8 files changed, 95 insertions, 52 deletions

diff --git a/.travis/install.sh b/.travis/install.sh
index 17aee435..3ff723da 100755
--- a/.travis/install.sh
+++ b/.travis/install.sh
@@ -35,8 +35,8 @@ if [[ "$(uname -s)" == 'Darwin' ]]; then
             ;;
         pypy)
             brew outdated pyenv || brew upgrade pyenv
-            pyenv install pypy-2.6.0
-            pyenv global pypy-2.6.0
+            pyenv install pypy-2.6.1
+            pyenv global pypy-2.6.1
             ;;
         pypy3)
             brew outdated pyenv || brew upgrade pyenv
@@ -57,8 +57,8 @@ else
         PYENV_ROOT="$HOME/.pyenv"
         PATH="$PYENV_ROOT/bin:$PATH"
         eval "$(pyenv init -)"
-        pyenv install pypy-2.6.0
-        pyenv global pypy-2.6.0
+        pyenv install pypy-2.6.1
+        pyenv global pypy-2.6.1
     fi
     pip install virtualenv
 fi
diff --git a/.travis/run.sh b/.travis/run.sh
index 1ce8011f..3667b333 100755
--- a/.travis/run.sh
+++ b/.travis/run.sh
@@ -26,7 +26,7 @@ else
         PYENV_ROOT="$HOME/.pyenv"
         PATH="$PYENV_ROOT/bin:$PATH"
         eval "$(pyenv init -)"
-        pyenv global pypy-2.6.0
+        pyenv global pypy-2.6.1
     fi
 fi
 source ~/.venv/bin/activate
diff --git a/docs/fernet.rst b/docs/fernet.rst
index 8ea33eef..a066ae63 100644
--- a/docs/fernet.rst
+++ b/docs/fernet.rst
@@ -106,6 +106,45 @@ has support for implementing key rotation via :class:`MultiFernet`.
 
     See :meth:`Fernet.decrypt` for more information.
 
+
+Using passwords with Fernet
+---------------------------
+
+It is possible to use passwords with Fernet. To do this, you need to run the
+password through a key derivation function such as
+:class:`~cryptography.hazmat.primitives.kdf.pbkdf2.PBKDF2HMAC`, bcrypt or
+scrypt.
+
+.. code-block:: python
+
+    import base64
+    import os
+
+    from cryptography.fernet import Fernet
+    from cryptography.hazmat.backends import default_backend
+    from cryptography.hazmat.primitives import hashes
+    from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+
+    password = b"password"
+    salt = os.urandom(16)
+
+    kdf = PBKDF2HMAC(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=salt,
+        iterations=100000,
+        backend=default_backend
+    )
+    key = base64.urlsafe_b64encode(kdf.derive(password))
+    f = Fernet(key)
+
+In this scheme, the salt has to be stored in a retrievable location in order
+to derive the same key from the password in the future.
+
+The iteration count used should be adjusted to be as high as your server can
+tolerate. A good default is at least 100,000 iterations which is what Django
+`recommends`_ in 2014.
+
 Implementation
 --------------
 
@@ -125,3 +164,4 @@ For complete details consult the `specification`_.
 
 .. _`Fernet`: https://github.com/fernet/spec/
 .. _`specification`: https://github.com/fernet/spec/blob/master/Spec.md
+.. _`recommends`: https://github.com/django/django/blob/master/django/utils/crypto.py#L148
diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index 1eed7c7a..75497840 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -1,6 +1,7 @@
 affine
 backend
 backends
+bcrypt
 Backends
 Blowfish
 boolean
@@ -22,6 +23,7 @@ deserialize
 deserialized
 Diffie
 Docstrings
+Django
 Encodings
 fernet
 Fernet
diff --git a/docs/x509/tutorial.rst b/docs/x509/tutorial.rst
index d1c8ba14..0fa061a2 100644
--- a/docs/x509/tutorial.rst
+++ b/docs/x509/tutorial.rst
@@ -67,13 +67,16 @@ a few details:
     ...     x509.NameAttribute(NameOID.LOCALITY_NAME, u"San Francisco"),
     ...     x509.NameAttribute(NameOID.ORGANIZATION_NAME, u"My Company"),
     ...     x509.NameAttribute(NameOID.COMMON_NAME, u"mysite.com"),
-    ... ])).add_extension(x509.SubjectAlternativeName([
-    ...     # Describe what sites we want this certificate for.
-    ...     x509.DNSName(u"mysite.com"),
-    ...     x509.DNSName(u"www.mysite.com"),
-    ...     x509.DNSName(u"subdomain.mysite.com"),
+    ... ])).add_extension(
+    ...     x509.SubjectAlternativeName([
+    ...         # Describe what sites we want this certificate for.
+    ...         x509.DNSName(u"mysite.com"),
+    ...         x509.DNSName(u"www.mysite.com"),
+    ...         x509.DNSName(u"subdomain.mysite.com"),
+    ...     ]),
+    ...     critical=False,
     ... # Sign the CSR with our private key.
-    ... ])).sign(key, hashes.SHA256(), default_backend())
+    ... ).sign(key, hashes.SHA256(), default_backend())
     >>> # Write our CSR out to disk.
     >>> with open("path/to/csr.pem", "wb") as f:
     ...     f.write(csr.public_bytes(serialization.Encoding.PEM))
diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
index 8c4abcd6..197bcb8c 100644
--- a/src/cryptography/hazmat/backends/openssl/backend.py
+++ b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -529,13 +529,6 @@ class Backend(object):
 
         self._binding.init_static_locks()
 
-        # adds all ciphers/digests for EVP
-        self._lib.OpenSSL_add_all_algorithms()
-        # registers available SSL/TLS ciphers and digests
-        self._lib.SSL_library_init()
-        # loads error strings for libcrypto and libssl functions
-        self._lib.SSL_load_error_strings()
-
         self._cipher_registry = {}
         self._register_default_ciphers()
         self.activate_osrandom_engine()
diff --git a/src/cryptography/hazmat/bindings/openssl/binding.py b/src/cryptography/hazmat/bindings/openssl/binding.py
index e18d89c5..50d7f6d5 100644
--- a/src/cryptography/hazmat/bindings/openssl/binding.py
+++ b/src/cryptography/hazmat/bindings/openssl/binding.py
@@ -92,6 +92,12 @@ class Binding(object):
             if not cls._lib_loaded:
                 cls.lib = build_conditional_library(lib, CONDITIONAL_NAMES)
                 cls._lib_loaded = True
+                # initialize the SSL library
+                cls.lib.SSL_library_init()
+                # adds all ciphers/digests for EVP
+                cls.lib.OpenSSL_add_all_algorithms()
+                # loads error strings for libcrypto and libssl functions
+                cls.lib.SSL_load_error_strings()
                 cls._register_osrandom_engine()
 
     @classmethod
diff --git a/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem b/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem
index 960363d0..fdc82ae6 100644
--- a/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem
+++ b/vectors/cryptography_vectors/x509/custom/crl_all_reasons.pem
@@ -1,37 +1,36 @@
 -----BEGIN X509 CRL-----
-MIIGZTCCBU0CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV
+MIIGRzCCBS8CAQIwDQYJKoZIhvcNAQELBQAwJzELMAkGA1UEBhMCVVMxGDAWBgNV
 BAMMD2NyeXB0b2dyYXBoeS5pbxgPMjAxNTAxMDEwMDAwMDBaGA8yMDE2MDEwMTAw
-MDAwMFowggTsMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjB1AgEBGA8yMDE1MDEwMTAw
-MDAwMFowXzAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDcGA1UdHQEB/wQtMCuk
-KTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1Ud
-FQQDCgEAMHUCAQIYDzIwMTUwMTAxMDAwMDAwWjBfMBgGA1UdGAQRGA8yMDE1MDEw
-MTAwMDAwMFowNwYDVR0dAQH/BC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQD
-DA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwdQIBAxgPMjAxNTAxMDEwMDAw
-MDBaMF8wGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA3BgNVHR0BAf8ELTArpCkw
-JzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUE
-AwoBAjB1AgEEGA8yMDE1MDEwMTAwMDAwMFowXzAYBgNVHRgEERgPMjAxNTAxMDEw
-MDAwMDBaMDcGA1UdHQEB/wQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP
-Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEDMHUCAQUYDzIwMTUwMTAxMDAwMDAw
-WjBfMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNwYDVR0dAQH/BC0wK6QpMCcx
-CzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMK
-AQQwdQIBBhgPMjAxNTAxMDEwMDAwMDBaMF8wGAYDVR0YBBEYDzIwMTUwMTAxMDAw
-MDAwWjA3BgNVHR0BAf8ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2Ny
-eXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBBTB1AgEHGA8yMDE1MDEwMTAwMDAwMFow
-XzAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDcGA1UdHQEB/wQtMCukKTAnMQsw
-CQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEG
-MHUCAQgYDzIwMTUwMTAxMDAwMDAwWjBfMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAw
-MFowNwYDVR0dAQH/BC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw
-dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgwdQIBCRgPMjAxNTAxMDEwMDAwMDBaMF8w
-GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA3BgNVHR0BAf8ELTArpCkwJzELMAkG
-A1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBCTB1
-AgEKGA8yMDE1MDEwMTAwMDAwMFowXzAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBa
-MDcGA1UdHQEB/wQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRv
-Z3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIwMTUwMTAxMDAwMDAwWjAYMAoG
-A1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3DQEBCwUAA4IBAQAYO41YpMSq
-6pPwgp2gqBUHPkFe4FuoxP4kXpsdAurQMb3WM8eZBNMQkgLP94ZYW3cliy+QClb3
-3EzTbckFhnS/avpQGD92hkp7gY5aETL8PuxFpK8qD3gzS+YZ0icbHbqacGxRYwT5
-rdSKb0B5soXe6Wf149Z6mze3X8+kCKpZILHytFzlCeiUZ0lG4bZRYNyQEqGzpsXD
-8LuA5McqwASR1QkGNJTT7TKLBIfhy4CSt5aclnmdf4sWNQa9i560lj38ariZExXV
-mqtqFIfhvJiVwpljj08uWZocVJcCOEQ9yxk5iVRWMicT79p6wukHqq8ecJBkgH/W
-EO3JcHNjZRmW
+MDAwMFowggTOMBQCAQAYDzIwMTUwMTAxMDAwMDAwWjByAgEBGA8yMDE1MDEwMTAw
+MDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAn
+MQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQD
+CgEAMHICAQIYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAw
+MDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlw
+dG9ncmFwaHkuaW8wCgYDVR0VBAMKAQEwcgIBAxgPMjAxNTAxMDEwMDAwMDBaMFww
+GAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTArpCkwJzELMAkGA1UE
+BhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNVHRUEAwoBAjByAgEE
+GA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAxMDEwMDAwMDBaMDQG
+A1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5
+LmlvMAoGA1UdFQQDCgEDMHICAQUYDzIwMTUwMTAxMDAwMDAwWjBcMBgGA1UdGAQR
+GA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJBgNVBAYTAlVTMRgw
+FgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQQwcgIBBhgPMjAxNTAx
+MDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAwWjA0BgNVHR0ELTAr
+pCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dyYXBoeS5pbzAKBgNV
+HRUEAwoBBTByAgEHGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNVHRgEERgPMjAxNTAx
+MDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJVUzEYMBYGA1UEAwwP
+Y3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEGMHICAQgYDzIwMTUwMTAxMDAwMDAw
+WjBcMBgGA1UdGAQRGA8yMDE1MDEwMTAwMDAwMFowNAYDVR0dBC0wK6QpMCcxCzAJ
+BgNVBAYTAlVTMRgwFgYDVQQDDA9jcnlwdG9ncmFwaHkuaW8wCgYDVR0VBAMKAQgw
+cgIBCRgPMjAxNTAxMDEwMDAwMDBaMFwwGAYDVR0YBBEYDzIwMTUwMTAxMDAwMDAw
+WjA0BgNVHR0ELTArpCkwJzELMAkGA1UEBhMCVVMxGDAWBgNVBAMMD2NyeXB0b2dy
+YXBoeS5pbzAKBgNVHRUEAwoBCTByAgEKGA8yMDE1MDEwMTAwMDAwMFowXDAYBgNV
+HRgEERgPMjAxNTAxMDEwMDAwMDBaMDQGA1UdHQQtMCukKTAnMQswCQYDVQQGEwJV
+UzEYMBYGA1UEAwwPY3J5cHRvZ3JhcGh5LmlvMAoGA1UdFQQDCgEKMC4CAQsYDzIw
+MTUwMTAxMDAwMDAwWjAYMAoGA1UdFQQDCgEBMAoGAyoDBAQDCgEAMA0GCSqGSIb3
+DQEBCwUAA4IBAQBTaloHlPaCZzYee8LxkWej5meiqxQVNWFoVdjesroa+f1FRrH+
+drRU60Nq97KCKf7f9GNN/J3ZIlQmYhmuDqh12f+XLpotoj1ZRfBz2hjFCkJlv+2c
+oWWGNHgA70ndFoVtcmX088SYpX8E3ARATivS4q2h9WlwV6rO93mhg3HGIe3JpcK4
+7BcW6Poi/ut/zsDOkVbI00SqaujRpdmdCTht82MH3ztjyDkI9KYaD/YEweKSrWOz
+SdEILd164bfBeLuplVI+xpmTEMVNpXBlSXl7+xIw9Vk7p7Q1Pa3k/SvhOldYCm6y
+C1xAg/AAq6w78yzYt18j5Mj0s6eeHi1YpHKw
 -----END X509 CRL-----