From 822e7c66ae36691d6b82a82542177665ff06276b Mon Sep 17 00:00:00 2001
From: Jouni Malinen <j@w1.fi>
Date: Sun, 18 Aug 2019 15:23:12 +0300
Subject: [PATCH] EAP server: Use struct eap_config to avoid duplicated
 definitions

Use struct eap_config as-is within struct eap_sm and EAPOL authenticator
to avoid having to duplicate all the configuration variables at each
interface. Split the couple of session specific variables into a
separate struct to allow a single const struct eap_config to be used.

Signed-off-by: Jouni Malinen <j@w1.fi>
---
 eap_example/eap_example_server.c       |   6 +-
 src/ap/hostapd.h                       |   1 +
 src/ap/ieee802_1x.c                    |  87 ++++++---
 src/eap_server/eap.h                   | 126 ++++++++++++-
 src/eap_server/eap_i.h                 |  36 +---
 src/eap_server/eap_server.c            | 120 +++++-------
 src/eap_server/eap_server_aka.c        |  46 ++---
 src/eap_server/eap_server_eke.c        |  19 +-
 src/eap_server/eap_server_fast.c       |  49 ++---
 src/eap_server/eap_server_gpsk.c       |  21 ++-
 src/eap_server/eap_server_ikev2.c      |  10 +-
 src/eap_server/eap_server_mschapv2.c   |   4 +-
 src/eap_server/eap_server_peap.c       |  17 +-
 src/eap_server/eap_server_psk.c        |  16 +-
 src/eap_server/eap_server_pwd.c        |   4 +-
 src/eap_server/eap_server_sake.c       |  14 +-
 src/eap_server/eap_server_sim.c        |  36 ++--
 src/eap_server/eap_server_teap.c       |  67 +++----
 src/eap_server/eap_server_tls.c        |  11 +-
 src/eap_server/eap_server_tls_common.c |  37 ++--
 src/eap_server/eap_server_tnc.c        |   6 +-
 src/eap_server/eap_server_ttls.c       |  13 +-
 src/eap_server/eap_server_wsc.c        |  10 +-
 src/eapol_auth/eapol_auth_sm.c         |  90 +--------
 src/eapol_auth/eapol_auth_sm.h         |  27 +--
 src/radius/radius_server.c             | 250 +++++--------------------
 26 files changed, 486 insertions(+), 637 deletions(-)

diff --git a/eap_example/eap_example_server.c b/eap_example/eap_example_server.c
index 145bb9f7e..1e91fa8ed 100644
--- a/eap_example/eap_example_server.c
+++ b/eap_example/eap_example_server.c
@@ -207,6 +207,8 @@ static int eap_server_register_methods(void)
 
 int eap_example_server_init(void)
 {
+	struct eap_session_data eap_sess;
+
 	if (eap_server_register_methods() < 0)
 		return -1;
 
@@ -223,7 +225,9 @@ int eap_example_server_init(void)
 	eap_conf.eap_server = 1;
 	eap_conf.ssl_ctx = eap_ctx.tls_ctx;
 
-	eap_ctx.eap = eap_server_sm_init(&eap_ctx, &eap_cb, &eap_conf);
+	os_memset(&eap_sess, 0, sizeof(eap_sess));
+	eap_ctx.eap = eap_server_sm_init(&eap_ctx, &eap_cb, &eap_conf,
+					 &eap_sess);
 	if (eap_ctx.eap == NULL)
 		return -1;
 
diff --git a/src/ap/hostapd.h b/src/ap/hostapd.h
index 518c7f10b..5ae36e1f1 100644
--- a/src/ap/hostapd.h
+++ b/src/ap/hostapd.h
@@ -186,6 +186,7 @@ struct hostapd_data {
 
 	struct wpa_authenticator *wpa_auth;
 	struct eapol_authenticator *eapol_auth;
+	struct eap_config *eap_cfg;
 
 	struct rsn_preauth_interface *preauth_iface;
 	struct os_reltime michael_mic_failure;
diff --git a/src/ap/ieee802_1x.c b/src/ap/ieee802_1x.c
index a7a090190..34637f35e 100644
--- a/src/ap/ieee802_1x.c
+++ b/src/ap/ieee802_1x.c
@@ -2403,6 +2403,56 @@ static int ieee802_1x_erp_add_key(void *ctx, struct eap_server_erp_key *erp)
 #endif /* CONFIG_ERP */
 
 
+static struct eap_config * ieee802_1x_eap_config(struct hostapd_data *hapd)
+{
+	struct eap_config *cfg;
+
+	cfg = os_zalloc(sizeof(*cfg));
+	if (!cfg)
+		return NULL;
+
+	cfg->eap_server = hapd->conf->eap_server;
+	cfg->ssl_ctx = hapd->ssl_ctx;
+	cfg->msg_ctx = hapd->msg_ctx;
+	cfg->eap_sim_db_priv = hapd->eap_sim_db_priv;
+	cfg->tls_session_lifetime = hapd->conf->tls_session_lifetime;
+	cfg->tls_flags = hapd->conf->tls_flags;
+	if (hapd->conf->pac_opaque_encr_key)
+		cfg->pac_opaque_encr_key =
+			os_memdup(hapd->conf->pac_opaque_encr_key, 16);
+	if (hapd->conf->eap_fast_a_id) {
+		cfg->eap_fast_a_id = os_memdup(hapd->conf->eap_fast_a_id,
+					       hapd->conf->eap_fast_a_id_len);
+		cfg->eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
+	}
+	if (hapd->conf->eap_fast_a_id_info)
+		cfg->eap_fast_a_id_info =
+			os_strdup(hapd->conf->eap_fast_a_id_info);
+	cfg->eap_fast_prov = hapd->conf->eap_fast_prov;
+	cfg->pac_key_lifetime = hapd->conf->pac_key_lifetime;
+	cfg->pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
+	cfg->eap_teap_auth = hapd->conf->eap_teap_auth;
+	cfg->eap_teap_separate_result = hapd->conf->eap_teap_separate_result;
+	cfg->eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
+	cfg->eap_sim_id = hapd->conf->eap_sim_id;
+	cfg->tnc = hapd->conf->tnc;
+	cfg->wps = hapd->wps;
+	cfg->fragment_size = hapd->conf->fragment_size;
+	cfg->pwd_group = hapd->conf->pwd_group;
+	cfg->pbc_in_m1 = hapd->conf->pbc_in_m1;
+	if (hapd->conf->server_id) {
+		cfg->server_id = (u8 *) os_strdup(hapd->conf->server_id);
+		cfg->server_id_len = os_strlen(hapd->conf->server_id);
+	} else {
+		cfg->server_id = (u8 *) os_strdup("hostapd");
+		cfg->server_id_len = 7;
+	}
+	cfg->erp = hapd->conf->eap_server_erp;
+
+	return cfg;
+}
+
+
 int ieee802_1x_init(struct hostapd_data *hapd)
 {
 	int i;
@@ -2411,45 +2461,19 @@ int ieee802_1x_init(struct hostapd_data *hapd)
 
 	dl_list_init(&hapd->erp_keys);
 
+	hapd->eap_cfg = ieee802_1x_eap_config(hapd);
+	if (!hapd->eap_cfg)
+		return -1;
 	os_memset(&conf, 0, sizeof(conf));
+	conf.eap_cfg = hapd->eap_cfg;
 	conf.ctx = hapd;
 	conf.eap_reauth_period = hapd->conf->eap_reauth_period;
 	conf.wpa = hapd->conf->wpa;
 	conf.individual_wep_key_len = hapd->conf->individual_wep_key_len;
-	conf.eap_server = hapd->conf->eap_server;
-	conf.ssl_ctx = hapd->ssl_ctx;
-	conf.msg_ctx = hapd->msg_ctx;
-	conf.eap_sim_db_priv = hapd->eap_sim_db_priv;
 	conf.eap_req_id_text = hapd->conf->eap_req_id_text;
 	conf.eap_req_id_text_len = hapd->conf->eap_req_id_text_len;
 	conf.erp_send_reauth_start = hapd->conf->erp_send_reauth_start;
 	conf.erp_domain = hapd->conf->erp_domain;
-	conf.erp = hapd->conf->eap_server_erp;
-	conf.tls_session_lifetime = hapd->conf->tls_session_lifetime;
-	conf.tls_flags = hapd->conf->tls_flags;
-	conf.pac_opaque_encr_key = hapd->conf->pac_opaque_encr_key;
-	conf.eap_fast_a_id = hapd->conf->eap_fast_a_id;
-	conf.eap_fast_a_id_len = hapd->conf->eap_fast_a_id_len;
-	conf.eap_fast_a_id_info = hapd->conf->eap_fast_a_id_info;
-	conf.eap_fast_prov = hapd->conf->eap_fast_prov;
-	conf.pac_key_lifetime = hapd->conf->pac_key_lifetime;
-	conf.pac_key_refresh_time = hapd->conf->pac_key_refresh_time;
-	conf.eap_teap_auth = hapd->conf->eap_teap_auth;
-	conf.eap_teap_separate_result = hapd->conf->eap_teap_separate_result;
-	conf.eap_sim_aka_result_ind = hapd->conf->eap_sim_aka_result_ind;
-	conf.eap_sim_id = hapd->conf->eap_sim_id;
-	conf.tnc = hapd->conf->tnc;
-	conf.wps = hapd->wps;
-	conf.fragment_size = hapd->conf->fragment_size;
-	conf.pwd_group = hapd->conf->pwd_group;
-	conf.pbc_in_m1 = hapd->conf->pbc_in_m1;
-	if (hapd->conf->server_id) {
-		conf.server_id = (const u8 *) hapd->conf->server_id;
-		conf.server_id_len = os_strlen(hapd->conf->server_id);
-	} else {
-		conf.server_id = (const u8 *) "hostapd";
-		conf.server_id_len = 7;
-	}
 
 	os_memset(&cb, 0, sizeof(cb));
 	cb.eapol_send = ieee802_1x_eapol_send;
@@ -2520,6 +2544,9 @@ void ieee802_1x_deinit(struct hostapd_data *hapd)
 	eapol_auth_deinit(hapd->eapol_auth);
 	hapd->eapol_auth = NULL;
 
+	eap_server_config_free(hapd->eap_cfg);
+	hapd->eap_cfg = NULL;
+
 	ieee802_1x_erp_flush(hapd);
 }
 
diff --git a/src/eap_server/eap.h b/src/eap_server/eap.h
index 8ce499aea..6988e0b0f 100644
--- a/src/eap_server/eap.h
+++ b/src/eap_server/eap.h
@@ -108,39 +108,151 @@ struct eapol_callbacks {
 };
 
 struct eap_config {
+	/**
+	 * ssl_ctx - TLS context
+	 *
+	 * This is passed to the EAP server implementation as a callback
+	 * context for TLS operations.
+	 */
 	void *ssl_ctx;
 	void *msg_ctx;
+
+	/**
+	 * eap_sim_db_priv - EAP-SIM/AKA database context
+	 *
+	 * This is passed to the EAP-SIM/AKA server implementation as a
+	 * callback context.
+	 */
 	void *eap_sim_db_priv;
 	Boolean backend_auth;
 	int eap_server;
+
+	/**
+	 * pwd_group - The D-H group assigned for EAP-pwd
+	 *
+	 * If EAP-pwd is not used it can be set to zero.
+	 */
 	u16 pwd_group;
+
+	/**
+	 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
+	 *
+	 * This parameter is used to set a key for EAP-FAST to encrypt the
+	 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
+	 * set, must point to a 16-octet key.
+	 */
 	u8 *pac_opaque_encr_key;
+
+	/**
+	 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
+	 *
+	 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
+	 * is a variable length field, but due to some existing implementations
+	 * requiring A-ID to be 16 octets in length, it is recommended to use
+	 * that length for the field to provide interoperability with deployed
+	 * peer implementations.
+	 */
 	u8 *eap_fast_a_id;
+
+	/**
+	 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
+	 */
 	size_t eap_fast_a_id_len;
+	/**
+	 * eap_fast_a_id_info - EAP-FAST authority identifier information
+	 *
+	 * This A-ID-Info contains a user-friendly name for the A-ID. For
+	 * example, this could be the enterprise and server names in
+	 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
+	 * is not used, this can be set to %NULL.
+	 */
 	char *eap_fast_a_id_info;
-	int eap_fast_prov;
+
+	/**
+	 * eap_fast_prov - EAP-FAST provisioning modes
+	 *
+	 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
+	 * 2 = only authenticated provisioning allowed, 3 = both provisioning
+	 * modes allowed.
+	 */
+	enum {
+		NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
+	} eap_fast_prov;
+
+	/**
+	 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
+	 *
+	 * This is the hard limit on how long a provisioned PAC-Key can be
+	 * used.
+	 */
 	int pac_key_lifetime;
+
+	/**
+	 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
+	 *
+	 * This is a soft limit on the PAC-Key. The server will automatically
+	 * generate a new PAC-Key when this number of seconds (or fewer) of the
+	 * lifetime remains.
+	 */
 	int pac_key_refresh_time;
 	int eap_teap_auth;
 	int eap_teap_pac_no_inner;
 	int eap_teap_separate_result;
+
+	/**
+	 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
+	 *
+	 * This controls whether the protected success/failure indication
+	 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
+	 */
 	int eap_sim_aka_result_ind;
 	int eap_sim_id;
+
+	/**
+	 * tnc - Trusted Network Connect (TNC)
+	 *
+	 * This controls whether TNC is enabled and will be required before the
+	 * peer is allowed to connect. Note: This is only used with EAP-TTLS
+	 * and EAP-FAST. If any other EAP method is enabled, the peer will be
+	 * allowed to connect without TNC.
+	 */
 	int tnc;
+
+	/**
+	 * wps - Wi-Fi Protected Setup context
+	 *
+	 * If WPS is used with an external RADIUS server (which is quite
+	 * unlikely configuration), this is used to provide a pointer to WPS
+	 * context data. Normally, this can be set to %NULL.
+	 */
 	struct wps_context *wps;
-	const struct wpabuf *assoc_wps_ie;
-	const struct wpabuf *assoc_p2p_ie;
-	const u8 *peer_addr;
 	int fragment_size;
 
 	int pbc_in_m1;
 
-	const u8 *server_id;
+	/**
+	 * server_id - Server identity
+	 */
+	u8 *server_id;
 	size_t server_id_len;
+
+	/**
+	 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
+	 *
+	 * This controls whether the authentication server derives ERP key
+	 * hierarchy (rRK and rIK) from full EAP authentication and allows
+	 * these keys to be used to perform ERP to derive rMSK instead of full
+	 * EAP authentication to derive MSK.
+	 */
 	int erp;
 	unsigned int tls_session_lifetime;
 	unsigned int tls_flags;
+};
 
+struct eap_session_data {
+	const struct wpabuf *assoc_wps_ie;
+	const struct wpabuf *assoc_p2p_ie;
+	const u8 *peer_addr;
 #ifdef CONFIG_TESTING_OPTIONS
 	u32 tls_test_flags;
 #endif /* CONFIG_TESTING_OPTIONS */
@@ -149,7 +261,8 @@ struct eap_config {
 
 struct eap_sm * eap_server_sm_init(void *eapol_ctx,
 				   const struct eapol_callbacks *eapol_cb,
-				   struct eap_config *eap_conf);
+				   const struct eap_config *conf,
+				   const struct eap_session_data *sess);
 void eap_server_sm_deinit(struct eap_sm *sm);
 int eap_server_sm_step(struct eap_sm *sm);
 void eap_sm_notify_cached(struct eap_sm *sm);
@@ -166,5 +279,6 @@ void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
 				   const u8 *challenge, const u8 *response);
 void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
 void eap_user_free(struct eap_user *user);
+void eap_server_config_free(struct eap_config *cfg);
 
 #endif /* EAP_H */
diff --git a/src/eap_server/eap_i.h b/src/eap_server/eap_i.h
index 4cad1f235..cbdad5f19 100644
--- a/src/eap_server/eap_i.h
+++ b/src/eap_server/eap_i.h
@@ -154,7 +154,7 @@ struct eap_sm {
 	const struct eap_method *m; /* selected EAP method */
 	/* not defined in RFC 4137 */
 	Boolean changed;
-	void *eapol_ctx, *msg_ctx;
+	void *eapol_ctx;
 	const struct eapol_callbacks *eapol_cb;
 	void *eap_method_priv;
 	u8 *identity;
@@ -167,11 +167,9 @@ struct eap_sm {
 	struct eap_user *user;
 	int user_eap_method_index;
 	int init_phase2;
-	void *ssl_ctx;
-	struct eap_sim_db_data *eap_sim_db_priv;
-	Boolean backend_auth;
+	const struct eap_config *cfg;
+	struct eap_config cfg_buf;
 	Boolean update_user;
-	int eap_server;
 
 	int num_rounds;
 	enum {
@@ -181,23 +179,6 @@ struct eap_sm {
 	u8 *auth_challenge;
 	u8 *peer_challenge;
 
-	u8 *pac_opaque_encr_key;
-	u8 *eap_fast_a_id;
-	size_t eap_fast_a_id_len;
-	char *eap_fast_a_id_info;
-	enum {
-		NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
-	} eap_fast_prov;
-	int pac_key_lifetime;
-	int pac_key_refresh_time;
-	int eap_teap_auth;
-	int eap_teap_pac_no_inner;
-	int eap_teap_separate_result;
-	int eap_sim_aka_result_ind;
-	int eap_sim_id;
-	int tnc;
-	u16 pwd_group;
-	struct wps_context *wps;
 	struct wpabuf *assoc_wps_ie;
 	struct wpabuf *assoc_p2p_ie;
 
@@ -205,19 +186,8 @@ struct eap_sm {
 
 	u8 peer_addr[ETH_ALEN];
 
-	/* Fragmentation size for EAP method init() handler */
-	int fragment_size;
-
-	int pbc_in_m1;
-
-	const u8 *server_id;
-	size_t server_id_len;
-
 	Boolean initiate_reauth_start_sent;
 	Boolean try_initiate_reauth;
-	int erp;
-	unsigned int tls_session_lifetime;
-	unsigned int tls_flags;
 
 #ifdef CONFIG_TESTING_OPTIONS
 	u32 tls_test_flags;
diff --git a/src/eap_server/eap_server.c b/src/eap_server/eap_server.c
index 8085394c9..4c6ba6d34 100644
--- a/src/eap_server/eap_server.c
+++ b/src/eap_server/eap_server.c
@@ -223,7 +223,7 @@ SM_STATE(EAP, INITIALIZE)
 {
 	SM_ENTRY(EAP, INITIALIZE);
 
-	if (sm->eap_if.eapRestart && !sm->eap_server && sm->identity) {
+	if (sm->eap_if.eapRestart && !sm->cfg->eap_server && sm->identity) {
 		/*
 		 * Need to allow internal Identity method to be used instead
 		 * of passthrough at the beginning of reauthentication.
@@ -257,7 +257,7 @@ SM_STATE(EAP, INITIALIZE)
 	sm->m = NULL;
 	sm->user_eap_method_index = 0;
 
-	if (sm->backend_auth) {
+	if (sm->cfg->backend_auth) {
 		sm->currentMethod = EAP_TYPE_NONE;
 		/* parse rxResp, respId, respMethod */
 		eap_sm_parseEapResp(sm, sm->eap_if.eapRespData);
@@ -268,7 +268,7 @@ SM_STATE(EAP, INITIALIZE)
 	sm->num_rounds = 0;
 	sm->method_pending = METHOD_PENDING_NONE;
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_STARTED
 		MACSTR, MAC2STR(sm->peer_addr));
 }
 
@@ -300,7 +300,7 @@ SM_STATE(EAP, PICK_UP_METHOD)
 		}
 	}
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
 		"method=%u", sm->currentMethod);
 }
 
@@ -325,7 +325,7 @@ SM_STATE(EAP, RETRANSMIT)
 			sm->eap_if.eapReq = TRUE;
 	}
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT MACSTR,
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT MACSTR,
 		MAC2STR(sm->peer_addr));
 }
 
@@ -530,7 +530,7 @@ SM_STATE(EAP, METHOD_RESPONSE)
 				    sm->eap_if.eapSessionId,
 				    sm->eap_if.eapSessionIdLen);
 		}
-		if (sm->erp && sm->m->get_emsk && sm->eap_if.eapSessionId)
+		if (sm->cfg->erp && sm->m->get_emsk && sm->eap_if.eapSessionId)
 			eap_server_erp_init(sm);
 		sm->methodState = METHOD_END;
 	} else {
@@ -580,7 +580,7 @@ try_another_method:
 	else
 		sm->methodState = METHOD_PROPOSED;
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_PROPOSED_METHOD
 		"vendor=%u method=%u", vendor, sm->currentMethod);
 	eap_log_msg(sm, "Propose EAP method vendor=%u method=%u",
 		    vendor, sm->currentMethod);
@@ -636,8 +636,8 @@ SM_STATE(EAP, TIMEOUT_FAILURE)
 
 	sm->eap_if.eapTimeout = TRUE;
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TIMEOUT_FAILURE MACSTR,
-		MAC2STR(sm->peer_addr));
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO,
+		WPA_EVENT_EAP_TIMEOUT_FAILURE MACSTR, MAC2STR(sm->peer_addr));
 }
 
 
@@ -651,7 +651,7 @@ SM_STATE(EAP, FAILURE)
 	sm->lastReqData = NULL;
 	sm->eap_if.eapFail = TRUE;
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
 		MACSTR, MAC2STR(sm->peer_addr));
 }
 
@@ -668,7 +668,7 @@ SM_STATE(EAP, SUCCESS)
 		sm->eap_if.eapKeyAvailable = TRUE;
 	sm->eap_if.eapSuccess = TRUE;
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
 		MACSTR, MAC2STR(sm->peer_addr));
 }
 
@@ -755,7 +755,7 @@ static void erp_send_finish_reauth(struct eap_sm *sm,
 
 	if ((flags & 0x80) || !erp) {
 		sm->eap_if.eapFail = TRUE;
-		wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
+		wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE
 			MACSTR, MAC2STR(sm->peer_addr));
 		return;
 	}
@@ -783,7 +783,7 @@ static void erp_send_finish_reauth(struct eap_sm *sm,
 			sm->eap_if.eapKeyData, sm->eap_if.eapKeyDataLen);
 	sm->eap_if.eapSuccess = TRUE;
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS
 		MACSTR, MAC2STR(sm->peer_addr));
 }
 
@@ -855,7 +855,7 @@ SM_STATE(EAP, INITIATE_RECEIVED)
 	os_memcpy(nai, parse.keyname, parse.keyname_len);
 	nai[parse.keyname_len] = '\0';
 
-	if (!sm->eap_server) {
+	if (!sm->cfg->eap_server) {
 		/*
 		 * In passthrough case, EAP-Initiate/Re-auth replaces
 		 * EAP Identity exchange. Use keyName-NAI as the user identity
@@ -1018,7 +1018,7 @@ SM_STATE(EAP, RETRANSMIT2)
 			sm->eap_if.eapReq = TRUE;
 	}
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT2 MACSTR,
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_RETRANSMIT2 MACSTR,
 		MAC2STR(sm->peer_addr));
 }
 
@@ -1111,8 +1111,8 @@ SM_STATE(EAP, TIMEOUT_FAILURE2)
 
 	sm->eap_if.eapTimeout = TRUE;
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_TIMEOUT_FAILURE2 MACSTR,
-		MAC2STR(sm->peer_addr));
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO,
+		WPA_EVENT_EAP_TIMEOUT_FAILURE2 MACSTR, MAC2STR(sm->peer_addr));
 }
 
 
@@ -1123,7 +1123,7 @@ SM_STATE(EAP, FAILURE2)
 	eap_copy_buf(&sm->eap_if.eapReqData, sm->eap_if.aaaEapReqData);
 	sm->eap_if.eapFail = TRUE;
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE2 MACSTR,
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_FAILURE2 MACSTR,
 		MAC2STR(sm->peer_addr));
 }
 
@@ -1152,7 +1152,7 @@ SM_STATE(EAP, SUCCESS2)
 	 */
 	sm->start_reauth = TRUE;
 
-	wpa_msg(sm->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS2 MACSTR,
+	wpa_msg(sm->cfg->msg_ctx, MSG_INFO, WPA_EVENT_EAP_SUCCESS2 MACSTR,
 		MAC2STR(sm->peer_addr));
 }
 
@@ -1173,7 +1173,7 @@ SM_STEP(EAP)
 		}
 	} else switch (sm->EAP_state) {
 	case EAP_INITIALIZE:
-		if (sm->backend_auth) {
+		if (sm->cfg->backend_auth) {
 			if (!sm->rxResp)
 				SM_ENTER(EAP, SELECT_ACTION);
 			else if (sm->rxResp &&
@@ -1336,7 +1336,7 @@ SM_STEP(EAP)
 		else if (sm->decision == DECISION_INITIATE_REAUTH_START)
 			SM_ENTER(EAP, INITIATE_REAUTH_START);
 #ifdef CONFIG_ERP
-		else if (sm->eap_server && sm->erp && sm->rxInitiate)
+		else if (sm->cfg->eap_server && sm->cfg->erp && sm->rxInitiate)
 			SM_ENTER(EAP, INITIATE_RECEIVED);
 #endif /* CONFIG_ERP */
 		else
@@ -1346,7 +1346,7 @@ SM_STEP(EAP)
 		SM_ENTER(EAP, SEND_REQUEST);
 		break;
 	case EAP_INITIATE_RECEIVED:
-		if (!sm->eap_server)
+		if (!sm->cfg->eap_server)
 			SM_ENTER(EAP, SELECT_ACTION);
 		break;
 	case EAP_TIMEOUT_FAILURE:
@@ -1706,7 +1706,7 @@ static enum eap_type eap_sm_Policy_getNextMethod(struct eap_sm *sm, int *vendor)
 
 static int eap_sm_Policy_getDecision(struct eap_sm *sm)
 {
-	if (!sm->eap_server && sm->identity && !sm->start_reauth) {
+	if (!sm->cfg->eap_server && sm->identity && !sm->start_reauth) {
 		wpa_printf(MSG_DEBUG, "EAP: getDecision: -> PASSTHROUGH");
 		return DECISION_PASSTHROUGH;
 	}
@@ -1837,7 +1837,8 @@ void eap_user_free(struct eap_user *user)
  */
 struct eap_sm * eap_server_sm_init(void *eapol_ctx,
 				   const struct eapol_callbacks *eapol_cb,
-				   struct eap_config *conf)
+				   const struct eap_config *conf,
+				   const struct eap_session_data *sess)
 {
 	struct eap_sm *sm;
 
@@ -1847,55 +1848,15 @@ struct eap_sm * eap_server_sm_init(void *eapol_ctx,
 	sm->eapol_ctx = eapol_ctx;
 	sm->eapol_cb = eapol_cb;
 	sm->MaxRetrans = 5; /* RFC 3748: max 3-5 retransmissions suggested */
-	sm->ssl_ctx = conf->ssl_ctx;
-	sm->msg_ctx = conf->msg_ctx;
-	sm->eap_sim_db_priv = conf->eap_sim_db_priv;
-	sm->backend_auth = conf->backend_auth;
-	sm->eap_server = conf->eap_server;
-	if (conf->pac_opaque_encr_key) {
-		sm->pac_opaque_encr_key = os_malloc(16);
-		if (sm->pac_opaque_encr_key) {
-			os_memcpy(sm->pac_opaque_encr_key,
-				  conf->pac_opaque_encr_key, 16);
-		}
-	}
-	if (conf->eap_fast_a_id) {
-		sm->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
-		if (sm->eap_fast_a_id) {
-			os_memcpy(sm->eap_fast_a_id, conf->eap_fast_a_id,
-				  conf->eap_fast_a_id_len);
-			sm->eap_fast_a_id_len = conf->eap_fast_a_id_len;
-		}
-	}
-	if (conf->eap_fast_a_id_info)
-		sm->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info);
-	sm->eap_fast_prov = conf->eap_fast_prov;
-	sm->pac_key_lifetime = conf->pac_key_lifetime;
-	sm->pac_key_refresh_time = conf->pac_key_refresh_time;
-	sm->eap_teap_auth = conf->eap_teap_auth;
-	sm->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
-	sm->eap_teap_separate_result = conf->eap_teap_separate_result;
-	sm->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
-	sm->eap_sim_id = conf->eap_sim_id;
-	sm->tnc = conf->tnc;
-	sm->wps = conf->wps;
-	if (conf->assoc_wps_ie)
-		sm->assoc_wps_ie = wpabuf_dup(conf->assoc_wps_ie);
-	if (conf->assoc_p2p_ie)
-		sm->assoc_p2p_ie = wpabuf_dup(conf->assoc_p2p_ie);
-	if (conf->peer_addr)
-		os_memcpy(sm->peer_addr, conf->peer_addr, ETH_ALEN);
-	sm->fragment_size = conf->fragment_size;
-	sm->pwd_group = conf->pwd_group;
-	sm->pbc_in_m1 = conf->pbc_in_m1;
-	sm->server_id = conf->server_id;
-	sm->server_id_len = conf->server_id_len;
-	sm->erp = conf->erp;
-	sm->tls_session_lifetime = conf->tls_session_lifetime;
-	sm->tls_flags = conf->tls_flags;
-
+	sm->cfg = conf;
+	if (sess->assoc_wps_ie)
+		sm->assoc_wps_ie = wpabuf_dup(sess->assoc_wps_ie);
+	if (sess->assoc_p2p_ie)
+		sm->assoc_p2p_ie = wpabuf_dup(sess->assoc_p2p_ie);
+	if (sess->peer_addr)
+		os_memcpy(sm->peer_addr, sess->peer_addr, ETH_ALEN);
 #ifdef CONFIG_TESTING_OPTIONS
-	sm->tls_test_flags = conf->tls_test_flags;
+	sm->tls_test_flags = sess->tls_test_flags;
 #endif /* CONFIG_TESTING_OPTIONS */
 
 	wpa_printf(MSG_DEBUG, "EAP: Server state machine created");
@@ -1925,9 +1886,6 @@ void eap_server_sm_deinit(struct eap_sm *sm)
 	wpabuf_free(sm->eap_if.eapRespData);
 	os_free(sm->identity);
 	os_free(sm->serial_num);
-	os_free(sm->pac_opaque_encr_key);
-	os_free(sm->eap_fast_a_id);
-	os_free(sm->eap_fast_a_id_info);
 	wpabuf_free(sm->eap_if.aaaEapReqData);
 	wpabuf_free(sm->eap_if.aaaEapRespData);
 	bin_clear_free(sm->eap_if.aaaEapKeyData, sm->eap_if.aaaEapKeyDataLen);
@@ -2117,3 +2075,15 @@ void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
 		   source, user, hex_challenge, hex_response);
 }
 #endif /* CONFIG_TESTING_OPTIONS */
+
+
+void eap_server_config_free(struct eap_config *cfg)
+{
+	if (!cfg)
+		return;
+	os_free(cfg->pac_opaque_encr_key);
+	os_free(cfg->eap_fast_a_id);
+	os_free(cfg->eap_fast_a_id_info);
+	os_free(cfg->server_id);
+	os_free(cfg);
+}
diff --git a/src/eap_server/eap_server_aka.c b/src/eap_server/eap_server_aka.c
index 4dadfe197..22dd965d6 100644
--- a/src/eap_server/eap_server_aka.c
+++ b/src/eap_server/eap_server_aka.c
@@ -100,7 +100,7 @@ static int eap_aka_check_identity_reauth(struct eap_sm *sm,
 		return 0;
 
 	wpa_printf(MSG_DEBUG, "EAP-AKA: Reauth username '%s'", username);
-	data->reauth = eap_sim_db_get_reauth_entry(sm->eap_sim_db_priv,
+	data->reauth = eap_sim_db_get_reauth_entry(sm->cfg->eap_sim_db_priv,
 						   username);
 	if (data->reauth == NULL) {
 		wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown reauth identity - "
@@ -157,7 +157,7 @@ static void eap_aka_check_identity(struct eap_sm *sm,
 		wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'",
 			   username);
 		permanent = eap_sim_db_get_permanent(
-			sm->eap_sim_db_priv, username);
+			sm->cfg->eap_sim_db_priv, username);
 		if (permanent == NULL) {
 			os_free(username);
 			wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym "
@@ -182,7 +182,7 @@ static void * eap_aka_init(struct eap_sm *sm)
 {
 	struct eap_aka_data *data;
 
-	if (sm->eap_sim_db_priv == NULL) {
+	if (!sm->cfg->eap_sim_db_priv) {
 		wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured");
 		return NULL;
 	}
@@ -208,7 +208,7 @@ static void * eap_aka_prime_init(struct eap_sm *sm)
 	/* TODO: make ANID configurable; see 3GPP TS 24.302 */
 	char *network_name = "WLAN";
 
-	if (sm->eap_sim_db_priv == NULL) {
+	if (sm->cfg->eap_sim_db_priv == NULL) {
 		wpa_printf(MSG_WARNING, "EAP-AKA: eap_sim_db not configured");
 		return NULL;
 	}
@@ -393,13 +393,13 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
 			      const u8 *nonce_s)
 {
 	os_free(data->next_pseudonym);
-	if (!(sm->eap_sim_id & 0x01)) {
+	if (!(sm->cfg->eap_sim_id & 0x01)) {
 		/* Use of pseudonyms disabled in configuration */
 		data->next_pseudonym = NULL;
 	} else if (!nonce_s) {
 		data->next_pseudonym =
 			eap_sim_db_get_next_pseudonym(
-				sm->eap_sim_db_priv,
+				sm->cfg->eap_sim_db_priv,
 				data->eap_method == EAP_TYPE_AKA_PRIME ?
 				EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
 	} else {
@@ -407,13 +407,13 @@ static int eap_aka_build_encr(struct eap_sm *sm, struct eap_aka_data *data,
 		data->next_pseudonym = NULL;
 	}
 	os_free(data->next_reauth_id);
-	if (!(sm->eap_sim_id & 0x02)) {
+	if (!(sm->cfg->eap_sim_id & 0x02)) {
 		/* Use of fast reauth disabled in configuration */
 		data->next_reauth_id = NULL;
 	} else if (data->counter <= EAP_AKA_MAX_FAST_REAUTHS) {
 		data->next_reauth_id =
 			eap_sim_db_get_next_reauth_id(
-				sm->eap_sim_db_priv,
+				sm->cfg->eap_sim_db_priv,
 				data->eap_method == EAP_TYPE_AKA_PRIME ?
 				EAP_SIM_DB_AKA_PRIME : EAP_SIM_DB_AKA);
 	} else {
@@ -505,7 +505,7 @@ static struct wpabuf * eap_aka_build_challenge(struct eap_sm *sm,
 
 	eap_aka_add_checkcode(data, msg);
 
-	if (sm->eap_sim_aka_result_ind) {
+	if (sm->cfg->eap_sim_aka_result_ind) {
 		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
 		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
 	}
@@ -582,7 +582,7 @@ static struct wpabuf * eap_aka_build_reauth(struct eap_sm *sm,
 
 	eap_aka_add_checkcode(data, msg);
 
-	if (sm->eap_sim_aka_result_ind) {
+	if (sm->cfg->eap_sim_aka_result_ind) {
 		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
 		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
 	}
@@ -767,7 +767,7 @@ static void eap_aka_determine_identity(struct eap_sm *sm,
 		wpa_printf(MSG_DEBUG, "EAP-AKA: Pseudonym username '%s'",
 			   username);
 		permanent = eap_sim_db_get_permanent(
-			sm->eap_sim_db_priv, username);
+			sm->cfg->eap_sim_db_priv, username);
 		os_free(username);
 		if (permanent == NULL) {
 			wpa_printf(MSG_DEBUG, "EAP-AKA: Unknown pseudonym "
@@ -803,7 +803,7 @@ static void eap_aka_fullauth(struct eap_sm *sm, struct eap_aka_data *data)
 	size_t identity_len;
 	int res;
 
-	res = eap_sim_db_get_aka_auth(sm->eap_sim_db_priv, data->permanent,
+	res = eap_sim_db_get_aka_auth(sm->cfg->eap_sim_db_priv, data->permanent,
 				      data->rand, data->autn, data->ik,
 				      data->ck, data->res, &data->res_len, sm);
 	if (res == EAP_SIM_DB_PENDING) {
@@ -998,7 +998,7 @@ static void eap_aka_process_challenge(struct eap_sm *sm,
 
 	wpa_printf(MSG_DEBUG, "EAP-AKA: Challenge response includes the "
 		   "correct AT_MAC");
-	if (sm->eap_sim_aka_result_ind && attr->result_ind) {
+	if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
 		data->use_result_ind = 1;
 		data->notification = EAP_SIM_SUCCESS;
 		eap_aka_state(data, NOTIFICATION);
@@ -1006,14 +1006,15 @@ static void eap_aka_process_challenge(struct eap_sm *sm,
 		eap_aka_state(data, SUCCESS);
 
 	if (data->next_pseudonym) {
-		eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, data->permanent,
+		eap_sim_db_add_pseudonym(sm->cfg->eap_sim_db_priv,
+					 data->permanent,
 					 data->next_pseudonym);
 		data->next_pseudonym = NULL;
 	}
 	if (data->next_reauth_id) {
 		if (data->eap_method == EAP_TYPE_AKA_PRIME) {
 #ifdef EAP_SERVER_AKA_PRIME
-			eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv,
+			eap_sim_db_add_reauth_prime(sm->cfg->eap_sim_db_priv,
 						    data->permanent,
 						    data->next_reauth_id,
 						    data->counter + 1,
@@ -1021,7 +1022,7 @@ static void eap_aka_process_challenge(struct eap_sm *sm,
 						    data->k_re);
 #endif /* EAP_SERVER_AKA_PRIME */
 		} else {
-			eap_sim_db_add_reauth(sm->eap_sim_db_priv,
+			eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv,
 					      data->permanent,
 					      data->next_reauth_id,
 					      data->counter + 1,
@@ -1051,7 +1052,7 @@ static void eap_aka_process_sync_failure(struct eap_sm *sm,
 	 * maintaining a local flag stating whether this AUTS has already been
 	 * reported. */
 	if (!data->auts_reported &&
-	    eap_sim_db_resynchronize(sm->eap_sim_db_priv, data->permanent,
+	    eap_sim_db_resynchronize(sm->cfg->eap_sim_db_priv, data->permanent,
 				     attr->auts, data->rand)) {
 		wpa_printf(MSG_WARNING, "EAP-AKA: Resynchronization failed");
 		data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
@@ -1118,7 +1119,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
 		return;
 	}
 
-	if (sm->eap_sim_aka_result_ind && attr->result_ind) {
+	if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
 		data->use_result_ind = 1;
 		data->notification = EAP_SIM_SUCCESS;
 		eap_aka_state(data, NOTIFICATION);
@@ -1128,7 +1129,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
 	if (data->next_reauth_id) {
 		if (data->eap_method == EAP_TYPE_AKA_PRIME) {
 #ifdef EAP_SERVER_AKA_PRIME
-			eap_sim_db_add_reauth_prime(sm->eap_sim_db_priv,
+			eap_sim_db_add_reauth_prime(sm->cfg->eap_sim_db_priv,
 						    data->permanent,
 						    data->next_reauth_id,
 						    data->counter + 1,
@@ -1136,7 +1137,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
 						    data->k_re);
 #endif /* EAP_SERVER_AKA_PRIME */
 		} else {
-			eap_sim_db_add_reauth(sm->eap_sim_db_priv,
+			eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv,
 					      data->permanent,
 					      data->next_reauth_id,
 					      data->counter + 1,
@@ -1144,7 +1145,8 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
 		}
 		data->next_reauth_id = NULL;
 	} else {
-		eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
+		eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv,
+					 data->reauth);
 		data->reauth = NULL;
 	}
 
@@ -1153,7 +1155,7 @@ static void eap_aka_process_reauth(struct eap_sm *sm,
 fail:
 	data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
 	eap_aka_state(data, NOTIFICATION);
-	eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
+	eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv, data->reauth);
 	data->reauth = NULL;
 	os_free(decrypted);
 }
diff --git a/src/eap_server/eap_server_eke.c b/src/eap_server/eap_server_eke.c
index 71580bf7b..71fab9624 100644
--- a/src/eap_server/eap_server_eke.c
+++ b/src/eap_server/eap_server_eke.c
@@ -84,11 +84,11 @@ static void * eap_eke_init(struct eap_sm *sm)
 	eap_eke_state(data, IDENTITY);
 
 	data->serverid_type = EAP_EKE_ID_OPAQUE;
-	for (i = 0; i < sm->server_id_len; i++) {
-		if (sm->server_id[i] == '.' &&
+	for (i = 0; i < sm->cfg->server_id_len; i++) {
+		if (sm->cfg->server_id[i] == '.' &&
 		    data->serverid_type == EAP_EKE_ID_OPAQUE)
 			data->serverid_type = EAP_EKE_ID_FQDN;
-		if (sm->server_id[i] == '@')
+		if (sm->cfg->server_id[i] == '@')
 			data->serverid_type = EAP_EKE_ID_NAI;
 	}
 
@@ -186,7 +186,7 @@ static struct wpabuf * eap_eke_build_identity(struct eap_sm *sm,
 
 	wpa_printf(MSG_DEBUG, "EAP-EKE: Request/Identity");
 
-	plen = 2 + 4 * 4 + 1 + sm->server_id_len;
+	plen = 2 + 4 * 4 + 1 + sm->cfg->server_id_len;
 	msg = eap_eke_build_msg(data, id, plen, EAP_EKE_ID);
 	if (msg == NULL)
 		return NULL;
@@ -223,7 +223,7 @@ static struct wpabuf * eap_eke_build_identity(struct eap_sm *sm,
 
 	/* Server IDType + Identity */
 	wpabuf_put_u8(msg, data->serverid_type);
-	wpabuf_put_data(msg, sm->server_id, sm->server_id_len);
+	wpabuf_put_data(msg, sm->cfg->server_id, sm->cfg->server_id_len);
 
 	wpabuf_free(data->msgs);
 	data->msgs = wpabuf_dup(msg);
@@ -252,7 +252,7 @@ static struct wpabuf * eap_eke_build_commit(struct eap_sm *sm,
 
 	if (eap_eke_derive_key(&data->sess, sm->user->password,
 			       sm->user->password_len,
-			       sm->server_id, sm->server_id_len,
+			       sm->cfg->server_id, sm->cfg->server_id_len,
 			       data->peerid, data->peerid_len, data->key) < 0) {
 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive key");
 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
@@ -338,7 +338,7 @@ static struct wpabuf * eap_eke_build_confirm(struct eap_sm *sm,
 	wpabuf_put(msg, prot_len);
 
 	if (eap_eke_derive_ka(&data->sess,
-			      sm->server_id, sm->server_id_len,
+			      sm->cfg->server_id, sm->cfg->server_id_len,
 			      data->peerid, data->peerid_len,
 			      data->nonce_p, data->nonce_s) < 0) {
 		wpabuf_free(msg);
@@ -552,7 +552,7 @@ static void eap_eke_process_commit(struct eap_sm *sm,
 	}
 
 	if (eap_eke_derive_ke_ki(&data->sess,
-				 sm->server_id, sm->server_id_len,
+				 sm->cfg->server_id, sm->cfg->server_id_len,
 				 data->peerid, data->peerid_len) < 0) {
 		wpa_printf(MSG_INFO, "EAP-EKE: Failed to derive Ke/Ki");
 		eap_eke_fail(data, EAP_EKE_FAIL_PRIVATE_INTERNAL_ERROR);
@@ -641,7 +641,8 @@ static void eap_eke_process_confirm(struct eap_sm *sm,
 		return;
 	}
 
-	if (eap_eke_derive_msk(&data->sess, sm->server_id, sm->server_id_len,
+	if (eap_eke_derive_msk(&data->sess, sm->cfg->server_id,
+			       sm->cfg->server_id_len,
 			       data->peerid, data->peerid_len,
 			       data->nonce_s, data->nonce_p,
 			       data->msk, data->emsk) < 0) {
diff --git a/src/eap_server/eap_server_fast.c b/src/eap_server/eap_server_fast.c
index 98142db6e..0270821cc 100644
--- a/src/eap_server/eap_server_fast.c
+++ b/src/eap_server/eap_server_fast.c
@@ -278,7 +278,7 @@ static void eap_fast_derive_key_auth(struct eap_sm *sm,
 	 * Extra key material after TLS key_block: session_key_seed[40]
 	 */
 
-	sks = eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn,
+	sks = eap_fast_derive_key(sm->cfg->ssl_ctx, data->ssl.conn,
 				  EAP_FAST_SKS_LEN);
 	if (sks == NULL) {
 		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive "
@@ -304,7 +304,7 @@ static void eap_fast_derive_key_provisioning(struct eap_sm *sm,
 {
 	os_free(data->key_block_p);
 	data->key_block_p = (struct eap_fast_key_block_provisioning *)
-		eap_fast_derive_key(sm->ssl_ctx, data->ssl.conn,
+		eap_fast_derive_key(sm->cfg->ssl_ctx, data->ssl.conn,
 				    sizeof(*data->key_block_p));
 	if (data->key_block_p == NULL) {
 		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to derive key block");
@@ -440,7 +440,7 @@ static void * eap_fast_init(struct eap_sm *sm)
 		return NULL;
 	}
 
-	if (tls_connection_set_cipher_list(sm->ssl_ctx, data->ssl.conn,
+	if (tls_connection_set_cipher_list(sm->cfg->ssl_ctx, data->ssl.conn,
 					   ciphers) < 0) {
 		wpa_printf(MSG_INFO, "EAP-FAST: Failed to set TLS cipher "
 			   "suites");
@@ -448,7 +448,8 @@ static void * eap_fast_init(struct eap_sm *sm)
 		return NULL;
 	}
 
-	if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn,
+	if (tls_connection_set_session_ticket_cb(sm->cfg->ssl_ctx,
+						 data->ssl.conn,
 						 eap_fast_session_ticket_cb,
 						 data) < 0) {
 		wpa_printf(MSG_INFO, "EAP-FAST: Failed to set SessionTicket "
@@ -457,47 +458,48 @@ static void * eap_fast_init(struct eap_sm *sm)
 		return NULL;
 	}
 
-	if (sm->pac_opaque_encr_key == NULL) {
+	if (sm->cfg->pac_opaque_encr_key == NULL) {
 		wpa_printf(MSG_INFO, "EAP-FAST: No PAC-Opaque encryption key "
 			   "configured");
 		eap_fast_reset(sm, data);
 		return NULL;
 	}
-	os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key,
+	os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key,
 		  sizeof(data->pac_opaque_encr));
 
-	if (sm->eap_fast_a_id == NULL) {
+	if (sm->cfg->eap_fast_a_id == NULL) {
 		wpa_printf(MSG_INFO, "EAP-FAST: No A-ID configured");
 		eap_fast_reset(sm, data);
 		return NULL;
 	}
-	data->srv_id = os_memdup(sm->eap_fast_a_id, sm->eap_fast_a_id_len);
+	data->srv_id = os_memdup(sm->cfg->eap_fast_a_id,
+				 sm->cfg->eap_fast_a_id_len);
 	if (data->srv_id == NULL) {
 		eap_fast_reset(sm, data);
 		return NULL;
 	}
-	data->srv_id_len = sm->eap_fast_a_id_len;
+	data->srv_id_len = sm->cfg->eap_fast_a_id_len;
 
-	if (sm->eap_fast_a_id_info == NULL) {
+	if (sm->cfg->eap_fast_a_id_info == NULL) {
 		wpa_printf(MSG_INFO, "EAP-FAST: No A-ID-Info configured");
 		eap_fast_reset(sm, data);
 		return NULL;
 	}
-	data->srv_id_info = os_strdup(sm->eap_fast_a_id_info);
+	data->srv_id_info = os_strdup(sm->cfg->eap_fast_a_id_info);
 	if (data->srv_id_info == NULL) {
 		eap_fast_reset(sm, data);
 		return NULL;
 	}
 
 	/* PAC-Key lifetime in seconds (hard limit) */
-	data->pac_key_lifetime = sm->pac_key_lifetime;
+	data->pac_key_lifetime = sm->cfg->pac_key_lifetime;
 
 	/*
 	 * PAC-Key refresh time in seconds (soft limit on remaining hard
 	 * limit). The server will generate a new PAC-Key when this number of
 	 * seconds (or fewer) of the lifetime remains.
 	 */
-	data->pac_key_refresh_time = sm->pac_key_refresh_time;
+	data->pac_key_refresh_time = sm->cfg->pac_key_refresh_time;
 
 	return data;
 }
@@ -552,8 +554,8 @@ static int eap_fast_phase1_done(struct eap_sm *sm, struct eap_fast_data *data)
 
 	wpa_printf(MSG_DEBUG, "EAP-FAST: Phase1 done, starting Phase2");
 
-	if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher))
-	    < 0) {
+	if (tls_get_cipher(sm->cfg->ssl_ctx, data->ssl.conn,
+			   cipher, sizeof(cipher)) < 0) {
 		wpa_printf(MSG_DEBUG, "EAP-FAST: Failed to get cipher "
 			   "information");
 		eap_fast_state(data, FAILURE);
@@ -872,7 +874,8 @@ static struct wpabuf * eap_fast_buildReq(struct eap_sm *sm, void *priv, u8 id)
 	case START:
 		return eap_fast_build_start(sm, data, id);
 	case PHASE1:
-		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+		if (tls_connection_established(sm->cfg->ssl_ctx,
+					       data->ssl.conn)) {
 			if (eap_fast_phase1_done(sm, data) < 0)
 				return NULL;
 			if (data->state == PHASE2_START) {
@@ -1082,7 +1085,7 @@ static void eap_fast_process_phase2_response(struct eap_sm *sm,
 		next_vendor = EAP_VENDOR_IETF;
 		next_type = EAP_TYPE_NONE;
 #ifdef EAP_SERVER_TNC
-		if (sm->tnc && !data->tnc_started) {
+		if (sm->cfg->tnc && !data->tnc_started) {
 			wpa_printf(MSG_DEBUG, "EAP-FAST: Initialize TNC");
 			next_vendor = EAP_VENDOR_IETF;
 			next_type = EAP_TYPE_TNC;
@@ -1346,8 +1349,8 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
 		}
 
 		if (data->anon_provisioning &&
-		    sm->eap_fast_prov != ANON_PROV &&
-		    sm->eap_fast_prov != BOTH_PROV) {
+		    sm->cfg->eap_fast_prov != ANON_PROV &&
+		    sm->cfg->eap_fast_prov != BOTH_PROV) {
 			wpa_printf(MSG_DEBUG, "EAP-FAST: Client is trying to "
 				   "use unauthenticated provisioning which is "
 				   "disabled");
@@ -1355,8 +1358,8 @@ static void eap_fast_process_phase2_tlvs(struct eap_sm *sm,
 			return;
 		}
 
-		if (sm->eap_fast_prov != AUTH_PROV &&
-		    sm->eap_fast_prov != BOTH_PROV &&
+		if (sm->cfg->eap_fast_prov != AUTH_PROV &&
+		    sm->cfg->eap_fast_prov != BOTH_PROV &&
 		    tlv.request_action == EAP_TLV_ACTION_PROCESS_TLV &&
 		    eap_fast_pac_type(tlv.pac, tlv.pac_len,
 				      PAC_TYPE_TUNNEL_PAC)) {
@@ -1408,7 +1411,7 @@ static void eap_fast_process_phase2(struct eap_sm *sm,
 		return;
 	}
 
-	in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+	in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
 					      in_buf);
 	if (in_decrypted == NULL) {
 		wpa_printf(MSG_INFO, "EAP-FAST: Failed to decrypt Phase 2 "
@@ -1468,7 +1471,7 @@ static int eap_fast_process_phase1(struct eap_sm *sm,
 		return -1;
 	}
 
-	if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
+	if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
 	    wpabuf_len(data->ssl.tls_out) > 0)
 		return 1;
 
diff --git a/src/eap_server/eap_server_gpsk.c b/src/eap_server/eap_server_gpsk.c
index bebb17f40..a7742751a 100644
--- a/src/eap_server/eap_server_gpsk.c
+++ b/src/eap_server/eap_server_gpsk.c
@@ -117,7 +117,7 @@ static struct wpabuf * eap_gpsk_build_gpsk_1(struct eap_sm *sm,
 	wpa_hexdump(MSG_MSGDUMP, "EAP-GPSK: RAND_Server",
 		    data->rand_server, EAP_GPSK_RAND_LEN);
 
-	len = 1 + 2 + sm->server_id_len + EAP_GPSK_RAND_LEN + 2 +
+	len = 1 + 2 + sm->cfg->server_id_len + EAP_GPSK_RAND_LEN + 2 +
 		data->csuite_count * sizeof(struct eap_gpsk_csuite);
 	req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GPSK, len,
 			    EAP_CODE_REQUEST, id);
@@ -129,8 +129,8 @@ static struct wpabuf * eap_gpsk_build_gpsk_1(struct eap_sm *sm,
 	}
 
 	wpabuf_put_u8(req, EAP_GPSK_OPCODE_GPSK_1);
-	wpabuf_put_be16(req, sm->server_id_len);
-	wpabuf_put_data(req, sm->server_id, sm->server_id_len);
+	wpabuf_put_be16(req, sm->cfg->server_id_len);
+	wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
 	wpabuf_put_data(req, data->rand_server, EAP_GPSK_RAND_LEN);
 	wpabuf_put_be16(req,
 			data->csuite_count * sizeof(struct eap_gpsk_csuite));
@@ -152,7 +152,7 @@ static struct wpabuf * eap_gpsk_build_gpsk_3(struct eap_sm *sm,
 	wpa_printf(MSG_DEBUG, "EAP-GPSK: Request/GPSK-3");
 
 	miclen = eap_gpsk_mic_len(data->vendor, data->specifier);
-	len = 1 + 2 * EAP_GPSK_RAND_LEN + 2 + sm->server_id_len +
+	len = 1 + 2 * EAP_GPSK_RAND_LEN + 2 + sm->cfg->server_id_len +
 		sizeof(struct eap_gpsk_csuite) + 2 + miclen;
 	req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_GPSK, len,
 			    EAP_CODE_REQUEST, id);
@@ -168,8 +168,8 @@ static struct wpabuf * eap_gpsk_build_gpsk_3(struct eap_sm *sm,
 
 	wpabuf_put_data(req, data->rand_peer, EAP_GPSK_RAND_LEN);
 	wpabuf_put_data(req, data->rand_server, EAP_GPSK_RAND_LEN);
-	wpabuf_put_be16(req, sm->server_id_len);
-	wpabuf_put_data(req, sm->server_id, sm->server_id_len);
+	wpabuf_put_be16(req, sm->cfg->server_id_len);
+	wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
 	csuite = wpabuf_put(req, sizeof(*csuite));
 	WPA_PUT_BE32(csuite->vendor, data->vendor);
 	WPA_PUT_BE16(csuite->specifier, data->specifier);
@@ -294,8 +294,8 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm,
 		eap_gpsk_state(data, FAILURE);
 		return;
 	}
-	if (alen != sm->server_id_len ||
-	    os_memcmp(pos, sm->server_id, alen) != 0) {
+	if (alen != sm->cfg->server_id_len ||
+	    os_memcmp(pos, sm->cfg->server_id, alen) != 0) {
 		wpa_printf(MSG_DEBUG, "EAP-GPSK: ID_Server in GPSK-1 and "
 			   "GPSK-2 did not match");
 		eap_gpsk_state(data, FAILURE);
@@ -409,7 +409,7 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm,
 				 data->vendor, data->specifier,
 				 data->rand_peer, data->rand_server,
 				 data->id_peer, data->id_peer_len,
-				 sm->server_id, sm->server_id_len,
+				 sm->cfg->server_id, sm->cfg->server_id_len,
 				 data->msk, data->emsk,
 				 data->sk, &data->sk_len,
 				 data->pk, &data->pk_len) < 0) {
@@ -423,7 +423,8 @@ static void eap_gpsk_process_gpsk_2(struct eap_sm *sm,
 				       data->vendor, data->specifier,
 				       data->rand_peer, data->rand_server,
 				       data->id_peer, data->id_peer_len,
-				       sm->server_id, sm->server_id_len,
+				       sm->cfg->server_id,
+				       sm->cfg->server_id_len,
 				       EAP_TYPE_GPSK,
 				       data->session_id, &data->id_len) < 0) {
 		wpa_printf(MSG_DEBUG, "EAP-GPSK: Failed to derive Session-Id");
diff --git a/src/eap_server/eap_server_ikev2.c b/src/eap_server/eap_server_ikev2.c
index 32e687204..897637e8e 100644
--- a/src/eap_server/eap_server_ikev2.c
+++ b/src/eap_server/eap_server_ikev2.c
@@ -87,8 +87,8 @@ static void * eap_ikev2_init(struct eap_sm *sm)
 	if (data == NULL)
 		return NULL;
 	data->state = MSG;
-	data->fragment_size = sm->fragment_size > 0 ? sm->fragment_size :
-		IKEV2_FRAGMENT_SIZE;
+	data->fragment_size = sm->cfg->fragment_size > 0 ?
+		sm->cfg->fragment_size : IKEV2_FRAGMENT_SIZE;
 	data->ikev2.state = SA_INIT;
 	data->ikev2.peer_auth = PEER_AUTH_SECRET;
 	data->ikev2.key_pad = (u8 *) os_strdup("Key Pad for EAP-IKEv2");
@@ -103,10 +103,10 @@ static void * eap_ikev2_init(struct eap_sm *sm)
 	data->ikev2.proposal.encr = ENCR_AES_CBC;
 	data->ikev2.proposal.dh = DH_GROUP2_1024BIT_MODP;
 
-	data->ikev2.IDi = os_memdup(sm->server_id, sm->server_id_len);
+	data->ikev2.IDi = os_memdup(sm->cfg->server_id, sm->cfg->server_id_len);
 	if (data->ikev2.IDi == NULL)
 		goto failed;
-	data->ikev2.IDi_len = sm->server_id_len;
+	data->ikev2.IDi_len = sm->cfg->server_id_len;
 
 	data->ikev2.get_shared_secret = eap_ikev2_get_shared_secret;
 	data->ikev2.cb_ctx = sm;
@@ -414,7 +414,7 @@ static void eap_ikev2_process(struct eap_sm *sm, void *priv,
 		eap_ikev2_state(data, FAIL);
 		return;
 	}
-		
+
 	if (flags & IKEV2_FLAGS_MORE_FRAGMENTS) {
 		if (eap_ikev2_process_fragment(data, flags, message_length,
 					       pos, end - pos) < 0)
diff --git a/src/eap_server/eap_server_mschapv2.c b/src/eap_server/eap_server_mschapv2.c
index e9e03b0af..8a1621aff 100644
--- a/src/eap_server/eap_server_mschapv2.c
+++ b/src/eap_server/eap_server_mschapv2.c
@@ -109,7 +109,7 @@ static struct wpabuf * eap_mschapv2_build_challenge(
 		return NULL;
 	}
 
-	ms_len = sizeof(*ms) + 1 + CHALLENGE_LEN + sm->server_id_len;
+	ms_len = sizeof(*ms) + 1 + CHALLENGE_LEN + sm->cfg->server_id_len;
 	req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_MSCHAPV2, ms_len,
 			    EAP_CODE_REQUEST, id);
 	if (req == NULL) {
@@ -131,7 +131,7 @@ static struct wpabuf * eap_mschapv2_build_challenge(
 		wpabuf_put(req, CHALLENGE_LEN);
 	wpa_hexdump(MSG_MSGDUMP, "EAP-MSCHAPV2: Challenge",
 		    data->auth_challenge, CHALLENGE_LEN);
-	wpabuf_put_data(req, sm->server_id, sm->server_id_len);
+	wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
 
 	return req;
 }
diff --git a/src/eap_server/eap_server_peap.c b/src/eap_server/eap_server_peap.c
index 697460bac..02d8b8e88 100644
--- a/src/eap_server/eap_server_peap.c
+++ b/src/eap_server/eap_server_peap.c
@@ -105,8 +105,8 @@ static void eap_peap_valid_session(struct eap_sm *sm,
 {
 	struct wpabuf *buf;
 
-	if (!sm->tls_session_lifetime ||
-	    tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
+	if (!sm->cfg->tls_session_lifetime ||
+	    tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
 		return;
 
 	buf = wpabuf_alloc(1 + 1 + sm->identity_len);
@@ -336,7 +336,7 @@ static int eap_peap_derive_cmk(struct eap_sm *sm, struct eap_peap_data *data)
 		return -1;
 	wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: TK", tk, 60);
 
-	if (tls_connection_resumed(sm->ssl_ctx, data->ssl.conn)) {
+	if (tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn)) {
 		/* Fast-connect: IPMK|CMK = TK */
 		os_memcpy(data->ipmk, tk, 40);
 		wpa_hexdump_key(MSG_DEBUG, "EAP-PEAP: IPMK from TK",
@@ -521,7 +521,8 @@ static struct wpabuf * eap_peap_buildReq(struct eap_sm *sm, void *priv, u8 id)
 		return eap_peap_build_start(sm, data, id);
 	case PHASE1:
 	case PHASE1_ID2:
-		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+		if (tls_connection_established(sm->cfg->ssl_ctx,
+					       data->ssl.conn)) {
 			wpa_printf(MSG_DEBUG, "EAP-PEAP: Phase1 done, "
 				   "starting Phase2");
 			eap_peap_state(data, PHASE2_START);
@@ -1020,7 +1021,7 @@ static void eap_peap_process_phase2_response(struct eap_sm *sm,
 		}
 
 #ifdef EAP_SERVER_TNC
-		if (data->state != PHASE2_SOH && sm->tnc &&
+		if (data->state != PHASE2_SOH && sm->cfg->tnc &&
 		    data->peap_version == 0) {
 			eap_peap_state(data, PHASE2_SOH);
 			wpa_printf(MSG_DEBUG, "EAP-PEAP: Try to initialize "
@@ -1077,7 +1078,7 @@ static void eap_peap_process_phase2(struct eap_sm *sm,
 		return;
 	}
 
-	in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+	in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
 					      in_buf);
 	if (in_decrypted == NULL) {
 		wpa_printf(MSG_INFO, "EAP-PEAP: Failed to decrypt Phase 2 "
@@ -1237,8 +1238,8 @@ static void eap_peap_process(struct eap_sm *sm, void *priv,
 	}
 
 	if (data->state == SUCCESS ||
-	    !tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
-	    !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
+	    !tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
+	    !tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
 		return;
 
 	buf = tls_connection_get_success_data(data->ssl.conn);
diff --git a/src/eap_server/eap_server_psk.c b/src/eap_server/eap_server_psk.c
index 0eab89339..511973c94 100644
--- a/src/eap_server/eap_server_psk.c
+++ b/src/eap_server/eap_server_psk.c
@@ -68,7 +68,7 @@ static struct wpabuf * eap_psk_build_1(struct eap_sm *sm,
 		    data->rand_s, EAP_PSK_RAND_LEN);
 
 	req = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PSK,
-			    sizeof(*psk) + sm->server_id_len,
+			    sizeof(*psk) + sm->cfg->server_id_len,
 			    EAP_CODE_REQUEST, id);
 	if (req == NULL) {
 		wpa_printf(MSG_ERROR, "EAP-PSK: Failed to allocate memory "
@@ -80,7 +80,7 @@ static struct wpabuf * eap_psk_build_1(struct eap_sm *sm,
 	psk = wpabuf_put(req, sizeof(*psk));
 	psk->flags = EAP_PSK_FLAGS_SET_T(0); /* T=0 */
 	os_memcpy(psk->rand_s, data->rand_s, EAP_PSK_RAND_LEN);
-	wpabuf_put_data(req, sm->server_id, sm->server_id_len);
+	wpabuf_put_data(req, sm->cfg->server_id, sm->cfg->server_id_len);
 
 	return req;
 }
@@ -110,13 +110,13 @@ static struct wpabuf * eap_psk_build_3(struct eap_sm *sm,
 	os_memcpy(psk->rand_s, data->rand_s, EAP_PSK_RAND_LEN);
 
 	/* MAC_S = OMAC1-AES-128(AK, ID_S||RAND_P) */
-	buflen = sm->server_id_len + EAP_PSK_RAND_LEN;
+	buflen = sm->cfg->server_id_len + EAP_PSK_RAND_LEN;
 	buf = os_malloc(buflen);
 	if (buf == NULL)
 		goto fail;
 
-	os_memcpy(buf, sm->server_id, sm->server_id_len);
-	os_memcpy(buf + sm->server_id_len, data->rand_p, EAP_PSK_RAND_LEN);
+	os_memcpy(buf, sm->cfg->server_id, sm->cfg->server_id_len);
+	os_memcpy(buf + sm->cfg->server_id_len, data->rand_p, EAP_PSK_RAND_LEN);
 	if (omac1_aes_128(data->ak, buf, buflen, psk->mac_s)) {
 		os_free(buf);
 		goto fail;
@@ -293,7 +293,7 @@ static void eap_psk_process_2(struct eap_sm *sm,
 	os_memcpy(data->rand_p, resp->rand_p, EAP_PSK_RAND_LEN);
 
 	/* MAC_P = OMAC1-AES-128(AK, ID_P||ID_S||RAND_S||RAND_P) */
-	buflen = data->id_p_len + sm->server_id_len + 2 * EAP_PSK_RAND_LEN;
+	buflen = data->id_p_len + sm->cfg->server_id_len + 2 * EAP_PSK_RAND_LEN;
 	buf = os_malloc(buflen);
 	if (buf == NULL) {
 		data->state = FAILURE;
@@ -301,8 +301,8 @@ static void eap_psk_process_2(struct eap_sm *sm,
 	}
 	os_memcpy(buf, data->id_p, data->id_p_len);
 	pos = buf + data->id_p_len;
-	os_memcpy(pos, sm->server_id, sm->server_id_len);
-	pos += sm->server_id_len;
+	os_memcpy(pos, sm->cfg->server_id, sm->cfg->server_id_len);
+	pos += sm->cfg->server_id_len;
 	os_memcpy(pos, data->rand_s, EAP_PSK_RAND_LEN);
 	pos += EAP_PSK_RAND_LEN;
 	os_memcpy(pos, data->rand_p, EAP_PSK_RAND_LEN);
diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c
index a8087c1d8..6bf3a23d0 100644
--- a/src/eap_server/eap_server_pwd.c
+++ b/src/eap_server/eap_server_pwd.c
@@ -97,7 +97,7 @@ static void * eap_pwd_init(struct eap_sm *sm)
 	if (data == NULL)
 		return NULL;
 
-	data->group_num = sm->pwd_group;
+	data->group_num = sm->cfg->pwd_group;
 	wpa_printf(MSG_DEBUG, "EAP-pwd: Selected group number %d",
 		   data->group_num);
 	data->state = PWD_ID_Req;
@@ -134,7 +134,7 @@ static void * eap_pwd_init(struct eap_sm *sm)
 	data->in_frag_pos = data->out_frag_pos = 0;
 	data->inbuf = data->outbuf = NULL;
 	/* use default MTU from RFC 5931 if not configured otherwise */
-	data->mtu = sm->fragment_size > 0 ? sm->fragment_size : 1020;
+	data->mtu = sm->cfg->fragment_size > 0 ? sm->cfg->fragment_size : 1020;
 
 	return data;
 }
diff --git a/src/eap_server/eap_server_sake.c b/src/eap_server/eap_server_sake.c
index 2fc2c0575..56cfbfb32 100644
--- a/src/eap_server/eap_server_sake.c
+++ b/src/eap_server/eap_server_sake.c
@@ -123,7 +123,7 @@ static struct wpabuf * eap_sake_build_identity(struct eap_sm *sm,
 	wpa_printf(MSG_DEBUG, "EAP-SAKE: Request/Identity");
 
 	plen = 4;
-	plen += 2 + sm->server_id_len;
+	plen += 2 + sm->cfg->server_id_len;
 	msg = eap_sake_build_msg(data, id, plen, EAP_SAKE_SUBTYPE_IDENTITY);
 	if (msg == NULL) {
 		data->state = FAILURE;
@@ -135,7 +135,7 @@ static struct wpabuf * eap_sake_build_identity(struct eap_sm *sm,
 
 	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_SERVERID");
 	eap_sake_add_attr(msg, EAP_SAKE_AT_SERVERID,
-			  sm->server_id, sm->server_id_len);
+			  sm->cfg->server_id, sm->cfg->server_id_len);
 
 	return msg;
 }
@@ -158,7 +158,7 @@ static struct wpabuf * eap_sake_build_challenge(struct eap_sm *sm,
 	wpa_hexdump(MSG_MSGDUMP, "EAP-SAKE: RAND_S (server rand)",
 		    data->rand_s, EAP_SAKE_RAND_LEN);
 
-	plen = 2 + EAP_SAKE_RAND_LEN + 2 + sm->server_id_len;
+	plen = 2 + EAP_SAKE_RAND_LEN + 2 + sm->cfg->server_id_len;
 	msg = eap_sake_build_msg(data, id, plen, EAP_SAKE_SUBTYPE_CHALLENGE);
 	if (msg == NULL) {
 		data->state = FAILURE;
@@ -171,7 +171,7 @@ static struct wpabuf * eap_sake_build_challenge(struct eap_sm *sm,
 
 	wpa_printf(MSG_DEBUG, "EAP-SAKE: * AT_SERVERID");
 	eap_sake_add_attr(msg, EAP_SAKE_AT_SERVERID,
-			  sm->server_id, sm->server_id_len);
+			  sm->cfg->server_id, sm->cfg->server_id_len);
 
 	return msg;
 }
@@ -198,7 +198,7 @@ static struct wpabuf * eap_sake_build_confirm(struct eap_sm *sm,
 	wpabuf_put_u8(msg, 2 + EAP_SAKE_MIC_LEN);
 	mic = wpabuf_put(msg, EAP_SAKE_MIC_LEN);
 	if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
-				 sm->server_id, sm->server_id_len,
+				 sm->cfg->server_id, sm->cfg->server_id_len,
 				 data->peerid, data->peerid_len, 0,
 				 wpabuf_head(msg), wpabuf_len(msg), mic, mic))
 	{
@@ -351,7 +351,7 @@ static void eap_sake_process_challenge(struct eap_sm *sm,
 	}
 
 	if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
-				 sm->server_id, sm->server_id_len,
+				 sm->cfg->server_id, sm->cfg->server_id_len,
 				 data->peerid, data->peerid_len, 1,
 				 wpabuf_head(respData), wpabuf_len(respData),
 				 attr.mic_p, mic_p) < 0) {
@@ -392,7 +392,7 @@ static void eap_sake_process_confirm(struct eap_sm *sm,
 	}
 
 	if (eap_sake_compute_mic(data->tek.auth, data->rand_s, data->rand_p,
-				 sm->server_id, sm->server_id_len,
+				 sm->cfg->server_id, sm->cfg->server_id_len,
 				 data->peerid, data->peerid_len, 1,
 				 wpabuf_head(respData), wpabuf_len(respData),
 				 attr.mic_p, mic_p) < 0) {
diff --git a/src/eap_server/eap_server_sim.c b/src/eap_server/eap_server_sim.c
index 5243568e7..d7ac87ce5 100644
--- a/src/eap_server/eap_server_sim.c
+++ b/src/eap_server/eap_server_sim.c
@@ -76,7 +76,7 @@ static void * eap_sim_init(struct eap_sm *sm)
 {
 	struct eap_sim_data *data;
 
-	if (sm->eap_sim_db_priv == NULL) {
+	if (!sm->cfg->eap_sim_db_priv) {
 		wpa_printf(MSG_WARNING, "EAP-SIM: eap_sim_db not configured");
 		return NULL;
 	}
@@ -150,24 +150,24 @@ static int eap_sim_build_encr(struct eap_sm *sm, struct eap_sim_data *data,
 			      const u8 *nonce_s)
 {
 	os_free(data->next_pseudonym);
-	if (!(sm->eap_sim_id & 0x01)) {
+	if (!(sm->cfg->eap_sim_id & 0x01)) {
 		/* Use of pseudonyms disabled in configuration */
 		data->next_pseudonym = NULL;
 	} else if (!nonce_s) {
 		data->next_pseudonym =
-			eap_sim_db_get_next_pseudonym(sm->eap_sim_db_priv,
+			eap_sim_db_get_next_pseudonym(sm->cfg->eap_sim_db_priv,
 						      EAP_SIM_DB_SIM);
 	} else {
 		/* Do not update pseudonym during re-authentication */
 		data->next_pseudonym = NULL;
 	}
 	os_free(data->next_reauth_id);
-	if (!(sm->eap_sim_id & 0x02)) {
+	if (!(sm->cfg->eap_sim_id & 0x02)) {
 		/* Use of fast reauth disabled in configuration */
 		data->next_reauth_id = NULL;
 	} else if (data->counter <= EAP_SIM_MAX_FAST_REAUTHS) {
 		data->next_reauth_id =
-			eap_sim_db_get_next_reauth_id(sm->eap_sim_db_priv,
+			eap_sim_db_get_next_reauth_id(sm->cfg->eap_sim_db_priv,
 						      EAP_SIM_DB_SIM);
 	} else {
 		wpa_printf(MSG_DEBUG, "EAP-SIM: Max fast re-authentication "
@@ -240,7 +240,7 @@ static struct wpabuf * eap_sim_build_challenge(struct eap_sm *sm,
 		return NULL;
 	}
 
-	if (sm->eap_sim_aka_result_ind) {
+	if (sm->cfg->eap_sim_aka_result_ind) {
 		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
 		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
 	}
@@ -279,7 +279,7 @@ static struct wpabuf * eap_sim_build_reauth(struct eap_sm *sm,
 		return NULL;
 	}
 
-	if (sm->eap_sim_aka_result_ind) {
+	if (sm->cfg->eap_sim_aka_result_ind) {
 		wpa_printf(MSG_DEBUG, "   AT_RESULT_IND");
 		eap_sim_msg_add(msg, EAP_SIM_AT_RESULT_IND, 0, NULL, 0);
 	}
@@ -475,7 +475,7 @@ static void eap_sim_process_start(struct eap_sm *sm,
 		wpa_printf(MSG_DEBUG, "EAP-SIM: Reauth username '%s'",
 			   username);
 		data->reauth = eap_sim_db_get_reauth_entry(
-			sm->eap_sim_db_priv, username);
+			sm->cfg->eap_sim_db_priv, username);
 		os_free(username);
 		if (data->reauth == NULL) {
 			wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown reauth "
@@ -497,7 +497,7 @@ static void eap_sim_process_start(struct eap_sm *sm,
 		wpa_printf(MSG_DEBUG, "EAP-SIM: Pseudonym username '%s'",
 			   username);
 		permanent = eap_sim_db_get_permanent(
-			sm->eap_sim_db_priv, username);
+			sm->cfg->eap_sim_db_priv, username);
 		os_free(username);
 		if (permanent == NULL) {
 			wpa_printf(MSG_DEBUG, "EAP-SIM: Unknown pseudonym "
@@ -538,7 +538,7 @@ skip_id_update:
 	data->reauth = NULL;
 
 	data->num_chal = eap_sim_db_get_gsm_triplets(
-		sm->eap_sim_db_priv, data->permanent, EAP_SIM_MAX_CHAL,
+		sm->cfg->eap_sim_db_priv, data->permanent, EAP_SIM_MAX_CHAL,
 		(u8 *) data->rand, (u8 *) data->kc, (u8 *) data->sres, sm);
 	if (data->num_chal == EAP_SIM_DB_PENDING) {
 		wpa_printf(MSG_DEBUG, "EAP-SIM: GSM authentication triplets "
@@ -599,7 +599,7 @@ static void eap_sim_process_challenge(struct eap_sm *sm,
 
 	wpa_printf(MSG_DEBUG, "EAP-SIM: Challenge response includes the "
 		   "correct AT_MAC");
-	if (sm->eap_sim_aka_result_ind && attr->result_ind) {
+	if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
 		data->use_result_ind = 1;
 		data->notification = EAP_SIM_SUCCESS;
 		eap_sim_state(data, NOTIFICATION);
@@ -607,12 +607,13 @@ static void eap_sim_process_challenge(struct eap_sm *sm,
 		eap_sim_state(data, SUCCESS);
 
 	if (data->next_pseudonym) {
-		eap_sim_db_add_pseudonym(sm->eap_sim_db_priv, data->permanent,
+		eap_sim_db_add_pseudonym(sm->cfg->eap_sim_db_priv,
+					 data->permanent,
 					 data->next_pseudonym);
 		data->next_pseudonym = NULL;
 	}
 	if (data->next_reauth_id) {
-		eap_sim_db_add_reauth(sm->eap_sim_db_priv, data->permanent,
+		eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv, data->permanent,
 				      data->next_reauth_id, data->counter + 1,
 				      data->mk);
 		data->next_reauth_id = NULL;
@@ -672,7 +673,7 @@ static void eap_sim_process_reauth(struct eap_sm *sm,
 		return;
 	}
 
-	if (sm->eap_sim_aka_result_ind && attr->result_ind) {
+	if (sm->cfg->eap_sim_aka_result_ind && attr->result_ind) {
 		data->use_result_ind = 1;
 		data->notification = EAP_SIM_SUCCESS;
 		eap_sim_state(data, NOTIFICATION);
@@ -680,12 +681,13 @@ static void eap_sim_process_reauth(struct eap_sm *sm,
 		eap_sim_state(data, SUCCESS);
 
 	if (data->next_reauth_id) {
-		eap_sim_db_add_reauth(sm->eap_sim_db_priv, data->permanent,
+		eap_sim_db_add_reauth(sm->cfg->eap_sim_db_priv, data->permanent,
 				      data->next_reauth_id,
 				      data->counter + 1, data->mk);
 		data->next_reauth_id = NULL;
 	} else {
-		eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
+		eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv,
+					 data->reauth);
 		data->reauth = NULL;
 	}
 
@@ -694,7 +696,7 @@ static void eap_sim_process_reauth(struct eap_sm *sm,
 fail:
 	data->notification = EAP_SIM_GENERAL_FAILURE_BEFORE_AUTH;
 	eap_sim_state(data, NOTIFICATION);
-	eap_sim_db_remove_reauth(sm->eap_sim_db_priv, data->reauth);
+	eap_sim_db_remove_reauth(sm->cfg->eap_sim_db_priv, data->reauth);
 	data->reauth = NULL;
 	os_free(decrypted);
 }
diff --git a/src/eap_server/eap_server_teap.c b/src/eap_server/eap_server_teap.c
index 34a0d4c2e..f2f917b77 100644
--- a/src/eap_server/eap_server_teap.c
+++ b/src/eap_server/eap_server_teap.c
@@ -287,7 +287,7 @@ static int eap_teap_derive_key_auth(struct eap_sm *sm,
 	int res;
 
 	/* RFC 7170, Section 5.1 */
-	res = tls_connection_export_key(sm->ssl_ctx, data->ssl.conn,
+	res = tls_connection_export_key(sm->cfg->ssl_ctx, data->ssl.conn,
 					TEAP_TLS_EXPORTER_LABEL_SKS, NULL, 0,
 					data->simck_msk, EAP_TEAP_SIMCK_LEN);
 	if (res)
@@ -310,7 +310,7 @@ static int eap_teap_update_icmk(struct eap_sm *sm, struct eap_teap_data *data)
 	wpa_printf(MSG_DEBUG, "EAP-TEAP: Deriving ICMK[%d] (S-IMCK and CMK)",
 		   data->simck_idx + 1);
 
-	if (sm->eap_teap_auth == 1)
+	if (sm->cfg->eap_teap_auth == 1)
 		return eap_teap_derive_cmk_basic_pw_auth(data->tls_cs,
 							 data->simck_msk,
 							 data->cmk_msk);
@@ -370,7 +370,8 @@ static void * eap_teap_init(struct eap_sm *sm)
 	/* TODO: Add anon-DH TLS cipher suites (and if one is negotiated,
 	 * enforce inner EAP with mutual authentication to be used) */
 
-	if (tls_connection_set_session_ticket_cb(sm->ssl_ctx, data->ssl.conn,
+	if (tls_connection_set_session_ticket_cb(sm->cfg->ssl_ctx,
+						 data->ssl.conn,
 						 eap_teap_session_ticket_cb,
 						 data) < 0) {
 		wpa_printf(MSG_INFO,
@@ -379,48 +380,49 @@ static void * eap_teap_init(struct eap_sm *sm)
 		return NULL;
 	}
 
-	if (!sm->pac_opaque_encr_key) {
+	if (!sm->cfg->pac_opaque_encr_key) {
 		wpa_printf(MSG_INFO,
 			   "EAP-TEAP: No PAC-Opaque encryption key configured");
 		eap_teap_reset(sm, data);
 		return NULL;
 	}
-	os_memcpy(data->pac_opaque_encr, sm->pac_opaque_encr_key,
+	os_memcpy(data->pac_opaque_encr, sm->cfg->pac_opaque_encr_key,
 		  sizeof(data->pac_opaque_encr));
 
-	if (!sm->eap_fast_a_id) {
+	if (!sm->cfg->eap_fast_a_id) {
 		wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID configured");
 		eap_teap_reset(sm, data);
 		return NULL;
 	}
-	data->srv_id = os_malloc(sm->eap_fast_a_id_len);
+	data->srv_id = os_malloc(sm->cfg->eap_fast_a_id_len);
 	if (!data->srv_id) {
 		eap_teap_reset(sm, data);
 		return NULL;
 	}
-	os_memcpy(data->srv_id, sm->eap_fast_a_id, sm->eap_fast_a_id_len);
-	data->srv_id_len = sm->eap_fast_a_id_len;
+	os_memcpy(data->srv_id, sm->cfg->eap_fast_a_id,
+		  sm->cfg->eap_fast_a_id_len);
+	data->srv_id_len = sm->cfg->eap_fast_a_id_len;
 
-	if (!sm->eap_fast_a_id_info) {
+	if (!sm->cfg->eap_fast_a_id_info) {
 		wpa_printf(MSG_INFO, "EAP-TEAP: No A-ID-Info configured");
 		eap_teap_reset(sm, data);
 		return NULL;
 	}
-	data->srv_id_info = os_strdup(sm->eap_fast_a_id_info);
+	data->srv_id_info = os_strdup(sm->cfg->eap_fast_a_id_info);
 	if (!data->srv_id_info) {
 		eap_teap_reset(sm, data);
 		return NULL;
 	}
 
 	/* PAC-Key lifetime in seconds (hard limit) */
-	data->pac_key_lifetime = sm->pac_key_lifetime;
+	data->pac_key_lifetime = sm->cfg->pac_key_lifetime;
 
 	/*
 	 * PAC-Key refresh time in seconds (soft limit on remaining hard
 	 * limit). The server will generate a new PAC-Key when this number of
 	 * seconds (or fewer) of the lifetime remains.
 	 */
-	data->pac_key_refresh_time = sm->pac_key_refresh_time;
+	data->pac_key_refresh_time = sm->cfg->pac_key_refresh_time;
 
 	return data;
 }
@@ -500,8 +502,8 @@ static int eap_teap_phase1_done(struct eap_sm *sm, struct eap_teap_data *data)
 	wpa_printf(MSG_DEBUG, "EAP-TEAP: TLS cipher suite 0x%04x",
 		   data->tls_cs);
 
-	if (tls_get_cipher(sm->ssl_ctx, data->ssl.conn, cipher, sizeof(cipher))
-	    < 0) {
+	if (tls_get_cipher(sm->cfg->ssl_ctx, data->ssl.conn,
+			   cipher, sizeof(cipher)) < 0) {
 		wpa_printf(MSG_DEBUG,
 			   "EAP-TEAP: Failed to get cipher information");
 		eap_teap_state(data, FAILURE);
@@ -529,7 +531,7 @@ static struct wpabuf * eap_teap_build_phase2_req(struct eap_sm *sm,
 {
 	struct wpabuf *req;
 
-	if (sm->eap_teap_auth == 1) {
+	if (sm->cfg->eap_teap_auth == 1) {
 		wpa_printf(MSG_DEBUG, "EAP-TEAP: Initiate Basic-Password-Auth");
 		req = wpabuf_alloc(sizeof(struct teap_tlv_hdr));
 		if (!req)
@@ -567,7 +569,7 @@ static struct wpabuf * eap_teap_build_crypto_binding(
 		return NULL;
 
 	if (data->send_new_pac || data->anon_provisioning ||
-	    data->phase2_method || sm->eap_teap_separate_result)
+	    data->phase2_method || sm->cfg->eap_teap_separate_result)
 		data->final_result = 0;
 	else
 		data->final_result = 1;
@@ -846,7 +848,8 @@ static struct wpabuf * eap_teap_buildReq(struct eap_sm *sm, void *priv, u8 id)
 	case START:
 		return eap_teap_build_start(sm, data, id);
 	case PHASE1B:
-		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+		if (tls_connection_established(sm->cfg->ssl_ctx,
+					       data->ssl.conn)) {
 			if (eap_teap_phase1_done(sm, data) < 0)
 				return NULL;
 			if (data->state == PHASE2_START) {
@@ -1072,7 +1075,7 @@ static void eap_teap_process_phase2_response(struct eap_sm *sm,
 		next_vendor = EAP_VENDOR_IETF;
 		next_type = EAP_TYPE_NONE;
 #ifdef EAP_SERVER_TNC
-		if (sm->tnc && !data->tnc_started) {
+		if (sm->cfg->tnc && !data->tnc_started) {
 			wpa_printf(MSG_DEBUG, "EAP-TEAP: Initialize TNC");
 			next_vendor = EAP_VENDOR_IETF;
 			next_type = EAP_TYPE_TNC;
@@ -1463,7 +1466,7 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
 			return;
 		}
 
-		if (sm->eap_teap_auth != 1 &&
+		if (sm->cfg->eap_teap_auth != 1 &&
 		    tlv.iresult != TEAP_STATUS_SUCCESS) {
 			wpa_printf(MSG_DEBUG,
 				   "EAP-TEAP: Crypto-Binding TLV without intermediate Success Result");
@@ -1485,16 +1488,16 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
 		}
 
 		if (data->anon_provisioning &&
-		    sm->eap_fast_prov != ANON_PROV &&
-		    sm->eap_fast_prov != BOTH_PROV) {
+		    sm->cfg->eap_fast_prov != ANON_PROV &&
+		    sm->cfg->eap_fast_prov != BOTH_PROV) {
 			wpa_printf(MSG_DEBUG,
 				   "EAP-TEAP: Client is trying to use unauthenticated provisioning which is disabled");
 			eap_teap_state(data, FAILURE);
 			return;
 		}
 
-		if (sm->eap_fast_prov != AUTH_PROV &&
-		    sm->eap_fast_prov != BOTH_PROV &&
+		if (sm->cfg->eap_fast_prov != AUTH_PROV &&
+		    sm->cfg->eap_fast_prov != BOTH_PROV &&
 		    tlv.request_action == TEAP_REQUEST_ACTION_PROCESS_TLV &&
 		    eap_teap_pac_type(tlv.pac, tlv.pac_len,
 				      PAC_TYPE_TUNNEL_PAC)) {
@@ -1517,13 +1520,13 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
 			eap_teap_state(data, REQUEST_PAC);
 		} else if (data->final_result) {
 			eap_teap_state(data, SUCCESS);
-		} else if (sm->eap_teap_separate_result) {
+		} else if (sm->cfg->eap_teap_separate_result) {
 			eap_teap_state(data, SUCCESS_SEND_RESULT);
 		}
 	}
 
 	if (tlv.basic_auth_resp) {
-		if (sm->eap_teap_auth != 1) {
+		if (sm->cfg->eap_teap_auth != 1) {
 			wpa_printf(MSG_DEBUG,
 				   "EAP-TEAP: Unexpected Basic-Password-Auth-Resp when trying to use inner EAP");
 			eap_teap_state(data, FAILURE);
@@ -1534,7 +1537,7 @@ static void eap_teap_process_phase2_tlvs(struct eap_sm *sm,
 	}
 
 	if (tlv.eap_payload_tlv) {
-		if (sm->eap_teap_auth == 1) {
+		if (sm->cfg->eap_teap_auth == 1) {
 			wpa_printf(MSG_DEBUG,
 				   "EAP-TEAP: Unexpected EAP Payload TLV when trying to use Basic-Password-Auth");
 			eap_teap_state(data, FAILURE);
@@ -1573,7 +1576,7 @@ static void eap_teap_process_phase2(struct eap_sm *sm,
 		return;
 	}
 
-	in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+	in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
 					      in_buf);
 	if (!in_decrypted) {
 		wpa_printf(MSG_INFO,
@@ -1634,7 +1637,7 @@ static int eap_teap_process_phase1(struct eap_sm *sm,
 		return -1;
 	}
 
-	if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
+	if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
 	    wpabuf_len(data->ssl.tls_out) > 0)
 		return 1;
 
@@ -1668,7 +1671,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
 			next_vendor = EAP_VENDOR_IETF;
 			next_type = EAP_TYPE_NONE;
 			eap_teap_state(data, PHASE2_METHOD);
-		} else if (sm->eap_teap_pac_no_inner) {
+		} else if (sm->cfg->eap_teap_pac_no_inner) {
 			wpa_printf(MSG_DEBUG,
 				   "EAP-TEAP: Used PAC and identity already known - skip inner auth");
 			/* FIX: Need to derive CMK here. However, how is that
@@ -1679,7 +1682,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
 							  data->cmk_msk);
 			eap_teap_state(data, CRYPTO_BINDING);
 			return 1;
-		} else if (sm->eap_teap_auth == 1) {
+		} else if (sm->cfg->eap_teap_auth == 1) {
 			eap_teap_state(data, PHASE2_BASIC_AUTH);
 			return 1;
 		} else {
@@ -1691,7 +1694,7 @@ static int eap_teap_process_phase2_start(struct eap_sm *sm,
 			eap_teap_state(data, PHASE2_METHOD);
 		}
 
-	} else if (sm->eap_teap_auth == 1) {
+	} else if (sm->cfg->eap_teap_auth == 1) {
 		eap_teap_state(data, PHASE2_BASIC_AUTH);
 		return 0;
 	} else {
diff --git a/src/eap_server/eap_server_tls.c b/src/eap_server/eap_server_tls.c
index 0712d4ccd..c64cebb40 100644
--- a/src/eap_server/eap_server_tls.c
+++ b/src/eap_server/eap_server_tls.c
@@ -58,7 +58,7 @@ static void eap_tls_valid_session(struct eap_sm *sm, struct eap_tls_data *data)
 {
 	struct wpabuf *buf;
 
-	if (!sm->tls_session_lifetime)
+	if (!sm->cfg->tls_session_lifetime)
 		return;
 
 	buf = wpabuf_alloc(1);
@@ -187,7 +187,8 @@ static struct wpabuf * eap_tls_buildReq(struct eap_sm *sm, void *priv, u8 id)
 	case START:
 		return eap_tls_build_start(sm, data, id);
 	case CONTINUE:
-		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn))
+		if (tls_connection_established(sm->cfg->ssl_ctx,
+					       data->ssl.conn))
 			data->established = 1;
 		break;
 	default:
@@ -267,7 +268,7 @@ static void eap_tls_process_msg(struct eap_sm *sm, void *priv,
 	}
 
 	if (data->ssl.tls_v13 &&
-	    tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+	    tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn)) {
 		struct wpabuf *plain, *encr;
 
 		wpa_printf(MSG_DEBUG,
@@ -315,8 +316,8 @@ static void eap_tls_process(struct eap_sm *sm, void *priv,
 		return;
 	}
 
-	if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
-	    !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
+	if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
+	    !tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
 		return;
 
 	buf = tls_connection_get_success_data(data->ssl.conn);
diff --git a/src/eap_server/eap_server_tls_common.c b/src/eap_server/eap_server_tls_common.c
index 5daee9081..b38f1e0ba 100644
--- a/src/eap_server/eap_server_tls_common.c
+++ b/src/eap_server/eap_server_tls_common.c
@@ -47,9 +47,9 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
 			    int verify_peer, int eap_type)
 {
 	u8 session_ctx[8];
-	unsigned int flags = sm->tls_flags;
+	unsigned int flags = sm->cfg->tls_flags;
 
-	if (sm->ssl_ctx == NULL) {
+	if (!sm->cfg->ssl_ctx) {
 		wpa_printf(MSG_ERROR, "TLS context not initialized - cannot use TLS-based EAP method");
 		return -1;
 	}
@@ -57,7 +57,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
 	data->eap = sm;
 	data->phase2 = sm->init_phase2;
 
-	data->conn = tls_connection_init(sm->ssl_ctx);
+	data->conn = tls_connection_init(sm->cfg->ssl_ctx);
 	if (data->conn == NULL) {
 		wpa_printf(MSG_INFO, "SSL: Failed to initialize new TLS "
 			   "connection");
@@ -75,17 +75,18 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
 		flags |= TLS_CONN_DISABLE_SESSION_TICKET;
 	os_memcpy(session_ctx, "hostapd", 7);
 	session_ctx[7] = (u8) eap_type;
-	if (tls_connection_set_verify(sm->ssl_ctx, data->conn, verify_peer,
+	if (tls_connection_set_verify(sm->cfg->ssl_ctx, data->conn, verify_peer,
 				      flags, session_ctx,
 				      sizeof(session_ctx))) {
 		wpa_printf(MSG_INFO, "SSL: Failed to configure verification "
 			   "of TLS peer certificate");
-		tls_connection_deinit(sm->ssl_ctx, data->conn);
+		tls_connection_deinit(sm->cfg->ssl_ctx, data->conn);
 		data->conn = NULL;
 		return -1;
 	}
 
-	data->tls_out_limit = sm->fragment_size > 0 ? sm->fragment_size : 1398;
+	data->tls_out_limit = sm->cfg->fragment_size > 0 ?
+		sm->cfg->fragment_size : 1398;
 	if (data->phase2) {
 		/* Limit the fragment size in the inner TLS authentication
 		 * since the outer authentication with EAP-PEAP does not yet
@@ -99,7 +100,7 @@ int eap_server_tls_ssl_init(struct eap_sm *sm, struct eap_ssl_data *data,
 
 void eap_server_tls_ssl_deinit(struct eap_sm *sm, struct eap_ssl_data *data)
 {
-	tls_connection_deinit(sm->ssl_ctx, data->conn);
+	tls_connection_deinit(sm->cfg->ssl_ctx, data->conn);
 	eap_server_tls_free_in_buf(data);
 	wpabuf_free(data->tls_out);
 	data->tls_out = NULL;
@@ -116,7 +117,7 @@ u8 * eap_server_tls_derive_key(struct eap_sm *sm, struct eap_ssl_data *data,
 	if (out == NULL)
 		return NULL;
 
-	if (tls_connection_export_key(sm->ssl_ctx, data->conn, label,
+	if (tls_connection_export_key(sm->cfg->ssl_ctx, data->conn, label,
 				      context, context_len, out, len)) {
 		os_free(out);
 		return NULL;
@@ -170,7 +171,7 @@ u8 * eap_server_tls_derive_session_id(struct eap_sm *sm,
 		return id;
 	}
 
-	if (tls_connection_get_random(sm->ssl_ctx, data->conn, &keys))
+	if (tls_connection_get_random(sm->cfg->ssl_ctx, data->conn, &keys))
 		return NULL;
 
 	if (keys.client_random == NULL || keys.server_random == NULL)
@@ -340,29 +341,30 @@ int eap_server_tls_phase1(struct eap_sm *sm, struct eap_ssl_data *data)
 		WPA_ASSERT(data->tls_out == NULL);
 	}
 
-	data->tls_out = tls_connection_server_handshake(sm->ssl_ctx,
+	data->tls_out = tls_connection_server_handshake(sm->cfg->ssl_ctx,
 							data->conn,
 							data->tls_in, NULL);
 	if (data->tls_out == NULL) {
 		wpa_printf(MSG_INFO, "SSL: TLS processing failed");
 		return -1;
 	}
-	if (tls_connection_get_failed(sm->ssl_ctx, data->conn)) {
+	if (tls_connection_get_failed(sm->cfg->ssl_ctx, data->conn)) {
 		/* TLS processing has failed - return error */
 		wpa_printf(MSG_DEBUG, "SSL: Failed - tls_out available to "
 			   "report error");
 		return -1;
 	}
 
-	if (tls_get_version(sm->ssl_ctx, data->conn, buf, sizeof(buf)) == 0) {
+	if (tls_get_version(sm->cfg->ssl_ctx, data->conn,
+			    buf, sizeof(buf)) == 0) {
 		wpa_printf(MSG_DEBUG, "SSL: Using TLS version %s", buf);
 		data->tls_v13 = os_strcmp(buf, "TLSv1.3") == 0;
 	}
 
 	if (!sm->serial_num &&
-	    tls_connection_established(sm->ssl_ctx, data->conn))
-		sm->serial_num = tls_connection_peer_serial_num(sm->ssl_ctx,
-								data->conn);
+	    tls_connection_established(sm->cfg->ssl_ctx, data->conn))
+		sm->serial_num = tls_connection_peer_serial_num(
+			sm->cfg->ssl_ctx, data->conn);
 
 	return 0;
 }
@@ -451,8 +453,7 @@ struct wpabuf * eap_server_tls_encrypt(struct eap_sm *sm,
 {
 	struct wpabuf *buf;
 
-	buf = tls_connection_encrypt(sm->ssl_ctx, data->conn,
-				     plain);
+	buf = tls_connection_encrypt(sm->cfg->ssl_ctx, data->conn, plain);
 	if (buf == NULL) {
 		wpa_printf(MSG_INFO, "SSL: Failed to encrypt Phase 2 data");
 		return NULL;
@@ -506,7 +507,7 @@ int eap_server_tls_process(struct eap_sm *sm, struct eap_ssl_data *data,
 	if (proc_msg)
 		proc_msg(sm, priv, respData);
 
-	if (tls_connection_get_write_alerts(sm->ssl_ctx, data->conn) > 1) {
+	if (tls_connection_get_write_alerts(sm->cfg->ssl_ctx, data->conn) > 1) {
 		wpa_printf(MSG_INFO, "SSL: Locally detected fatal error in "
 			   "TLS processing");
 		res = -1;
diff --git a/src/eap_server/eap_server_tnc.c b/src/eap_server/eap_server_tnc.c
index b568558fd..f6cdcb1ef 100644
--- a/src/eap_server/eap_server_tnc.c
+++ b/src/eap_server/eap_server_tnc.c
@@ -84,8 +84,8 @@ static void * eap_tnc_init(struct eap_sm *sm)
 		return NULL;
 	}
 
-	data->fragment_size = sm->fragment_size > 100 ?
-		sm->fragment_size - 98 : 1300;
+	data->fragment_size = sm->cfg->fragment_size > 100 ?
+		sm->cfg->fragment_size - 98 : 1300;
 
 	return data;
 }
@@ -508,7 +508,7 @@ static void eap_tnc_process(struct eap_sm *sm, void *priv,
 		eap_tnc_set_state(data, FAIL);
 		return;
 	}
-		
+
 	if (flags & EAP_TNC_FLAGS_MORE_FRAGMENTS) {
 		if (eap_tnc_process_fragment(data, flags, message_length,
 					     pos, end - pos) < 0)
diff --git a/src/eap_server/eap_server_ttls.c b/src/eap_server/eap_server_ttls.c
index caeef35cb..721835dbf 100644
--- a/src/eap_server/eap_server_ttls.c
+++ b/src/eap_server/eap_server_ttls.c
@@ -81,7 +81,7 @@ static void eap_ttls_valid_session(struct eap_sm *sm,
 {
 	struct wpabuf *buf;
 
-	if (!sm->tls_session_lifetime)
+	if (!sm->cfg->tls_session_lifetime)
 		return;
 
 	buf = wpabuf_alloc(1 + 1 + sm->identity_len);
@@ -480,7 +480,8 @@ static struct wpabuf * eap_ttls_buildReq(struct eap_sm *sm, void *priv, u8 id)
 	case START:
 		return eap_ttls_build_start(sm, data, id);
 	case PHASE1:
-		if (tls_connection_established(sm->ssl_ctx, data->ssl.conn)) {
+		if (tls_connection_established(sm->cfg->ssl_ctx,
+					       data->ssl.conn)) {
 			wpa_printf(MSG_DEBUG, "EAP-TTLS: Phase1 done, "
 				   "starting Phase2");
 			eap_ttls_state(data, PHASE2_START);
@@ -1029,7 +1030,7 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
 		return;
 	}
 
-	in_decrypted = tls_connection_decrypt(sm->ssl_ctx, data->ssl.conn,
+	in_decrypted = tls_connection_decrypt(sm->cfg->ssl_ctx, data->ssl.conn,
 					      in_buf);
 	if (in_decrypted == NULL) {
 		wpa_printf(MSG_INFO, "EAP-TTLS: Failed to decrypt Phase 2 "
@@ -1119,7 +1120,7 @@ done:
 static void eap_ttls_start_tnc(struct eap_sm *sm, struct eap_ttls_data *data)
 {
 #ifdef EAP_SERVER_TNC
-	if (!sm->tnc || data->state != SUCCESS || data->tnc_started)
+	if (!sm->cfg->tnc || data->state != SUCCESS || data->tnc_started)
 		return;
 
 	wpa_printf(MSG_DEBUG, "EAP-TTLS: Initialize TNC");
@@ -1209,8 +1210,8 @@ static void eap_ttls_process(struct eap_sm *sm, void *priv,
 		return;
 	}
 
-	if (!tls_connection_established(sm->ssl_ctx, data->ssl.conn) ||
-	    !tls_connection_resumed(sm->ssl_ctx, data->ssl.conn))
+	if (!tls_connection_established(sm->cfg->ssl_ctx, data->ssl.conn) ||
+	    !tls_connection_resumed(sm->cfg->ssl_ctx, data->ssl.conn))
 		return;
 
 	buf = tls_connection_get_success_data(data->ssl.conn);
diff --git a/src/eap_server/eap_server_wsc.c b/src/eap_server/eap_server_wsc.c
index 4a5cb980a..364c089aa 100644
--- a/src/eap_server/eap_server_wsc.c
+++ b/src/eap_server/eap_server_wsc.c
@@ -103,10 +103,10 @@ static void * eap_wsc_init(struct eap_sm *sm)
 	data->registrar = registrar;
 
 	os_memset(&cfg, 0, sizeof(cfg));
-	cfg.wps = sm->wps;
+	cfg.wps = sm->cfg->wps;
 	cfg.registrar = registrar;
 	if (registrar) {
-		if (sm->wps == NULL || sm->wps->registrar == NULL) {
+		if (!sm->cfg->wps || !sm->cfg->wps->registrar) {
 			wpa_printf(MSG_INFO, "EAP-WSC: WPS Registrar not "
 				   "initialized");
 			os_free(data);
@@ -138,14 +138,14 @@ static void * eap_wsc_init(struct eap_sm *sm)
 		cfg.p2p_dev_addr = p2p_get_go_dev_addr(sm->assoc_p2p_ie);
 	}
 #endif /* CONFIG_P2P */
-	cfg.pbc_in_m1 = sm->pbc_in_m1;
+	cfg.pbc_in_m1 = sm->cfg->pbc_in_m1;
 	data->wps = wps_init(&cfg);
 	if (data->wps == NULL) {
 		os_free(data);
 		return NULL;
 	}
-	data->fragment_size = sm->fragment_size > 0 ? sm->fragment_size :
-		WSC_FRAGMENT_SIZE;
+	data->fragment_size = sm->cfg->fragment_size > 0 ?
+		sm->cfg->fragment_size : WSC_FRAGMENT_SIZE;
 
 	return data;
 }
diff --git a/src/eapol_auth/eapol_auth_sm.c b/src/eapol_auth/eapol_auth_sm.c
index 5a2abb518..5a2ba261d 100644
--- a/src/eapol_auth/eapol_auth_sm.c
+++ b/src/eapol_auth/eapol_auth_sm.c
@@ -775,7 +775,7 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
 		 const char *identity, const char *radius_cui)
 {
 	struct eapol_state_machine *sm;
-	struct eap_config eap_conf;
+	struct eap_session_data eap_sess;
 
 	if (eapol == NULL)
 		return NULL;
@@ -823,38 +823,12 @@ eapol_auth_alloc(struct eapol_authenticator *eapol, const u8 *addr,
 	else
 		sm->portValid = TRUE;
 
-	os_memset(&eap_conf, 0, sizeof(eap_conf));
-	eap_conf.eap_server = eapol->conf.eap_server;
-	eap_conf.ssl_ctx = eapol->conf.ssl_ctx;
-	eap_conf.msg_ctx = eapol->conf.msg_ctx;
-	eap_conf.eap_sim_db_priv = eapol->conf.eap_sim_db_priv;
-	eap_conf.pac_opaque_encr_key = eapol->conf.pac_opaque_encr_key;
-	eap_conf.eap_fast_a_id = eapol->conf.eap_fast_a_id;
-	eap_conf.eap_fast_a_id_len = eapol->conf.eap_fast_a_id_len;
-	eap_conf.eap_fast_a_id_info = eapol->conf.eap_fast_a_id_info;
-	eap_conf.eap_fast_prov = eapol->conf.eap_fast_prov;
-	eap_conf.pac_key_lifetime = eapol->conf.pac_key_lifetime;
-	eap_conf.pac_key_refresh_time = eapol->conf.pac_key_refresh_time;
-	eap_conf.eap_teap_auth = eapol->conf.eap_teap_auth;
-	eap_conf.eap_teap_pac_no_inner = eapol->conf.eap_teap_pac_no_inner;
-	eap_conf.eap_teap_separate_result =
-		eapol->conf.eap_teap_separate_result;
-	eap_conf.eap_sim_aka_result_ind = eapol->conf.eap_sim_aka_result_ind;
-	eap_conf.eap_sim_id = eapol->conf.eap_sim_id;
-	eap_conf.tnc = eapol->conf.tnc;
-	eap_conf.wps = eapol->conf.wps;
-	eap_conf.assoc_wps_ie = assoc_wps_ie;
-	eap_conf.assoc_p2p_ie = assoc_p2p_ie;
-	eap_conf.peer_addr = addr;
-	eap_conf.fragment_size = eapol->conf.fragment_size;
-	eap_conf.pwd_group = eapol->conf.pwd_group;
-	eap_conf.pbc_in_m1 = eapol->conf.pbc_in_m1;
-	eap_conf.server_id = eapol->conf.server_id;
-	eap_conf.server_id_len = eapol->conf.server_id_len;
-	eap_conf.erp = eapol->conf.erp;
-	eap_conf.tls_session_lifetime = eapol->conf.tls_session_lifetime;
-	eap_conf.tls_flags = eapol->conf.tls_flags;
-	sm->eap = eap_server_sm_init(sm, &eapol_cb, &eap_conf);
+	os_memset(&eap_sess, 0, sizeof(eap_sess));
+	eap_sess.assoc_wps_ie = assoc_wps_ie;
+	eap_sess.assoc_p2p_ie = assoc_p2p_ie;
+	eap_sess.peer_addr = addr;
+	sm->eap = eap_server_sm_init(sm, &eapol_cb, eapol->conf.eap_cfg,
+				     &eap_sess);
 	if (sm->eap == NULL) {
 		eapol_auth_free(sm);
 		return NULL;
@@ -1189,19 +1163,12 @@ int eapol_auth_set_conf(struct eapol_state_machine *sm, const char *param,
 static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
 				 struct eapol_auth_config *src)
 {
+	dst->eap_cfg = src->eap_cfg;
 	dst->ctx = src->ctx;
 	dst->eap_reauth_period = src->eap_reauth_period;
 	dst->wpa = src->wpa;
 	dst->individual_wep_key_len = src->individual_wep_key_len;
-	dst->eap_server = src->eap_server;
-	dst->ssl_ctx = src->ssl_ctx;
-	dst->msg_ctx = src->msg_ctx;
-	dst->eap_sim_db_priv = src->eap_sim_db_priv;
 	os_free(dst->eap_req_id_text);
-	dst->pwd_group = src->pwd_group;
-	dst->pbc_in_m1 = src->pbc_in_m1;
-	dst->server_id = src->server_id;
-	dst->server_id_len = src->server_id_len;
 	if (src->eap_req_id_text) {
 		dst->eap_req_id_text = os_memdup(src->eap_req_id_text,
 						 src->eap_req_id_text_len);
@@ -1212,38 +1179,6 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
 		dst->eap_req_id_text = NULL;
 		dst->eap_req_id_text_len = 0;
 	}
-	if (src->pac_opaque_encr_key) {
-		dst->pac_opaque_encr_key = os_memdup(src->pac_opaque_encr_key,
-						     16);
-		if (dst->pac_opaque_encr_key == NULL)
-			goto fail;
-	} else
-		dst->pac_opaque_encr_key = NULL;
-	if (src->eap_fast_a_id) {
-		dst->eap_fast_a_id = os_memdup(src->eap_fast_a_id,
-					       src->eap_fast_a_id_len);
-		if (dst->eap_fast_a_id == NULL)
-			goto fail;
-		dst->eap_fast_a_id_len = src->eap_fast_a_id_len;
-	} else
-		dst->eap_fast_a_id = NULL;
-	if (src->eap_fast_a_id_info) {
-		dst->eap_fast_a_id_info = os_strdup(src->eap_fast_a_id_info);
-		if (dst->eap_fast_a_id_info == NULL)
-			goto fail;
-	} else
-		dst->eap_fast_a_id_info = NULL;
-	dst->eap_fast_prov = src->eap_fast_prov;
-	dst->pac_key_lifetime = src->pac_key_lifetime;
-	dst->pac_key_refresh_time = src->pac_key_refresh_time;
-	dst->eap_teap_auth = src->eap_teap_auth;
-	dst->eap_teap_pac_no_inner = src->eap_teap_pac_no_inner;
-	dst->eap_teap_separate_result = src->eap_teap_separate_result;
-	dst->eap_sim_aka_result_ind = src->eap_sim_aka_result_ind;
-	dst->eap_sim_id = src->eap_sim_id;
-	dst->tnc = src->tnc;
-	dst->wps = src->wps;
-	dst->fragment_size = src->fragment_size;
 
 	os_free(dst->erp_domain);
 	if (src->erp_domain) {
@@ -1254,9 +1189,6 @@ static int eapol_auth_conf_clone(struct eapol_auth_config *dst,
 		dst->erp_domain = NULL;
 	}
 	dst->erp_send_reauth_start = src->erp_send_reauth_start;
-	dst->erp = src->erp;
-	dst->tls_session_lifetime = src->tls_session_lifetime;
-	dst->tls_flags = src->tls_flags;
 
 	return 0;
 
@@ -1270,12 +1202,6 @@ static void eapol_auth_conf_free(struct eapol_auth_config *conf)
 {
 	os_free(conf->eap_req_id_text);
 	conf->eap_req_id_text = NULL;
-	os_free(conf->pac_opaque_encr_key);
-	conf->pac_opaque_encr_key = NULL;
-	os_free(conf->eap_fast_a_id);
-	conf->eap_fast_a_id = NULL;
-	os_free(conf->eap_fast_a_id_info);
-	conf->eap_fast_a_id_info = NULL;
 	os_free(conf->erp_domain);
 	conf->erp_domain = NULL;
 }
diff --git a/src/eapol_auth/eapol_auth_sm.h b/src/eapol_auth/eapol_auth_sm.h
index fc467da59..5fe89c64b 100644
--- a/src/eapol_auth/eapol_auth_sm.h
+++ b/src/eapol_auth/eapol_auth_sm.h
@@ -15,39 +15,14 @@
 #define EAPOL_SM_FROM_PMKSA_CACHE BIT(3)
 
 struct eapol_auth_config {
+	const struct eap_config *eap_cfg;
 	int eap_reauth_period;
 	int wpa;
 	int individual_wep_key_len;
-	int eap_server;
-	void *ssl_ctx;
-	void *msg_ctx;
-	void *eap_sim_db_priv;
 	char *eap_req_id_text; /* a copy of this will be allocated */
 	size_t eap_req_id_text_len;
 	int erp_send_reauth_start;
 	char *erp_domain; /* a copy of this will be allocated */
-	int erp; /* Whether ERP is enabled on authentication server */
-	unsigned int tls_session_lifetime;
-	unsigned int tls_flags;
-	u8 *pac_opaque_encr_key;
-	u8 *eap_fast_a_id;
-	size_t eap_fast_a_id_len;
-	char *eap_fast_a_id_info;
-	int eap_fast_prov;
-	int pac_key_lifetime;
-	int pac_key_refresh_time;
-	int eap_teap_auth;
-	int eap_teap_pac_no_inner;
-	int eap_teap_separate_result;
-	int eap_sim_aka_result_ind;
-	int eap_sim_id;
-	int tnc;
-	struct wps_context *wps;
-	int fragment_size;
-	u16 pwd_group;
-	int pbc_in_m1;
-	const u8 *server_id;
-	size_t server_id_len;
 
 	/* Opaque context pointer to owner data for callback functions */
 	void *ctx;
diff --git a/src/radius/radius_server.c b/src/radius/radius_server.c
index 100cf52ae..a24caec11 100644
--- a/src/radius/radius_server.c
+++ b/src/radius/radius_server.c
@@ -161,146 +161,10 @@ struct radius_server_data {
 	 */
 	int num_sess;
 
-	/**
-	 * eap_sim_db_priv - EAP-SIM/AKA database context
-	 *
-	 * This is passed to the EAP-SIM/AKA server implementation as a
-	 * callback context.
-	 */
-	void *eap_sim_db_priv;
-
-	/**
-	 * ssl_ctx - TLS context
-	 *
-	 * This is passed to the EAP server implementation as a callback
-	 * context for TLS operations.
-	 */
-	void *ssl_ctx;
-
-	/**
-	 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
-	 *
-	 * This parameter is used to set a key for EAP-FAST to encrypt the
-	 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
-	 * set, must point to a 16-octet key.
-	 */
-	u8 *pac_opaque_encr_key;
-
-	/**
-	 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
-	 *
-	 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
-	 * is a variable length field, but due to some existing implementations
-	 * requiring A-ID to be 16 octets in length, it is recommended to use
-	 * that length for the field to provide interoperability with deployed
-	 * peer implementations.
-	 */
-	u8 *eap_fast_a_id;
-
-	/**
-	 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
-	 */
-	size_t eap_fast_a_id_len;
-
-	/**
-	 * eap_fast_a_id_info - EAP-FAST authority identifier information
-	 *
-	 * This A-ID-Info contains a user-friendly name for the A-ID. For
-	 * example, this could be the enterprise and server names in
-	 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
-	 * is not used, this can be set to %NULL.
-	 */
-	char *eap_fast_a_id_info;
-
-	/**
-	 * eap_fast_prov - EAP-FAST provisioning modes
-	 *
-	 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
-	 * 2 = only authenticated provisioning allowed, 3 = both provisioning
-	 * modes allowed.
-	 */
-	int eap_fast_prov;
-
-	/**
-	 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
-	 *
-	 * This is the hard limit on how long a provisioned PAC-Key can be
-	 * used.
-	 */
-	int pac_key_lifetime;
-
-	/**
-	 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
-	 *
-	 * This is a soft limit on the PAC-Key. The server will automatically
-	 * generate a new PAC-Key when this number of seconds (or fewer) of the
-	 * lifetime remains.
-	 */
-	int pac_key_refresh_time;
-
-	int eap_teap_auth;
-	int eap_teap_pac_no_inner;
-	int eap_teap_separate_result;
-
-	/**
-	 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
-	 *
-	 * This controls whether the protected success/failure indication
-	 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
-	 */
-	int eap_sim_aka_result_ind;
-
-	int eap_sim_id;
-
-	/**
-	 * tnc - Trusted Network Connect (TNC)
-	 *
-	 * This controls whether TNC is enabled and will be required before the
-	 * peer is allowed to connect. Note: This is only used with EAP-TTLS
-	 * and EAP-FAST. If any other EAP method is enabled, the peer will be
-	 * allowed to connect without TNC.
-	 */
-	int tnc;
-
-	/**
-	 * pwd_group - The D-H group assigned for EAP-pwd
-	 *
-	 * If EAP-pwd is not used it can be set to zero.
-	 */
-	u16 pwd_group;
-
-	/**
-	 * server_id - Server identity
-	 */
-	const char *server_id;
-
-	/**
-	 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
-	 *
-	 * This controls whether the authentication server derives ERP key
-	 * hierarchy (rRK and rIK) from full EAP authentication and allows
-	 * these keys to be used to perform ERP to derive rMSK instead of full
-	 * EAP authentication to derive MSK.
-	 */
-	int erp;
-
 	const char *erp_domain;
 
 	struct dl_list erp_keys; /* struct eap_server_erp_key */
 
-	unsigned int tls_session_lifetime;
-
-	unsigned int tls_flags;
-
-	/**
-	 * wps - Wi-Fi Protected Setup context
-	 *
-	 * If WPS is used with an external RADIUS server (which is quite
-	 * unlikely configuration), this is used to provide a pointer to WPS
-	 * context data. Normally, this can be set to %NULL.
-	 */
-	struct wps_context *wps;
-
 	/**
 	 * ipv6 - Whether to enable IPv6 support in the RADIUS server
 	 */
@@ -352,11 +216,6 @@ struct radius_server_data {
 	 */
 	size_t eap_req_id_text_len;
 
-	/*
-	 * msg_ctx - Context data for wpa_msg() calls
-	 */
-	void *msg_ctx;
-
 #ifdef CONFIG_RADIUS_TEST
 	char *dump_msk_file;
 #endif /* CONFIG_RADIUS_TEST */
@@ -370,6 +229,8 @@ struct radius_server_data {
 #ifdef CONFIG_SQLITE
 	sqlite3 *db;
 #endif /* CONFIG_SQLITE */
+
+	struct eap_config *eap_cfg;
 };
 
 
@@ -620,7 +481,7 @@ radius_server_new_session(struct radius_server_data *data,
 #ifdef CONFIG_TESTING_OPTIONS
 static void radius_server_testing_options_tls(struct radius_session *sess,
 					      const char *tls,
-					      struct eap_config *eap_conf)
+					      struct eap_session_data *eap_conf)
 {
 	int test = atoi(tls);
 
@@ -665,7 +526,7 @@ static void radius_server_testing_options_tls(struct radius_session *sess,
 #endif /* CONFIG_TESTING_OPTIONS */
 
 static void radius_server_testing_options(struct radius_session *sess,
-					  struct eap_config *eap_conf)
+					  struct eap_session_data *eap_conf)
 {
 #ifdef CONFIG_TESTING_OPTIONS
 	const char *pos;
@@ -708,7 +569,7 @@ radius_server_get_new_session(struct radius_server_data *data,
 	size_t user_len, id_len;
 	int res;
 	struct radius_session *sess;
-	struct eap_config eap_conf;
+	struct eap_session_data eap_sess;
 	struct eap_user *tmp;
 
 	RADIUS_DEBUG("Creating a new session");
@@ -726,7 +587,7 @@ radius_server_get_new_session(struct radius_server_data *data,
 
 	res = data->get_eap_user(data->conf_ctx, user, user_len, 0, tmp);
 #ifdef CONFIG_ERP
-	if (res != 0 && data->erp) {
+	if (res != 0 && data->eap_cfg->erp) {
 		char *username;
 
 		username = os_zalloc(user_len + 1);
@@ -785,35 +646,10 @@ radius_server_get_new_session(struct radius_server_data *data,
 
 	srv_log(sess, "New session created");
 
-	os_memset(&eap_conf, 0, sizeof(eap_conf));
-	eap_conf.ssl_ctx = data->ssl_ctx;
-	eap_conf.msg_ctx = data->msg_ctx;
-	eap_conf.eap_sim_db_priv = data->eap_sim_db_priv;
-	eap_conf.backend_auth = TRUE;
-	eap_conf.eap_server = 1;
-	eap_conf.pac_opaque_encr_key = data->pac_opaque_encr_key;
-	eap_conf.eap_fast_a_id = data->eap_fast_a_id;
-	eap_conf.eap_fast_a_id_len = data->eap_fast_a_id_len;
-	eap_conf.eap_fast_a_id_info = data->eap_fast_a_id_info;
-	eap_conf.eap_fast_prov = data->eap_fast_prov;
-	eap_conf.pac_key_lifetime = data->pac_key_lifetime;
-	eap_conf.pac_key_refresh_time = data->pac_key_refresh_time;
-	eap_conf.eap_teap_auth = data->eap_teap_auth;
-	eap_conf.eap_teap_pac_no_inner = data->eap_teap_pac_no_inner;
-	eap_conf.eap_teap_separate_result = data->eap_teap_separate_result;
-	eap_conf.eap_sim_aka_result_ind = data->eap_sim_aka_result_ind;
-	eap_conf.eap_sim_id = data->eap_sim_id;
-	eap_conf.tnc = data->tnc;
-	eap_conf.wps = data->wps;
-	eap_conf.pwd_group = data->pwd_group;
-	eap_conf.server_id = (const u8 *) data->server_id;
-	eap_conf.server_id_len = os_strlen(data->server_id);
-	eap_conf.erp = data->erp;
-	eap_conf.tls_session_lifetime = data->tls_session_lifetime;
-	eap_conf.tls_flags = data->tls_flags;
-	radius_server_testing_options(sess, &eap_conf);
+	os_memset(&eap_sess, 0, sizeof(eap_sess));
+	radius_server_testing_options(sess, &eap_sess);
 	sess->eap = eap_server_sm_init(sess, &radius_server_eapol_cb,
-				       &eap_conf);
+				       data->eap_cfg, &eap_sess);
 	if (sess->eap == NULL) {
 		RADIUS_DEBUG("Failed to initialize EAP state machine for the "
 			     "new session");
@@ -2353,6 +2189,7 @@ struct radius_server_data *
 radius_server_init(struct radius_server_conf *conf)
 {
 	struct radius_server_data *data;
+	struct eap_config *eap_cfg;
 
 #ifndef CONFIG_IPV6
 	if (conf->ipv6) {
@@ -2365,45 +2202,56 @@ radius_server_init(struct radius_server_conf *conf)
 	if (data == NULL)
 		return NULL;
 
+	eap_cfg = data->eap_cfg = os_zalloc(sizeof(*eap_cfg));
+	if (!eap_cfg) {
+		os_free(data);
+		return NULL;
+	}
 	data->auth_sock = -1;
 	data->acct_sock = -1;
 	dl_list_init(&data->erp_keys);
 	os_get_reltime(&data->start_time);
 	data->conf_ctx = conf->conf_ctx;
-	data->eap_sim_db_priv = conf->eap_sim_db_priv;
-	data->ssl_ctx = conf->ssl_ctx;
-	data->msg_ctx = conf->msg_ctx;
+	eap_cfg->backend_auth = TRUE;
+	eap_cfg->eap_server = 1;
+	eap_cfg->eap_sim_db_priv = conf->eap_sim_db_priv;
+	eap_cfg->ssl_ctx = conf->ssl_ctx;
+	eap_cfg->msg_ctx = conf->msg_ctx;
 	data->ipv6 = conf->ipv6;
 	if (conf->pac_opaque_encr_key) {
-		data->pac_opaque_encr_key = os_malloc(16);
-		if (data->pac_opaque_encr_key) {
-			os_memcpy(data->pac_opaque_encr_key,
+		eap_cfg->pac_opaque_encr_key = os_malloc(16);
+		if (eap_cfg->pac_opaque_encr_key) {
+			os_memcpy(eap_cfg->pac_opaque_encr_key,
 				  conf->pac_opaque_encr_key, 16);
 		}
 	}
 	if (conf->eap_fast_a_id) {
-		data->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
-		if (data->eap_fast_a_id) {
-			os_memcpy(data->eap_fast_a_id, conf->eap_fast_a_id,
+		eap_cfg->eap_fast_a_id = os_malloc(conf->eap_fast_a_id_len);
+		if (eap_cfg->eap_fast_a_id) {
+			os_memcpy(eap_cfg->eap_fast_a_id, conf->eap_fast_a_id,
 				  conf->eap_fast_a_id_len);
-			data->eap_fast_a_id_len = conf->eap_fast_a_id_len;
+			eap_cfg->eap_fast_a_id_len = conf->eap_fast_a_id_len;
 		}
 	}
 	if (conf->eap_fast_a_id_info)
-		data->eap_fast_a_id_info = os_strdup(conf->eap_fast_a_id_info);
-	data->eap_fast_prov = conf->eap_fast_prov;
-	data->pac_key_lifetime = conf->pac_key_lifetime;
-	data->pac_key_refresh_time = conf->pac_key_refresh_time;
-	data->eap_teap_auth = conf->eap_teap_auth;
-	data->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
-	data->eap_teap_separate_result = conf->eap_teap_separate_result;
+		eap_cfg->eap_fast_a_id_info =
+			os_strdup(conf->eap_fast_a_id_info);
+	eap_cfg->eap_fast_prov = conf->eap_fast_prov;
+	eap_cfg->pac_key_lifetime = conf->pac_key_lifetime;
+	eap_cfg->pac_key_refresh_time = conf->pac_key_refresh_time;
+	eap_cfg->eap_teap_auth = conf->eap_teap_auth;
+	eap_cfg->eap_teap_pac_no_inner = conf->eap_teap_pac_no_inner;
+	eap_cfg->eap_teap_separate_result = conf->eap_teap_separate_result;
 	data->get_eap_user = conf->get_eap_user;
-	data->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
-	data->eap_sim_id = conf->eap_sim_id;
-	data->tnc = conf->tnc;
-	data->wps = conf->wps;
-	data->pwd_group = conf->pwd_group;
-	data->server_id = conf->server_id;
+	eap_cfg->eap_sim_aka_result_ind = conf->eap_sim_aka_result_ind;
+	eap_cfg->eap_sim_id = conf->eap_sim_id;
+	eap_cfg->tnc = conf->tnc;
+	eap_cfg->wps = conf->wps;
+	eap_cfg->pwd_group = conf->pwd_group;
+	if (conf->server_id) {
+		eap_cfg->server_id = (u8 *) os_strdup(conf->server_id);
+		eap_cfg->server_id_len = os_strlen(conf->server_id);
+	}
 	if (conf->eap_req_id_text) {
 		data->eap_req_id_text = os_malloc(conf->eap_req_id_text_len);
 		if (data->eap_req_id_text) {
@@ -2412,10 +2260,10 @@ radius_server_init(struct radius_server_conf *conf)
 			data->eap_req_id_text_len = conf->eap_req_id_text_len;
 		}
 	}
-	data->erp = conf->erp;
+	eap_cfg->erp = conf->erp;
 	data->erp_domain = conf->erp_domain;
-	data->tls_session_lifetime = conf->tls_session_lifetime;
-	data->tls_flags = conf->tls_flags;
+	eap_cfg->tls_session_lifetime = conf->tls_session_lifetime;
+	eap_cfg->tls_flags = conf->tls_flags;
 
 	if (conf->subscr_remediation_url) {
 		data->subscr_remediation_url =
@@ -2537,9 +2385,6 @@ void radius_server_deinit(struct radius_server_data *data)
 
 	radius_server_free_clients(data, data->clients);
 
-	os_free(data->pac_opaque_encr_key);
-	os_free(data->eap_fast_a_id);
-	os_free(data->eap_fast_a_id_info);
 	os_free(data->eap_req_id_text);
 #ifdef CONFIG_RADIUS_TEST
 	os_free(data->dump_msk_file);
@@ -2554,6 +2399,7 @@ void radius_server_deinit(struct radius_server_data *data)
 #endif /* CONFIG_SQLITE */
 
 	radius_server_erp_flush(data);
+	eap_server_config_free(data->eap_cfg);
 
 	os_free(data);
 }