nrfconnect · rlubos · Nov 21, 2025 · Nov 4, 2025 · Nov 4, 2025 · Nov 4, 2025
@@ -7,21 +7,18 @@ LE Pairing Responder
    :local:
    :depth: 2
 
-The LE Pairing Responder model is a vendor model.
+The LE Pairing Responder model is a vendor model and you must enable the :kconfig:option:`CONFIG_BT_APP_PASSKEY` Kconfig option to use this model.
 This model can be used to hand over a passkey that will authenticate a Bluetooth LE connection over a mesh network when it is not possible to use other pairing methods.
 
-Before the pairing is initiated, an initiator should send an LE Pairing message with Passkey Reset sub-opcode to set a new passkey for the next pairing request.
+Before the pairing is initiated, an initiator must send an LE Pairing message with the Passkey Reset sub-opcode.
+If the passkey has been set by the :c:func:`bt_mesh_le_pair_resp_passkey_set` function, the predefined passkey will be returned in the Passkey Status message.
+Otherwise, a new passkey will be generated by LE Pairing Responder model and returned in the Passkey Status message.
 The passkey returned in the LE Pairing message with the Passkey Status sub-opcode should be used for the next pairing.
 
-The passkey is generated using the :c:func:`bt_rand` function and set to the host using the :c:func:`bt_passkey_set` function.
-The latter requires the :kconfig:option:`CONFIG_BT_FIXED_PASSKEY` option to be enabled.
-
-.. note::
-   The warning generated by the :kconfig:option:`CONFIG_BT_FIXED_PASSKEY` option should be disregarded as long as the application always invalidates the previously used passkey by calling the :c:func:`bt_mesh_le_pair_resp_passkey_invalidate` function regardless of the pairing result (see below).
-
-This model requires an application to only enable the display capability for the LE pairing by setting the :c:member:`bt_conn_auth_cb.pairing_display` callback.
-After every pairing request, the application must invalidate the previously used passkey by calling the :c:func:`bt_mesh_le_pair_resp_passkey_invalidate` function.
-This function can be called from callbacks :c:member:`bt_conn_auth_info_cb.pairing_complete` and :c:member:`bt_conn_auth_info_cb.pairing_failed`.
+This model requires an application to only enable the display capability for the LE pairing by setting the :c:member:`bt_conn_auth_cb.passkey_display` callback.
+The application must also set the :c:member:`bt_conn_auth_cb.app_passkey` callback to use the passkey generated by LE Pairing Responder model.
+After every pairing request, the application must invalidate the previously used passkey by calling the :c:func:`bt_mesh_le_pair_resp_passkey_invalidate` function or calling :c:func:`bt_mesh_le_pair_resp_passkey_set` with the :c:macro:`BT_PASSKEY_RAND` value.
+Those functions can be called from callbacks :c:member:`bt_conn_auth_info_cb.pairing_complete` and :c:member:`bt_conn_auth_info_cb.pairing_failed`.
 See the :file:`samples/bluetooth/mesh/common/smp_bt_auth.c` file for the reference.
 
 .. figure:: images/bt_mesh_le_pair_resp.svg

@@ -110,6 +110,24 @@ Matter
       To fix this, you must now manually create the :file:`CodeDrivenCallback.h` and :file:`CodeDrivenInitShutdown.cpp` files, and implement the ``MatterClusterServerInitCallback`` and ``MatterClusterServerShutdownCallback`` callbacks to handle server initialization, shutdown, and Matter cluster commands.
       Ensure that these callbacks contain your application's command handling logic as required.
 
+    * :ref:`matter_lock_sample` sample:
+
+      * The :kconfig:option:`CONFIG_BT_FIXED_PASSKEY` Kconfig option has been deprecated, replace it with the :kconfig:option:`CONFIG_BT_APP_PASSKEY` Kconfig option.
+        Now, if you want to use a fixed passkey for the Matter Lock NUS service, register the :c:member:`bt_conn_auth_cb.app_passkey` callback in the :c:struct:`bt_conn_auth_cb` structure.
+
+        For example:
+
+       .. code-block:: c
+
+          static uint32_t AuthAppPasskey(struct bt_conn *conn)
+          {
+              return 123456;
+          }
+
+          static struct bt_conn_auth_cb sConnAuthCallbacks = {
+              .app_passkey = AuthAppPasskey,
+          };
+
 Serial LTE modem
 ----------------
 

@@ -198,6 +198,10 @@ Bluetooth Mesh
   * Deprecated the :kconfig:option:`CONFIG_BT_MESH_NLC_PERF_CONF` and :kconfig:option:`CONFIG_BT_MESH_NLC_PERF_DEFAULT` Kconfig options.
     Existing configurations continue to work but you should migrate to individual profile options.
 
+* Updated the LE Pairing Responder model:
+
+  * Deprecated the :kconfig:option:`CONFIG_BT_FIXED_PASSKEY` option in favor of the new and supported :kconfig:option:`CONFIG_BT_APP_PASSKEY` option.
+
 DECT NR+
 --------
 
@@ -484,6 +488,10 @@ Bluetooth Mesh samples
 
     * Support for external flash memory for the ``nrf52840dk/nrf52840`` and the ``nrf54l15dk/nrf54l15/cpuapp`` as the secondary partition for the DFU process.
 
+   * Updated:
+
+    * The sample to use the :kconfig:option:`CONFIG_BT_APP_PASSKEY` option instead of the deprecated :kconfig:option:`CONFIG_BT_FIXED_PASSKEY` option.
+
 * :ref:`ble_mesh_dfu_target` sample:
 
   * Added:
@@ -707,6 +715,7 @@ Matter samples
 
    * Added a callback for the auto-relock feature.
      This resolves the :ref:`known issue <known_issues>` KRKNWK-20691.
+   * Updated the NUS service to use the :kconfig:option:`CONFIG_BT_APP_PASSKEY` Kconfig option instead of the deprecated :kconfig:option:`CONFIG_BT_FIXED_PASSKEY` Kconfig option.
 
 Networking samples
 ------------------

@@ -32,22 +32,35 @@ extern "C" {
 			     _bt_mesh_le_pair_resp_op, NULL, NULL,                                 \
 			     &_bt_mesh_le_pair_resp_cb)
 
-/* @brief Invalidate previously used passkey.
+/** @brief Invalidate previously used passkey.
  *
  * A user must call this function when a pairing request completes regardless of the status.
  */
 void bt_mesh_le_pair_resp_passkey_invalidate(void);
 
-/* @brief Set own passkey instead of using randomly generating passkeys.
+/** @brief Set own passkey instead of using randomly generating passkeys.
  *
  * By default, passkeys will be randomly generated on every new request. This function allows to use
  * pre-defined passkey instead.
  *
- * @params passkey Passkey to use for the pairing, or @ref BT_PASSKEY_INVALID to use randomly
+ * @param passkey Passkey to use for the pairing, or BT_PASSKEY_RAND to use randomly
  *		   generated passkey again.
  */
 void bt_mesh_le_pair_resp_passkey_set(uint32_t passkey);
 
+/** @brief Get passkey to be used in the very next pairing.
+ *
+ * This function will return the passkey set by the @ref bt_mesh_le_pair_resp_passkey_set function
+ * or it will return a randomly generated passkey by the reset message.
+ *
+ * If the passkey has never been set or the Reset message has never been received,
+ * BT_PASSKEY_RAND will be returned.
+ *
+ * @return Passkey to be used in the very next pairing;
+ *		   BT_PASSKEY_RAND if passkey is not set.
+ */
+uint32_t bt_mesh_le_pair_resp_passkey_get(void);
+
 /** @cond INTERNAL_HIDDEN */
 
 extern const struct bt_mesh_model_op _bt_mesh_le_pair_resp_op[];

@@ -47,12 +47,18 @@ static void pairing_confirm(struct bt_conn *conn)
 	printk("Pairing confirmed: %s\n", addr);
 }
 
+static uint32_t app_passkey(struct bt_conn *conn)
+{
+	return bt_mesh_le_pair_resp_passkey_get();
+}
+
 static struct bt_conn_auth_cb auth_cb = {
 	/* Enable passkey_display callback to enable the display capability. */
 	.passkey_display = passkey_display,
 	/* These 2 callbacks are required for passkey_display callback. */
 	.cancel = cancel,
 	.pairing_confirm = pairing_confirm,
+	.app_passkey = app_passkey,
 };
 
 static void pairing_complete(struct bt_conn *conn, bool bonded)

@@ -1,6 +1,6 @@
 CONFIG_MCUMGR_TRANSPORT_BT_PERM_RW_AUTHEN=y
 CONFIG_BT_SMP=y
-CONFIG_BT_FIXED_PASSKEY=y
+CONFIG_BT_APP_PASSKEY=y
 CONFIG_BT_MESH_LE_PAIR_RESP=y
 CONFIG_BT_SMP_SC_ONLY=y
 CONFIG_BT_SMP_ALLOW_UNAUTH_OVERWRITE=n
@@ -31,6 +31,9 @@ BT_CONN_CB_DEFINE(conn_callbacks) = {
 bt_conn_auth_cb Nrf::NUSService::sConnAuthCallbacks = {
 	.passkey_display = AuthPasskeyDisplay,
 	.cancel = AuthCancel,
+#if defined(CONFIG_BT_APP_PASSKEY)
+	.app_passkey = AuthAppPasskey,
+#endif /* defined(CONFIG_BT_APP_PASSKEY) */
 };
 bt_conn_auth_info_cb Nrf::NUSService::sConnAuthInfoCallbacks = {
 	.pairing_complete = PairingComplete,
@@ -40,7 +43,8 @@ bt_nus_cb Nrf::NUSService::sNusCallbacks = {
 	.received = RxCallback,
 };
 
-namespace Nrf {
+namespace Nrf
+{
 
 NUSService NUSService::sInstance;
 
@@ -234,6 +238,14 @@ void NUSService::AuthPasskeyDisplay(bt_conn *conn, unsigned int passkey)
 	LOG_INF("PROVIDE THE FOLLOWING CODE IN YOUR MOBILE APP: %d", passkey);
 }
 
+#if defined(CONFIG_BT_APP_PASSKEY)
+uint32_t NUSService::AuthAppPasskey(bt_conn *conn)
+{
+	return CONFIG_CHIP_NUS_FIXED_PASSKEY;
+}
+#endif /* defined(CONFIG_BT_APP_PASSKEY) */
+
+
 void NUSService::AuthCancel(bt_conn *conn)
 {
 	LOG_INF("NUS BT Pairing cancelled: %s", LogAddress(conn));

@@ -85,6 +85,9 @@ class NUSService {
 	static void PairingComplete(struct bt_conn *conn, bool bonded);
 	static void PairingFailed(struct bt_conn *conn, enum bt_security_err reason);
 	static char* LogAddress(struct bt_conn *conn);
+#if defined(CONFIG_BT_APP_PASSKEY)
+	static uint32_t AuthAppPasskey(struct bt_conn *conn);
+#endif /* defined(CONFIG_BT_APP_PASSKEY) */
 
 	static struct bt_conn_auth_cb sConnAuthCallbacks;
 	static struct bt_conn_auth_info_cb sConnAuthInfoCallbacks;

@@ -124,7 +124,7 @@ tests:
     build_only: true
     extra_args:
       - CONFIG_CHIP_NUS=y
-      - CONFIG_BT_FIXED_PASSKEY=y
+      - CONFIG_BT_APP_PASSKEY=y
       - CONFIG_CHIP_NUS_FIXED_PASSKEY=112233
     integration_platforms:
       - nrf52840dk/nrf52840

@@ -85,10 +85,10 @@ config BT_MESH_DM_SRV_REFLECTOR_RANGING_WINDOW_US
 endif # BT_MESH_DM_SRV
 
 config BT_MESH_LE_PAIR_RESP
-	bool "LE Pairing Responder model"
+	bool "LE Pairing Responder model [EXPERIMENTAL]"
 	select BT_MESH_VENDOR_MODELS
 	select EXPERIMENTAL
-	depends on BT_FIXED_PASSKEY
+	depends on BT_APP_PASSKEY
 	depends on BT_SMP_SC_ONLY
 	help
 	  Enable the LE Pairing Responder model. The LE Pairing Responder model is used to generate

@@ -24,31 +24,29 @@ LOG_MODULE_REGISTER(bt_mesh_le_pair_resp);
 #define STATUS_PASSKEY_SET 0x00
 #define STATUS_PASSKEY_NOT_SET 0x01
 
-static uint32_t predefined_passkey = BT_PASSKEY_INVALID;
+static uint32_t predefined_passkey = BT_PASSKEY_RAND;
 
 static int handle_reset(const struct bt_mesh_model *model, struct bt_mesh_msg_ctx *ctx,
 			struct net_buf_simple *buf)
 {
 	uint32_t passkey;
 	uint8_t status = STATUS_PASSKEY_SET;
-	int err;
 
 	if (buf->len != 0) {
 		return -EINVAL;
 	}
 
 	BT_MESH_MODEL_BUF_DEFINE(rsp, BT_MESH_LE_PAIR_OP, 5);
 
-	if (predefined_passkey != BT_PASSKEY_INVALID) {
+	if (predefined_passkey != BT_PASSKEY_RAND) {
 		passkey = predefined_passkey;
 	} else {
 		passkey = sys_rand32_get() % 1000000;
-	}
-
-	err = bt_passkey_set(passkey);
-	if (err) {
-		LOG_ERR("Unable to set passkey (err: %d)", err);
-		status = STATUS_PASSKEY_NOT_SET;
+		/* Overwrite the predefined passkey with the randomly generated passkey.
+		 * LE pair responder can use the randomly generated passkey for the next
+		 * pairing request.
+		 */
+		predefined_passkey = passkey;
 	}
 
 	bt_mesh_model_msg_init(&rsp, BT_MESH_LE_PAIR_OP);
@@ -112,10 +110,15 @@ const struct bt_mesh_model_cb _bt_mesh_le_pair_resp_cb = {
 
 void bt_mesh_le_pair_resp_passkey_invalidate(void)
 {
-	(void)bt_passkey_set(BT_PASSKEY_INVALID);
+	predefined_passkey = BT_PASSKEY_RAND;
 }
 
 void bt_mesh_le_pair_resp_passkey_set(uint32_t passkey)
 {
 	predefined_passkey = passkey;
 }
+
+uint32_t bt_mesh_le_pair_resp_passkey_get(void)
+{
+	return predefined_passkey;
+}
@@ -64,7 +64,7 @@ manifest:
     # https://developer.nordicsemi.com/nRF_Connect_SDK/doc/latest/zephyr/guides/modules.html
     - name: zephyr
       repo-path: sdk-zephyr
-      revision: 0985cced399a26c994a0736ba8c00dc852e22ec3
+      revision: d54a7f811327fe9cc3da2dffa7365de96c999c08
       import:
         # In addition to the zephyr repository itself, NCS also
         # imports the contents of zephyr/west.yml at the above
@@ -155,7 +155,7 @@ manifest:
     - name: matter
       repo-path: sdk-connectedhomeip
       path: modules/lib/matter
-      revision: 4c78bef4bfc9b66d8d4ed44813cf7560efe69323
+      revision: c9826122fccab36e7caec9654bd1c0fdd1d27242
       west-commands: scripts/west/west-commands.yml
       submodules:
         - name: nlio