Open earthdiver opened 1 week ago
Thank you for your important finding! It helped me identify an error in the CBC encryption implementation, which unintentionally "deactivated" i_vector. I'm ashamed of not performing a similar test before. We've made a dedicated release for the fix. Thank you again for the catch!
Release with the fix: https://github.com/selfcustody/krux/releases/tag/v24.11.1
When creating an encrypted QR code in AES-CBC mode, we are obtaining additional entropy from the camera, but the generated QR codes are identical for each combination of key, mnemonic_id, and mnemonic. I believe that the first block of data_bytes should not be i_vector (how about replacing it with something like b'x\ff'*16?).
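Added example (not part of the issue thread and not Krux code): a regression check for the behaviour reported above. In CBC the first block is encrypted as E(P1 xor IV), so when the first plaintext block is the IV itself the XOR cancels and the output no longer depends on the IV. All function names are hypothetical, and a toy Feistel cipher built from SHA-256 stands in for AES so the block runs with the standard library only.

```python
import hashlib
import os

BLOCK = 16

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 16-byte block cipher (4-round Feistel over SHA-256). NOT AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Textbook CBC: C_i = E(P_i xor C_{i-1}) with C_0 = iv; data is block-aligned."""
    assert len(iv) == BLOCK and len(data) % BLOCK == 0
    prev, out = iv, b""
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = toy_block_encrypt(key, mixed)
        out += prev
    return out

def encrypt_iv_as_first_block(key: bytes, iv: bytes, msg: bytes) -> bytes:
    # Pattern from the report: the IV is the first block of the data being
    # encrypted. Block 1 becomes E(iv xor iv) = E(0), so the IV has no effect.
    return cbc_encrypt(key, iv, iv + msg)

def encrypt_iv_prepended(key: bytes, iv: bytes, msg: bytes) -> bytes:
    # Conventional layout: the IV travels in the clear ahead of the ciphertext.
    return iv + cbc_encrypt(key, iv, msg)

def is_randomized(encrypt, key: bytes, msg: bytes) -> bool:
    """Regression check: two encryptions under fresh IVs must differ."""
    first = encrypt(key, os.urandom(BLOCK), msg)
    second = encrypt(key, os.urandom(BLOCK), msg)
    return first != second

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed test key").digest()
    msg = b"constructed sample".ljust(32, b".")  # constructed 32-byte input
    print("IV as first data block randomized:",
          is_randomized(encrypt_iv_as_first_block, key, msg))
    print("IV prepended in clear randomized: ",
          is_randomized(encrypt_iv_prepended, key, msg))
```
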