Revert didn't even build, build with the actual fix.

nss-3.94-fix-ec-encoding.patch

@@ -0,0 +1,107 @@
+diff --git a/lib/freebl/blapit.h b/lib/freebl/blapit.h
+--- a/lib/freebl/blapit.h
++++ b/lib/freebl/blapit.h
+@@ -387,17 +387,18 @@ typedef struct DHPrivateKeyStr DHPrivate
+ */
+ 
+ /*
+ ** The ECParams data structures can encode elliptic curve
+ ** parameters for both GFp and GF2m curves.
+ */
+ 
+ typedef enum { ec_params_explicit,
+-               ec_params_named
++               ec_params_named,
++               ec_params_edwards_named
+ } ECParamsType;
+ 
+ typedef enum { ec_field_GFp = 1,
+                ec_field_GF2m,
+                ec_field_plain
+ } ECFieldType;
+ 
+ struct ECFieldIDStr {
+diff --git a/lib/freebl/ecdecode.c b/lib/freebl/ecdecode.c
+--- a/lib/freebl/ecdecode.c
++++ b/lib/freebl/ecdecode.c
+@@ -171,16 +171,17 @@ EC_FillParams(PLArenaPool *arena, const 
+              * (the NIST P-521 curve)
+              */
+             CHECK_SEC_OK(gf_populate_params_bytes(ECCurve_SECG_PRIME_521R1,
+                                                   ec_field_GFp, params));
+             break;
+ 
+         case SEC_OID_CURVE25519:
+             /* Populate params for Curve25519 */
++            params->type = ec_params_edwards_named;
+             CHECK_SEC_OK(gf_populate_params_bytes(ECCurve25519,
+                                                   ec_field_plain,
+                                                   params));
+             break;
+ 
+         default:
+             break;
+     };
+diff --git a/lib/softoken/pkcs11.c b/lib/softoken/pkcs11.c
+--- a/lib/softoken/pkcs11.c
++++ b/lib/softoken/pkcs11.c
+@@ -1921,17 +1921,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
+                 /* special note: We can't just use the first byte to distinguish
+                  * between EC_POINT_FORM_UNCOMPRESSED and SEC_ASN1_OCTET_STRING.
+                  * Both are 0x04. */
+ 
+                 /* Handle the non-DER encoded case.
+                  * Some curves are always pressumed to be non-DER.
+                  */
+                 if (pubKey->u.ec.publicValue.len == keyLen &&
+-                    (pubKey->u.ec.ecParams.fieldID.type == ec_field_plain ||
++                    (pubKey->u.ec.ecParams.type == ec_params_edwards_named ||
+                      pubKey->u.ec.publicValue.data[0] == EC_POINT_FORM_UNCOMPRESSED)) {
+                     break; /* key was not DER encoded, no need to unwrap */
+                 }
+ 
+                 /* handle the encoded case */
+                 if ((pubKey->u.ec.publicValue.data[0] == SEC_ASN1_OCTET_STRING) &&
+                     pubKey->u.ec.publicValue.len > keyLen) {
+                     SECItem publicValue;
+@@ -1941,17 +1941,17 @@ sftk_GetPubKey(SFTKObject *object, CK_KE
+                                                 SEC_ASN1_GET(SEC_OctetStringTemplate),
+                                                 &pubKey->u.ec.publicValue);
+                     /* nope, didn't decode correctly */
+                     if ((rv != SECSuccess) || (publicValue.len != keyLen)) {
+                         crv = CKR_ATTRIBUTE_VALUE_INVALID;
+                         break;
+                     }
+                     /* we don't handle compressed points except in the case of ECCurve25519 */
+-                    if ((pubKey->u.ec.ecParams.fieldID.type != ec_field_plain) &&
++                    if ((pubKey->u.ec.ecParams.type != ec_params_edwards_named) &&
+                         (publicValue.data[0] != EC_POINT_FORM_UNCOMPRESSED)) {
+                         crv = CKR_ATTRIBUTE_VALUE_INVALID;
+                         break;
+                     }
+                     /* replace our previous with the decoded key */
+                     pubKey->u.ec.publicValue = publicValue;
+                     break;
+                 }
+diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
+--- a/lib/softoken/pkcs11c.c
++++ b/lib/softoken/pkcs11c.c
+@@ -5655,17 +5655,17 @@ NSC_GenerateKeyPair(CK_SESSION_HANDLE hS
+                     sftk_fatalError = PR_TRUE;
+                 }
+                 PORT_FreeArena(ecParams->arena, PR_TRUE);
+                 crv = sftk_MapCryptError(PORT_GetError());
+                 break;
+             }
+ 
+             if (PR_GetEnvSecure("NSS_USE_DECODED_CKA_EC_POINT") ||
+-                ecParams->fieldID.type == ec_field_plain) {
++                ecParams->type == ec_params_edwards_named) {
+                 PORT_FreeArena(ecParams->arena, PR_TRUE);
+                 crv = sftk_AddAttributeType(publicKey, CKA_EC_POINT,
+                                             sftk_item_expand(&ecPriv->publicValue));
+             } else {
+                 PORT_FreeArena(ecParams->arena, PR_TRUE);
+                 SECItem *pubValue = SEC_ASN1EncodeItem(NULL, NULL,
+                                                        &ecPriv->publicValue,
+                                                        SEC_ASN1_GET(SEC_OctetStringTemplate));

nss.spec

@@ -131,13 +131,12 @@ Patch4:           iquote.patch
 Patch12:          nss-signtool-format.patch
 # fedora disabled dbm by default
 Patch40:          nss-no-dbm-man-page.patch
+# https://bugzilla.mozilla.org/show_bug.cgi?id=1861265
+Patch50:          nss-3.94-fix-ec-encoding.patch
 
 Patch100:         nspr-config-pc.patch
 Patch101:         nspr-gcc-atomics.patch
 
-# NSS reversion patchtes
-Patch300:         nss-3.94-HACL-p256.patch
-
 %description
 Network Security Services (NSS) is a set of libraries designed to
 support cross-platform development of security-enabled client and
@@ -299,7 +298,6 @@ popd
 
 pushd nss
 %autopatch -p1 -M 99
-%patch -P 300 -R -p1
 popd
 
 # https://bugzilla.redhat.com/show_bug.cgi?id=1247353