diff --git a/.cryptsetup.metadata b/.cryptsetup.metadata
index 332265b..43f7538 100644
--- a/.cryptsetup.metadata
+++ b/.cryptsetup.metadata
@@ -1 +1 @@
-73945fc1ab637ce58c1f4bd5dd9c529cf96b16e7 SOURCES/cryptsetup-1.6.3.tar.bz2
+2e7a045cc88491df4f08e0f4023c15fcbdf170d6 SOURCES/cryptsetup-1.6.6.tar.xz
diff --git a/.gitignore b/.gitignore
index f8a34f5..00371b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/cryptsetup-1.6.3.tar.bz2
+SOURCES/cryptsetup-1.6.6.tar.xz
diff --git a/SOURCES/cryptsetup-1.6.7-drop-fips-post.patch b/SOURCES/cryptsetup-1.6.7-drop-fips-post.patch
new file mode 100644
index 0000000..a780383
--- /dev/null
+++ b/SOURCES/cryptsetup-1.6.7-drop-fips-post.patch
@@ -0,0 +1,110 @@
+From 01b2be2b72bc5509e8155982b9dae0bc5914b6c9 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Thu, 30 Oct 2014 15:21:31 +0100
+Subject: [PATCH 1/2] libcryptsetup: drop FIPS power on self test
+
+- cryptsetup library is not required to be FIPS certified anymore
+  due to fact gcrypt PBKDF2 algorithm can be used instead of
+  cryptsetup internal one.
+
+- check in library constructor is no longer needed and therefore
+  removed.
+
+- all other checks regarding MK extraction or random generator
+  restrictions remain the same
+---
+ lib/setup.c      |  5 -----
+ lib/utils_fips.c | 23 +----------------------
+ lib/utils_fips.h |  5 +----
+ 3 files changed, 2 insertions(+), 31 deletions(-)
+
+diff --git a/lib/setup.c b/lib/setup.c
+index 8261445..0ca9e11 100644
+--- a/lib/setup.c
++++ b/lib/setup.c
+@@ -2690,8 +2690,3 @@ int crypt_get_active_device(struct crypt_device *cd, const char *name,
+ 
+ 	return 0;
+ }
+-
+-static void __attribute__((constructor)) libcryptsetup_ctor(void)
+-{
+-	crypt_fips_libcryptsetup_check();
+-}
+diff --git a/lib/utils_fips.c b/lib/utils_fips.c
+index 9a3caae..1e284f6 100644
+--- a/lib/utils_fips.c
++++ b/lib/utils_fips.c
+@@ -1,7 +1,7 @@
+ /*
+  * FIPS mode utilities
+  *
+- * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or
+  * modify it under the terms of the GNU General Public License
+@@ -18,15 +18,11 @@
+  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+  */
+ 
+-#include <stdlib.h>
+-#include <stdio.h>
+ #include <unistd.h>
+-#include "nls.h"
+ #include "utils_fips.h"
+ 
+ #if !ENABLE_FIPS
+ int crypt_fips_mode(void) { return 0; }
+-void crypt_fips_libcryptsetup_check(void) {}
+ #else
+ #include <fipscheck.h>
+ 
+@@ -34,21 +30,4 @@ int crypt_fips_mode(void)
+ {
+ 	return FIPSCHECK_kernel_fips_mode() && !access(FIPS_MODULE_FILE, F_OK);
+ }
+-
+-static void crypt_fips_verify(const char *name, const char *function)
+-{
+-	if (access(FIPS_MODULE_FILE, F_OK))
+-		return;
+-
+-	if (!FIPSCHECK_verify(name, function)) {
+-		fputs(_("FIPS checksum verification failed.\n"), stderr);
+-		if (FIPSCHECK_kernel_fips_mode())
+-			_exit(EXIT_FAILURE);
+-	}
+-}
+-
+-void crypt_fips_libcryptsetup_check(void)
+-{
+-	crypt_fips_verify(LIBCRYPTSETUP_VERSION_FIPS, "crypt_init");
+-}
+ #endif /* ENABLE_FIPS */
+diff --git a/lib/utils_fips.h b/lib/utils_fips.h
+index 59f2339..fc430bd 100644
+--- a/lib/utils_fips.h
++++ b/lib/utils_fips.h
+@@ -1,7 +1,7 @@
+ /*
+  * FIPS mode utilities
+  *
+- * Copyright (C) 2011-2013, Red Hat, Inc. All rights reserved.
++ * Copyright (C) 2011-2014, Red Hat, Inc. All rights reserved.
+  *
+  * This program is free software; you can redistribute it and/or
+  * modify it under the terms of the GNU General Public License
+@@ -21,9 +21,6 @@
+ #ifndef _UTILS_FIPS_H
+ #define _UTILS_FIPS_H
+ 
+-struct crypt_device;
+-
+ int crypt_fips_mode(void);
+-void crypt_fips_libcryptsetup_check(void);
+ 
+ #endif /* _UTILS_FIPS_H */
+-- 
+1.9.3
+
diff --git a/SOURCES/cryptsetup-1.6.7-use-fsync-isntead-of-odirect.patch b/SOURCES/cryptsetup-1.6.7-use-fsync-isntead-of-odirect.patch
new file mode 100644
index 0000000..4464cce
--- /dev/null
+++ b/SOURCES/cryptsetup-1.6.7-use-fsync-isntead-of-odirect.patch
@@ -0,0 +1,85 @@
+From 3d6bcae84c5f55a82dc0056e3d7da33bee3f00b9 Mon Sep 17 00:00:00 2001
+From: Ondrej Kozina <okozina@redhat.com>
+Date: Wed, 17 Sep 2014 16:38:39 +0200
+Subject: [PATCH] reencrypt: use fsync instead of O_DIRECT flag
+
+O_DIRECT operations directed towards filesystem are problematic:
+There's no sane way how to detect specific filesystem requirements
+for such operations.
+
+This patch is replacing O_DIRECT flag with O_SYNC flag for all
+open() calls related to reencrypt log. The O_SYNC flag is used
+when --use-fsync option is detected.
+
+Man page is modified accordingly.
+---
+ man/cryptsetup-reencrypt.8 |  6 ++++--
+ src/cryptsetup_reencrypt.c | 12 ++----------
+ 2 files changed, 6 insertions(+), 12 deletions(-)
+
+diff --git a/man/cryptsetup-reencrypt.8 b/man/cryptsetup-reencrypt.8
+index b3c374c..e0de656 100644
+--- a/man/cryptsetup-reencrypt.8
++++ b/man/cryptsetup-reencrypt.8
+@@ -158,13 +158,15 @@ WARNING: This is destructive operation and cannot be reverted.
+ 
+ .TP
+ .B "\-\-use-directio"
+-Use direct-io (O_DIRECT) for all read/write data operations.
++Use direct-io (O_DIRECT) for all read/write data operations related
++to block device undergoing reencryption.
+ 
+ Useful if direct-io operations perform better than normal buffered
+ operations (e.g. in virtual environments).
+ .TP
+ .B "\-\-use-fsync"
+-Use fsync call after every written block.
++Use fsync call after every written block. This applies for reencryption
++log files as well.
+ .TP
+ .B "\-\-write-log"
+ Update log file after every block write. This can slow down reencryption
+diff --git a/src/cryptsetup_reencrypt.c b/src/cryptsetup_reencrypt.c
+index 997c388..a1cc51d 100644
+--- a/src/cryptsetup_reencrypt.c
++++ b/src/cryptsetup_reencrypt.c
+@@ -76,7 +76,7 @@ struct reenc_ctx {
+ 	char crypt_path_org[PATH_MAX];
+ 	char crypt_path_new[PATH_MAX];
+ 	int log_fd;
+-	char *log_buf;
++	char log_buf[SECTOR_SIZE];
+ 
+ 	struct {
+ 		char *password;
+@@ -351,13 +351,11 @@ static void close_log(struct reenc_ctx *rc)
+ 	log_dbg("Closing LUKS reencryption log file %s.", rc->log_file);
+ 	if (rc->log_fd != -1)
+ 		close(rc->log_fd);
+-	free(rc->log_buf);
+-	rc->log_buf = NULL;
+ }
+ 
+ static int open_log(struct reenc_ctx *rc)
+ {
+-	int flags = opt_directio ? O_DIRECT : 0;
++	int flags = opt_fsync ? O_SYNC : 0;
+ 
+ 	rc->log_fd = open(rc->log_file, O_RDWR|O_EXCL|O_CREAT|flags, S_IRUSR|S_IWUSR);
+ 	if (rc->log_fd != -1) {
+@@ -371,12 +369,6 @@ static int open_log(struct reenc_ctx *rc)
+ 	if (rc->log_fd == -1)
+ 		return -EINVAL;
+ 
+-	if (posix_memalign((void *)&rc->log_buf, alignment(rc->log_fd), SECTOR_SIZE)) {
+-		log_err(_("Allocation of aligned memory failed.\n"));
+-		close_log(rc);
+-		return -ENOMEM;
+-	}
+-
+ 	if (!rc->in_progress && write_log(rc) < 0) {
+ 		close_log(rc);
+ 		return -EIO;
+-- 
+1.9.3
+
diff --git a/SPECS/cryptsetup.spec b/SPECS/cryptsetup.spec
index 7e33af5..4d4c135 100644
--- a/SPECS/cryptsetup.spec
+++ b/SPECS/cryptsetup.spec
@@ -1,23 +1,32 @@
+%{!?python_sitearch: %global python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
+
+%define python3_enable 0
+
 Summary: A utility for setting up encrypted disks
 Name: cryptsetup
-Version: 1.6.3
-Release: 2%{?dist}
+Version: 1.6.6
+Release: 3%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: Applications/System
 URL: http://cryptsetup.googlecode.com/
 BuildRequires: libgcrypt-devel, popt-devel, device-mapper-devel
 BuildRequires: libgpg-error-devel, libuuid-devel, libsepol-devel
 BuildRequires: libselinux-devel, python-devel, libpwquality-devel
+%if %{python3_enable}
+BuildRequires: python3-devel
+%endif
 BuildRequires: fipscheck-devel >= 1.3.0
 Provides: cryptsetup-luks = %{version}-%{release}
 Obsoletes: cryptsetup-luks < 1.4.0
-Requires: cryptsetup-libs = %{version}-%{release}
-Requires: fipscheck-lib%{_isa} >= 1.3.0
+Requires: cryptsetup-libs%{?_isa} = %{version}-%{release}
+Requires: fipscheck-lib%{?_isa} >= 1.3.0
 Requires: libpwquality >= 1.2.0
 
 %define dracutmodulesdir %{_prefix}/lib/dracut/modules.d
 %define upstream_version %{version}
-Source0: http://cryptsetup.googlecode.com/files/cryptsetup-%{upstream_version}.tar.bz2
+Source0: https://www.kernel.org/pub/linux/utils/cryptsetup/v1.6/cryptsetup-%{upstream_version}.tar.xz
+Patch0: %{name}-1.6.7-use-fsync-isntead-of-odirect.patch
+Patch1: %{name}-1.6.7-drop-fips-post.patch
 
 %if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
 %define configure_cipher --enable-gcrypt-pbkdf2
@@ -47,10 +56,11 @@ Group: System Environment/Libraries
 Summary: Cryptsetup shared library
 Provides: cryptsetup-luks-libs = %{version}-%{release}
 Obsoletes: cryptsetup-luks-libs < 1.4.0
-Requires: fipscheck-lib%{_isa} >= 1.3.0
+Obsoletes: cryptsetup-reencrypt-libs < 1.6.5
+Requires: fipscheck-lib%{?_isa} >= 1.3.0
 # Need support for empty password in gcrypt PBKDF2
 %if 0%{?fedora} >= 19 || 0%{?rhel} >= 7
-Requires: libgcrypt >= 1.5.0-9
+Requires: libgcrypt >= 1.5.3-3
 %endif
 
 %description libs
@@ -68,11 +78,13 @@ disk verification using dm-verity kernel module.
 %package reencrypt
 Group: Applications/System
 Summary: A utility for offline reencryption of LUKS encrypted disks.
+Provides: cryptsetup-reencrypt = %{version}-%{release}
+Obsoletes: cryptsetup-reencrypt < 1.6.5
 Requires: cryptsetup-libs = %{version}-%{release}
 
 %description reencrypt
 This package contains cryptsetup-reencrypt utility which
-can be used for offline reencryption of disk in site.
+can be used for offline reencryption of disk in situ.
 Also includes dracut module required to perform reencryption
 of device containing a root filesystem.
 
@@ -87,10 +99,29 @@ Obsoletes: python-cryptsetup < 1.4.0
 This package provides Python bindings for libcryptsetup, a library
 for setting up disk encryption using dm-crypt kernel module.
 
+%if %{python3_enable}
+%package python3
+Group: System Environment/Libraries
+Summary: Python3 bindings for libcryptsetup
+Requires: %{name}-libs = %{version}-%{release}
+Provides: python3-cryptsetup = %{version}-%{release}
+
+%description python3
+This package provides Python bindings for libcryptsetup, a library
+for setting up disk encryption using dm-crypt kernel module.
+%endif
+
 %prep
 %setup -q -n cryptsetup-%{upstream_version}
+%patch0 -p1
+%patch1 -p1
 chmod -x python/pycryptsetup-test.py
 
+%if %{python3_enable}
+# copy the whole directory for the python3 build
+cp -a . %{py3dir}
+%endif
+
 %build
 %configure --enable-python --enable-fips --enable-cryptsetup-reencrypt --enable-pwquality %{?configure_cipher}
 # remove rpath
@@ -98,18 +129,25 @@ sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 make %{?_smp_mflags}
 
-%install
-# Generate HMAC checksums (FIPS)
-%define __spec_install_post \
-  %{?__debug_package:%{__debug_install_post}} \
-  %{__arch_install_post} \
-  %{__os_install_post} \
-  fipshmac -d %{buildroot}/%{_libdir}/fipscheck %{buildroot}/%{_libdir}/libcryptsetup.so.* \
-%{nil}
+%if %{python3_enable}
+pushd %{py3dir}
+%configure --enable-python --with-python_version=3
+make %{?_smp_mflags}
+popd
+%endif
 
+%install
 make install DESTDIR=%{buildroot}
 rm -rf %{buildroot}/%{_libdir}/*.la
 install -d %{buildroot}/%{_libdir}/fipscheck
+
+%if %{python3_enable}
+pushd %{py3dir}
+make install DESTDIR=%{buildroot}
+rm -rf %{buildroot}/%{_libdir}/*.la
+popd
+%endif
+
 %find_lang cryptsetup
 
 install -d -m755 %{buildroot}/%{dracutmodulesdir}/90reencrypt
@@ -122,17 +160,22 @@ install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesd
 %postun -n cryptsetup-libs -p /sbin/ldconfig
 
 %files
-%doc COPYING AUTHORS FAQ docs/*ReleaseNotes
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc AUTHORS FAQ docs/*ReleaseNotes
 %{_mandir}/man8/cryptsetup.8.gz
 %{_sbindir}/cryptsetup
 
 %files -n veritysetup
-%doc COPYING
+%{!?_licensedir:%global license %%doc}
+%license COPYING
 %{_mandir}/man8/veritysetup.8.gz
 %{_sbindir}/veritysetup
 
 %files reencrypt
-%doc COPYING misc/dracut_90reencrypt/README
+%{!?_licensedir:%global license %%doc}
+%license COPYING
+%doc misc/dracut_90reencrypt/README
 %{_mandir}/man8/cryptsetup-reencrypt.8.gz
 %{_sbindir}/cryptsetup-reencrypt
 %{dracutmodulesdir}/90reencrypt
@@ -145,18 +188,41 @@ install -m755 misc/dracut_90reencrypt/reencrypt.sh %{buildroot}/%{dracutmodulesd
 %{_libdir}/pkgconfig/libcryptsetup.pc
 
 %files libs -f cryptsetup.lang
-%doc COPYING COPYING.LGPL
+%{!?_licensedir:%global license %%doc}
+%license COPYING COPYING.LGPL
 %{_libdir}/libcryptsetup.so.*
-%{_libdir}/fipscheck/libcryptsetup.so.*.hmac
 
 %files python
-%doc COPYING.LGPL python/pycryptsetup-test.py
+%{!?_licensedir:%global license %%doc}
+%license COPYING.LGPL
+%doc python/pycryptsetup-test.py
 %exclude %{python_sitearch}/pycryptsetup.la
 %{python_sitearch}/pycryptsetup.so
 
+%if %{python3_enable}
+%files python3
+%{!?_licensedir:%global license %%doc}
+%license COPYING.LGPL
+%doc python/pycryptsetup-test.py
+%exclude %{python3_sitearch}/pycryptsetup.la
+%{python3_sitearch}/pycryptsetup.so
+%endif
+
 %clean
 
 %changelog
+* Thu Dec 18 2014 Ondrej Kozina <okozina@redhat.com> - 1.6.6-3
+- drop FIPS power on self test and library checksum
+- Resolves: #1158897
+
+* Mon Sep 29 2014 Ondrej Kozina <okozina@redhat.com> - 1.6.6-2
+- patch: fix failures related to reencrypt log files
+- Resolves: #1140199
+
+* Mon Sep  8 2014 Ondrej Kozina <okozina@redhat.com> - 1.6.6-1
+- Update to cryptsetup 1.6.6.
+- Resolves: #1117372 #1038097
+
 * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 1.6.3-2
 - Mass rebuild 2014-01-24