diff --git a/prepare_source b/prepare_source
index 9148119..2d0a7bf 100755
--- a/prepare_source
+++ b/prepare_source
@@ -27,3 +27,4 @@ rm -rf "$dir/src/debian/config"
 cp -r config "$dir/src/debian/"
 
 apply_patches fixes_debian
+import_upstream_patches
diff --git a/upstream_patches/no-sha1-for-fips.patch b/upstream_patches/no-sha1-for-fips.patch
new file mode 100644
index 0000000..0893002
--- /dev/null
+++ b/upstream_patches/no-sha1-for-fips.patch
@@ -0,0 +1,43 @@
+diff -Nur a/crypto/testmgr.c b/crypto/testmgr.c
+--- a/crypto/testmgr.c	2026-02-19 16:33:27.000000000 +0100
++++ b/crypto/testmgr.c	2026-02-24 09:44:34.790238895 +0100
+@@ -4090,7 +4090,6 @@
+ 		.alg = "authenc(hmac(sha1),cbc(aes))",
+ 		.generic_driver = "authenc(hmac-sha1-lib,cbc(aes-generic))",
+ 		.test = alg_test_aead,
+-		.fips_allowed = 1,
+ 		.suite = {
+ 			.aead = __VECS(hmac_sha1_aes_cbc_tv_temp)
+ 		}
+@@ -4111,7 +4110,6 @@
+ 	}, {
+ 		.alg = "authenc(hmac(sha1),ctr(aes))",
+ 		.test = alg_test_null,
+-		.fips_allowed = 1,
+ 	}, {
+ 		.alg = "authenc(hmac(sha1),ecb(cipher_null))",
+ 		.generic_driver = "authenc(hmac-sha1-lib,ecb-cipher_null)",
+@@ -4122,7 +4120,6 @@
+ 	}, {
+ 		.alg = "authenc(hmac(sha1),rfc3686(ctr(aes)))",
+ 		.test = alg_test_null,
+-		.fips_allowed = 1,
+ 	}, {
+ 		.alg = "authenc(hmac(sha224),cbc(des))",
+ 		.generic_driver = "authenc(hmac-sha224-lib,cbc(des-generic))",
+@@ -4984,7 +4981,6 @@
+ 		.alg = "hmac(sha1)",
+ 		.generic_driver = "hmac-sha1-lib",
+ 		.test = alg_test_hash,
+-		.fips_allowed = 1,
+ 		.suite = {
+ 			.hash = __VECS(hmac_sha1_tv_template)
+ 		}
+@@ -5356,7 +5352,6 @@
+ 		.alg = "sha1",
+ 		.generic_driver = "sha1-lib",
+ 		.test = alg_test_hash,
+-		.fips_allowed = 1,
+ 		.suite = {
+ 			.hash = __VECS(sha1_tv_template)
+ 		}
diff --git a/upstream_patches/series b/upstream_patches/series
new file mode 100644
index 0000000..a764882
--- /dev/null
+++ b/upstream_patches/series
@@ -0,0 +1 @@
+no-sha1-for-fips.patch