diff --git a/include/cybozu/sha2.hpp b/include/cybozu/sha2.hpp
index f8630bd..f002926 100644
--- a/include/cybozu/sha2.hpp
+++ b/include/cybozu/sha2.hpp
@@ -472,11 +472,9 @@ public:
 
 namespace cybozu {
 
-/*
-	HMAC-SHA-256
-	hmac must have 32 bytes buffer
-*/
-inline void hmac256(void *hmac, const void *key, size_t keySize, const void *msg, size_t msgSize)
+namespace sha2_local {
+
+inline void hmac256_inner(void *hmac, const void *key, size_t keySize, const void *msg, size_t msgSize, bool addZeroByte)
 {
 	const uint8_t ipad = 0x36;
 	const uint8_t opad = 0x5c;
@@ -494,7 +492,13 @@ inline void hmac256(void *hmac, const void *key, size_t keySize, const void *msg
 	}
 	memset(k + keySize, ipad, 64 - keySize);
 	hash.update(k, 64);
-	hash.digest(hmac, 32, msg, msgSize);
+	if (addZeroByte) {
+		hash.update(msg, msgSize);
+		const char zero = '\x00';
+		hash.digest(hmac, 32, &zero, 1);
+	} else {
+		hash.digest(hmac, 32, msg, msgSize);
+	}
 	hash.clear();
 	for (size_t i = 0; i < 64; i++) {
 		k[i] = k[i] ^ (ipad ^ opad);
@@ -503,4 +507,23 @@ inline void hmac256(void *hmac, const void *key, size_t keySize, const void *msg
 	hash.digest(hmac, 32, hmac, 32);
 }
 
+} // cybozu::sha2_local
+
+/*
+	HMAC-SHA-256
+	hmac must have 32 bytes buffer
+*/
+inline void hmac256(void *hmac, const void *key, size_t keySize, const void *msg, size_t msgSize)
+{
+	sha2_local::hmac256_inner(hmac, key, keySize, msg, msgSize, false);
+}
+
+/*
+	hmac256 for [msg] + [\x00]
+*/
+inline void hmac256addZeroByte(void *hmac, const void *key, size_t keySize, const void *msg, size_t msgSize)
+{
+	sha2_local::hmac256_inner(hmac, key, keySize, msg, msgSize, true);
+}
+
 } // cybozu