Log Message:
Update to 3.31

Changelog:
New functionality:
==================
* Allow certificates to be specified by RFC7512 PKCS#11 URIs.
* Allow querying a certificate object for its temporary or permanent storage
  status in a thread safe way.

New Functions:
==============
* CERT_GetCertIsPerm - retrieve the permanent storage status attribute of a
  certificate in a thread safe way.
* CERT_GetCertIsTemp - retrieve the temporary storage status attribute of a
  certificate in a thread safe way.
* PK11_FindCertFromURI - find a certificate identified by the given URI.
* PK11_FindCertsFromURI - find a list of certificates identified by the given
  URI.
* PK11_GetModuleURI - retrieve the URI of the given module.
* PK11_GetTokenURI - retrieve the URI of a token based on the given slot
  information.
* PK11URI_CreateURI - create a new PK11URI object from a set of attributes.
* PK11URI_DestroyURI - destroy a PK11URI object.
* PK11URI_FormatURI - format a PK11URI object to a string.
* PK11URI_GetPathAttribute - retrieve a path attribute with the given name.
* PK11URI_GetQueryAttribute - retrieve a query attribute with the given name.
* PK11URI_ParseURI - parse PKCS#11 URI and return a new PK11URI object.

New Macros:
===========
* Several new macros that start with PK11URI_PATTR_ for path attributes defined
  in RFC7512.
* Several new macros that start with PK11URI_QATTR_ for query attributes defined
  in RFC7512.

Notable Changes:
================
* The APIs that set a TLS version range have been changed to trim the requested
  range to the overlap with a systemwide crypto policy, if configured.
  SSL_VersionRangeGetSupported can be used to query the overlap between the
  library's supported range of TLS versions and the systemwide policy.
* Previously, SSL_VersionRangeSet and SSL_VersionRangeSetDefault returned a
  failure if the requested version range wasn't fully allowed by the systemwide
  crypto policy. They have been changed to return success, if at least one TLS
  version overlaps between the requested range and the systemwide policy. An
  application may call SSL_VersionRangeGet and SSL_VersionRangeGetDefault to
  query the TLS version range that was effectively activated.
* Corrected the encoding of Domain Name Constraints extensions created by
  certutil.
* NSS supports a clean seeding mechanism for *NIX systems now using only
  /dev/urandom. This is used only when SEED_ONLY_DEV_URANDOM is set at compile
  time.
* CERT_AsciiToName can handle OIDs in dotted decimal form now.

The HG tag is NSS_3_31_RTM. NSS 3.31 requires NSPR 4.15 or newer.