BLE: Conditional compilation of the security manager

Depends on the role (central or peripheral), signing enabled and secure connection enabled.

connectivity/FEATURE_BLE/include/ble/SecurityManager.h

@@ -247,6 +247,7 @@ public:
         // Pairing
         //
 
+#if BLE_ROLE_PERIPHERAL
         /**
          * Request application to accept or reject pairing. Application should respond by
          * calling the appropriate function: acceptPairingRequest or cancelPairingRequest
@@ -256,6 +257,7 @@ public:
         virtual void pairingRequest(ble::connection_handle_t connectionHandle) {
             (void)connectionHandle;
         }
+#endif // BLE_ROLE_PERIPHERAL
 
         /**
          * Indicate to the application that pairing has completed.
@@ -327,6 +329,7 @@ public:
             (void)passkey;
         }
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
         /**
          * Indicate to the application that a confirmation is required. This is used
          * when the device does not have a keyboard but has a yes/no button. The device
@@ -339,6 +342,7 @@ public:
         virtual void confirmationRequest(ble::connection_handle_t connectionHandle) {
             (void)connectionHandle;
         }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
         /**
          * Indicate to the application that a passkey is required. The application should
@@ -350,6 +354,7 @@ public:
             (void)connectionHandle;
         }
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
         /**
          * Notify the application that a key was pressed by the peer during passkey entry.
          *
@@ -360,6 +365,7 @@ public:
             (void)connectionHandle;
             (void)keypress;
         }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
         /**
          * Indicate to the application it needs to return legacy pairing OOB to the stack.
@@ -402,6 +408,7 @@ public:
         // Keys
         //
 
+#if BLE_FEATURE_SIGNING
         /**
          * Deliver the signing key to the application.
          *
@@ -414,6 +421,8 @@ public:
             (void)csrk;
             (void)authenticated;
         }
+#endif // BLE_FEATURE_SIGNING
+
         /**
          * Prevent polymorphic deletion and avoid unnecessary virtual destructor
          * as the SecurityManager class will never delete the instance it contains.
@@ -526,6 +535,7 @@ public:
     // Pairing
     //
 
+#if BLE_ROLE_CENTRAL
     /**
      * Request pairing with the peer. Called by the master.
      * @note Slave can call requestAuthentication or setLinkEncryption to achieve security.
@@ -534,7 +544,9 @@ public:
      * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
      */
     ble_error_t requestPairing(ble::connection_handle_t connectionHandle);
+#endif // BLE_ROLE_CENTRAL
 
+#if BLE_ROLE_PERIPHERAL
     /**
      * Accept the pairing request. Called as a result of pairingRequest being called
      * on the event handler.
@@ -543,6 +555,7 @@ public:
      * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
      */
     ble_error_t acceptPairingRequest(ble::connection_handle_t connectionHandle);
+#endif // BLE_ROLE_PERIPHERAL
 
     /**
      * Reject pairing request if the local device is the slave or cancel an outstanding
@@ -577,6 +590,7 @@ public:
     // Feature support
     //
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * Allow of disallow the use of legacy pairing in case the application only wants
      * to force the use of Secure Connections. If legacy pairing is disallowed and either
@@ -594,6 +608,7 @@ public:
      * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
      */
     ble_error_t getSecureConnectionsSupport(bool *enabled);
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     ////////////////////////////////////////////////////////////////////////////
     // Security settings
@@ -766,6 +781,7 @@ public:
      */
     ble_error_t setOOBDataUsage(ble::connection_handle_t connectionHandle, bool useOOB, bool OOBProvidesMITM = true);
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * Report to the stack if the passkey matches or not. Used during pairing to provide MITM protection.
      *
@@ -774,6 +790,7 @@ public:
      * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
      */
     ble_error_t confirmationEntered(ble::connection_handle_t connectionHandle, bool confirmation);
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     /**
      * Supply the stack with the user entered passkey.
@@ -784,6 +801,7 @@ public:
      */
     ble_error_t passkeyEntered(ble::connection_handle_t connectionHandle, Passkey_t passkey);
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * Send a notification to the peer that the user pressed a key on the local device.
      * @note This will only be delivered if the keypress notifications have been enabled during pairing.
@@ -793,6 +811,7 @@ public:
      * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
      */
     ble_error_t sendKeypressNotification(ble::connection_handle_t connectionHandle, ble::Keypress_t keypress);
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     /**
      * Supply the stack with the OOB data for legacy connections.
@@ -803,6 +822,7 @@ public:
      */
     ble_error_t legacyPairingOobReceived(const ble::address_t *address, const ble::oob_tk_t *tk);
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * Supply the stack with the OOB data for secure connections.
      *
@@ -813,11 +833,13 @@ public:
      * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
      */
     ble_error_t oobReceived(const ble::address_t *address, const ble::oob_lesc_value_t *random, const ble::oob_confirm_t *confirm);
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     ////////////////////////////////////////////////////////////////////////////
     // Keys
     //
 
+#if BLE_FEATURE_SIGNING
     /**
      * Retrieves a signing key through a signingKey event.
      * If a signing key is not present, pairing/authentication will be attempted.
@@ -830,6 +852,7 @@ public:
      * @return BLE_ERROR_NONE or appropriate error code indicating the failure reason.
      */
     ble_error_t getSigningKey(ble::connection_handle_t connectionHandle, bool authenticated);
+#endif // BLE_FEATURE_SIGNING
 
     ////////////////////////////////////////////////////////////////////////////
     // Privacy

connectivity/FEATURE_BLE/source/SecurityManager.cpp

@@ -57,15 +57,19 @@ ble_error_t SecurityManager::generateWhitelistFromBondTable(::ble::whitelist_t *
     return impl->generateWhitelistFromBondTable(whitelist);
 }
 
+#if BLE_ROLE_CENTRAL
 ble_error_t SecurityManager::requestPairing(ble::connection_handle_t connectionHandle)
 {
     return impl->requestPairing(connectionHandle);
 }
+#endif
 
+#if BLE_ROLE_PERIPHERAL
 ble_error_t SecurityManager::acceptPairingRequest(ble::connection_handle_t connectionHandle)
 {
     return impl->acceptPairingRequest(connectionHandle);
 }
+#endif
 
 ble_error_t SecurityManager::cancelPairingRequest(ble::connection_handle_t connectionHandle)
 {
@@ -82,6 +86,7 @@ ble_error_t SecurityManager::getPeerIdentity(ble::connection_handle_t connection
     return impl->getPeerIdentity(connectionHandle);
 }
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
 ble_error_t SecurityManager::allowLegacyPairing(bool allow)
 {
     return impl->allowLegacyPairing(allow);
@@ -91,6 +96,7 @@ ble_error_t SecurityManager::getSecureConnectionsSupport(bool *enabled)
 {
     return impl->getSecureConnectionsSupport(enabled);
 }
+#endif
 
 ble_error_t SecurityManager::setIoCapability(SecurityIOCapabilities_t iocaps)
 {
@@ -162,35 +168,43 @@ ble_error_t SecurityManager::setOOBDataUsage(ble::connection_handle_t connection
     return impl->setOOBDataUsage(connectionHandle, useOOB, OOBProvidesMITM);
 }
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
 ble_error_t SecurityManager::confirmationEntered(ble::connection_handle_t connectionHandle, bool confirmation)
 {
     return impl->confirmationEntered(connectionHandle, confirmation);
 }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
 ble_error_t SecurityManager::passkeyEntered(ble::connection_handle_t connectionHandle, Passkey_t passkey)
 {
     return impl->passkeyEntered(connectionHandle, passkey);
 }
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
 ble_error_t SecurityManager::sendKeypressNotification(ble::connection_handle_t connectionHandle, ble::Keypress_t keypress)
 {
     return impl->sendKeypressNotification(connectionHandle, keypress);
 }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
 ble_error_t SecurityManager::legacyPairingOobReceived(const ble::address_t *address, const ble::oob_tk_t *tk)
 {
     return impl->legacyPairingOobReceived(address, tk);
 }
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
 ble_error_t SecurityManager::oobReceived(const ble::address_t *address, const ble::oob_lesc_value_t *random, const ble::oob_confirm_t *confirm)
 {
     return impl->oobReceived(address, random, confirm);
 }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
+#if BLE_FEATURE_SIGNING
 ble_error_t SecurityManager::getSigningKey(ble::connection_handle_t connectionHandle, bool authenticated)
 {
     return impl->getSigningKey(connectionHandle, authenticated);
 }
+#endif // BLE_FEATURE_SIGNING
 
 #if BLE_FEATURE_PRIVACY
 ble_error_t SecurityManager::setPrivateAddressTimeout(

connectivity/FEATURE_BLE/source/cordio/source/PalSecurityManagerImpl.cpp

@@ -36,10 +36,7 @@ namespace impl {
 PalSecurityManager::PalSecurityManager() :
     _pal_event_handler(nullptr),
     _use_default_passkey(false),
-    _default_passkey(0),
+    _default_passkey(0)
-    _lesc_keys_generated(false),
-    _public_key_x(),
-    _peer_csrks()
 {
 }
 
@@ -57,7 +54,9 @@ ble_error_t PalSecurityManager::initialize()
     // reset local state
     _use_default_passkey = false;
     _default_passkey = 0;
+#if BLE_FEATURE_SECURE_CONNECTIONS
     _lesc_keys_generated = false;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 #if BLE_FEATURE_SIGNING
     memset(_peer_csrks, 0, sizeof(_peer_csrks));
 #endif
@@ -116,9 +115,14 @@ ble_error_t PalSecurityManager::get_secure_connections_support(
     bool &enabled
 )
 {
+#if BLE_FEATURE_SECURE_CONNECTIONS
     // FIXME: should depend of the controller
     enabled = false;
     return BLE_ERROR_NONE;
+#else
+    enabled = false;
+    return BLE_ERROR_NONE;
+#endif
 }
 
 ////////////////////////////////////////////////////////////////////////////
@@ -143,7 +147,7 @@ ble_error_t PalSecurityManager::get_authentication_timeout(
     return BLE_ERROR_NOT_IMPLEMENTED;
 }
 
-
+#if BLE_ROLE_PERIPHERAL
 ble_error_t PalSecurityManager::slave_security_request(
     connection_handle_t connection,
     AuthenticationMask authentication
@@ -152,12 +156,13 @@ ble_error_t PalSecurityManager::slave_security_request(
     DmSecSlaveReq(connection, authentication.value());
     return BLE_ERROR_NONE;
 }
+#endif // BLE_ROLE_PERIPHERAL
 
 ////////////////////////////////////////////////////////////////////////////
 // Encryption
 //
 
-
+#if BLE_ROLE_CENTRAL
 ble_error_t PalSecurityManager::enable_encryption(
     connection_handle_t connection,
     const ltk_t &ltk,
@@ -180,7 +185,7 @@ ble_error_t PalSecurityManager::enable_encryption(
     return BLE_ERROR_NONE;
 }
 
-
+#if BLE_FEATURE_SECURE_CONNECTIONS
 ble_error_t PalSecurityManager::enable_encryption(
     connection_handle_t connection,
     const ltk_t &ltk,
@@ -199,6 +204,8 @@ ble_error_t PalSecurityManager::enable_encryption(
 
     return BLE_ERROR_NONE;
 }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
+#endif // BLE_ROLE_CENTRAL
 
 
 ble_error_t PalSecurityManager::encrypt_data(
@@ -275,6 +282,7 @@ ble_error_t PalSecurityManager::set_identity_address(
     return BLE_ERROR_NONE;
 }
 
+#if BLE_FEATURE_SIGNING
 ble_error_t PalSecurityManager::set_csrk(
     const csrk_t &csrk,
     sign_count_t sign_counter
@@ -335,6 +343,7 @@ ble_error_t PalSecurityManager::remove_peer_csrk(connection_handle_t connection)
     AttsSetCsrk(connection, nullptr, false);
     return BLE_ERROR_NONE;
 }
+#endif // BLE_FEATURE_SIGNING
 
 ////////////////////////////////////////////////////////////////////////////
 // Global parameters
@@ -380,7 +389,7 @@ ble_error_t PalSecurityManager::set_encryption_key_requirements(
 // Authentication
 //
 
-
+#if BLE_ROLE_CENTRAL
 ble_error_t PalSecurityManager::send_pairing_request(
     connection_handle_t connection,
     bool oob_data_flag,
@@ -399,8 +408,9 @@ ble_error_t PalSecurityManager::send_pairing_request(
 
     return BLE_ERROR_NONE;
 }
+#endif // BLE_ROLE_CENTRAL
 
-
+#if BLE_ROLE_PERIPHERAL
 ble_error_t PalSecurityManager::send_pairing_response(
     connection_handle_t connection,
     bool oob_data_flag,
@@ -419,6 +429,7 @@ ble_error_t PalSecurityManager::send_pairing_response(
 
     return BLE_ERROR_NONE;
 }
+#endif // BLE_ROLE_PERIPHERAL
 
 
 ble_error_t PalSecurityManager::cancel_pairing(
@@ -469,7 +480,7 @@ ble_error_t PalSecurityManager::legacy_pairing_oob_request_reply(
     return BLE_ERROR_NONE;
 }
 
-
+#if BLE_FEATURE_SECURE_CONNECTIONS
 ble_error_t PalSecurityManager::confirmation_entered(
     connection_handle_t connection, bool confirmation
 )
@@ -520,6 +531,7 @@ ble_error_t PalSecurityManager::secure_connections_oob_request_reply(
 
     return BLE_ERROR_NONE;
 }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
 
 PalSecurityManager &PalSecurityManager::get_security_manager()
@@ -703,6 +715,7 @@ bool PalSecurityManager::sm_handler(const wsfMsgHdr_t *msg)
             return true;
         }
 
+#if BLE_ROLE_PERIPHERAL
         case DM_SEC_PAIR_IND: {
             auto *evt = (dmSecPairIndEvt_t *) msg;
             handler->on_pairing_request(
@@ -714,7 +727,9 @@ bool PalSecurityManager::sm_handler(const wsfMsgHdr_t *msg)
             );
             return true;
         }
+#endif // BLE_ROLE_PERIPHERAL
 
+#if BLE_ROLE_CENTRAL
         case DM_SEC_SLAVE_REQ_IND: {
             auto *evt = (dmSecPairIndEvt_t *) msg;
             handler->on_slave_security_request(
@@ -723,7 +738,9 @@ bool PalSecurityManager::sm_handler(const wsfMsgHdr_t *msg)
             );
             return true;
         }
+#endif // BLE_ROLE_CENTRAL
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
         case DM_SEC_CALC_OOB_IND: {
             auto *evt = (dmSecOobCalcIndEvt_t *) msg;
             handler->on_secure_connections_oob_generated(
@@ -733,7 +750,6 @@ bool PalSecurityManager::sm_handler(const wsfMsgHdr_t *msg)
             return true;
         }
 
-#if BLE_FEATURE_SECURE_CONNECTIONS
         case DM_SEC_ECC_KEY_IND: {
             auto *evt = (secEccMsg_t *) msg;
             DmSecSetEccKey(&evt->data.key);
@@ -741,7 +757,6 @@ bool PalSecurityManager::sm_handler(const wsfMsgHdr_t *msg)
             self._lesc_keys_generated = true;
             return true;
         }
-#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
         case DM_SEC_COMPARE_IND: {
             auto *evt = (dmSecCnfIndEvt_t *) msg;
@@ -761,6 +776,7 @@ bool PalSecurityManager::sm_handler(const wsfMsgHdr_t *msg)
             );
             return true;
         }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
         default:
             return false;
@@ -769,6 +785,7 @@ bool PalSecurityManager::sm_handler(const wsfMsgHdr_t *msg)
 
 // Helper functions for privacy
 
+#if BLE_FEATURE_SIGNING
 void PalSecurityManager::cleanup_peer_csrks()
 {
     for (auto & peer_csrk : _peer_csrks) {
@@ -778,6 +795,7 @@ void PalSecurityManager::cleanup_peer_csrks()
         }
     }
 }
+#endif // BLE_FEATURE_SIGNING
 
 void PalSecurityManager::set_event_handler(
     PalSecurityManagerEventHandler *event_handler

connectivity/FEATURE_BLE/source/cordio/source/PalSecurityManagerImpl.h

@@ -63,6 +63,7 @@ public:
     // Pairing
     //
 
+#if BLE_ROLE_CENTRAL
     /**
      * @see ::ble::PalSecurityManager::send_pairing_request
      */
@@ -73,7 +74,9 @@ public:
         KeyDistribution initiator_dist,
         KeyDistribution responder_dist
     ) final;
+#endif // BLE_ROLE_CENTRAL
 
+#if BLE_ROLE_PERIPHERAL
     /**
      * @see ::ble::PalSecurityManager::send_pairing_response
      */
@@ -84,6 +87,7 @@ public:
         KeyDistribution initiator_dist,
         KeyDistribution responder_dist
     ) final;
+#endif // BLE_ROLE_PERIPHERAL
 
     /**
      * @see ::ble::PalSecurityManager::cancel_pairing
@@ -134,6 +138,7 @@ public:
         uint8_t max_encryption_key_size
     ) final;
 
+#if BLE_ROLE_PERIPHERAL
     /**
      * @see ::ble::PalSecurityManager::slave_security_request
      */
@@ -141,11 +146,13 @@ public:
         connection_handle_t connection,
         AuthenticationMask authentication
     ) final;
+#endif
 
     ////////////////////////////////////////////////////////////////////////////
     // Encryption
     //
 
+#if BLE_ROLE_CENTRAL
     /**
      * @see ::ble::PalSecurityManager::enable_encryption
      */
@@ -157,6 +164,7 @@ public:
         bool mitm
     ) final;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * @see ::ble::PalSecurityManager::enable_encryption
      */
@@ -165,6 +173,8 @@ public:
         const ltk_t &ltk,
         bool mitm
     ) final;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
+#endif // BLE_ROLE_CENTRAL
 
     /**
      * @see ::ble::PalSecurityManager::encrypt_data
@@ -207,6 +217,7 @@ public:
         const address_t &address, bool public_address
     ) final;
 
+#if BLE_FEATURE_SIGNING
     /**
      * @see ::ble::PalSecurityManager::set_csrk
      */
@@ -226,6 +237,7 @@ public:
     ) final;
 
     ble_error_t remove_peer_csrk(connection_handle_t connection) final;
+#endif // BLE_FEATURE_SIGNING
 
     ////////////////////////////////////////////////////////////////////////////
     // Authentication
@@ -253,6 +265,7 @@ public:
         passkey_num_t passkey
     ) final;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * @see ::ble::PalSecurityManager::secure_connections_oob_request_reply
      */
@@ -262,6 +275,7 @@ public:
         const oob_lesc_value_t &peer_random,
         const oob_confirm_t &peer_confirm
     ) final;
+#endif // /BLE_FEATURE_SECURE_CONNECTIONS
 
     /**
      * @see ::ble::PalSecurityManager::legacy_pairing_oob_request_reply
@@ -271,6 +285,7 @@ public:
         const oob_tk_t &oob_data
     ) final;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * @see ::ble::PalSecurityManager::confirmation_entered
      */
@@ -289,6 +304,7 @@ public:
      * @see ::ble::PalSecurityManager::generate_secure_connections_oob
      */
     ble_error_t generate_secure_connections_oob() final;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     /**
      * @see ::ble::PalSecurityManager::set_event_handler
@@ -309,17 +325,23 @@ public:
 
 private:
 
+#if BLE_FEATURE_SIGNING
     void cleanup_peer_csrks();
+#endif // BLE_FEATURE_SIGNING
 
     PalSecurityManagerEventHandler *_pal_event_handler;
 
     bool _use_default_passkey;
     passkey_num_t _default_passkey;
-    bool _lesc_keys_generated;
+#if BLE_FEATURE_SECURE_CONNECTIONS
-    uint8_t _public_key_x[SEC_ECC_KEY_LEN];
+    bool _lesc_keys_generated = false;
+    uint8_t _public_key_x[SEC_ECC_KEY_LEN] = {0};
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
     irk_t _irk;
+#if BLE_FEATURE_SIGNING
     csrk_t _csrk;
-    csrk_t *_peer_csrks[DM_CONN_MAX];
+    csrk_t *_peer_csrks[DM_CONN_MAX] = {0};
+#endif // BLE_FEATURE_SIGNING
 };
 
 } // namespace impl

connectivity/FEATURE_BLE/source/generic/SecurityManagerImpl.cpp

@@ -243,7 +243,7 @@ ble_error_t SecurityManager::generateWhitelistFromBondTable(::ble::whitelist_t *
 // Pairing
 //
 
-
+#if BLE_ROLE_CENTRAL
 ble_error_t SecurityManager::requestPairing(connection_handle_t connection)
 {
     if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
@@ -297,8 +297,9 @@ ble_error_t SecurityManager::requestPairing(connection_handle_t connection)
         responder_distribution
     );
 }
+#endif // BLE_ROLE_CENTRAL
 
-
+#if BLE_ROLE_PERIPHERAL
 ble_error_t SecurityManager::acceptPairingRequest(connection_handle_t connection)
 {
     if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
@@ -357,6 +358,7 @@ ble_error_t SecurityManager::acceptPairingRequest(connection_handle_t connection
         responder_distribution
     );
 }
+#endif
 
 
 ble_error_t SecurityManager::cancelPairingRequest(connection_handle_t connection)
@@ -405,7 +407,7 @@ ble_error_t SecurityManager::getPeerIdentity(connection_handle_t connection)
 // Feature support
 //
 
-
+#if BLE_FEATURE_SECURE_CONNECTIONS
 ble_error_t SecurityManager::allowLegacyPairing(bool allow)
 {
     _legacy_pairing_allowed = allow;
@@ -417,6 +419,7 @@ ble_error_t SecurityManager::getSecureConnectionsSupport(bool *enabled)
 {
     return _pal.get_secure_connections_support(*enabled);
 }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
 ////////////////////////////////////////////////////////////////////////////
 // Security settings
@@ -485,11 +488,13 @@ ble_error_t SecurityManager::setLinkSecurity(
         case SECURITY_MODE_ENCRYPTION_WITH_MITM:
             return setLinkEncryption(connection, link_encryption_t::ENCRYPTED_WITH_MITM);
 
+#if BLE_FEATURE_SIGNING
         case SECURITY_MODE_SIGNED_NO_MITM:
             return getSigningKey(connection, false);
 
         case SECURITY_MODE_SIGNED_WITH_MITM:
             return getSigningKey(connection, true);
+#endif // BLE_FEATURE_SIGNING
 
         default:
             return BLE_ERROR_INVALID_PARAM;
@@ -535,9 +540,17 @@ ble_error_t SecurityManager::enableSigning(
             /* create keys if needed and exchange them */
             init_signing();
             if (cb->is_master) {
+#if BLE_ROLE_CENTRAL
                 return requestPairing(connection);
+#else
+                return BLE_ERROR_NOT_IMPLEMENTED;
+#endif
             } else {
+#if BLE_ROLE_PERIPHERAL
                 return slave_security_request(connection);
+#else
+                return BLE_ERROR_NOT_IMPLEMENTED;
+#endif
             }
         }
     } else {
@@ -702,6 +715,7 @@ ble_error_t SecurityManager::setEncryptionKeyRequirements(
 // Keys
 //
 
+#if BLE_FEATURE_SIGNING
 ble_error_t SecurityManager::getSigningKey(connection_handle_t connection, bool authenticated)
 {
     if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
@@ -730,12 +744,21 @@ ble_error_t SecurityManager::getSigningKey(connection_handle_t connection, bool
         if (authenticated) {
             return requestAuthentication(connection);
         } else if (cb->is_master) {
+#if BLE_ROLE_CENTRAL
             return requestPairing(connection);
+#else
+            return BLE_ERROR_NOT_IMPLEMENTED;
+#endif
         } else {
+#if BLE_ROLE_PERIPHERAL
             return slave_security_request(connection);
+#else
+            return BLE_ERROR_NOT_IMPLEMENTED;
+#endif
         }
     }
 }
+#endif // BLE_FEATURE_SIGNING
 
 ////////////////////////////////////////////////////////////////////////////
 // Privacy
@@ -780,9 +803,17 @@ ble_error_t SecurityManager::requestAuthentication(connection_handle_t connectio
     } else {
         cb->mitm_requested = true;
         if (cb->is_master) {
+#if BLE_ROLE_CENTRAL
             return requestPairing(connection);
+#else
+            return BLE_ERROR_NOT_IMPLEMENTED;
+#endif
         } else {
+#if BLE_ROLE_PERIPHERAL
             return slave_security_request(connection);
+#else
+            return BLE_ERROR_NOT_IMPLEMENTED;
+#endif
         }
     }
 }
@@ -811,6 +842,7 @@ ble_error_t SecurityManager::generateOOB(
         return status;
     }
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /* Secure connections. Avoid generating if we're already waiting for it.
      * If a local random is set to 0 it means we're already calculating. */
     if (!is_all_zeros(_oob_local_random)) {
@@ -833,6 +865,7 @@ ble_error_t SecurityManager::generateOOB(
     } else {
         return BLE_STACK_BUSY;
     }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     return BLE_ERROR_NONE;
 }
@@ -860,7 +893,7 @@ ble_error_t SecurityManager::setOOBDataUsage(
     }
 }
 
-
+#if BLE_FEATURE_SECURE_CONNECTIONS
 ble_error_t SecurityManager::confirmationEntered(
     connection_handle_t connection,
     bool confirmation
@@ -869,7 +902,7 @@ ble_error_t SecurityManager::confirmationEntered(
     if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
     return _pal.confirmation_entered(connection, confirmation);
 }
-
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
 ble_error_t SecurityManager::passkeyEntered(
     connection_handle_t connection,
@@ -883,7 +916,7 @@ ble_error_t SecurityManager::passkeyEntered(
     );
 }
 
-
+#if BLE_FEATURE_SECURE_CONNECTIONS
 ble_error_t SecurityManager::sendKeypressNotification(
     connection_handle_t connection,
     ble::Keypress_t keypress
@@ -892,6 +925,7 @@ ble_error_t SecurityManager::sendKeypressNotification(
     if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
     return _pal.send_keypress_notification(connection, keypress);
 }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
 
 ble_error_t SecurityManager::legacyPairingOobReceived(
@@ -929,7 +963,7 @@ ble_error_t SecurityManager::legacyPairingOobReceived(
     return BLE_ERROR_NONE;
 }
 
-
+#if BLE_FEATURE_SECURE_CONNECTIONS
 ble_error_t SecurityManager::oobReceived(
     const address_t *address,
     const oob_lesc_value_t *random,
@@ -946,6 +980,7 @@ ble_error_t SecurityManager::oobReceived(
 
     return BLE_ERROR_INVALID_PARAM;
 }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
 ////////////////////////////////////////////////////////////////////////////
 // Helper functions
@@ -1104,6 +1139,7 @@ ble_error_t SecurityManager::get_random_data(uint8_t *buffer, size_t size)
 }
 
 
+#if BLE_ROLE_PERIPHERAL
 ble_error_t SecurityManager::slave_security_request(connection_handle_t connection)
 {
     if (!_db) return BLE_ERROR_INITIALIZATION_INCOMPLETE;
@@ -1115,6 +1151,7 @@ ble_error_t SecurityManager::slave_security_request(connection_handle_t connecti
     link_authentication.set_mitm(cb->mitm_requested);
     return _pal.slave_security_request(connection, link_authentication);
 }
+#endif // BLE_ROLE_PERIPHERAL
 
 
 ble_error_t SecurityManager::enable_encryption(connection_handle_t connection)
@@ -1131,6 +1168,7 @@ ble_error_t SecurityManager::enable_encryption(connection_handle_t connection)
     }
 
     if (cb->is_master) {
+#if BLE_ROLE_CENTRAL
         if (flags->ltk_stored) {
             _db->get_entry_peer_keys(
                 mbed::callback(this, &SecurityManager::enable_encryption_cb),
@@ -1140,12 +1178,19 @@ ble_error_t SecurityManager::enable_encryption(connection_handle_t connection)
         } else {
             return requestPairing(connection);
         }
+#else
+        return BLE_ERROR_NOT_IMPLEMENTED;
+#endif // BLE_ROLE_CENTRAL
     } else {
+#if BLE_ROLE_PERIPHERAL
         return slave_security_request(connection);
+#else
+        return BLE_ERROR_NOT_IMPLEMENTED;
+#endif // BLE_ROLE_PERIPHERAL
     }
 }
 
-
+#if BLE_ROLE_CENTRAL
 void SecurityManager::enable_encryption_cb(
     SecurityDb::entry_handle_t db_entry,
     const SecurityEntryKeys_t* entryKeys
@@ -1163,14 +1208,17 @@ void SecurityManager::enable_encryption_cb(
     }
 
     if (entryKeys) {
+#if BLE_FEATURE_SECURE_CONNECTIONS
         if (flags->secure_connections_paired) {
             _pal.enable_encryption(cb->connection, entryKeys->ltk, flags->ltk_mitm_protected);
-        } else {
+        } else
+#endif
+        {
             _pal.enable_encryption(cb->connection, entryKeys->ltk, entryKeys->rand, entryKeys->ediv, flags->ltk_mitm_protected);
         }
     }
 }
-
+#endif
 
 void SecurityManager::set_ltk_cb(
     SecurityDb::entry_handle_t db_entry,
@@ -1200,7 +1248,7 @@ void SecurityManager::set_ltk_cb(
     }
 }
 
-
+#if BLE_FEATURE_SIGNING
 void SecurityManager::set_peer_csrk_cb(
     SecurityDb::entry_handle_t db_entry,
     const SecurityEntrySigning_t* signing
@@ -1247,7 +1295,7 @@ void SecurityManager::return_csrk_cb(
         flags->csrk_mitm_protected
     );
 }
-
+#endif // BLE_FEATURE_SIGNING
 
 void SecurityManager::update_oob_presence(connection_handle_t connection)
 {
@@ -1410,7 +1458,7 @@ void SecurityManager::on_identity_list_retrieved(
 // Pairing
 //
 
-
+#if BLE_ROLE_PERIPHERAL
 void SecurityManager::on_pairing_request(
     connection_handle_t connection,
     bool use_oob,
@@ -1441,7 +1489,7 @@ void SecurityManager::on_pairing_request(
         acceptPairingRequest(connection);
     }
 }
-
+#endif // BLE_ROLE_PERIPHERAL
 
 void SecurityManager::on_pairing_error(
     connection_handle_t connection,
@@ -1505,7 +1553,7 @@ void SecurityManager::on_valid_mic_timeout(connection_handle_t connection)
     (void)connection;
 }
 
-
+#if BLE_FEATURE_SIGNING
 void SecurityManager::on_signed_write_received(
     connection_handle_t connection,
     sign_count_t sign_counter
@@ -1538,9 +1586,13 @@ void SecurityManager::on_signed_write_verification_failure(
         if (cb->csrk_failures == 3) {
             cb->csrk_failures = 0;
             if (cb->is_master) {
+#if BLE_ROLE_CENTRAL
                 requestPairing(connection);
+#endif
             } else {
+#if BLE_ROLE_PERIPHERAL
                 slave_security_request(connection);
+#endif
             }
         }
     }
@@ -1552,8 +1604,9 @@ void SecurityManager::on_signed_write()
     MBED_ASSERT(_db);
     _db->set_local_sign_counter(_db->get_local_sign_counter() + 1);
 }
+#endif // BLE_FEATURE_SIGNING
 
-
+#if BLE_ROLE_CENTRAL
 void SecurityManager::on_slave_security_request(
     connection_handle_t connection,
     AuthenticationMask authentication
@@ -1589,6 +1642,7 @@ void SecurityManager::on_slave_security_request(
         enable_encryption(connection);
     }
 }
+#endif // BLE_ROLE_CENTRAL
 
 ////////////////////////////////////////////////////////////////////////////
 // Encryption
@@ -1622,7 +1676,9 @@ void SecurityManager::on_link_encryption_result(
         cb->authenticated = true;
         cb->encrypted = true;
 
-    } else if (result == link_encryption_t::NOT_ENCRYPTED
+    }
+#if BLE_ROLE_CENTRAL
+    else if (result == link_encryption_t::NOT_ENCRYPTED
                && cb->encryption_requested
                && !cb->encryption_failed) {
 
@@ -1633,6 +1689,7 @@ void SecurityManager::on_link_encryption_result(
         /* don't return an event yet since we are retrying */
         return;
     }
+#endif // BLE_ROLE_CENTRAL
 
     eventHandler->linkEncryptionResult(connection, result);
 }
@@ -1662,55 +1719,12 @@ void SecurityManager::on_passkey_display(
     eventHandler->passkeyDisplay(connection, PasskeyAscii(passkey).value());
 }
 
-
-void SecurityManager::on_keypress_notification(
-    connection_handle_t connection,
-    ble::Keypress_t keypress
-)
-{
-    set_mitm_performed(connection);
-    eventHandler->keypressNotification(connection, keypress);
-}
-
-
 void SecurityManager::on_passkey_request(connection_handle_t connection)
 {
     set_mitm_performed(connection);
     eventHandler->passkeyRequest(connection);
 }
 
-
-void SecurityManager::on_confirmation_request(connection_handle_t connection)
-{
-    set_mitm_performed(connection);
-    eventHandler->confirmationRequest(connection);
-}
-
-
-void SecurityManager::on_secure_connections_oob_request(connection_handle_t connection)
-{
-    set_mitm_performed(connection);
-
-    ControlBlock_t *cb = get_control_block(connection);
-    if (!cb) {
-        return;
-    }
-
-    SecurityDistributionFlags_t* flags = _db->get_distribution_flags(cb->db_entry);
-    if (!flags) {
-        return;
-    }
-
-    if (flags->peer_address == _oob_peer_address) {
-        _pal.secure_connections_oob_request_reply(connection, _oob_local_random, _oob_peer_random, _oob_peer_confirm);
-        /* do not re-use peer OOB */
-        set_all_zeros(_oob_peer_address);
-    } else {
-        _pal.cancel_pairing(connection, pairing_failure_t::OOB_NOT_AVAILABLE);
-    }
-}
-
-
 void SecurityManager::on_legacy_pairing_oob_request(connection_handle_t connection)
 {
     MBED_ASSERT(_db);
@@ -1743,6 +1757,44 @@ void SecurityManager::on_legacy_pairing_oob_request(connection_handle_t connecti
     }
 }
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
+void SecurityManager::on_keypress_notification(
+    connection_handle_t connection,
+    ble::Keypress_t keypress
+)
+{
+    set_mitm_performed(connection);
+    eventHandler->keypressNotification(connection, keypress);
+}
+
+void SecurityManager::on_confirmation_request(connection_handle_t connection)
+{
+    set_mitm_performed(connection);
+    eventHandler->confirmationRequest(connection);
+}
+
+void SecurityManager::on_secure_connections_oob_request(connection_handle_t connection)
+{
+    set_mitm_performed(connection);
+
+    ControlBlock_t *cb = get_control_block(connection);
+    if (!cb) {
+        return;
+    }
+
+    SecurityDistributionFlags_t* flags = _db->get_distribution_flags(cb->db_entry);
+    if (!flags) {
+        return;
+    }
+
+    if (flags->peer_address == _oob_peer_address) {
+        _pal.secure_connections_oob_request_reply(connection, _oob_local_random, _oob_peer_random, _oob_peer_confirm);
+        /* do not re-use peer OOB */
+        set_all_zeros(_oob_peer_address);
+    } else {
+        _pal.cancel_pairing(connection, pairing_failure_t::OOB_NOT_AVAILABLE);
+    }
+}
 
 void SecurityManager::on_secure_connections_oob_generated(
     const oob_lesc_value_t &random,
@@ -1752,12 +1804,13 @@ void SecurityManager::on_secure_connections_oob_generated(
     eventHandler->oobGenerated(&_oob_local_address, &random, &confirm);
     _oob_local_random = random;
 }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
 ////////////////////////////////////////////////////////////////////////////
 // Keys
 //
 
-
+#if BLE_FEATURE_SECURE_CONNECTIONS
 void SecurityManager::on_secure_connections_ltk_generated(
     connection_handle_t connection,
     const ltk_t &ltk
@@ -1780,6 +1833,7 @@ void SecurityManager::on_secure_connections_ltk_generated(
     _db->set_entry_peer_ltk(cb->db_entry, ltk);
     _db->set_entry_local_ltk(cb->db_entry, ltk);
 }
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
 
 void SecurityManager::on_keys_distributed_ltk(
@@ -1895,7 +1949,7 @@ void SecurityManager::on_keys_distributed_bdaddr(
     );
 }
 
-
+#if BLE_FEATURE_SIGNING
 void SecurityManager::on_keys_distributed_csrk(
     connection_handle_t connection,
     const csrk_t &csrk
@@ -1921,6 +1975,7 @@ void SecurityManager::on_keys_distributed_csrk(
         flags->csrk_mitm_protected
     );
 }
+#endif // BLE_FEATURE_SIGNING
 
 
 void SecurityManager::on_ltk_request(

connectivity/FEATURE_BLE/source/generic/SecurityManagerImpl.h

@@ -46,8 +46,11 @@ namespace impl {
 
 class SecurityManager :
     public ble::PalSecurityManagerEventHandler,
-    public ble::PalConnectionMonitorEventHandler,
+    public ble::PalConnectionMonitorEventHandler
-    public ble::PalSigningMonitorEventHandler {
+#if BLE_FEATURE_SIGNING
+    , public ble::PalSigningMonitorEventHandler
+#endif // BLE_FEATURE_SIGNING
+    {
     friend class ble::PalConnectionMonitorEventHandler;
 
     friend PalGenericAccessService;
@@ -94,9 +97,13 @@ public:
     // Pairing
     //
 
+#if BLE_ROLE_CENTRAL
     ble_error_t requestPairing(ble::connection_handle_t connectionHandle);
+#endif // BLE_ROLE_CENTRAL
 
+#if BLE_ROLE_PERIPHERAL
     ble_error_t acceptPairingRequest(ble::connection_handle_t connectionHandle);
+#endif // BLE_ROLE_PERIPHERAL
 
     ble_error_t cancelPairingRequest(ble::connection_handle_t connectionHandle);
 
@@ -107,10 +114,11 @@ public:
     ////////////////////////////////////////////////////////////////////////////
     // Feature support
     //
-
+#if BLE_FEATURE_SECURE_CONNECTIONS
     ble_error_t allowLegacyPairing(bool allow = true);
 
     ble_error_t getSecureConnectionsSupport(bool *enabled);
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     ////////////////////////////////////////////////////////////////////////////
     // Security settings
@@ -161,26 +169,27 @@ public:
 
     ble_error_t setOOBDataUsage(ble::connection_handle_t connectionHandle, bool useOOB, bool OOBProvidesMITM = true);
 
-    ble_error_t confirmationEntered(ble::connection_handle_t connectionHandle, bool confirmation);
-
     ble_error_t passkeyEntered(ble::connection_handle_t connectionHandle, Passkey_t passkey);
 
-    ble_error_t sendKeypressNotification(ble::connection_handle_t connectionHandle, ble::Keypress_t keypress);
-
     ble_error_t legacyPairingOobReceived(const ble::address_t *address, const ble::oob_tk_t *tk);
+#if BLE_FEATURE_SECURE_CONNECTIONS
+    ble_error_t confirmationEntered(ble::connection_handle_t connectionHandle, bool confirmation);
+
+    ble_error_t sendKeypressNotification(ble::connection_handle_t connectionHandle, ble::Keypress_t keypress);
 
     ble_error_t oobReceived(
         const ble::address_t *address,
         const ble::oob_lesc_value_t *random,
         const ble::oob_confirm_t *confirm
     );
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     ////////////////////////////////////////////////////////////////////////////
     // Keys
     //
-
+#if BLE_FEATURE_SIGNING
     ble_error_t getSigningKey(ble::connection_handle_t connectionHandle, bool authenticated);
-
+#endif // BLE_FEATURE_SIGNING
     ////////////////////////////////////////////////////////////////////////////
     // Privacy
     //
@@ -241,6 +250,7 @@ private:
     // Pairing
     //
 
+#if BLE_ROLE_PERIPHERAL
     /** @copydoc PalSecurityManager::on_pairing_request
      */
     void on_pairing_request(
@@ -250,6 +260,7 @@ private:
         KeyDistribution initiator_dist,
         KeyDistribution responder_dist
     ) override;
+#endif
 
     /** @copydoc PalSecurityManager::on_pairing_error
      */
@@ -280,6 +291,7 @@ private:
         connection_handle_t connection
     ) override;
 
+#if BLE_FEATURE_SIGNING
     /** @copydoc PalSecurityManager::on_signed_write_received
      */
     void on_signed_write_received(
@@ -296,13 +308,16 @@ private:
     /** @copydoc PalSecurityManager::on_signed_write
      */
     void on_signed_write() override;
+#endif // BLE_FEATURE_SIGNING
 
+#if BLE_ROLE_CENTRAL
     /** @copydoc PalSecurityManager::on_slave_security_request
      */
     void on_slave_security_request(
         connection_handle_t connection,
         AuthenticationMask authentication
     ) override;
+#endif // BLE_ROLE_CENTRAL
 
     ////////////////////////////////////////////////////////////////////////////
     // Encryption
@@ -332,12 +347,14 @@ private:
         passkey_num_t passkey
     ) override;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /** @copydoc PalSecurityManager::on_keypress_notification
      */
     void on_keypress_notification(
         connection_handle_t connection,
         ble::Keypress_t keypress
     ) override;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     /** @copydoc PalSecurityManager::on_passkey_request
      */
@@ -345,6 +362,7 @@ private:
         connection_handle_t connection
     ) override;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /** @copydoc PalSecurityManager::on_confirmation_request
      */
     void on_confirmation_request(
@@ -356,6 +374,7 @@ private:
     void on_secure_connections_oob_request(
         connection_handle_t connection
     ) override;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     /** @copydoc PalSecurityManager::on_legacy_pairing_oob_request
      */
@@ -363,23 +382,27 @@ private:
         connection_handle_t connection
     ) override;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /** @copydoc PalSecurityManager::on_secure_connections_oob_generated
      */
     void on_secure_connections_oob_generated(
         const oob_lesc_value_t &random,
         const oob_confirm_t &confirm
     ) override;
+#endif
 
     ////////////////////////////////////////////////////////////////////////////
     // Keys
     //
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /** @copydoc PalSecurityManager::on_secure_connections_ltk_generated
      */
     void on_secure_connections_ltk_generated(
         connection_handle_t connection,
         const ltk_t &ltk
     ) override;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     /** @copydoc PalSecurityManager::on_keys_distributed_ltk
      */
@@ -426,12 +449,14 @@ private:
         const address_t &peer_identity_address
     ) override;
 
+#if BLE_FEATURE_SIGNING
     /** @copydoc PalSecurityManager::on_keys_distributed_csrk
      */
     void on_keys_distributed_csrk(
         connection_handle_t connection,
         const csrk_t &csrk
     ) override;
+#endif // BLE_FEATURE_SIGNING
 
     /** @copydoc PalSecurityManager::on_ltk_requeston_ltk_request
      */
@@ -516,9 +541,11 @@ private:
         size_t size
     );
 
+#if BLE_ROLE_PERIPHERAL
     ble_error_t slave_security_request(
         connection_handle_t connection
     );
+#endif
 
     ble_error_t enable_encryption(
         connection_handle_t connection
@@ -534,6 +561,7 @@ private:
         const SecurityEntryKeys_t *entryKeys
     );
 
+#if BLE_FEATURE_SIGNING
     void return_csrk_cb(
         SecurityDb::entry_handle_t connection,
         const SecurityEntrySigning_t *signing
@@ -543,6 +571,7 @@ private:
         SecurityDb::entry_handle_t connection,
         const SecurityEntrySigning_t *signing
     );
+#endif
 
     void update_oob_presence(
         connection_handle_t connection

connectivity/FEATURE_BLE/source/pal/PalSecurityManager.h

@@ -212,6 +212,7 @@ public:
     // Pairing
     //
 
+#if BLE_ROLE_PERIPHERAL
     /**
      * Request pairing. This is called on the slave in response to a request from the master.
      * Upper layer shall either send a pairing response (send_pairing_response)
@@ -230,6 +231,7 @@ public:
         KeyDistribution initiator_dist,
         KeyDistribution responder_dist
     ) = 0;
+#endif
 
     /**
      * Indicate that the pairing has failed.
@@ -277,6 +279,7 @@ public:
         connection_handle_t connection
     ) = 0;
 
+#if BLE_ROLE_CENTRAL
     /**
      * Ask the stack to evaluate the security request received from the slave.
      * This might result in the stack enabling encryption, or pairing/re-pairing.
@@ -288,6 +291,7 @@ public:
         connection_handle_t connection,
         AuthenticationMask authentication
     ) = 0;
+#endif
 
     ////////////////////////////////////////////////////////////////////////////
     // Encryption
@@ -330,6 +334,7 @@ public:
         passkey_num_t passkey
     ) = 0;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * Indicate that user confirmation is required to confirm matching
      * passkeys displayed on devices.
@@ -340,6 +345,7 @@ public:
     virtual void on_confirmation_request(
         connection_handle_t connection
     ) = 0;
+#endif
 
     /**
      * Request the passkey entered during pairing.
@@ -352,6 +358,7 @@ public:
         connection_handle_t connection
     ) = 0;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * Indicate that a key has been pressed by the peer.
      *
@@ -374,6 +381,7 @@ public:
     virtual void on_secure_connections_oob_request(
         connection_handle_t connection
     ) = 0;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     /**
      * Request OOB data from the user application.
@@ -386,6 +394,7 @@ public:
         connection_handle_t connection
     ) = 0;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * Send OOB data to the application for transport to the peer.
      *
@@ -399,11 +408,13 @@ public:
         const oob_lesc_value_t &random,
         const oob_confirm_t &confirm
     ) = 0;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     ////////////////////////////////////////////////////////////////////////////
     // Keys
     //
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * Store the results of key generation of the stage 2 of secure connections pairing
      * @see BLUETOOTH SPECIFICATION Version 5.0 | Vol 3, Part H - 2.3.5.6.5
@@ -415,6 +426,7 @@ public:
         connection_handle_t connection,
         const ltk_t &ltk
     ) = 0;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     /**
      * Store the results of key distribution after LTK has been received.
@@ -491,6 +503,7 @@ public:
         const address_t &peer_identity_address
     ) = 0;
 
+#if BLE_FEATURE_SIGNING
     /**
      * Store the peer's CSRK after it has been distributed.
      *
@@ -501,6 +514,7 @@ public:
         connection_handle_t connection,
         const csrk_t &csrk
     ) = 0;
+#endif // BLE_FEATURE_SIGNING
 
     /**
      * Request the LTK since the peer is asking us to encrypt the link. We need to
@@ -563,6 +577,7 @@ public:
     // Pairing
     //
 
+#if BLE_ROLE_CENTRAL
     /**
      * Send a pairing request to a slave.
      *
@@ -581,7 +596,9 @@ public:
         KeyDistribution initiator_dist,
         KeyDistribution responder_dist
     ) = 0;
+#endif // BLE_ROLE_CENTRAL
 
+#if BLE_ROLE_PERIPHERAL
     /**
      * Send a pairing response to a master.
      *
@@ -600,6 +617,7 @@ public:
         KeyDistribution initiator_dist,
         KeyDistribution responder_dist
     ) = 0;
+#endif // BLE_ROLE_PERIPHERAL
 
     /**
      * Cancel an ongoing pairing.
@@ -686,6 +704,7 @@ public:
         uint8_t max_encryption_key_size
     ) = 0;
 
+#if BLE_ROLE_PERIPHERAL
     /**
      * Request change of security level from the master. This is called by the slave when
      * it needs to elevate the security level as it can't change it itself. This will be
@@ -700,11 +719,13 @@ public:
         connection_handle_t connection,
         AuthenticationMask authentication
     ) = 0;
+#endif
 
     ////////////////////////////////////////////////////////////////////////////
     // Encryption
     //
 
+#if BLE_ROLE_CENTRAL
     /**
      * Enabled encryption using the LTK given. The EDIV and RAND will be sent to the peer and
      * used to identify the LTK. This is called by the master. This will refresh the key if
@@ -725,6 +746,7 @@ public:
         bool mitm
     ) = 0;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * Enabled encryption using the LTK given on a connection established with secure
      * connections pairing.
@@ -739,6 +761,8 @@ public:
         const ltk_t &ltk,
         bool mitm
     ) = 0;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
+#endif // BLE_ROLE_CENTRAL
 
     /**
      * Encrypt data with a given key. This uses the facility on the controller to
@@ -804,6 +828,7 @@ public:
         const address_t &address, bool public_address
     ) = 0;
 
+#if BLE_FEATURE_SIGNING
     /**
      * Set the local CSRK.
      *
@@ -833,6 +858,7 @@ public:
     ) = 0;
 
     virtual ble_error_t remove_peer_csrk(connection_handle_t connection) = 0;
+#endif // BLE_FEATURE_SIGNING
 
     ////////////////////////////////////////////////////////////////////////////
     // Authentication
@@ -887,6 +913,7 @@ public:
         passkey_num_t passkey
     ) = 0;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * Reply to a Secure Connections oob data request received from the EventHandler.
      *
@@ -903,6 +930,7 @@ public:
         const oob_lesc_value_t &peer_random,
         const oob_confirm_t &peer_confirm
     ) = 0;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     /**
      * Reply to a legacy pairing oob data request received from the EventHandler.
@@ -916,6 +944,7 @@ public:
         const oob_tk_t &oob_data
     ) = 0;
 
+#if BLE_FEATURE_SECURE_CONNECTIONS
     /**
      * Notify the stack that the user has confirmed the values during numerical
      * comparison stage of pairing.
@@ -942,11 +971,13 @@ public:
         ble::Keypress_t keypress
     ) = 0;
 
+
     /**
      * Generate local OOB data to be sent to the application which sends it to the peer.
      * @return BLE_ERROR_NONE On success, else an error code indicating reason for failure
      */
     virtual ble_error_t generate_secure_connections_oob() = 0;
+#endif // BLE_FEATURE_SECURE_CONNECTIONS
 
     /* Entry points for the underlying stack to report events back to the user. */