fix(core,legacy): Fix domain-only ethTypedData

When doing Ethereum signTypedData, and the primaryType="EIP712Domain",
we completely ignore the "message" part and only sign the domain.

According to the community, this is technically allowed by the spec,
and may be used by ETH smart contracts to save on gas.

Test case generated by @MetaMask/eth-sig-util's library.

See: https://ethereum-magicians.org/t/eip-712-standards-clarification-primarytype-as-domaintype/3286

Author: aloisklink

common/tests/fixtures/ethereum/sign_typed_data.json

@@ -4,6 +4,28 @@
         "passphrase": ""
     },
     "tests": [
+        {
+            "name": "empty_message",
+            "comment": "Bare minimum valid EIP-712 signature",
+            "parameters": {
+                "path": "m/44'/60'/0'/0/0",
+                "metamask_v4_compat": true,
+                "data": {
+                    "types": {
+                        "EIP712Domain": []
+                    },
+                    "primaryType": "EIP712Domain",
+                    "message": {},
+                    "domain": {}
+                },
+                "message_hash": "0x",
+                "domain_separator_hash": "0x6192106f129ce05c9075d319c1fa6ea9b3ae37cbd0c1ef92e2be7137bb07baa1"
+            },
+            "result": {
+                "address": "0x73d0385F4d8E00C5e6504C6030F47BF6212736A8",
+                "sig": "0x18aaea9abed7cd88d3763a9a420e2e7b71a9f991685fbc62d74da86326cffa680644862d459d1973e422777a3933bc74190b1cae9a5418ddaea645a7d7630dd91c"
+            }
+        },
         {
             "name": "basic_data",
             "parameters": {

core/src/apps/ethereum/sign_typed_data.py

@@ -71,32 +71,46 @@ async def generate_typed_data_hash(
     )
     await typed_data_envelope.collect_types()
 
+    # EIP-712 prefix
+    parts = [b"\x19\x01"]
+
     name, version = await get_name_and_version_for_domain(ctx, typed_data_envelope)
     show_domain = await should_show_domain(ctx, name, version)
-    domain_separator = await typed_data_envelope.hash_struct(
-        primary_type="EIP712Domain",
-        member_path=[0],
-        show_data=show_domain,
-        parent_objects=["EIP712Domain"],
+    # domain_seperator
+    parts.append(
+        await typed_data_envelope.hash_struct(
+            primary_type="EIP712Domain",
+            member_path=[0],
+            show_data=show_domain,
+            parent_objects=["EIP712Domain"],
+        )
     )
 
-    show_message = await should_show_struct(
-        ctx,
-        description=primary_type,
-        data_members=typed_data_envelope.types[primary_type].members,
-        title="Confirm message",
-        button_text="Show full message",
-    )
-    message_hash = await typed_data_envelope.hash_struct(
-        primary_type=primary_type,
-        member_path=[1],
-        show_data=show_message,
-        parent_objects=[primary_type],
-    )
+    # Setting the primary_type to "EIP712Domain" is technically in spec
+    # In this case, we ignore the "message" part and only use the "domain" part
+    # https://ethereum-magicians.org/t/eip-712-standards-clarification-primarytype-as-domaintype/3286
+    if primary_type != "EIP712Domain":
+        show_message = await should_show_struct(
+            ctx,
+            description=primary_type,
+            data_members=typed_data_envelope.types[primary_type].members,
+            title="Confirm message",
+            button_text="Show full message",
+        )
+        parts.append(
+            await typed_data_envelope.hash_struct(
+                primary_type=primary_type,
+                member_path=[1],
+                show_data=show_message,
+                parent_objects=[primary_type],
+            )
+        )
+
+    full_bytes_to_hash = b"".join(parts)
 
-    await confirm_hash(ctx, message_hash)
+    await confirm_hash(ctx, full_bytes_to_hash)
 
-    return keccak256(b"\x19" + b"\x01" + domain_separator + message_hash)
+    return keccak256(full_bytes_to_hash)
 
 
 def get_hash_writer() -> HashWriter:

legacy/firmware/ethereum.c

@@ -987,12 +987,27 @@ static void ethereum_typed_hash(const uint8_t domain_separator_hash[32],
   keccak_Final(&ctx, hash);
 }
 
+// When primaryType="EIP712Domain", we ignore message_hash completely
+static void ethereum_domain_only_typed_hash(
+    const uint8_t domain_separator_hash[32], uint8_t hash[32]) {
+  struct SHA3_CTX ctx = {0};
+  sha3_256_Init(&ctx);
+  sha3_Update(&ctx, (const uint8_t *)"\x19\x01", 2);
+  sha3_Update(&ctx, domain_separator_hash, 32);
+  keccak_Final(&ctx, hash);
+}
+
 void ethereum_typed_hash_sign(const EthereumSignTypedHash *msg,
                               const HDNode *node,
                               EthereumTypedDataSignature *resp) {
   uint8_t hash[32] = {0};
-  ethereum_typed_hash(msg->domain_separator_hash.bytes, msg->message_hash.bytes,
-                      hash);
+
+  if (msg->message_hash.size) {
+    ethereum_typed_hash(msg->domain_separator_hash.bytes,
+                        msg->message_hash.bytes, hash);
+  } else {
+    ethereum_domain_only_typed_hash(msg->domain_separator_hash.bytes, hash);
+  }
 
   uint8_t v = 0;
   if (ecdsa_sign_digest(&secp256k1, node->private_key, hash,

legacy/firmware/fsm_msg_ethereum.h

@@ -262,12 +262,17 @@ void fsm_msgEthereumSignTypedHash(const EthereumSignTypedHash *msg) {
     layoutHome();
     return;
   }
-  layoutConfirmHash(&bmp_icon_warning, _("EIP-712 message hash"),
-                    msg->message_hash.bytes, 32);
-  if (!protectButton(ButtonRequestType_ButtonRequest_Other, false)) {
-    fsm_sendFailure(FailureType_Failure_ActionCancelled, NULL);
-    layoutHome();
-    return;
+
+  // No message hash when setting primaryType="EIP712Domain"
+  // https://ethereum-magicians.org/t/eip-712-standards-clarification-primarytype-as-domaintype/3286
+  if (msg->message_hash.size) {
+    layoutConfirmHash(&bmp_icon_warning, _("EIP-712 message hash"),
+                      msg->message_hash.bytes, 32);
+    if (!protectButton(ButtonRequestType_ButtonRequest_Other, false)) {
+      fsm_sendFailure(FailureType_Failure_ActionCancelled, NULL);
+      layoutHome();
+      return;
+    }
   }
 
   ethereum_typed_hash_sign(msg, node, resp);