Be sure not to ask NSS to use an invalid PKCS11 mechanism.

Bugscape bug 53875.  r=relyea.

security/nss/lib/smime/cmsenvdata.c

@@ -34,7 +34,7 @@
 /*
  * CMS envelopedData methods.
  *
- * $Id: cmsenvdata.c,v 1.7 2002/01/25 19:08:18 relyea%netscape.com Exp $
+ * $Id: cmsenvdata.c,v 1.8 2003/11/20 02:00:04 nelsonb%netscape.com Exp $
  */
 
 #include "cmslocal.h"
@@ -360,7 +360,11 @@ NSS_CMSEnvelopedData_Decode_BeforeData(NSSCMSEnvelopedData *envd)
 
     cinfo = &(envd->contentInfo);
     bulkalgtag = NSS_CMSContentInfo_GetContentEncAlgTag(cinfo);
-    bulkkey = NSS_CMSRecipientInfo_UnwrapBulkKey(ri,recipient->subIndex,
+    if (bulkalgtag == SEC_OID_UNKNOWN) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+    } else 
+	bulkkey = 
+	    NSS_CMSRecipientInfo_UnwrapBulkKey(ri,recipient->subIndex,
 						    recipient->cert,
 						    recipient->privkey,
 						    bulkalgtag);

security/nss/lib/smime/cmspubkey.c

@@ -34,7 +34,7 @@
 /*
  * CMS public key crypto
  *
- * $Id: cmspubkey.c,v 1.5 2002/12/17 01:39:46 wtc%netscape.com Exp $
+ * $Id: cmspubkey.c,v 1.6 2003/11/20 02:00:04 nelsonb%netscape.com Exp $
  */
 
 #include "cmslocal.h"
@@ -128,7 +128,14 @@ PK11SymKey *
 NSS_CMSUtil_DecryptSymKey_RSA(SECKEYPrivateKey *privkey, SECItem *encKey, SECOidTag bulkalgtag)
 {
     /* that's easy */
-    return PK11_PubUnwrapSymKey(privkey, encKey, PK11_AlgtagToMechanism(bulkalgtag), CKA_DECRYPT, 0);
+    CK_MECHANISM_TYPE target;
+    PORT_Assert(bulkalgtag != SEC_OID_UNKNOWN);
+    target = PK11_AlgtagToMechanism(bulkalgtag);
+    if (bulkalgtag == SEC_OID_UNKNOWN || target == CKM_INVALID_MECHANISM) {
+	PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
+	return NULL;
+    }
+    return PK11_PubUnwrapSymKey(privkey, encKey, target, CKA_DECRYPT, 0);
 }
 
 /* ====== MISSI (Fortezza) ========================================================== */