 	    SECKEYPrivateKey *keapriv;
 	    SECKEYPublicKey  *cpub = NULL; /* client's ephemeral ECDH keys */
 	    SECKEYPrivateKey *cpriv = NULL;
 	    SECKEYECParams   *pecParams = NULL;
@@ -854,17 +854,17 @@ SSL_CanBypass(CERTCertificate *cert, SEC
 		goto done;
 	    break;
 	}
 	/* Check for NULL to avoid double free. */
 	if (ecParams.data != NULL) {
 	    PORT_Free(ecParams.data);
 	    ecParams.data = NULL;
 	}
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	if (pms)
 	    PK11_FreeSymKey(pms);
     }
 
     /* *pcanbypass has been set */
     rv = SECSuccess;
     
   done:
@@ -872,22 +872,22 @@ SSL_CanBypass(CERTCertificate *cert, SEC
 	PK11_FreeSymKey(pms);
 
     /* Check for NULL to avoid double free. 
      * SECItem_FreeItem sets data NULL in secitem.c#265 
      */
     if (enc_pms.data != NULL) {
     	SECITEM_FreeItem(&enc_pms, PR_FALSE);
     }
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     if (ecParams.data != NULL) {
         PORT_Free(ecParams.data);
         ecParams.data = NULL;
     }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     if (srvPubkey) {
     	SECKEY_DestroyPublicKey(srvPubkey);
 	srvPubkey = NULL;
     }
 
 
     return rv;
--- a/security/nss/lib/ssl/dtlscon.c
+++ b/security/nss/lib/ssl/dtlscon.c
@@ -25,29 +25,29 @@ static const PRUint16 COMMON_MTU_VALUES[
     576 - 28,   /* Common assumption */
     256 - 28    /* We're in serious trouble now */
 };
 
 #define DTLS_COOKIE_BYTES 32
 
 /* List copied from ssl3con.c:cipherSuites */
 static const ssl3CipherSuite nonDTLSSuites[] = {
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-#endif  /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     TLS_DHE_DSS_WITH_RC4_128_SHA,
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     TLS_ECDH_RSA_WITH_RC4_128_SHA,
     TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
-#endif  /* NSS_ENABLE_ECC */
-    SSL_RSA_WITH_RC4_128_MD5,
-    SSL_RSA_WITH_RC4_128_SHA,
+#endif /* NSS_DISABLE_ECC */
+    TLS_RSA_WITH_RC4_128_MD5,
+    TLS_RSA_WITH_RC4_128_SHA,
     TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
-    SSL_RSA_EXPORT_WITH_RC4_40_MD5,
+    TLS_RSA_EXPORT_WITH_RC4_40_MD5,
     0 /* End of list marker */
 };
 
 /* Map back and forth between TLS and DTLS versions in wire format.
  * Mapping table is:
  *
  * TLS             DTLS
  * 1.1 (0302)      1.0 (feff)
--- a/security/nss/lib/ssl/ssl3con.c
+++ b/security/nss/lib/ssl/ssl3con.c
@@ -84,98 +84,98 @@ static SECStatus ssl3_AESGCMBypass(ssl3K
  * in this table must match the ordering in SSL_ImplementedCiphers (sslenum.c)
  *
  * Important: See bug 946147 before enabling, reordering, or adding any cipher
  * suites to this list.
  */
 static ssl3CipherSuiteCfg cipherSuites[ssl_V3_SUITES_IMPLEMENTED] = {
    /*      cipher_suite                     policy       enabled   isPresent */
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
  { TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
    /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA is out of order to work around
     * bug 946147.
     */
  { TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,        SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_RC4_128_SHA,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
  { TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_128_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_AES_256_CBC_SHA,        SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,     SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,   SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
- { SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,       SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_DHE_DSS_WITH_RC4_128_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
  { TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,    SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_RC4_128_SHA,         SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_RSA_WITH_RC4_128_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
  /* RSA */
  { TLS_RSA_WITH_AES_128_GCM_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_AES_128_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_AES_128_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_RSA_WITH_AES_256_CBC_SHA,            SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_AES_256_CBC_SHA256,         SSL_ALLOWED, PR_TRUE,  PR_FALSE},
  { TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,       SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_RSA_WITH_SEED_CBC_SHA,               SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_WITH_3DES_EDE_CBC_SHA,           SSL_ALLOWED, PR_TRUE,  PR_FALSE},
- { SSL_RSA_WITH_RC4_128_SHA,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
- { SSL_RSA_WITH_RC4_128_MD5,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_RSA_WITH_3DES_EDE_CBC_SHA,           SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_SHA,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
+ { TLS_RSA_WITH_RC4_128_MD5,                SSL_ALLOWED, PR_TRUE,  PR_FALSE},
 
  /* 56-bit DES "domestic" cipher suites */
- { SSL_DHE_RSA_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_DHE_DSS_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_RSA_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_DHE_DSS_WITH_DES_CBC_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { SSL_RSA_FIPS_WITH_DES_CBC_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_WITH_DES_CBC_SHA,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_DES_CBC_SHA,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
 
  /* export ciphersuites with 1024-bit public key exchange keys */
  { TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,     SSL_ALLOWED, PR_FALSE, PR_FALSE},
 
  /* export ciphersuites with 512-bit public key exchange keys */
- { SSL_RSA_EXPORT_WITH_RC4_40_MD5,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_EXPORT_WITH_RC4_40_MD5,          SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,      SSL_ALLOWED, PR_FALSE, PR_FALSE},
 
  /* ciphersuites with no encryption */
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
  { TLS_ECDHE_ECDSA_WITH_NULL_SHA,           SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDHE_RSA_WITH_NULL_SHA,             SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_RSA_WITH_NULL_SHA,              SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_ECDH_ECDSA_WITH_NULL_SHA,            SSL_ALLOWED, PR_FALSE, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
- { SSL_RSA_WITH_NULL_SHA,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+#endif /* NSS_DISABLE_ECC */
+ { TLS_RSA_WITH_NULL_SHA,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
  { TLS_RSA_WITH_NULL_SHA256,                SSL_ALLOWED, PR_FALSE, PR_FALSE},
- { SSL_RSA_WITH_NULL_MD5,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
+ { TLS_RSA_WITH_NULL_MD5,                   SSL_ALLOWED, PR_FALSE, PR_FALSE},
 };
 
 /* Verify that SSL_ImplementedCiphers and cipherSuites are in consistent order.
  */
 #ifdef DEBUG
 void ssl3_CheckCipherSuiteOrderConsistency()
 {
     unsigned int i;
@@ -219,31 +219,31 @@ compressionEnabled(sslSocket *ss, SSLCom
 #endif
     default:
 	return PR_FALSE;
     }
 }
 
 static const /*SSL3ClientCertificateType */ PRUint8 certificate_types [] = {
     ct_RSA_sign,
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     ct_ECDSA_sign,
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     ct_DSS_sign,
 };
 
 /* This block is the contents of the supported_signature_algorithms field of
  * our TLS 1.2 CertificateRequest message, in wire format. See
  * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
  *
  * This block contains only sha256 entries because we only support TLS 1.2
  * CertificateVerify messages that use the handshake hash. */
 static const PRUint8 supported_signature_algorithms[] = {
     tls_hash_sha256, tls_sig_rsa,
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     tls_hash_sha256, tls_sig_ecdsa,
 #endif
     tls_hash_sha256, tls_sig_dsa,
 };
 
 #define EXPORT_RSA_KEY_LENGTH 64	/* bytes */
 
 
@@ -294,73 +294,73 @@ static const ssl3KEADef kea_defs[] =
     {kea_dh_rsa_export,  kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
     {kea_dhe_dss,        kt_dh,       sign_dsa,  PR_FALSE,   0, PR_FALSE},
     {kea_dhe_dss_export, kt_dh,       sign_dsa,  PR_TRUE,  512, PR_FALSE},
     {kea_dhe_rsa,        kt_dh,       sign_rsa,  PR_FALSE,   0, PR_FALSE},
     {kea_dhe_rsa_export, kt_dh,       sign_rsa,  PR_TRUE,  512, PR_FALSE},
     {kea_dh_anon,        kt_dh,       sign_null, PR_FALSE,   0, PR_FALSE},
     {kea_dh_anon_export, kt_dh,       sign_null, PR_TRUE,  512, PR_FALSE},
     {kea_rsa_fips,       kt_rsa,      sign_rsa,  PR_FALSE,   0, PR_TRUE },
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     {kea_ecdh_ecdsa,     kt_ecdh,     sign_ecdsa,  PR_FALSE, 0, PR_FALSE},
     {kea_ecdhe_ecdsa,    kt_ecdh,     sign_ecdsa,  PR_FALSE,   0, PR_FALSE},
     {kea_ecdh_rsa,       kt_ecdh,     sign_rsa,  PR_FALSE,   0, PR_FALSE},
     {kea_ecdhe_rsa,      kt_ecdh,     sign_rsa,  PR_FALSE,   0, PR_FALSE},
     {kea_ecdh_anon,      kt_ecdh,     sign_null,  PR_FALSE,   0, PR_FALSE},
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 };
 
 /* must use ssl_LookupCipherSuiteDef to access */
 static const ssl3CipherSuiteDef cipher_suite_defs[] = 
 {
 /*  cipher_suite                    bulk_cipher_alg mac_alg key_exchange_alg */
 
-    {SSL_NULL_WITH_NULL_NULL,       cipher_null,   mac_null, kea_null},
-    {SSL_RSA_WITH_NULL_MD5,         cipher_null,   mac_md5, kea_rsa},
-    {SSL_RSA_WITH_NULL_SHA,         cipher_null,   mac_sha, kea_rsa},
+    {TLS_NULL_WITH_NULL_NULL,       cipher_null,   mac_null, kea_null},
+    {TLS_RSA_WITH_NULL_MD5,         cipher_null,   mac_md5, kea_rsa},
+    {TLS_RSA_WITH_NULL_SHA,         cipher_null,   mac_sha, kea_rsa},
     {TLS_RSA_WITH_NULL_SHA256,      cipher_null,   hmac_sha256, kea_rsa},
-    {SSL_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
-    {SSL_RSA_WITH_RC4_128_MD5,      cipher_rc4,    mac_md5, kea_rsa},
-    {SSL_RSA_WITH_RC4_128_SHA,      cipher_rc4,    mac_sha, kea_rsa},
-    {SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+    {TLS_RSA_EXPORT_WITH_RC4_40_MD5,cipher_rc4_40, mac_md5, kea_rsa_export},
+    {TLS_RSA_WITH_RC4_128_MD5,      cipher_rc4,    mac_md5, kea_rsa},
+    {TLS_RSA_WITH_RC4_128_SHA,      cipher_rc4,    mac_sha, kea_rsa},
+    {TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
                                     cipher_rc2_40, mac_md5, kea_rsa_export},
 #if 0 /* not implemented */
-    {SSL_RSA_WITH_IDEA_CBC_SHA,     cipher_idea,   mac_sha, kea_rsa},
-    {SSL_RSA_EXPORT_WITH_DES40_CBC_SHA,
+    {TLS_RSA_WITH_IDEA_CBC_SHA,     cipher_idea,   mac_sha, kea_rsa},
+    {TLS_RSA_EXPORT_WITH_DES40_CBC_SHA,
                                     cipher_des40,  mac_sha, kea_rsa_export},
 #endif
-    {SSL_RSA_WITH_DES_CBC_SHA,      cipher_des,    mac_sha, kea_rsa},
-    {SSL_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,   mac_sha, kea_rsa},
-    {SSL_DHE_DSS_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_dss},
-    {SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+    {TLS_RSA_WITH_DES_CBC_SHA,      cipher_des,    mac_sha, kea_rsa},
+    {TLS_RSA_WITH_3DES_EDE_CBC_SHA, cipher_3des,   mac_sha, kea_rsa},
+    {TLS_DHE_DSS_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_dss},
+    {TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
                                     cipher_3des,   mac_sha, kea_dhe_dss},
     {TLS_DHE_DSS_WITH_RC4_128_SHA,  cipher_rc4,    mac_sha, kea_dhe_dss},
 #if 0 /* not implemented */
-    {SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
+    {TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA,
                                     cipher_des40,  mac_sha, kea_dh_dss_export},
-    {SSL_DH_DSS_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_dss},
-    {SSL_DH_DSS_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_dss},
-    {SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
+    {TLS_DH_DSS_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_dss},
+    {TLS_DH_DSS_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_dss},
+    {TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA,
                                     cipher_des40,  mac_sha, kea_dh_rsa_export},
-    {SSL_DH_RSA_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_rsa},
-    {SSL_DH_RSA_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_rsa},
-    {SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
+    {TLS_DH_RSA_DES_CBC_SHA,        cipher_des,    mac_sha, kea_dh_rsa},
+    {TLS_DH_RSA_3DES_CBC_SHA,       cipher_3des,   mac_sha, kea_dh_rsa},
+    {TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
                                     cipher_des40,  mac_sha, kea_dh_dss_export},
-    {SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
+    {TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA,
                                     cipher_des40,  mac_sha, kea_dh_rsa_export},
 #endif
-    {SSL_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa},
-    {SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    {TLS_DHE_RSA_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dhe_rsa},
+    {TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
                                     cipher_3des,   mac_sha, kea_dhe_rsa},
 #if 0
     {SSL_DH_ANON_EXPORT_RC4_40_MD5, cipher_rc4_40, mac_md5, kea_dh_anon_export},
-    {SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA,
+    {TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA,
                                     cipher_des40,  mac_sha, kea_dh_anon_export},
-    {SSL_DH_ANON_DES_CBC_SHA,       cipher_des,    mac_sha, kea_dh_anon},
-    {SSL_DH_ANON_3DES_CBC_SHA,      cipher_3des,   mac_sha, kea_dh_anon},
+    {TLS_DH_anon_WITH_DES_CBC_SHA,  cipher_des,    mac_sha, kea_dh_anon},
+    {TLS_DH_anon_WITH_3DES_CBC_SHA, cipher_3des,   mac_sha, kea_dh_anon},
 #endif
 
 
 /* New TLS cipher suites */
     {TLS_RSA_WITH_AES_128_CBC_SHA,     	cipher_aes_128, mac_sha, kea_rsa},
     {TLS_RSA_WITH_AES_128_CBC_SHA256,	cipher_aes_128, hmac_sha256, kea_rsa},
     {TLS_DHE_DSS_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_dss},
     {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dhe_rsa},
@@ -368,20 +368,20 @@ static const ssl3CipherSuiteDef cipher_s
     {TLS_RSA_WITH_AES_256_CBC_SHA,     	cipher_aes_256, mac_sha, kea_rsa},
     {TLS_RSA_WITH_AES_256_CBC_SHA256,	cipher_aes_256, hmac_sha256, kea_rsa},
     {TLS_DHE_DSS_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_dss},
     {TLS_DHE_RSA_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dhe_rsa},
     {TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, cipher_aes_256, hmac_sha256, kea_dhe_rsa},
 #if 0
     {TLS_DH_DSS_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_dss},
     {TLS_DH_RSA_WITH_AES_128_CBC_SHA,  	cipher_aes_128, mac_sha, kea_dh_rsa},
-    {TLS_DH_ANON_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dh_anon},
+    {TLS_DH_anon_WITH_AES_128_CBC_SHA, 	cipher_aes_128, mac_sha, kea_dh_anon},
     {TLS_DH_DSS_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_dss},
     {TLS_DH_RSA_WITH_AES_256_CBC_SHA,  	cipher_aes_256, mac_sha, kea_dh_rsa},
-    {TLS_DH_ANON_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dh_anon},
+    {TLS_DH_anon_WITH_AES_256_CBC_SHA, 	cipher_aes_256, mac_sha, kea_dh_anon},
 #endif
 
     {TLS_RSA_WITH_SEED_CBC_SHA,	    cipher_seed,   mac_sha, kea_rsa},
 
     {TLS_RSA_WITH_CAMELLIA_128_CBC_SHA, cipher_camellia_128, mac_sha, kea_rsa},
     {TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
      cipher_camellia_128, mac_sha, kea_dhe_dss},
     {TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
@@ -400,17 +400,17 @@ static const ssl3CipherSuiteDef cipher_s
     {SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_rsa_fips},
     {SSL_RSA_FIPS_WITH_DES_CBC_SHA, cipher_des,    mac_sha, kea_rsa_fips},
 
     {TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_dhe_rsa},
     {TLS_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_rsa},
     {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_rsa},
     {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, cipher_aes_128_gcm, mac_aead, kea_ecdhe_ecdsa},
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     {TLS_ECDH_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, cipher_3des, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, cipher_aes_128, mac_sha, kea_ecdh_ecdsa},
     {TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, cipher_aes_256, mac_sha, kea_ecdh_ecdsa},
 
     {TLS_ECDHE_ECDSA_WITH_NULL_SHA,        cipher_null, mac_sha, kea_ecdhe_ecdsa},
     {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,      cipher_rc4, mac_sha, kea_ecdhe_ecdsa},
@@ -434,17 +434,17 @@ static const ssl3CipherSuiteDef cipher_s
 
 #if 0
     {TLS_ECDH_anon_WITH_NULL_SHA,         cipher_null,    mac_sha, kea_ecdh_anon},
     {TLS_ECDH_anon_WITH_RC4_128_SHA,      cipher_rc4,     mac_sha, kea_ecdh_anon},
     {TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, cipher_3des,    mac_sha, kea_ecdh_anon},
     {TLS_ECDH_anon_WITH_AES_128_CBC_SHA,  cipher_aes_128, mac_sha, kea_ecdh_anon},
     {TLS_ECDH_anon_WITH_AES_256_CBC_SHA,  cipher_aes_256, mac_sha, kea_ecdh_anon},
 #endif
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 };
 
 static const CK_MECHANISM_TYPE kea_alg_defs[] = {
     0x80000000L,
     CKM_RSA_PKCS,
     CKM_DH_PKCS_DERIVE,
     CKM_KEA_KEY_DERIVE,
     CKM_ECDH1_DERIVE
@@ -507,17 +507,17 @@ const char * const ssl3_cipherName[] = {
     "AES-256",
     "Camellia-128",
     "Camellia-256",
     "SEED-CBC",
     "AES-128-GCM",
     "missing"
 };
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 /* The ECCWrappedKeyInfo structure defines how various pieces of 
  * information are laid out within wrappedSymmetricWrappingkey 
  * for ECDH key exchange. Since wrappedSymmetricWrappingkey is 
  * a 512-byte buffer (see sslimpl.h), the variable length field 
  * in ECCWrappedKeyInfo can be at most (512 - 8) = 504 bytes.
  *
  * XXX For now, NSS only supports named elliptic curves of size 571 bits 
  * or smaller. The public value will fit within 145 bytes and EC params
@@ -529,17 +529,17 @@ const char * const ssl3_cipherName[] = {
 typedef struct ECCWrappedKeyInfoStr {
     PRUint16 size;            /* EC public key size in bits */
     PRUint16 encodedParamLen; /* length (in bytes) of DER encoded EC params */
     PRUint16 pubValueLen;     /* length (in bytes) of EC public value */
     PRUint16 wrappedKeyLen;   /* length (in bytes) of the wrapped key */
     PRUint8 var[MAX_EC_WRAPPED_KEY_BUFLEN]; /* this buffer contains the */
     /* EC public-key params, the EC public value and the wrapped key  */
 } ECCWrappedKeyInfo;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 #if defined(TRACE)
 
 static char *
 ssl3_DecodeHandshakeType(int msgType)
 {
     char * rv;
     static char line[40];
@@ -617,25 +617,25 @@ ssl3_CipherSuiteAllowedForVersionRange(
     ssl3CipherSuite cipherSuite,
     const SSLVersionRange *vrange)
 {
     switch (cipherSuite) {
     /* See RFC 4346 A.5. Export cipher suites must not be used in TLS 1.1 or
      * later. This set of cipher suites is similar to, but different from, the
      * set of cipher suites considered exportable by SSL_IsExportCipherSuite.
      */
-    case SSL_RSA_EXPORT_WITH_RC4_40_MD5:
-    case SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
-    /*   SSL_RSA_EXPORT_WITH_DES40_CBC_SHA:      never implemented
-     *   SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:   never implemented
-     *   SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:   never implemented
-     *   SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:  never implemented
-     *   SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:  never implemented
-     *   SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5:     never implemented
-     *   SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA:  never implemented
+    case TLS_RSA_EXPORT_WITH_RC4_40_MD5:
+    case TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5:
+    /*   TLS_RSA_EXPORT_WITH_DES40_CBC_SHA:      never implemented
+     *   TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA:   never implemented
+     *   TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA:   never implemented
+     *   TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA:  never implemented
+     *   TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA:  never implemented
+     *   TLS_DH_anon_EXPORT_WITH_RC4_40_MD5:     never implemented
+     *   TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA:  never implemented
      */
 	return vrange->min <= SSL_LIBRARY_VERSION_TLS_1_0;
     case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:
     case TLS_RSA_WITH_AES_256_CBC_SHA256:
     case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
     case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
     case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
     case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
@@ -726,17 +726,17 @@ ssl3_config_match_init(sslSocket *ss)
 	    	suite->isPresent = PR_FALSE;
 		continue;
 	    }
 	    cipher_alg = bulk_cipher_defs[cipher_def->bulk_cipher_alg].calg;
 	    PORT_Assert(  alg2Mech[cipher_alg].calg == cipher_alg);
 	    cipher_mech = alg2Mech[cipher_alg].cmech;
 	    exchKeyType =
 	    	    kea_defs[cipher_def->key_exchange_alg].exchKeyType;
-#ifndef NSS_ENABLE_ECC
+#ifdef NSS_DISABLE_ECC
 	    svrAuth = ss->serverCerts + exchKeyType;
 #else
 	    /* XXX SSLKEAType isn't really a good choice for 
 	     * indexing certificates. It doesn't work for
 	     * (EC)DHE-* ciphers. Here we use a hack to ensure
 	     * that the server uses an RSA cert for (EC)DHE-RSA.
 	     */
 	    switch (cipher_def->key_exchange_alg) {
@@ -760,17 +760,17 @@ ssl3_config_match_init(sslSocket *ss)
 		 * we could support both key exchange mechanisms
 		 * simultaneously. For now, both of them use
 		 * whatever is in the certificate slot for kt_ecdh
 		 */
 	    default:
 		svrAuth = ss->serverCerts + exchKeyType;
 		break;
 	    }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 	    /* Mark the suites that are backed by real tokens, certs and keys */
 	    suite->isPresent = (PRBool)
 		(((exchKeyType == kt_null) ||
 		   ((!isServer || (svrAuth->serverKeyPair &&
 		                   svrAuth->SERVERKEY &&
 				   svrAuth->serverCertChain)) &&
 		    PK11_TokenExists(kea_alg_defs[exchKeyType]))) &&
@@ -919,30 +919,30 @@ ssl3_SignHashes(SSL3Hashes *hash, SECKEY
 	if (hash->hashAlg == SEC_OID_UNKNOWN) {
 	    hashItem.data = hash->u.s.sha;
 	    hashItem.len = sizeof(hash->u.s.sha);
 	} else {
 	    hashItem.data = hash->u.raw;
 	    hashItem.len = hash->len;
 	}
 	break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case ecKey:
 	doDerEncode = PR_TRUE;
 	/* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
 	 * In that case, we use just the SHA1 part. */
 	if (hash->hashAlg == SEC_OID_UNKNOWN) {
 	    hashItem.data = hash->u.s.sha;
 	    hashItem.len = sizeof(hash->u.s.sha);
 	} else {
 	    hashItem.data = hash->u.raw;
 	    hashItem.len = hash->len;
 	}
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     default:
 	PORT_SetError(SEC_ERROR_INVALID_KEY);
 	goto done;
     }
     PRINT_BUF(60, (NULL, "hash(es) to be signed", hashItem.data, hashItem.len));
 
     if (hash->hashAlg == SEC_OID_UNKNOWN) {
 	signatureLen = PK11_SignatureLen(key);
@@ -1030,17 +1030,17 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash
 	    if (!signature) {
 	    	PORT_SetError(SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE);
 		return SECFailure;
 	    }
 	    buf = signature;
 	}
 	break;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case ecKey:
 	encAlg = SEC_OID_ANSIX962_EC_PUBLIC_KEY;
 	/* SEC_OID_UNKNOWN is used to specify the MD5/SHA1 concatenated hash.
 	 * In that case, we use just the SHA1 part.
 	 * ECDSA signatures always encode the integers r and s using ASN.1
 	 * (unlike DSA where ASN.1 encoding is used with TLS but not with
 	 * SSL3). So we can use VFY_VerifyDigestDirect for ECDSA.
 	 */
@@ -1048,17 +1048,17 @@ ssl3_VerifySignedHashes(SSL3Hashes *hash
 	    hashAlg = SEC_OID_SHA1;
 	    hashItem.data = hash->u.s.sha;
 	    hashItem.len = sizeof(hash->u.s.sha);
 	} else {
 	    hashItem.data = hash->u.raw;
 	    hashItem.len = hash->len;
 	}
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     default:
     	SECKEY_DestroyPublicKey(key);
 	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
 	return SECFailure;
     }
 
     PRINT_BUF(60, (NULL, "hash(es) to be verified",
@@ -5073,22 +5073,22 @@ ssl3_SendClientHello(sslSocket *ss, PRBo
 	}
 	maxBytes        -= extLen;
 	total_exten_len += extLen;
 
 	if (total_exten_len > 0)
 	    total_exten_len += 2;
     }
 
-#if defined(NSS_ENABLE_ECC)
+#ifndef NSS_DISABLE_ECC
     if (!total_exten_len || !isTLS) {
 	/* not sending the elliptic_curves and ec_point_formats extensions */
     	ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     }
-#endif
+#endif /* NSS_DISABLE_ECC */
 
     if (IS_DTLS(ss)) {
 	ssl3_DisableNonDTLSSuites(ss);
     }
 
     /* how many suites are permitted by policy and user preference? */
     num_suites = count_cipher_suites(ss, ss->ssl3.policy, PR_TRUE);
     if (!num_suites) {
@@ -5389,21 +5389,21 @@ ssl_UnwrapSymWrappingKey(
 	SSLWrappedSymWrappingKey *pWswk,
 	SECKEYPrivateKey *        svrPrivKey,
 	SSL3KEAType               exchKeyType,
 	CK_MECHANISM_TYPE         masterWrapMech,
 	void *                    pwArg)
 {
     PK11SymKey *             unwrappedWrappingKey  = NULL;
     SECItem                  wrappedKey;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     PK11SymKey *             Ks;
     SECKEYPublicKey          pubWrapKey;
     ECCWrappedKeyInfo        *ecWrapped;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     /* found the wrapping key on disk. */
     PORT_Assert(pWswk->symWrapMechanism == masterWrapMech);
     PORT_Assert(pWswk->exchKeyType      == exchKeyType);
     if (pWswk->symWrapMechanism != masterWrapMech ||
 	pWswk->exchKeyType      != exchKeyType) {
 	goto loser;
     }
@@ -5415,17 +5415,17 @@ ssl_UnwrapSymWrappingKey(
     switch (exchKeyType) {
 
     case kt_rsa:
 	unwrappedWrappingKey =
 	    PK11_PubUnwrapSymKey(svrPrivKey, &wrappedKey,
 				 masterWrapMech, CKA_UNWRAP, 0);
 	break;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case kt_ecdh:
         /* 
          * For kt_ecdh, we first create an EC public key based on
          * data stored with the wrappedSymmetricWrappingkey. Next,
          * we do an ECDH computation involving this public key and
          * the SSL server's (long-term) EC private key. The resulting
          * shared secret is treated the same way as Fortezza's Ks, i.e.,
          * it is used to recover the symmetric wrapping key.
@@ -5554,22 +5554,22 @@ getWrappingKey( sslSocket *       ss,
     PK11SymKey *             unwrappedWrappingKey  = NULL;
     PK11SymKey **            pSymWrapKey;
     CK_MECHANISM_TYPE        asymWrapMechanism = CKM_INVALID_MECHANISM;
     int                      length;
     int                      symWrapMechIndex;
     SECStatus                rv;
     SECItem                  wrappedKey;
     SSLWrappedSymWrappingKey wswk;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     PK11SymKey *      Ks = NULL;
     SECKEYPublicKey   *pubWrapKey = NULL;
     SECKEYPrivateKey  *privWrapKey = NULL;
     ECCWrappedKeyInfo *ecWrapped;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     svrPrivKey  = ss->serverCerts[exchKeyType].SERVERKEY;
     PORT_Assert(svrPrivKey != NULL);
     if (!svrPrivKey) {
     	return NULL;	/* why are we here?!? */
     }
 
     symWrapMechIndex = ssl_FindIndexByWrapMechanism(masterWrapMech);
@@ -5642,17 +5642,17 @@ getWrappingKey( sslSocket *       ss,
     /* wrap symmetric wrapping key in server's public key. */
     switch (exchKeyType) {
     case kt_rsa:
 	asymWrapMechanism = CKM_RSA_PKCS;
 	rv = PK11_PubWrapSymKey(asymWrapMechanism, svrPubKey,
 	                        unwrappedWrappingKey, &wrappedKey);
 	break;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case kt_ecdh:
 	/*
 	 * We generate an ephemeral EC key pair. Perform an ECDH
 	 * computation involving this ephemeral EC public key and
 	 * the SSL server's (long-term) EC private key. The resulting
 	 * shared secret is treated in the same way as Fortezza's Ks, 
 	 * i.e., it is used to wrap the wrapping key. To facilitate
 	 * unwrapping in ssl_UnwrapWrappingKey, we also store all
@@ -5728,17 +5728,17 @@ getWrappingKey( sslSocket *       ss,
 	ecWrapped->wrappedKeyLen = wrappedKey.len;
 
 ec_cleanup:
 	if (privWrapKey) SECKEY_DestroyPrivateKey(privWrapKey);
 	if (pubWrapKey) SECKEY_DestroyPublicKey(pubWrapKey);
 	if (Ks) PK11_FreeSymKey(Ks);
 	asymWrapMechanism = masterWrapMech;
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     default:
 	rv = SECFailure;
 	break;
     }
 
     if (rv != SECSuccess) {
 	ssl_MapLowLevelError(SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE);
@@ -6041,21 +6041,21 @@ ssl3_SendClientKeyExchange(sslSocket *ss
     case kt_rsa:
 	rv = sendRSAClientKeyExchange(ss, serverKey);
 	break;
 
     case kt_dh:
 	rv = sendDHClientKeyExchange(ss, serverKey);
 	break;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case kt_ecdh:
 	rv = ssl3_SendECDHClientKeyExchange(ss, serverKey);
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     default:
 	/* got an unknown or unsupported Key Exchange Algorithm.  */
 	SEND_ALERT
 	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
 	break;
     }
 
@@ -6773,21 +6773,21 @@ ssl3_HandleServerKeyExchange(sslSocket *
             PORT_FreeArena(arena, PR_FALSE);
 	    goto no_memory;
         }
     	ss->sec.peerKey = peerKey;
     	ss->ssl3.hs.ws = wait_cert_request;
     	return SECSuccess;
     }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case kt_ecdh:
 	rv = ssl3_HandleECDHServerKeyExchange(ss, b, length);
 	return rv;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     default:
     	desc    = handshake_failure;
 	errCode = SEC_ERROR_UNSUPPORTED_KEYALG;
 	break;		/* goto alert_loser; */
     }
 
 alert_loser:
@@ -7515,24 +7515,24 @@ ssl3_SendServerHelloSequence(sslSocket *
 		return rv;	/* err code was set. */
 	    }
 	} else {
 #ifndef HACKED_EXPORT_SERVER
 	    PORT_SetError(SSL_ERROR_PUB_KEY_SIZE_LIMIT_EXCEEDED);
 	    return rv;
 #endif
 	}
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     } else if ((kea_def->kea == kea_ecdhe_rsa) ||
 	       (kea_def->kea == kea_ecdhe_ecdsa)) {
 	rv = ssl3_SendServerKeyExchange(ss);
 	if (rv != SECSuccess) {
 	    return rv;	/* err code was set. */
 	}
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
     }
 
     if (ss->opt.requestCertificate) {
 	rv = ssl3_SendCertificateRequest(ss);
 	if (rv != SECSuccess) {
 	    return rv;		/* err code is set. */
 	}
     }
@@ -7810,17 +7810,17 @@ ssl3_HandleClientHello(sslSocket *ss, SS
 	    SSL_AtomicIncrementLong(& ssl3stats.hch_sid_cache_not_ok );
 	    if (ss->sec.uncache)
                 ss->sec.uncache(sid);
 	    ssl_FreeSID(sid);
 	    sid = NULL;
 	}
     }
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     /* Disable any ECC cipher suites for which we have no cert. */
     ssl3_FilterECCipherSuitesByServerCerts(ss);
 #endif
 
     if (IS_DTLS(ss)) {
 	ssl3_DisableNonDTLSSuites(ss);
     }
 
@@ -8427,17 +8427,17 @@ ssl3_HandleV2ClientHello(sslSocket *ss, 
 
     PORT_Memset(&ss->ssl3.hs.client_random, 0, SSL3_RANDOM_LENGTH);
     PORT_Memcpy(
 	&ss->ssl3.hs.client_random.rand[SSL3_RANDOM_LENGTH - rand_length],
 	random, rand_length);
 
     PRINT_BUF(60, (ss, "client random:", &ss->ssl3.hs.client_random.rand[0],
 		   SSL3_RANDOM_LENGTH));
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     /* Disable any ECC cipher suites for which we have no cert. */
     ssl3_FilterECCipherSuitesByServerCerts(ss);
 #endif
     i = ssl3_config_match_init(ss);
     if (i <= 0) {
     	errCode = PORT_GetError();	/* error code is already set. */
 	goto alert_loser;
     }
@@ -8816,22 +8816,22 @@ ssl3_SendServerKeyExchange(sslSocket *ss
 	rv = ssl3_AppendHandshakeVariable(ss, signed_hash.data,
 	                                  signed_hash.len, 2);
 	if (rv != SECSuccess) {
 	    goto loser; 	/* err set by AppendHandshake. */
 	}
 	PORT_Free(signed_hash.data);
 	return SECSuccess;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case kt_ecdh: {
 	rv = ssl3_SendECDHServerKeyExchange(ss, &sigAndHash);
 	return rv;
     }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     case kt_dh:
     case kt_null:
     default:
 	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
 	break;
     }
 loser:
@@ -9244,19 +9244,19 @@ double_bypass:
  */
 static SECStatus
 ssl3_HandleClientKeyExchange(sslSocket *ss, SSL3Opaque *b, PRUint32 length)
 {
     SECKEYPrivateKey *serverKey         = NULL;
     SECStatus         rv;
     const ssl3KEADef *kea_def;
     ssl3KeyPair     *serverKeyPair      = NULL;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     SECKEYPublicKey *serverPubKey       = NULL;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     SSL_TRC(3, ("%d: SSL3[%d]: handle client_key_exchange handshake",
 		SSL_GETPID(), ss->fd));
 
     PORT_Assert( ss->opt.noLocks || ssl_HaveRecvBufLock(ss) );
     PORT_Assert( ss->opt.noLocks || ssl_HaveSSL3HandshakeLock(ss) );
 
     if (ss->ssl3.hs.ws != wait_client_key) {
@@ -9276,17 +9276,17 @@ ssl3_HandleClientKeyExchange(sslSocket *
 	      ss->stepDownKeyPair == NULL) {
 	 	/* shouldn't happen, don't use step down if it does */
 		goto skip;
 	 }
     	serverKeyPair = ss->stepDownKeyPair;
 	ss->sec.keaKeyBits = EXPORT_RSA_KEY_LENGTH * BPB;
     } else 
 skip:
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     /* XXX Using SSLKEAType to index server certifiates
      * does not work for (EC)DHE ciphers. Until we have
      * an indexing mechanism general enough for all key
      * exchange algorithms, we'll need to deal with each
      * one seprately.
      */
     if ((kea_def->kea == kea_ecdhe_rsa) ||
                (kea_def->kea == kea_ecdhe_ecdsa)) {
@@ -9322,17 +9322,17 @@ skip:
 	rv = ssl3_HandleRSAClientKeyExchange(ss, b, length, serverKey);
 	if (rv != SECSuccess) {
 	    SEND_ALERT
 	    return SECFailure;	/* error code set */
 	}
 	break;
 
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     case kt_ecdh:
 	/* XXX We really ought to be able to store multiple
 	 * EC certs (a requirement if we wish to support both
 	 * ECDH-RSA and ECDH-ECDSA key exchanges concurrently).
 	 * When we make that change, we'll need an index other
 	 * than kt_ecdh to pick the right EC certificate.
 	 */
 	if (serverKeyPair) {
@@ -9344,17 +9344,17 @@ skip:
 	    return SECFailure;
 	}
 	rv = ssl3_HandleECDHClientKeyExchange(ss, b, length, 
 					      serverPubKey, serverKey);
 	if (rv != SECSuccess) {
 	    return SECFailure;	/* error code set */
 	}
 	break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     default:
 	(void) ssl3_HandshakeFailure(ss);
 	PORT_SetError(SEC_ERROR_UNSUPPORTED_KEYALG);
 	return SECFailure;
     }
     ss->ssl3.hs.ws = ss->sec.peerCert ? wait_cert_verify : wait_change_cipher;
     return SECSuccess;
@@ -9404,27 +9404,31 @@ ssl3_HandleNewSessionTicket(sslSocket *s
 	(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
 	PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
 	return SECFailure;
     }
     ss->ssl3.hs.newSessionTicket.ticket_lifetime_hint =
 	(PRUint32)ssl3_ConsumeHandshakeNumber(ss, 4, &b, &length);
 
     rv = ssl3_ConsumeHandshakeVariable(ss, &ticketData, 2, &b, &length);
-    if (length != 0 || rv != SECSuccess) {
+    if (rv != SECSuccess || length != 0) {
 	(void)SSL3_SendAlert(ss, alert_fatal, decode_error);
 	PORT_SetError(SSL_ERROR_RX_MALFORMED_NEW_SESSION_TICKET);
 	return SECFailure;  /* malformed */
     }
-    rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket,
-			  &ticketData);
-    if (rv != SECSuccess) {
-	return rv;
-    }
-    ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE;
+    /* If the server sent a zero-length ticket, ignore it and keep the
+     * existing ticket. */
+    if (ticketData.len != 0) {
+	rv = SECITEM_CopyItem(NULL, &ss->ssl3.hs.newSessionTicket.ticket,
+			      &ticketData);
+	if (rv != SECSuccess) {
+	    return rv;
+	}
+	ss->ssl3.hs.receivedNewSessionTicket = PR_TRUE;
+    }
 
     ss->ssl3.hs.ws = wait_change_cipher;
     return SECSuccess;
 }
 
 #ifdef NISCC_TEST
 static PRInt32 connNum = 0;
 
@@ -9949,17 +9953,17 @@ ssl3_AuthCertificate(sslSocket *ss)
 	** it will get fixed when we handle the server key exchange message.
 	*/
 	SECKEYPublicKey * pubKey  = CERT_ExtractPublicKey(cert);
 	ss->sec.authAlgorithm = ss->ssl3.hs.kea_def->signKeyType;
 	ss->sec.keaType       = ss->ssl3.hs.kea_def->exchKeyType;
 	if (pubKey) {
 	    ss->sec.keaKeyBits = ss->sec.authKeyBits =
 		SECKEY_PublicKeyStrengthInBits(pubKey);
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	    if (ss->sec.keaType == kt_ecdh) {
 		/* Get authKeyBits from signing key.
 		 * XXX The code below uses a quick approximation of
 		 * key size based on cert->signatureWrap.signature.data
 		 * (which contains the DER encoded signature). The field
 		 * cert->signatureWrap.signature.len contains the
 		 * length of the encoded signature in bits.
 		 */
@@ -9975,28 +9979,28 @@ ssl3_AuthCertificate(sslSocket *ss)
 		} else if (ss->ssl3.hs.kea_def->kea == kea_ecdh_rsa) {
 		    ss->sec.authKeyBits = cert->signatureWrap.signature.len;
 		    /* 
 		     * XXX: if cert is not signed by rsa we should
 		     * destroy pubKey and goto bad_cert
 		     */
 		}
 	    }
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	    SECKEY_DestroyPublicKey(pubKey); 
 	    pubKey = NULL;
     	}
 
 	ss->ssl3.hs.ws = wait_cert_request; /* disallow server_key_exchange */
 	if (ss->ssl3.hs.kea_def->is_limited ||
 	    /* XXX OR server cert is signing only. */
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	    ss->ssl3.hs.kea_def->kea == kea_ecdhe_ecdsa ||
 	    ss->ssl3.hs.kea_def->kea == kea_ecdhe_rsa ||
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 	    ss->ssl3.hs.kea_def->exchKeyType == kt_dh) {
 	    ss->ssl3.hs.ws = wait_server_key; /* allow server_key_exchange */
 	}
     } else {
 	ss->ssl3.hs.ws = wait_client_key;
     }
 
     PORT_Assert(rv == SECSuccess);
@@ -10560,17 +10564,17 @@ xmit_loser:
 	effectiveExchKeyType = ss->ssl3.hs.kea_def->exchKeyType;
     }
 
     if (sid->cached == never_cached && !ss->opt.noCache && ss->sec.cache) {
 	/* fill in the sid */
 	sid->u.ssl3.cipherSuite = ss->ssl3.hs.cipher_suite;
 	sid->u.ssl3.compression = ss->ssl3.hs.compression;
 	sid->u.ssl3.policy      = ss->ssl3.policy;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	sid->u.ssl3.negotiatedECCurves = ss->ssl3.hs.negotiatedECCurves;
 #endif
 	sid->u.ssl3.exchKeyType = effectiveExchKeyType;
 	sid->version            = ss->version;
 	sid->authAlgorithm      = ss->sec.authAlgorithm;
 	sid->authKeyBits        = ss->sec.authKeyBits;
 	sid->keaType            = ss->sec.keaType;
 	sid->keaKeyBits         = ss->sec.keaKeyBits;
@@ -11696,17 +11700,17 @@ ssl3_InitState(sslSocket *ss)
     ssl_GetSpecWriteLock(ss);
     ss->ssl3.crSpec = ss->ssl3.cwSpec = &ss->ssl3.specs[0];
     ss->ssl3.prSpec = ss->ssl3.pwSpec = &ss->ssl3.specs[1];
     ss->ssl3.hs.sendingSCSV = PR_FALSE;
     ssl3_InitCipherSpec(ss, ss->ssl3.crSpec);
     ssl3_InitCipherSpec(ss, ss->ssl3.prSpec);
 
     ss->ssl3.hs.ws = (ss->sec.isServer) ? wait_client_hello : wait_server_hello;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     ss->ssl3.hs.negotiatedECCurves = ssl3_GetSupportedECCurveMask(ss);
 #endif
     ssl_ReleaseSpecWriteLock(ss);
 
     PORT_Memset(&ss->xtnData, 0, sizeof(TLSExtensionData));
 
     if (IS_DTLS(ss)) {
 	ss->ssl3.hs.sendMessageSeq = 0;
--- a/security/nss/lib/ssl/ssl3ecc.c
+++ b/security/nss/lib/ssl/ssl3ecc.c
@@ -25,17 +25,17 @@
 #include "prthread.h"
 #include "prinit.h"
 
 #include "pk11func.h"
 #include "secmod.h"
 
 #include <stdio.h>
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 
 #ifndef PK11_SETATTRS
 #define PK11_SETATTRS(x,id,v,l) (x)->type = (id); \
 		(x)->pValue=(v); (x)->ulValueLen = (l);
 #endif
 
 #define SSL_GET_SERVER_PUBLIC_KEY(sock, type) \
     (ss->serverCerts[type].serverKeyPair ? \
@@ -1253,9 +1253,9 @@ ssl3_HandleSupportedCurvesXtn(sslSocket 
     return SECFailure;
 
 loser:
     /* no common curve supported */
     ssl3_DisableECCSuites(ss, ecSuites);
     return SECFailure;
 }
 
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
--- a/security/nss/lib/ssl/ssl3ext.c
+++ b/security/nss/lib/ssl/ssl3ext.c
@@ -225,17 +225,17 @@ ssl3_GetSessionTicketKeys(const unsigned
 
 /* Table of handlers for received TLS hello extensions, one per extension.
  * In the second generation, this table will be dynamic, and functions
  * will be registered here.
  */
 /* This table is used by the server, to handle client hello extensions. */
 static const ssl3HelloExtensionHandler clientHelloHandlers[] = {
     { ssl_server_name_xtn,        &ssl3_HandleServerNameXtn },
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     { ssl_elliptic_curves_xtn,    &ssl3_HandleSupportedCurvesXtn },
     { ssl_ec_point_formats_xtn,   &ssl3_HandleSupportedPointFormatsXtn },
 #endif
     { ssl_session_ticket_xtn,     &ssl3_ServerHandleSessionTicketXtn },
     { ssl_renegotiation_info_xtn, &ssl3_HandleRenegotiationInfoXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ServerHandleNextProtoNegoXtn },
     { ssl_use_srtp_xtn,           &ssl3_HandleUseSRTPXtn },
     { ssl_cert_status_xtn,        &ssl3_ServerHandleStatusRequestXtn },
@@ -267,17 +267,17 @@ static const ssl3HelloExtensionHandler s
  * These static tables are for the formatting of client hello extensions.
  * The server's table of hello senders is dynamic, in the socket struct,
  * and sender functions are registered there.
  */
 static const 
 ssl3HelloExtensionSender clientHelloSendersTLS[SSL_MAX_EXTENSIONS] = {
     { ssl_server_name_xtn,        &ssl3_SendServerNameXtn        },
     { ssl_renegotiation_info_xtn, &ssl3_SendRenegotiationInfoXtn },
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     { ssl_elliptic_curves_xtn,    &ssl3_SendSupportedCurvesXtn },
     { ssl_ec_point_formats_xtn,   &ssl3_SendSupportedPointFormatsXtn },
 #endif
     { ssl_session_ticket_xtn,     &ssl3_SendSessionTicketXtn },
     { ssl_next_proto_nego_xtn,    &ssl3_ClientSendNextProtoNegoXtn },
     { ssl_app_layer_protocol_xtn, &ssl3_ClientSendAppProtoXtn },
     { ssl_use_srtp_xtn,           &ssl3_SendUseSRTPXtn },
     { ssl_cert_status_xtn,        &ssl3_ClientSendStatusRequestXtn },
@@ -2214,17 +2214,17 @@ ssl3_ClientSendSigAlgsXtn(sslSocket * ss
 {
     static const unsigned char signatureAlgorithms[] = {
 	/* This block is the contents of our signature_algorithms extension, in
 	 * wire format. See
 	 * https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 */
 	tls_hash_sha256, tls_sig_rsa,
 	tls_hash_sha384, tls_sig_rsa,
 	tls_hash_sha1,   tls_sig_rsa,
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	tls_hash_sha256, tls_sig_ecdsa,
 	tls_hash_sha384, tls_sig_ecdsa,
 	tls_hash_sha1,   tls_sig_ecdsa,
 #endif
 	tls_hash_sha256, tls_sig_dsa,
 	tls_hash_sha1,   tls_sig_dsa,
     };
     PRInt32 extension_length;
--- a/security/nss/lib/ssl/sslcon.c
+++ b/security/nss/lib/ssl/sslcon.c
@@ -3096,25 +3096,25 @@ ssl2_BeginClientHandshake(sslSocket *ss)
 	ssl_GetSSL3HandshakeLock(ss);
 	ssl_GetXmitBufLock(ss);
 	rv =  ssl3_SendClientHello(ss, PR_FALSE);
 	ssl_ReleaseXmitBufLock(ss);
 	ssl_ReleaseSSL3HandshakeLock(ss);
 
 	return rv;
     }
-#if defined(NSS_ENABLE_ECC)
+#ifndef NSS_DISABLE_ECC
     /* ensure we don't neogtiate ECC cipher suites with SSL2 hello */
     ssl3_DisableECCSuites(ss, NULL); /* disable all ECC suites */
     if (ss->cipherSpecs != NULL) {
 	PORT_Free(ss->cipherSpecs);
 	ss->cipherSpecs     = NULL;
 	ss->sizeCipherSpecs = 0;
     }
-#endif
+#endif /* NSS_DISABLE_ECC */
 
     if (!ss->cipherSpecs) {
         rv = ssl2_ConstructCipherSpecs(ss);
 	if (rv < 0) {
 	    return rv;
     	}
     }
     localCipherSpecs = ss->cipherSpecs;
--- a/security/nss/lib/ssl/sslenum.c
+++ b/security/nss/lib/ssl/sslenum.c
@@ -42,97 +42,97 @@
  *      TLS_KRB5_EXPORT_WITH_RC4_40_MD5 { 0x00,0x2B }
  *      TLS_RSA_WITH_AES_128_CBC_SHA { 0x00,0x2F }
  *      TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A }
  *      TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 }
  * The broken server only supports the third and fourth ones and will select
  * the third one.
  */
 const PRUint16 SSL_ImplementedCiphers[] = {
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
     /* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA must appear before
      * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA to work around bug 946147.
      */
     TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
     TLS_ECDHE_RSA_WITH_RC4_128_SHA,
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
     TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
     TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
     TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
     TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA,
     TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
     TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
     TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
     TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA,
-    SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-    SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
+    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
     TLS_DHE_DSS_WITH_RC4_128_SHA,
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
     TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
     TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
     TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
     TLS_ECDH_ECDSA_WITH_RC4_128_SHA,
     TLS_ECDH_RSA_WITH_RC4_128_SHA,
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     TLS_RSA_WITH_AES_128_GCM_SHA256,
     TLS_RSA_WITH_AES_128_CBC_SHA,
     TLS_RSA_WITH_AES_128_CBC_SHA256,
     TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
     TLS_RSA_WITH_AES_256_CBC_SHA,
     TLS_RSA_WITH_AES_256_CBC_SHA256,
     TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
     TLS_RSA_WITH_SEED_CBC_SHA,
     SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,
-    SSL_RSA_WITH_3DES_EDE_CBC_SHA,
-    SSL_RSA_WITH_RC4_128_SHA,
-    SSL_RSA_WITH_RC4_128_MD5,
+    TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+    TLS_RSA_WITH_RC4_128_SHA,
+    TLS_RSA_WITH_RC4_128_MD5,
 
     /* 56-bit DES "domestic" cipher suites */
-    SSL_DHE_RSA_WITH_DES_CBC_SHA,
-    SSL_DHE_DSS_WITH_DES_CBC_SHA,
+    TLS_DHE_RSA_WITH_DES_CBC_SHA,
+    TLS_DHE_DSS_WITH_DES_CBC_SHA,
     SSL_RSA_FIPS_WITH_DES_CBC_SHA,
-    SSL_RSA_WITH_DES_CBC_SHA,
+    TLS_RSA_WITH_DES_CBC_SHA,
 
     /* export ciphersuites with 1024-bit public key exchange keys */
     TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,
     TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA,
 
     /* export ciphersuites with 512-bit public key exchange keys */
-    SSL_RSA_EXPORT_WITH_RC4_40_MD5,
-    SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
+    TLS_RSA_EXPORT_WITH_RC4_40_MD5,
+    TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5,
 
     /* ciphersuites with no encryption */
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     TLS_ECDHE_ECDSA_WITH_NULL_SHA,
     TLS_ECDHE_RSA_WITH_NULL_SHA,
     TLS_ECDH_RSA_WITH_NULL_SHA,
     TLS_ECDH_ECDSA_WITH_NULL_SHA,
-#endif /* NSS_ENABLE_ECC */
-    SSL_RSA_WITH_NULL_SHA,
+#endif /* NSS_DISABLE_ECC */
+    TLS_RSA_WITH_NULL_SHA,
     TLS_RSA_WITH_NULL_SHA256,
-    SSL_RSA_WITH_NULL_MD5,
+    TLS_RSA_WITH_NULL_MD5,
 
     /* SSL2 cipher suites. */
     SSL_EN_RC4_128_WITH_MD5,
     SSL_EN_RC2_128_CBC_WITH_MD5,
     SSL_EN_DES_192_EDE3_CBC_WITH_MD5,  /* actually 112, not 192 */
     SSL_EN_DES_64_CBC_WITH_MD5,
     SSL_EN_RC4_128_EXPORT40_WITH_MD5,
     SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5,
--- a/security/nss/lib/ssl/sslimpl.h
+++ b/security/nss/lib/ssl/sslimpl.h
@@ -283,21 +283,21 @@ typedef struct {
 #else
     ssl3CipherSuite cipher_suite;
     PRUint8         policy;
     unsigned char   enabled   : 1;
     unsigned char   isPresent : 1;
 #endif
 } ssl3CipherSuiteCfg;
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 #define ssl_V3_SUITES_IMPLEMENTED 61
 #else
 #define ssl_V3_SUITES_IMPLEMENTED 37
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 #define MAX_DTLS_SRTP_CIPHER_SUITES 4
 
 typedef struct sslOptionsStr {
     /* If SSL_SetNextProtoNego has been called, then this contains the
      * list of supported protocols. */
     SECItem nextProtoNego;
 
@@ -648,19 +648,19 @@ struct sslSessionIDStr {
 	    SSLCompressionMethod  compression;
 	    int                   policy;
 	    ssl3SidKeys           keys;
 	    CK_MECHANISM_TYPE     masterWrapMech;
 				  /* mechanism used to wrap master secret */
             SSL3KEAType           exchKeyType;
 				  /* key type used in exchange algorithm,
 				   * and to wrap the sym wrapping key. */
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 	    PRUint32              negotiatedECCurves;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 	    /* The following values are NOT restored from the server's on-disk
 	     * session cache, but are restored from the client's cache.
 	     */
  	    PK11SymKey *      clientWriteKey;
 	    PK11SymKey *      serverWriteKey;
 
 	    /* The following values pertain to the slot that wrapped the 
@@ -880,19 +880,19 @@ const ssl3CipherSuiteDef *suite_def;
     NewSessionTicket      newSessionTicket;
 
     PRUint16              finishedBytes; /* size of single finished below */
     union {
 	TLSFinished       tFinished[2]; /* client, then server */
 	SSL3Finished      sFinished[2];
 	SSL3Opaque        data[72];
     }                     finishedMsgs;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     PRUint32              negotiatedECCurves; /* bit mask */
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
     PRBool                authCertificatePending;
     /* Which function should SSL_RestartHandshake* call if we're blocked?
      * One of NULL, ssl3_SendClientSecondRound, ssl3_FinishHandshake,
      * or ssl3_AlwaysFail */
     sslRestartTarget      restartTarget;
     /* Shared state between ssl3_HandleFinished and ssl3_FinishHandshake */
     PRBool                cacheSID;
@@ -1591,17 +1591,17 @@ int ssl3_GatherCompleteHandshake(sslSock
 /*
  * When talking to export clients or using export cipher suites, servers 
  * with public RSA keys larger than 512 bits need to use a 512-bit public
  * key, signed by the larger key.  The smaller key is a "step down" key.
  * Generate that key pair and keep it around.
  */
 extern SECStatus ssl3_CreateRSAStepDownKeys(sslSocket *ss);
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 extern void      ssl3_FilterECCipherSuitesByServerCerts(sslSocket *ss);
 extern PRBool    ssl3_IsECCEnabled(sslSocket *ss);
 extern SECStatus ssl3_DisableECCSuites(sslSocket * ss, 
                                        const ssl3CipherSuite * suite);
 extern PRUint32  ssl3_GetSupportedECCurveMask(sslSocket *ss);
 
 
 /* Macro for finding a curve equivalent in strength to RSA key's */
@@ -1646,17 +1646,17 @@ typedef enum { ec_noName     = 0,
 	       ec_pastLastName
 } ECName;
 
 extern SECStatus ssl3_ECName2Params(PLArenaPool *arena, ECName curve,
 				   SECKEYECParams *params);
 ECName	ssl3_GetCurveWithECKeyStrength(PRUint32 curvemsk, int requiredECCbits);
 
 
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 extern SECStatus ssl3_CipherPrefSetDefault(ssl3CipherSuite which, PRBool on);
 extern SECStatus ssl3_CipherPrefGetDefault(ssl3CipherSuite which, PRBool *on);
 extern SECStatus ssl2_CipherPrefSetDefault(PRInt32 which, PRBool enabled);
 extern SECStatus ssl2_CipherPrefGetDefault(PRInt32 which, PRBool *enabled);
 
 extern SECStatus ssl3_CipherPrefSet(sslSocket *ss, ssl3CipherSuite which, PRBool on);
 extern SECStatus ssl3_CipherPrefGet(sslSocket *ss, ssl3CipherSuite which, PRBool *on);
@@ -1681,17 +1681,17 @@ extern SECStatus ssl3_HandleHandshakeMes
 extern void ssl3_DestroySSL3Info(sslSocket *ss);
 
 extern SECStatus ssl3_NegotiateVersion(sslSocket *ss, 
 				       SSL3ProtocolVersion peerVersion,
 				       PRBool allowLargerPeerVersion);
 
 extern SECStatus ssl_GetPeerInfo(sslSocket *ss);
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 /* ECDH functions */
 extern SECStatus ssl3_SendECDHClientKeyExchange(sslSocket * ss, 
 			     SECKEYPublicKey * svrPubKey);
 extern SECStatus ssl3_HandleECDHServerKeyExchange(sslSocket *ss, 
 					SSL3Opaque *b, PRUint32 length);
 extern SECStatus ssl3_HandleECDHClientKeyExchange(sslSocket *ss, 
 				     SSL3Opaque *b, PRUint32 length,
                                      SECKEYPublicKey *srvrPubKey,
@@ -1766,17 +1766,17 @@ extern PRInt32 ssl3_SendServerNameXtn(ss
 /* Assigns new cert, cert chain and keys to ss->serverCerts
  * struct. If certChain is NULL, tries to find one. Aborts if
  * fails to do so. If cert and keyPair are NULL - unconfigures
  * sslSocket of kea type.*/
 extern SECStatus ssl_ConfigSecureServer(sslSocket *ss, CERTCertificate *cert,
                                         const CERTCertificateList *certChain,
                                         ssl3KeyPair *keyPair, SSLKEAType kea);
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 extern PRInt32 ssl3_SendSupportedCurvesXtn(sslSocket *ss,
 			PRBool append, PRUint32 maxBytes);
 extern PRInt32 ssl3_SendSupportedPointFormatsXtn(sslSocket *ss,
 			PRBool append, PRUint32 maxBytes);
 #endif
 
 /* call the registered extension handlers. */
 extern SECStatus ssl3_HandleHelloExtensions(sslSocket *ss, 
--- a/security/nss/lib/ssl/sslinfo.c
+++ b/security/nss/lib/ssl/sslinfo.c
@@ -143,40 +143,40 @@ static const SSLCipherSuiteInfo suiteInf
 {0,CS(TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA), S_DSA, K_DHE, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
 {0,CS(TLS_DHE_DSS_WITH_RC4_128_SHA),          S_DSA, K_DHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA256),   S_RSA, K_DHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
 {0,CS(TLS_DHE_RSA_WITH_AES_128_GCM_SHA256),   S_RSA, K_DHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
 {0,CS(TLS_DHE_RSA_WITH_AES_128_CBC_SHA),      S_RSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
 {0,CS(TLS_DHE_DSS_WITH_AES_128_CBC_SHA),      S_DSA, K_DHE, C_AES, B_128, M_SHA, 1, 0, 0, },
 {0,CS(TLS_RSA_WITH_SEED_CBC_SHA),             S_RSA, K_RSA, C_SEED,B_128, M_SHA, 1, 0, 0, },
 {0,CS(TLS_RSA_WITH_CAMELLIA_128_CBC_SHA),     S_RSA, K_RSA, C_CAMELLIA, B_128, M_SHA, 0, 0, 0, },
-{0,CS(SSL_RSA_WITH_RC4_128_SHA),              S_RSA, K_RSA, C_RC4, B_128, M_SHA, 0, 0, 0, },
-{0,CS(SSL_RSA_WITH_RC4_128_MD5),              S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
+{0,CS(TLS_RSA_WITH_RC4_128_SHA),              S_RSA, K_RSA, C_RC4, B_128, M_SHA, 0, 0, 0, },
+{0,CS(TLS_RSA_WITH_RC4_128_MD5),              S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
 {0,CS(TLS_RSA_WITH_AES_128_CBC_SHA256),       S_RSA, K_RSA, C_AES, B_128, M_SHA256, 1, 0, 0, },
 {0,CS(TLS_RSA_WITH_AES_128_CBC_SHA),          S_RSA, K_RSA, C_AES, B_128, M_SHA, 1, 0, 0, },
 
-{0,CS(SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA),     S_RSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
-{0,CS(SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA),     S_DSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
+{0,CS(TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA),     S_RSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
+{0,CS(TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA),     S_DSA, K_DHE, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
 {0,CS(SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA),    S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 1, },
-{0,CS(SSL_RSA_WITH_3DES_EDE_CBC_SHA),         S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
+{0,CS(TLS_RSA_WITH_3DES_EDE_CBC_SHA),         S_RSA, K_RSA, C_3DES,B_3DES,M_SHA, 1, 0, 0, },
 
-{0,CS(SSL_DHE_RSA_WITH_DES_CBC_SHA),          S_RSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, },
-{0,CS(SSL_DHE_DSS_WITH_DES_CBC_SHA),          S_DSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_RSA_WITH_DES_CBC_SHA),          S_RSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, },
+{0,CS(TLS_DHE_DSS_WITH_DES_CBC_SHA),          S_DSA, K_DHE, C_DES, B_DES, M_SHA, 0, 0, 0, },
 {0,CS(SSL_RSA_FIPS_WITH_DES_CBC_SHA),         S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 0, 1, },
-{0,CS(SSL_RSA_WITH_DES_CBC_SHA),              S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 0, 0, },
+{0,CS(TLS_RSA_WITH_DES_CBC_SHA),              S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 0, 0, },
 
 {0,CS(TLS_RSA_EXPORT1024_WITH_RC4_56_SHA),    S_RSA, K_RSA, C_RC4, B_56,  M_SHA, 0, 1, 0, },
 {0,CS(TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA),   S_RSA, K_RSA, C_DES, B_DES, M_SHA, 0, 1, 0, },
-{0,CS(SSL_RSA_EXPORT_WITH_RC4_40_MD5),        S_RSA, K_RSA, C_RC4, B_40,  M_MD5, 0, 1, 0, },
-{0,CS(SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5),    S_RSA, K_RSA, C_RC2, B_40,  M_MD5, 0, 1, 0, },
+{0,CS(TLS_RSA_EXPORT_WITH_RC4_40_MD5),        S_RSA, K_RSA, C_RC4, B_40,  M_MD5, 0, 1, 0, },
+{0,CS(TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5),    S_RSA, K_RSA, C_RC2, B_40,  M_MD5, 0, 1, 0, },
 {0,CS(TLS_RSA_WITH_NULL_SHA256),              S_RSA, K_RSA, C_NULL,B_0,   M_SHA256, 0, 1, 0, },
-{0,CS(SSL_RSA_WITH_NULL_SHA),                 S_RSA, K_RSA, C_NULL,B_0,   M_SHA, 0, 1, 0, },
-{0,CS(SSL_RSA_WITH_NULL_MD5),                 S_RSA, K_RSA, C_NULL,B_0,   M_MD5, 0, 1, 0, },
+{0,CS(TLS_RSA_WITH_NULL_SHA),                 S_RSA, K_RSA, C_NULL,B_0,   M_SHA, 0, 1, 0, },
+{0,CS(TLS_RSA_WITH_NULL_MD5),                 S_RSA, K_RSA, C_NULL,B_0,   M_MD5, 0, 1, 0, },
 
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
 /* ECC cipher suites */
 {0,CS(TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), S_RSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
 {0,CS(TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256), S_ECDSA, K_ECDHE, C_AESGCM, B_128, M_AEAD_128, 1, 0, 0, },
 
 {0,CS(TLS_ECDH_ECDSA_WITH_NULL_SHA),          S_ECDSA, K_ECDH, C_NULL, B_0, M_SHA, 0, 0, 0, },
 {0,CS(TLS_ECDH_ECDSA_WITH_RC4_128_SHA),       S_ECDSA, K_ECDH, C_RC4, B_128, M_SHA, 0, 0, 0, },
 {0,CS(TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA),  S_ECDSA, K_ECDH, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
 {0,CS(TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA),   S_ECDSA, K_ECDH, C_AES, B_128, M_SHA, 1, 0, 0, },
@@ -196,17 +196,17 @@ static const SSLCipherSuiteInfo suiteInf
 {0,CS(TLS_ECDH_RSA_WITH_AES_256_CBC_SHA),     S_RSA, K_ECDH, C_AES, B_256, M_SHA, 1, 0, 0, },
 
 {0,CS(TLS_ECDHE_RSA_WITH_NULL_SHA),           S_RSA, K_ECDHE, C_NULL, B_0, M_SHA, 0, 0, 0, },
 {0,CS(TLS_ECDHE_RSA_WITH_RC4_128_SHA),        S_RSA, K_ECDHE, C_RC4, B_128, M_SHA, 0, 0, 0, },
 {0,CS(TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA),   S_RSA, K_ECDHE, C_3DES, B_3DES, M_SHA, 1, 0, 0, },
 {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA),    S_RSA, K_ECDHE, C_AES, B_128, M_SHA, 1, 0, 0, },
 {0,CS(TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256), S_RSA, K_ECDHE, C_AES, B_128, M_SHA256, 1, 0, 0, },
 {0,CS(TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA),    S_RSA, K_ECDHE, C_AES, B_256, M_SHA, 1, 0, 0, },
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
 
 /* SSL 2 table */
 {0,CK(SSL_CK_RC4_128_WITH_MD5),               S_RSA, K_RSA, C_RC4, B_128, M_MD5, 0, 0, 0, },
 {0,CK(SSL_CK_RC2_128_CBC_WITH_MD5),           S_RSA, K_RSA, C_RC2, B_128, M_MD5, 0, 0, 0, },
 {0,CK(SSL_CK_DES_192_EDE3_CBC_WITH_MD5),      S_RSA, K_RSA, C_3DES,B_3DES,M_MD5, 0, 0, 0, },
 {0,CK(SSL_CK_DES_64_CBC_WITH_MD5),            S_RSA, K_RSA, C_DES, B_DES, M_MD5, 0, 0, 0, },
 {0,CK(SSL_CK_RC4_128_EXPORT40_WITH_MD5),      S_RSA, K_RSA, C_RC4, B_40,  M_MD5, 0, 1, 0, },
 {0,CK(SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5),  S_RSA, K_RSA, C_RC2, B_40,  M_MD5, 0, 1, 0, }
--- a/security/nss/lib/ssl/sslnonce.c
+++ b/security/nss/lib/ssl/sslnonce.c
@@ -478,28 +478,26 @@ ssl_Time(void)
 }
 
 void
 ssl3_SetSIDSessionTicket(sslSessionID *sid,
                          /*in/out*/ NewSessionTicket *newSessionTicket)
 {
     PORT_Assert(sid);
     PORT_Assert(newSessionTicket);
+    PORT_Assert(newSessionTicket->ticket.data);
+    PORT_Assert(newSessionTicket->ticket.len != 0);
 
     /* if sid->u.ssl3.lock, we are updating an existing entry that is already
      * cached or was once cached, so we need to acquire and release the write
      * lock. Otherwise, this is a new session that isn't shared with anything
      * yet, so no locking is needed.
      */
     if (sid->u.ssl3.lock) {
 	PR_RWLock_Wlock(sid->u.ssl3.lock);
-
-	/* A server might have sent us an empty ticket, which has the
-	 * effect of clearing the previously known ticket.
-	 */
 	if (sid->u.ssl3.locked.sessionTicket.ticket.data) {
 	    SECITEM_FreeItem(&sid->u.ssl3.locked.sessionTicket.ticket,
 			     PR_FALSE);
 	}
     }
 
     PORT_Assert(!sid->u.ssl3.locked.sessionTicket.ticket.data);
 
--- a/security/nss/lib/ssl/sslproto.h
+++ b/security/nss/lib/ssl/sslproto.h
@@ -76,94 +76,128 @@
 #define SSL_EN_RC4_128_WITH_MD5			0xFF01
 #define SSL_EN_RC4_128_EXPORT40_WITH_MD5	0xFF02
 #define SSL_EN_RC2_128_CBC_WITH_MD5		0xFF03
 #define SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5	0xFF04
 #define SSL_EN_IDEA_128_CBC_WITH_MD5		0xFF05
 #define SSL_EN_DES_64_CBC_WITH_MD5		0xFF06
 #define SSL_EN_DES_192_EDE3_CBC_WITH_MD5	0xFF07
 
-/* SSL v3 Cipher Suites */
-#define SSL_NULL_WITH_NULL_NULL			0x0000
+/* Deprecated SSL 3.0 & libssl names replaced by IANA-registered TLS names. */
+#ifndef SSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES
+#define SSL_NULL_WITH_NULL_NULL                TLS_NULL_WITH_NULL_NULL
+#define SSL_RSA_WITH_NULL_MD5                  TLS_RSA_WITH_NULL_MD5
+#define SSL_RSA_WITH_NULL_SHA                  TLS_RSA_WITH_NULL_SHA
+#define SSL_RSA_EXPORT_WITH_RC4_40_MD5         TLS_RSA_EXPORT_WITH_RC4_40_MD5
+#define SSL_RSA_WITH_RC4_128_MD5               TLS_RSA_WITH_RC4_128_MD5
+#define SSL_RSA_WITH_RC4_128_SHA               TLS_RSA_WITH_RC4_128_SHA
+#define SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5     TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
+#define SSL_RSA_WITH_IDEA_CBC_SHA              TLS_RSA_WITH_IDEA_CBC_SHA
+#define SSL_RSA_EXPORT_WITH_DES40_CBC_SHA      TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
+#define SSL_RSA_WITH_DES_CBC_SHA               TLS_RSA_WITH_DES_CBC_SHA
+#define SSL_RSA_WITH_3DES_EDE_CBC_SHA          TLS_RSA_WITH_3DES_EDE_CBC_SHA
+#define SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA   TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA
+#define SSL_DH_DSS_WITH_DES_CBC_SHA            TLS_DH_DSS_WITH_DES_CBC_SHA
+#define SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA       TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
+#define SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA   TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA
+#define SSL_DH_RSA_WITH_DES_CBC_SHA            TLS_DH_RSA_WITH_DES_CBC_SHA
+#define SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA       TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA
+#define SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA  TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
+#define SSL_DHE_DSS_WITH_DES_CBC_SHA           TLS_DHE_DSS_WITH_DES_CBC_SHA
+#define SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA      TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
+#define SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA  TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
+#define SSL_DHE_RSA_WITH_DES_CBC_SHA           TLS_DHE_RSA_WITH_DES_CBC_SHA
+#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA      TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+#define SSL_DH_ANON_WITH_RC4_128_MD5           TLS_DH_anon_WITH_RC4_128_MD5
+#define SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA  TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA
+#define SSL_DH_ANON_WITH_DES_CBC_SHA           TLS_DH_anon_WITH_DES_CBC_SHA
+#define SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA      TLS_DH_anon_WITH_3DES_EDE_CBC_SHA
+#define SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5     TLS_DH_anon_EXPORT_WITH_RC4_40_MD5
+#define TLS_DH_ANON_WITH_AES_128_CBC_SHA       TLS_DH_anon_WITH_AES_128_CBC_SHA
+#define TLS_DH_ANON_WITH_AES_256_CBC_SHA       TLS_DH_anon_WITH_AES_256_CBC_SHA
+#define TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA  TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA
+#define TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA  TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA
+#endif
 
-#define SSL_RSA_WITH_NULL_MD5			0x0001
-#define SSL_RSA_WITH_NULL_SHA			0x0002
-#define SSL_RSA_EXPORT_WITH_RC4_40_MD5		0x0003
-#define SSL_RSA_WITH_RC4_128_MD5		0x0004
-#define SSL_RSA_WITH_RC4_128_SHA		0x0005
-#define SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5	0x0006
-#define SSL_RSA_WITH_IDEA_CBC_SHA		0x0007
-#define SSL_RSA_EXPORT_WITH_DES40_CBC_SHA	0x0008
-#define SSL_RSA_WITH_DES_CBC_SHA		0x0009
-#define SSL_RSA_WITH_3DES_EDE_CBC_SHA		0x000a
-						       
-#define SSL_DH_DSS_EXPORT_WITH_DES40_CBC_SHA	0x000b
-#define SSL_DH_DSS_WITH_DES_CBC_SHA		0x000c
-#define SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA	0x000d
-#define SSL_DH_RSA_EXPORT_WITH_DES40_CBC_SHA	0x000e
-#define SSL_DH_RSA_WITH_DES_CBC_SHA		0x000f
-#define SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA	0x0010
-						       
-#define SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA	0x0011
-#define SSL_DHE_DSS_WITH_DES_CBC_SHA		0x0012
-#define SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA	0x0013
-#define SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA	0x0014
-#define SSL_DHE_RSA_WITH_DES_CBC_SHA		0x0015
-#define SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA	0x0016
-						       
-#define SSL_DH_ANON_EXPORT_WITH_RC4_40_MD5	0x0017
-#define SSL_DH_ANON_WITH_RC4_128_MD5		0x0018
-#define SSL_DH_ANON_EXPORT_WITH_DES40_CBC_SHA	0x0019
-#define SSL_DH_ANON_WITH_DES_CBC_SHA		0x001a
-#define SSL_DH_ANON_WITH_3DES_EDE_CBC_SHA	0x001b
+#define TLS_NULL_WITH_NULL_NULL			0x0000
+
+#define TLS_RSA_WITH_NULL_MD5			0x0001
+#define TLS_RSA_WITH_NULL_SHA			0x0002
+#define TLS_RSA_EXPORT_WITH_RC4_40_MD5		0x0003
+#define TLS_RSA_WITH_RC4_128_MD5		0x0004
+#define TLS_RSA_WITH_RC4_128_SHA		0x0005
+#define TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5	0x0006
+#define TLS_RSA_WITH_IDEA_CBC_SHA		0x0007
+#define TLS_RSA_EXPORT_WITH_DES40_CBC_SHA	0x0008
+#define TLS_RSA_WITH_DES_CBC_SHA		0x0009
+#define TLS_RSA_WITH_3DES_EDE_CBC_SHA		0x000a
+
+#define TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA	0x000b
+#define TLS_DH_DSS_WITH_DES_CBC_SHA		0x000c
+#define TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA	0x000d
+#define TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA	0x000e
+#define TLS_DH_RSA_WITH_DES_CBC_SHA		0x000f
+#define TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA	0x0010
+
+#define TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA	0x0011
+#define TLS_DHE_DSS_WITH_DES_CBC_SHA		0x0012
+#define TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA	0x0013
+#define TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA	0x0014
+#define TLS_DHE_RSA_WITH_DES_CBC_SHA		0x0015
+#define TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA	0x0016
+
+#define TLS_DH_anon_EXPORT_WITH_RC4_40_MD5	0x0017
+#define TLS_DH_anon_WITH_RC4_128_MD5		0x0018
+#define TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA	0x0019
+#define TLS_DH_anon_WITH_DES_CBC_SHA		0x001a
+#define TLS_DH_anon_WITH_3DES_EDE_CBC_SHA	0x001b
 
 #define SSL_FORTEZZA_DMS_WITH_NULL_SHA		0x001c /* deprecated */
 #define SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA	0x001d /* deprecated */
 #define SSL_FORTEZZA_DMS_WITH_RC4_128_SHA	0x001e /* deprecated */
 
-/* New TLS cipher suites */
 #define TLS_RSA_WITH_AES_128_CBC_SHA      	0x002F
 #define TLS_DH_DSS_WITH_AES_128_CBC_SHA   	0x0030
 #define TLS_DH_RSA_WITH_AES_128_CBC_SHA   	0x0031
 #define TLS_DHE_DSS_WITH_AES_128_CBC_SHA  	0x0032
 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA  	0x0033
-#define TLS_DH_ANON_WITH_AES_128_CBC_SHA  	0x0034
+#define TLS_DH_anon_WITH_AES_128_CBC_SHA  	0x0034
 
 #define TLS_RSA_WITH_AES_256_CBC_SHA      	0x0035
 #define TLS_DH_DSS_WITH_AES_256_CBC_SHA   	0x0036
 #define TLS_DH_RSA_WITH_AES_256_CBC_SHA   	0x0037
 #define TLS_DHE_DSS_WITH_AES_256_CBC_SHA  	0x0038
 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA  	0x0039
-#define TLS_DH_ANON_WITH_AES_256_CBC_SHA  	0x003A
+#define TLS_DH_anon_WITH_AES_256_CBC_SHA  	0x003A
 #define TLS_RSA_WITH_NULL_SHA256		0x003B
 #define TLS_RSA_WITH_AES_128_CBC_SHA256  	0x003C
 #define TLS_RSA_WITH_AES_256_CBC_SHA256  	0x003D
 
 #define TLS_RSA_WITH_CAMELLIA_128_CBC_SHA      	0x0041
 #define TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA   	0x0042
 #define TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA   	0x0043
 #define TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA  	0x0044
 #define TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA  	0x0045
-#define TLS_DH_ANON_WITH_CAMELLIA_128_CBC_SHA  	0x0046
+#define TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA  	0x0046
 
 #define TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA     0x0062
 #define TLS_RSA_EXPORT1024_WITH_RC4_56_SHA      0x0064
 
 #define TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA 0x0063
 #define TLS_DHE_DSS_EXPORT1024_WITH_RC4_56_SHA  0x0065
 #define TLS_DHE_DSS_WITH_RC4_128_SHA            0x0066
 #define TLS_DHE_RSA_WITH_AES_128_CBC_SHA256     0x0067
 #define TLS_DHE_RSA_WITH_AES_256_CBC_SHA256     0x006B
 
 #define TLS_RSA_WITH_CAMELLIA_256_CBC_SHA      	0x0084
 #define TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA   	0x0085
 #define TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA   	0x0086
 #define TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA  	0x0087
 #define TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA  	0x0088
-#define TLS_DH_ANON_WITH_CAMELLIA_256_CBC_SHA  	0x0089
+#define TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA  	0x0089
 
 #define TLS_RSA_WITH_SEED_CBC_SHA		0x0096
 
 #define TLS_RSA_WITH_AES_128_GCM_SHA256         0x009C
 #define TLS_DHE_RSA_WITH_AES_128_GCM_SHA256     0x009E
 #define TLS_DHE_DSS_WITH_AES_128_GCM_SHA256     0x00A2
 
 /* TLS "Signaling Cipher Suite Value" (SCSV). May be requested by client.
--- a/security/nss/lib/ssl/sslsecur.c
+++ b/security/nss/lib/ssl/sslsecur.c
@@ -691,21 +691,21 @@ NSS_FindCertKEAType(CERTCertificate * ce
   switch (tag) {
   case SEC_OID_X500_RSA_ENCRYPTION:
   case SEC_OID_PKCS1_RSA_ENCRYPTION:
     keaType = kt_rsa;
     break;
   case SEC_OID_X942_DIFFIE_HELMAN_KEY:
     keaType = kt_dh;
     break;
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
   case SEC_OID_ANSIX962_EC_PUBLIC_KEY:
     keaType = kt_ecdh;
     break;
-#endif /* NSS_ENABLE_ECC */
+#endif /* NSS_DISABLE_ECC */
   default:
     keaType = kt_null;
   }
   
  loser:
   
   return keaType;
 }
--- a/security/nss/lib/ssl/sslt.h
+++ b/security/nss/lib/ssl/sslt.h
@@ -176,17 +176,17 @@ typedef enum {
     SSL_sni_type_total
 } SSLSniNameType;
 
 /* Supported extensions. */
 /* Update SSL_MAX_EXTENSIONS whenever a new extension type is added. */
 typedef enum {
     ssl_server_name_xtn              = 0,
     ssl_cert_status_xtn              = 5,
-#ifdef NSS_ENABLE_ECC
+#ifndef NSS_DISABLE_ECC
     ssl_elliptic_curves_xtn          = 10,
     ssl_ec_point_formats_xtn         = 11,
 #endif
     ssl_signature_algorithms_xtn     = 13,
     ssl_use_srtp_xtn                 = 14,
     ssl_app_layer_protocol_xtn       = 16,
     ssl_session_ticket_xtn           = 35,
     ssl_next_proto_nego_xtn          = 13172,
--- a/security/nss/lib/zlib/config.mk
+++ b/security/nss/lib/zlib/config.mk
@@ -9,8 +9,12 @@
 #
 
 TARGETS        = $(LIBRARY) $(PROGRAMS)
 SHARED_LIBRARY =
 IMPORT_LIBRARY =
 PROGRAM        =
 
 EXTRA_LIBS     = $(LIBRARY)
+
+ifeq ($(OS_TARGET),Linux)
+DEFINES += -DHAVE_UNISTD_H
+endif
--- a/security/nss/tests/all.sh
+++ b/security/nss/tests/all.sh
@@ -54,17 +54,17 @@
 #
 # Optional environment variables to specify build to use:
 # -------------------------------------------------------
 #   BUILT_OPT    - use optimized/debug build 
 #   USE_64       - use 64bit/32bit build
 #
 # Optional environment variables to enable specific NSS features:
 # ---------------------------------------------------------------
-#   NSS_ENABLE_ECC              - enable ECC
+#   NSS_DISABLE_ECC             - disable ECC
 #   NSS_ECC_MORE_THAN_SUITE_B   - enable extended ECC
 #
 # Optional environment variables to select which cycles/suites to test:
 # ---------------------------------------------------------------------
 #   NSS_CYCLES     - list of cycles to run (separated by space 
 #                    character)
 #                  - by default all cycles are tested
 #
--- a/security/nss/tests/cert/cert.sh
+++ b/security/nss/tests/cert/cert.sh
@@ -41,17 +41,17 @@ cert_init()
       cd ../common
       . ./init.sh
   fi
   if [ -z "${IOPR_CERT_SOURCED}" ]; then
        . ../iopr/cert_iopr.sh
   fi
   SCRIPTNAME="cert.sh"
   CRL_GRP_DATE=`date -u "+%Y%m%d%H%M%SZ"`
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       html_head "Certutil and Crlutil Tests with ECC"
   else
       html_head "Certutil and Crlutil Tests"
   fi
 
   LIBDIR="${DIST}/${OBJDIR}/lib"
 
   ROOTCERTSFILE=`ls -1 ${LIBDIR}/*nssckbi* | head -1`
@@ -287,17 +287,17 @@ cert_create_cert()
 
     CU_ACTION="Import Root CA for $CERTNAME"
     certu -A -n "TestCA" -t "TC,TC,TC" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${R_CADIR}/TestCA.ca.cert" 2>&1
     if [ "$RET" -ne 0 ]; then
         return $RET
     fi
 
-    if [ -n "$NSS_ENABLE_ECC" ] ; then
+    if [ -z "$NSS_DISABLE_ECC" ] ; then
 	CU_ACTION="Import EC Root CA for $CERTNAME"
 	certu -A -n "TestCA-ec" -t "TC,TC,TC" -f "${R_PWFILE}" \
 	    -d "${PROFILEDIR}" -i "${R_CADIR}/TestCA-ec.ca.cert" 2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
     fi
 
@@ -335,17 +335,17 @@ cert_add_cert()
         return $RET
     fi
 
     cert_log "SUCCESS: $CERTNAME's Cert Created"
 
 #
 #   Generate and add EC cert
 #
-    if [ -n "$NSS_ENABLE_ECC" ] ; then
+    if [ -z "$NSS_DISABLE_ECC" ] ; then
 	CURVE="secp384r1"
 	CU_ACTION="Generate EC Cert Request for $CERTNAME"
 	CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	certu -R -k ec -q "${CURVE}" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
 	    -z "${R_NOISE_FILE}" -o req  2>&1
 	if [ "$RET" -ne 0 ]; then
             return $RET
 	fi
@@ -425,17 +425,17 @@ cert_all_CA()
     ALL_CU_SUBJECT="CN=NSS Chain2 Client Test CA, O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
     cert_CA $CLIENT_CADIR chain-2-clientCA "-c chain-1-clientCA" "u,u,u" ${D_CLIENT_CA} "7"
 
     rm $CLIENT_CADIR/root.cert $SERVER_CADIR/root.cert
 
     # root.cert in $CLIENT_CADIR and in $SERVER_CADIR is one of the last 
     # in the chain
 
-    if [ -n "$NSS_ENABLE_ECC" ] ; then
+    if [ -z "$NSS_DISABLE_ECC" ] ; then
 #
 #       Create EC version of TestCA
 	CA_CURVE="secp521r1"
 	ALL_CU_SUBJECT="CN=NSS Test CA (ECC), O=BOGUS NSS, L=Mountain View, ST=California, C=US"
 	cert_ec_CA $CADIR TestCA-ec -x "CTu,CTu,CTu" ${D_CA} "1" ${CA_CURVE}
 #
 #       Create EC versions of the intermediate CA certs
 	ALL_CU_SUBJECT="CN=NSS Server Test CA (ECC), O=BOGUS NSS, L=Santa Clara, ST=California, C=US"
@@ -666,17 +666,17 @@ cert_smime_client()
   CU_ACTION="Import Eve's cert into Alice's DB"
   certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
         -i ${R_EVEDIR}/Eve.cert 2>&1
 
   CU_ACTION="Import Eve's cert into Bob's DB"
   certu -E -t ",," -d ${P_R_BOBDIR} -f ${R_PWFILE} \
         -i ${R_EVEDIR}/Eve.cert 2>&1
 
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       echo "$SCRIPTNAME: Importing EC Certificates =============================="
       CU_ACTION="Import Bob's EC cert into Alice's db"
       certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
           -i ${R_BOBDIR}/Bob-ec.cert 2>&1
 
       CU_ACTION="Import Dave's EC cert into Alice's DB"
       certu -E -t ",," -d ${P_R_ALICEDIR} -f ${R_PWFILE} \
           -i ${R_DAVEDIR}/Dave-ec.cert 2>&1
@@ -737,17 +737,17 @@ cert_extended_ssl()
   CU_ACTION="Import $CERTNAME's Cert  -t u,u,u (ext)"
   certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
         -i "${CERTNAME}.cert" 2>&1
 
   CU_ACTION="Import Client Root CA -t T,, for $CERTNAME (ext.)"
   certu -A -n "clientCA" -t "T,," -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${CLIENT_CADIR}/clientCA.ca.cert" 2>&1
 
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
 #
 #     Repeat the above for EC certs
 #
       EC_CURVE="secp256r1"
       CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
       CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
@@ -825,17 +825,17 @@ cert_extended_ssl()
 
   CU_ACTION="Import $CERTNAME's Cert -t u,u,u (ext)"
   certu -A -n "$CERTNAME" -t "u,u,u" -d "${PROFILEDIR}" -f "${R_PWFILE}" \
         -i "${CERTNAME}.cert" 2>&1
   CU_ACTION="Import Server Root CA -t C,C,C for $CERTNAME (ext.)"
   certu -A -n "serverCA" -t "C,C,C" -f "${R_PWFILE}" -d "${PROFILEDIR}" \
           -i "${SERVER_CADIR}/serverCA.ca.cert" 2>&1
 
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
 #
 #     Repeat the above for EC certs
 #
       CU_ACTION="Generate EC Cert Request for $CERTNAME (ext)"
       CU_SUBJECT="CN=$CERTNAME, E=${CERTNAME}-ec@bogus.com, O=BOGUS NSS, L=Mountain View, ST=California, C=US"
       certu -R -d "${PROFILEDIR}" -k ec -q "${EC_CURVE}" -f "${R_PWFILE}" \
 	  -z "${R_NOISE_FILE}" -o req 2>&1
 
@@ -915,17 +915,17 @@ cert_ssl()
   cert_create_cert ${SERVERDIR} "${HOSTADDR}" 100 ${D_SERVER}
   echo "$SCRIPTNAME: Creating Server CA Issued Certificate for \\"
   echo "             ${HOSTADDR}-sni --------------------------------"
   CERTSERIAL=101
   CERTNAME="${HOST}-sni${sniCertCount}.${DOMSUF}"
   cert_add_cert 
   CU_ACTION="Modify trust attributes of Root CA -t TC,TC,TC"
   certu -M -n "TestCA" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Modify trust attributes of EC Root CA -t TC,TC,TC"
       certu -M -n "TestCA-ec" -t "TC,TC,TC" -d ${PROFILEDIR} -f "${R_PWFILE}"
   fi
 #  cert_init_cert ${SERVERDIR} "${HOSTADDR}" 1 ${D_SERVER}
 #  echo "************* Copying CA files to ${SERVERDIR}"
 #  cp ${CADIR}/*.db .
 #  hw_acc
 #  CU_ACTION="Creating ${CERTNAME}'s Server Cert"
@@ -935,18 +935,18 @@ cert_ssl()
 
   if [ "$CERTFAILED" != 0 ] ; then
       cert_log "ERROR: SSL failed $RET"
   else
       cert_log "SUCCESS: SSL passed"
   fi
 
   echo "$SCRIPTNAME: Creating database for OCSP stapling tests  ==============="
-  echo "cp -rv ${SERVERDIR} ${STAPLINGDIR}"
-  cp -rv ${R_SERVERDIR} ${R_STAPLINGDIR}
+  echo "cp -r ${SERVERDIR} ${STAPLINGDIR}"
+  cp -r ${R_SERVERDIR} ${R_STAPLINGDIR}
   pk12u -o ${R_STAPLINGDIR}/ca.p12 -n TestCA -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_CADIR}
   pk12u -i ${R_STAPLINGDIR}/ca.p12 -k ${R_PWFILE} -w ${R_PWFILE} -d ${R_STAPLINGDIR}
 }
 ############################## cert_stresscerts ################################
 # local shell function to create client certs for SSL stresstest
 ########################################################################
 cert_stresscerts()
 {
@@ -1023,17 +1023,17 @@ MODSCRIPT
 
 ############################## cert_eccurves ###########################
 # local shell function to create server certs for all EC curves
 ########################################################################
 cert_eccurves()
 {
   ################# Creating Certs for EC curves test ########################
   #
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
     echo "$SCRIPTNAME: Creating Server CA Issued Certificate for "
     echo "             EC Curves Test Certificates ------------------------------------"
 
     cert_init_cert "${ECCURVES_DIR}" "EC Curves Test Certificates" 1 ${D_ECCURVES}
 
     CU_ACTION="Initializing EC Curve's Cert DB"
     certu -N -d "${PROFILEDIR}" -f "${R_PWFILE}" 2>&1
 
@@ -1083,17 +1083,17 @@ cert_eccurves()
 	
 	if [ $RET -eq 0 ] ; then
 	  CU_ACTION="Import $CERTNAME's EC Cert"
 	  certu -A -n "${CERTNAME}-ec" -t "u,u,u" -d "${PROFILEDIR}" \
 		-f "${R_PWFILE}" -i "${CERTNAME}-ec.cert" 2>&1
 	fi
     done
 
-  fi # if NSS_ENABLE_ECC=1
+  fi # $NSS_DISABLE_ECC
 }
 
 ########################### cert_extensions_test #############################
 # local shell function to test cert extensions generation
 ##############################################################################
 cert_extensions_test()
 {
     COUNT=`expr ${COUNT} + 1`
@@ -1222,17 +1222,17 @@ addcert ${CRL_GRP_1_BEGIN}-${CRL_GRP_END
 addext reasonCode 0 4
 addext issuerAltNames 0 "rfc822Name:caemail@ca.com|dnsName:ca.com|directoryName:CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US|URI:http://ca.com|ipAddress:192.168.0.1|registerID=reg CA"
 EOF_CRLINI
 # This extension should be added to the list, but currently nss has bug
 #addext authKeyId 0 "CN=NSS Test CA,O=BOGUS NSS,L=Mountain View,ST=California,C=US" 1
   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
   chmod 600 ${CRL_FILE_GRP_1}_or
 
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Generating CRL (ECC) for range ${CRL_GRP_1_BEGIN}-${CRL_GRP_END} TestCA-ec authority"
 
 #     Until Bug 292285 is resolved, do not encode x400 Addresses. After
 #     the bug is resolved, reintroduce "x400Address:x400Address" within
 #     addext issuerAltNames ...
       crlu -q -d $CADIR -G -n "TestCA-ec" -f ${R_PWFILE} \
 	  -o ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
 update=$CRLUPDATE
@@ -1255,17 +1255,17 @@ EOF_CRLINI
   crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}_or1 \
       -i ${CRL_FILE_GRP_1}_or <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_END} $CRL_GRP_DATE
 EOF_CRLINI
   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
   chmod 600 ${CRL_FILE_GRP_1}_or1
   TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or"
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Modify CRL (ECC) by adding one more cert"
       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} \
 	  -o ${CRL_FILE_GRP_1}_or1-ec -i ${CRL_FILE_GRP_1}_or-ec <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_END} $CRL_GRP_DATE
 EOF_CRLINI
       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
       chmod 600 ${CRL_FILE_GRP_1}_or1-ec
@@ -1279,17 +1279,17 @@ EOF_CRLINI
   CRLUPDATE=`date -u "+%Y%m%d%H%M%SZ"`
   crlu -d $CADIR -M -n "TestCA" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1} \
       -i ${CRL_FILE_GRP_1}_or1 <<EOF_CRLINI
 update=$CRLUPDATE
 rmcert  ${UNREVOKED_CERT_GRP_1}
 EOF_CRLINI
   chmod 600 ${CRL_FILE_GRP_1}
   TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1"
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Modify CRL (ECC) by removing one cert"
       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_1}-ec \
 	  -i ${CRL_FILE_GRP_1}_or1-ec <<EOF_CRLINI
 update=$CRLUPDATE
 rmcert  ${UNREVOKED_CERT_GRP_1}
 EOF_CRLINI
       chmod 600 ${CRL_FILE_GRP_1}-ec
       TEMPFILES="$TEMPFILES ${CRL_FILE_GRP_1}_or1-ec"
@@ -1308,17 +1308,17 @@ EOF_CRLINI
           -i ${CRL_FILE_GRP_1} <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
 addext invalidityDate 0 $CRLUPDATE
 rmcert  ${UNREVOKED_CERT_GRP_2}
 EOF_CRLINI
   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
   chmod 600 ${CRL_FILE_GRP_2}
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Creating CRL (ECC) for groups 1 and 2"
       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_2}-ec \
           -i ${CRL_FILE_GRP_1}-ec <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_2_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
 addext invalidityDate 0 $CRLUPDATE
 rmcert  ${UNREVOKED_CERT_GRP_2}
 EOF_CRLINI
@@ -1341,17 +1341,17 @@ EOF_CRLINI
             -i ${CRL_FILE_GRP_2} <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
 rmcert  ${UNREVOKED_CERT_GRP_3}
 addext crlNumber 0 2
 EOF_CRLINI
   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
   chmod 600 ${CRL_FILE_GRP_3}
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Creating CRL (ECC) for groups 1, 2 and 3"
       crlu -d $CADIR -M -n "TestCA-ec" -f ${R_PWFILE} -o ${CRL_FILE_GRP_3}-ec \
           -i ${CRL_FILE_GRP_2}-ec <<EOF_CRLINI
 update=$CRLUPDATE
 addcert ${CRL_GRP_3_BEGIN}-${CRL_GRP_END} $CRL_GRP_DATE
 rmcert  ${UNREVOKED_CERT_GRP_3}
 addext crlNumber 0 2
 EOF_CRLINI
@@ -1361,17 +1361,17 @@ EOF_CRLINI
 
   ############ Importing Server CA Issued CRL for certs of first group #######
 
   echo "$SCRIPTNAME: Importing Server CA Issued CRL for certs ${CRL_GRP_BEGIN} trough ${CRL_GRP_END}"
   CU_ACTION="Importing CRL for groups 1"
   crlu -D -n TestCA  -f "${R_PWFILE}" -d "${R_SERVERDIR}"
   crlu -I -i ${CRL_FILE} -n "TestCA" -f "${R_PWFILE}" -d "${R_SERVERDIR}"
   CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       CU_ACTION="Importing CRL (ECC) for groups 1"
       crlu -D -n TestCA-ec  -f "${R_PWFILE}" -d "${R_SERVERDIR}"
       crlu -I -i ${CRL_FILE}-ec -n "TestCA-ec" -f "${R_PWFILE}" \
 	  -d "${R_SERVERDIR}"
       CRL_GEN_RES=`expr $? + $CRL_GEN_RES`
   fi
 
   if [ "$CERTFAILED" != 0 -o "$CRL_GEN_RES" != 0 ] ; then
--- a/security/nss/tests/common/cleanup.sh
+++ b/security/nss/tests/common/cleanup.sh
@@ -9,16 +9,19 @@ if [ -z "${CLEANUP}" -o "${CLEANUP}" = "
     echo
     echo "SUMMARY:"
     echo "========"
     echo "NSS variables:"
     echo "--------------"
     echo "HOST=${HOST}"
     echo "DOMSUF=${DOMSUF}"
     echo "BUILD_OPT=${BUILD_OPT}"
+    if [ "${OS_ARCH}" = "Linux" ]; then
+        echo "USE_X32=${USE_X32}"
+    fi
     echo "USE_64=${USE_64}"
     echo "NSS_CYCLES=\"${NSS_CYCLES}\""
     echo "NSS_TESTS=\"${NSS_TESTS}\""
     echo "NSS_SSL_TESTS=\"${NSS_SSL_TESTS}\""
     echo "NSS_SSL_RUN=\"${NSS_SSL_RUN}\""
     echo "NSS_AIA_PATH=${NSS_AIA_PATH}"
     echo "NSS_AIA_HTTP=${NSS_AIA_HTTP}"
     echo "NSS_AIA_OCSP=${NSS_AIA_OCSP}"
--- a/security/nss/tests/remote/Makefile
+++ b/security/nss/tests/remote/Makefile
@@ -75,17 +75,17 @@ package_for_testing:
 	cat $(PCFG)                                  >> $(RTSH)
 	echo 'export NSS_TESTS=$(NSS_TESTS)'         >> $(RTSH)
 	echo 'export NSS_SSL_TESTS=$(NSS_SSL_TESTS)' >> $(RTSH)
 	echo 'export NSS_SSL_RUN=$(NSS_SSL_RUN)'     >> $(RTSH)
 	echo 'export NSS_CYCLES=$(NSS_CYCLES)'       >> $(RTSH)
 	echo 'export USE_64=$(USE_64)'               >> $(RTSH)
 	echo 'export BUILD_OPT=$(BUILD_OPT)'         >> $(RTSH)
 	echo 'export PKITS_DATA=$(PKITS_DATA)'       >> $(RTSH)
-	echo 'export NSS_ENABLE_ECC=$(NSS_ENABLE_ECC)'                       >> $(RTSH)
+	echo 'export NSS_DISABLE_ECC=$(NSS_DISABLE_ECC)'                     >> $(RTSH)
 	echo 'export NSS_ECC_MORE_THAN_SUITE_B=$(NSS_ECC_MORE_THAN_SUITE_B)' >> $(RTSH)
 	echo 'export NSPR_LOG_MODULES=$(NSPR_LOG_MODULES)'                   >> $(RTSH)
 ifeq ($(OS_TARGET),Android)
 	# Android doesn't support FIPS tests, because
 	# dladdr does not return a full path for implicitly loaded libraries
 	echo "export NSS_TEST_DISABLE_FIPS=1" >> $(DIST)/platform.cfg
 endif
 ifeq ($(CROSS_COMPILE),1)
--- a/security/nss/tests/smime/smime.sh
+++ b/security/nss/tests/smime/smime.sh
@@ -35,17 +35,17 @@ smime_init()
       . ./init.sh
   fi
   if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
       cd ../cert
       . ./cert.sh
   fi
   SCRIPTNAME=smime.sh
 
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       html_head "S/MIME Tests with ECC"
   else
       html_head "S/MIME Tests"
   fi
 
   grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
       Exit 11 "Fatal - S/MIME of cert.sh needs to pass first"
   }
@@ -80,17 +80,17 @@ smime_sign()
   ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice.${SIG} -d ${P_R_BOBDIR} -o alice.data.${HASH}
   html_msg $? 0 "Decode Alice's Attached Signature (${HASH})" "."
 
   echo "diff alice.txt alice.data.${HASH}"
   diff alice.txt alice.data.${HASH}
   html_msg $? 0 "Compare Attached Signed Data and Original (${HASH})" "."
 
 # Test ECDSA signing for all hash algorithms.
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       echo "$SCRIPTNAME: Signing Detached Message ECDSA w/ {$HASH} ------------------"
       echo "cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}"
       ${PROFTOOL} ${BINDIR}/cmsutil -S -T -N Alice-ec ${HASH_CMD} -i alice.txt -d ${P_R_ALICEDIR} -p nss -o alice-ec.d${SIG}
       html_msg $? 0 "Create Detached Signature Alice (ECDSA w/ ${HASH})" "."
 
       echo "cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} "
       ${PROFTOOL} ${BINDIR}/cmsutil -D -i alice-ec.d${SIG} -c alice.txt -d ${P_R_BOBDIR} 
       html_msg $? 0 "Verifying Alice's Detached Signature (ECDSA w/ ${HASH})" "."
--- a/security/nss/tests/ssl/ssl.sh
+++ b/security/nss/tests/ssl/ssl.sh
@@ -77,17 +77,17 @@ ssl_init()
 
   fileout=0 #FIXME, looks like all.sh tried to turn this on but actually didn't
   #fileout=1
   #verbose="-v" #FIXME - see where this is usefull
 
   USER_NICKNAME=TestUser
   NORM_EXT=""
 
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       ECC_STRING=" - with ECC"
   else
       ECC_STRING=""
   fi
 
   CSHORT="-c ABCDEF:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"
   CLONG="-c ABCDEF:C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C027:C02B:C02F:003B:003C:003D:0041:0084:009Ccdefgijklmnvyz"
 
@@ -197,17 +197,17 @@ kill_selfserv()
 # also: wait until the server is up and running
 ########################################################################
 start_selfserv()
 {
   if [ -n "$testname" ] ; then
       echo "$SCRIPTNAME: $testname ----"
   fi
   sparam=`echo $sparam | sed -e 's;_; ;g'`
-  if [ -n "$NSS_ENABLE_ECC" ] && \
+  if [ -z "$NSS_DISABLE_ECC" ] && \
      [ -z "$NO_ECC_CERTS" -o "$NO_ECC_CERTS" != "1"  ] ; then
       ECC_OPTIONS="-e ${HOSTADDR}-ec"
   else
       ECC_OPTIONS=""
   fi
   if [ "$1" = "mixed" ]; then
       ECC_OPTIONS="-e ${HOSTADDR}-ecmixed"
   fi
@@ -253,17 +253,17 @@ start_selfserv()
 ############################## ssl_cov #################################
 # local shell function to perform SSL Cipher Coverage tests
 ########################################################################
 ssl_cov()
 {
   html_head "SSL Cipher Coverage $NORM_EXT - server $SERVER_MODE/client $CLIENT_MODE $ECC_STRING"
 
   testname=""
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       sparam="$CLONG"
   else
       sparam="$CSHORT"
   fi
 
   mixed=0
   start_selfserv # Launch the server
 
@@ -287,17 +287,17 @@ ssl_cov()
           # default in libssl but it is enabled by default in tstclnt; we want
           # to test the libssl default whenever possible.
           SSL2_FLAGS=
           VMIN="ssl3"
       fi
       
       if [ "$NORM_EXT" = "Extended Test" -a "${SSL2}" -eq 0 ] ; then
           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
-      elif [ "$ectype" = "ECC" -a -z "$NSS_ENABLE_ECC" ] ; then
+      elif [ "$ectype" = "ECC" -a -n "$NSS_DISABLE_ECC" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
       elif [ "$SERVER_MODE" = "fips" -o "$CLIENT_MODE" = "fips" ] && [ "$SSL2" -eq 0 -o "$EXP" -eq 0 ] ; then
           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
       elif [ "`echo $ectype | cut -b 1`" != "#" ] ; then
           echo "$SCRIPTNAME: running $testname ----------------------------"
           VMAX="ssl3"
           if [ "$testmax" = "TLS10" ]; then
               VMAX="tls1.0"
@@ -369,17 +369,17 @@ ssl_auth()
       [ -z "$ectype" ] && continue
       echo "${testname}" | grep "don't require client auth" > /dev/null
       CAUTH=$?
 
       if [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -eq 0 ] ; then
           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
       elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
-      elif [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
+      elif [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
       elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
           cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
           if [ "$ectype" = "SNI" ]; then
               cparam=`echo $cparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
               sparam=`echo $sparam | sed -e "s/Host/$HOST/g" -e "s/Dom/$DOMSUF/g" `
           fi
           start_selfserv
@@ -552,17 +552,17 @@ ssl_stress()
       SSL2=$?
       echo "${testname}" | grep "client auth" > /dev/null
       CAUTH=$?
 
       if [ "${SSL2}" -eq 0 -a "$NORM_EXT" = "Extended Test" ] ; then
           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
       elif [ "$ectype" = "SNI" -a "$NORM_EXT" = "Extended Test" ] ; then
           echo "$SCRIPTNAME: skipping  $testname for $NORM_EXT"
-      elif [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
+      elif [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
           echo "$SCRIPTNAME: skipping  $testname (ECC only)"
       elif [ "${SERVER_MODE}" = "fips" -o "${CLIENT_MODE}" = "fips" ] && [ "${SSL2}" -eq 0 ] ; then
           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
       elif [ "${CLIENT_MODE}" = "fips" -a "${CAUTH}" -ne 0 ] ; then
           echo "$SCRIPTNAME: skipping  $testname (non-FIPS only)"
       elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
           cparam=`echo $cparam | sed -e 's;_; ;g' -e "s/TestUser/$USER_NICKNAME/g" `
           if [ "$ectype" = "SNI" ]; then
@@ -618,17 +618,17 @@ ssl_crl_ssl()
   CRL_GROUP_BEGIN=$CRL_GRP_1_BEGIN
   CRL_GROUP_RANGE=$CRL_GRP_1_RANGE
   UNREVOKED_CERT=$UNREVOKED_CERT_GRP_1
 
   exec < ${SSLAUTH}
   while read ectype value sparam cparam testname
   do
     [ "$ectype" = "" ] && continue
-    if [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
+    if [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
         echo "$SCRIPTNAME: skipping $testname (ECC only)"
     elif [ "$ectype" = "SNI" ]; then
         continue
     elif [ "`echo $ectype | cut -b 1`" != "#" ]; then
 	servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
 	pwd=`echo $cparam | grep nss`
 	user=`echo $cparam | grep TestUser`
 	_cparam=$cparam
@@ -811,17 +811,17 @@ ssl_crl_cache()
   while [ $? -eq 0 -a -f ${SSLAUTH_TMP} ]
     do
     sparam=$SERV_ARG
     start_selfserv
     exec < ${SSLAUTH_TMP}
     while read ectype value sparam cparam testname
       do
       [ "$ectype" = "" ] && continue
-      if [ "$ectype" = "ECC" -a  -z "$NSS_ENABLE_ECC" ] ; then
+      if [ "$ectype" = "ECC" -a  -n "$NSS_DISABLE_ECC" ] ; then
         echo "$SCRIPTNAME: skipping  $testname (ECC only)"
       elif [ "$ectype" = "SNI" ]; then
           continue
       else
         servarg=`echo $sparam | awk '{r=split($0,a,"-r") - 1;print r;}'`
         pwd=`echo $cparam | grep nss`
         user=`echo $cparam | grep TestUser`
         _cparam=$cparam
--- a/security/nss/tests/tools/tools.sh
+++ b/security/nss/tests/tools/tools.sh
@@ -71,17 +71,17 @@ tools_init()
       . ./init.sh
   fi
   if [ ! -r $CERT_LOG_FILE ]; then  # we need certificates here
       cd ../cert
       . ./cert.sh
   fi
   SCRIPTNAME=tools.sh
 
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       html_head "Tools Tests with ECC"
   else
       html_head "Tools Tests"
   fi
 
   grep "SUCCESS: SMIME passed" $CERT_LOG_FILE >/dev/null || {
       Exit 15 "Fatal - S/MIME of cert.sh needs to pass first"
   }
@@ -367,17 +367,17 @@ tools_p12_export_with_null_ciphers()
 # Repeats the test with ECC if enabled.
 ########################################################################
 tools_p12_export_list_import_with_default_ciphers()
 {
   echo "$SCRIPTNAME: Exporting Alice's email cert & key - default ciphers"
   
   export_list_import "DEFAULT" "DEFAULT"
 
-  if [ -n "$NSS_ENABLE_ECC" ] ; then
+  if [ -z "$NSS_DISABLE_ECC" ] ; then
       echo "$SCRIPTNAME: Exporting Alice's email EC cert & key---------------"
       echo "pk12util -o Alice-ec.p12 -n \"Alice-ec\" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \\"
       echo "         -w ${R_PWFILE}"
       ${BINDIR}/pk12util -o Alice-ec.p12 -n "Alice-ec" -d ${P_R_ALICEDIR} -k ${R_PWFILE} \
            -w ${R_PWFILE} 2>&1 
       ret=$?
       html_msg $ret 0 "Exporting Alice's email EC cert & key (pk12util -o)"
       check_tmpfile