diff --git a/xs_openssl.h b/xs_openssl.h
index 43a18e1..d31442a 100644
--- a/xs_openssl.h
+++ b/xs_openssl.h
@@ -11,6 +11,7 @@ d_char *xs_sha256_base64(const void *input, int size);
 d_char *xs_rsa_genkey(int bits);
 d_char *xs_rsa_sign(char *secret, char *mem, int size);
 int xs_rsa_verify(char *pubkey, char *mem, int size, char *b64sig);
+d_char *xs_evp_sign(char *secret, char *mem, int size);
 #ifdef XS_IMPLEMENTATION
@@ -19,6 +20,7 @@ int xs_rsa_verify(char *pubkey, char *mem, int size, char *b64sig);
 #include "openssl/sha.h"
 #include "openssl/rsa.h"
 #include "openssl/pem.h"
+#include "openssl/evp.h"
 d_char *xs_md5_hex(const void *input, int size)
 {
@@ -174,6 +176,45 @@ int xs_rsa_verify(char *pubkey, char *mem, int size, char *b64sig)
 return r;
 }
+
+d_char *xs_evp_sign(char *secret, char *mem, int size)
+/* signs a memory block (secret is in PEM format) */
+{
+ d_char *signature = NULL;
+ BIO *b;
+ unsigned char *sig;
+ unsigned int sig_len;
+ EVP_PKEY *pkey;
+
+ EVP_MD_CTX *mdctx;
+ const EVP_MD *md;
+
+ /* un-PEM the key */
+ b = BIO_new_mem_buf(secret, strlen(secret));
+ pkey = PEM_read_bio_PrivateKey(b, NULL, NULL, NULL);
+
+ md = EVP_get_digestbyname("sha256");
+
+ mdctx = EVP_MD_CTX_new();
+
+ sig_len = EVP_PKEY_size(pkey);
+ sig = malloc(sig_len);
+
+ EVP_SignInit(mdctx, md);
+ EVP_SignUpdate(mdctx, mem, size);
+
+ if (EVP_SignFinal(mdctx, sig, &sig_len, pkey) == 1)
+ signature = xs_base64_enc((char *)sig, sig_len);
+
+ EVP_MD_CTX_free(mdctx);
+
+ BIO_free(b);
+ free(sig);
+
+ return signature;
+}
+
+
 #endif /* XS_IMPLEMENTATION */
 #endif /* _XS_OPENSSL_H */