diff --git a/ChangeLog b/ChangeLog
index 9da96ae77..e70f196c4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2008-08-25  Dan Williams  <dcbw@redhat.com>
+
+	* libnm-util/crypto_gnutls.c
+	  libnm-util/crypto_nss.c
+		- (crypto_init, crypto_deinit): refcount init/deinit
+		- (crypto_md5_hash): allow NULL salt
+
 2008-08-22  Michael Biebl  <mbiebl@gmail.com>
 
 	* libnm-glib/Makefile.am
diff --git a/libnm-util/crypto_gnutls.c b/libnm-util/crypto_gnutls.c
index 92b40ddb6..16a92a9f2 100644
--- a/libnm-util/crypto_gnutls.c
+++ b/libnm-util/crypto_gnutls.c
@@ -29,17 +29,23 @@
 
 #include "crypto.h"
 
+static guint32 refcount = 0;
+
 gboolean
 crypto_init (GError **error)
 {
-	gnutls_global_init();
+	if (refcount == 0)
+		gnutls_global_init();
+	refcount++;
 	return TRUE;
 }
 
 void
 crypto_deinit (void)
 {
-	gnutls_global_deinit();
+	refcount--;
+	if (refcount == 0)
+		gnutls_global_deinit();
 }
 
 gboolean
@@ -59,8 +65,9 @@ crypto_md5_hash (const char *salt,
 	char digest[MD5_HASH_LEN];
 	char *p = buffer;
 
-	g_return_val_if_fail (salt != NULL, FALSE);
-	g_return_val_if_fail (salt_len >= 8, FALSE);
+	if (salt)
+		g_return_val_if_fail (salt_len >= 8, FALSE);
+
 	g_return_val_if_fail (password != NULL, FALSE);
 	g_return_val_if_fail (password_len > 0, FALSE);
 	g_return_val_if_fail (buffer != NULL, FALSE);
@@ -81,7 +88,8 @@ crypto_md5_hash (const char *salt,
 		if (count++)
 			gcry_md_write (ctx, digest, digest_len);
 		gcry_md_write (ctx, password, password_len);
-		gcry_md_write (ctx, salt, 8); /* Only use 8 bytes of salt */
+		if (salt)
+			gcry_md_write (ctx, salt, 8); /* Only use 8 bytes of salt */
 		gcry_md_final (ctx);
 		memcpy (digest, gcry_md_read (ctx, 0), digest_len);
 		gcry_md_reset (ctx);
diff --git a/libnm-util/crypto_nss.c b/libnm-util/crypto_nss.c
index a6ac33e86..b938f4253 100644
--- a/libnm-util/crypto_nss.c
+++ b/libnm-util/crypto_nss.c
@@ -32,20 +32,27 @@
 
 #include "crypto.h"
 
+static guint32 refcount = 0;
 
 gboolean
 crypto_init (GError **error)
 {
-	PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 1);
-	NSS_NoDB_Init (NULL);
+	if (refcount == 0) {
+		PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 1);
+		NSS_NoDB_Init (NULL);
+	}
+	refcount++;
 	return TRUE;
 }
 
 void
 crypto_deinit (void)
 {
-	NSS_Shutdown ();
-	PR_Cleanup ();
+	refcount--;
+	if (refcount == 0) {
+		NSS_Shutdown ();
+		PR_Cleanup ();
+	}
 }
 
 gboolean
@@ -64,8 +71,9 @@ crypto_md5_hash (const char *salt,
 	char digest[MD5_HASH_LEN];
 	char *p = buffer;
 
-	g_return_val_if_fail (salt != NULL, FALSE);
-	g_return_val_if_fail (salt_len >= 8, FALSE);
+	if (salt)
+		g_return_val_if_fail (salt_len >= 8, FALSE);
+
 	g_return_val_if_fail (password != NULL, FALSE);
 	g_return_val_if_fail (password_len > 0, FALSE);
 	g_return_val_if_fail (buffer != NULL, FALSE);
@@ -87,7 +95,8 @@ crypto_md5_hash (const char *salt,
 		if (count++)
 			PK11_DigestOp (ctx, (const unsigned char *) digest, digest_len);
 		PK11_DigestOp (ctx, (const unsigned char *) password, password_len);
-		PK11_DigestOp (ctx, (const unsigned char *) salt, 8); /* Only use 8 bytes of salt */
+		if (salt)
+			PK11_DigestOp (ctx, (const unsigned char *) salt, 8); /* Only use 8 bytes of salt */
 		PK11_DigestFinal (ctx, (unsigned char *) digest, &digest_len, sizeof (digest));
 
 		while (nkey && (i < digest_len)) {