From 994ddf017f5e24fe721f35d7b38c90f18af6877d Mon Sep 17 00:00:00 2001
From: Wouter Gritter
Date: Thu, 21 May 2026 22:51:14 +0200
Subject: [PATCH] Use `SecureRandom` to generate verification/anti-MITM token
---
 .../proxy/connection/client/InitialLoginSessionHandler.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/proxy/src/main/java/com/velocitypowered/proxy/connection/client/InitialLoginSessionHandler.java b/proxy/src/main/java/com/velocitypowered/proxy/connection/client/InitialLoginSessionHandler.java
index 482fb76e64..0febc76d33 100644
--- a/proxy/src/main/java/com/velocitypowered/proxy/connection/client/InitialLoginSessionHandler.java
+++ b/proxy/src/main/java/com/velocitypowered/proxy/connection/client/InitialLoginSessionHandler.java
@@ -50,9 +50,9 @@
 import java.security.GeneralSecurityException;
 import java.security.KeyPair;
 import java.security.MessageDigest;
+import java.security.SecureRandom;
 import java.util.Arrays;
 import java.util.Optional;
-import java.util.concurrent.ThreadLocalRandom;
 import net.kyori.adventure.text.Component;
 import net.kyori.adventure.text.format.NamedTextColor;
 import org.apache.logging.log4j.LogManager;
@@ -65,6 +65,7 @@ public class InitialLoginSessionHandler implements MinecraftSessionHandler {
 private static final Logger logger = LogManager.getLogger(InitialLoginSessionHandler.class);
+ private static final SecureRandom SECURE_RANDOM = new SecureRandom();
 private static final String MOJANG_HASJOINED_URL = System.getProperty("mojang.sessionserver", "https://sessionserver.mojang.com/session/minecraft/hasJoined")
@@ -286,7 +287,7 @@ public boolean handle(EncryptionResponsePacket packet) {
 private EncryptionRequestPacket generateEncryptionRequest() {
 byte[] verify = new byte[4];
- ThreadLocalRandom.current().nextBytes(verify);
+ SECURE_RANDOM.nextBytes(verify);
 EncryptionRequestPacket request = new EncryptionRequestPacket();
 request.setPublicKey(server.getServerKeyPair().getPublic().getEncoded());
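Review bot: The new `SECURE_RANDOM` field in the `@@ -65,6 +65,7 @@` hunk has no comment saying why a CSPRNG is required, so a later cleanup could swap it back for a faster generator without anyone noticing the regression. I would add `// CSPRNG on purpose: the login verify token must be unpredictable to anyone observing or relaying the handshake.` above the declaration. Sharing one static instance is correct because `SecureRandom` is thread-safe; whether its internal locking matters under many concurrent logins depends on the platform provider and is probably negligible at four bytes per handshake.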
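Review bot: In the `@@ -286,7 +287,7 @@` hunk the token length is still the bare literal in `new byte[4]`, so the switch to `SecureRandom` makes the token unpredictable but leaves it at 32 bits with no stated reason. I would name the length, e.g. `private static final int VERIFY_TOKEN_LENGTH = 4;` and `byte[] verify = new byte[VERIFY_TOKEN_LENGTH];`, with a comment recording why that size is used (presumably protocol compatibility, which the hunk does not show). The body of `generateEncryptionRequest` continues past the hunk, and the check of the echoed token in `handle(EncryptionResponsePacket)` is not visible here; it is worth confirming that it compares the full array against the stored value.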