diff --git a/src/ap/ieee802_11.c b/src/ap/ieee802_11.c
index 0bc7f5b75..76607da5b 100644
--- a/src/ap/ieee802_11.c
+++ b/src/ap/ieee802_11.c
@@ -17,6 +17,7 @@
 #include "common/ieee802_11_defs.h"
 #include "common/ieee802_11_common.h"
 #include "common/wpa_ctrl.h"
+#include "common/sae.h"
 #include "radius/radius.h"
 #include "radius/radius_client.h"
 #include "p2p/p2p.h"
@@ -344,8 +345,8 @@ static struct wpabuf * auth_build_sae_confirm(struct hostapd_data *hapd,
 	if (buf == NULL)
 		return NULL;
 
-	wpabuf_put_le16(buf, sta->sae_send_confirm);
-	sta->sae_send_confirm++;
+	wpabuf_put_le16(buf, sta->sae->send_confirm);
+	sta->sae->send_confirm++;
 	/* TODO: Confirm */
 
 	return buf;
@@ -393,6 +394,12 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 	u16 resp = WLAN_STATUS_SUCCESS;
 	struct wpabuf *data;
 
+	if (!sta->sae) {
+		sta->sae = os_zalloc(sizeof(*sta->sae));
+		if (sta->sae == NULL)
+			return;
+	}
+
 	if (auth_transaction == 1) {
 		hostapd_logger(hapd, sta->addr, HOSTAPD_MODULE_IEEE80211,
 			       HOSTAPD_LEVEL_DEBUG,
@@ -401,9 +408,9 @@ static void handle_auth_sae(struct hostapd_data *hapd, struct sta_info *sta,
 					 ((u8 *) mgmt) + len -
 					 mgmt->u.auth.variable);
 		if (resp == WLAN_STATUS_SUCCESS)
-			sta->sae_state = SAE_COMMIT;
+			sta->sae->state = SAE_COMMIT;
 	} else if (auth_transaction == 2) {
-		if (sta->sae_state != SAE_COMMIT) {
+		if (sta->sae->state != SAE_COMMIT) {
 			hostapd_logger(hapd, sta->addr,
 				       HOSTAPD_MODULE_IEEE80211,
 				       HOSTAPD_LEVEL_DEBUG,
diff --git a/src/ap/sta_info.c b/src/ap/sta_info.c
index 97cd0136b..84973b6e1 100644
--- a/src/ap/sta_info.c
+++ b/src/ap/sta_info.c
@@ -240,6 +240,10 @@ void ap_free_sta(struct hostapd_data *hapd, struct sta_info *sta)
 	os_free(sta->identity);
 	os_free(sta->radius_cui);
 
+#ifdef CONFIG_SAE
+	os_free(sta->sae);
+#endif /* CONFIG_SAE */
+
 	os_free(sta);
 }
 
diff --git a/src/ap/sta_info.h b/src/ap/sta_info.h
index d5e92faa7..32ea46e04 100644
--- a/src/ap/sta_info.h
+++ b/src/ap/sta_info.h
@@ -127,8 +127,7 @@ struct sta_info {
 	struct os_time connected_time;
 
 #ifdef CONFIG_SAE
-	enum { SAE_INIT, SAE_COMMIT, SAE_CONFIRM } sae_state;
-	u16 sae_send_confirm;
+	struct sae_data *sae;
 #endif /* CONFIG_SAE */
 };
 
diff --git a/src/common/sae.h b/src/common/sae.h
new file mode 100644
index 000000000..4894e9480
--- /dev/null
+++ b/src/common/sae.h
@@ -0,0 +1,17 @@
+/*
+ * Simultaneous authentication of equals
+ * Copyright (c) 2012, Jouni Malinen <j@w1.fi>
+ *
+ * This software may be distributed under the terms of the BSD license.
+ * See README for more details.
+ */
+
+#ifndef SAE_H
+#define SAE_H
+
+struct sae_data {
+	enum { SAE_INIT, SAE_COMMIT, SAE_CONFIRM } state;
+	u16 send_confirm;
+};
+
+#endif /* SAE_H */
diff --git a/wpa_supplicant/sme.c b/wpa_supplicant/sme.c
index 77ad1d2e1..d1e42e2b7 100644
--- a/wpa_supplicant/sme.c
+++ b/wpa_supplicant/sme.c
@@ -14,6 +14,7 @@
 #include "common/ieee802_11_common.h"
 #include "eapol_supp/eapol_supp_sm.h"
 #include "common/wpa_common.h"
+#include "common/sae.h"
 #include "rsn_supp/wpa.h"
 #include "rsn_supp/pmksa_cache.h"
 #include "config.h"
@@ -70,8 +71,8 @@ static struct wpabuf * sme_auth_build_sae_confirm(struct wpa_supplicant *wpa_s)
 
 	wpabuf_put_le16(buf, 2); /* Transaction seq# */
 	wpabuf_put_le16(buf, WLAN_STATUS_SUCCESS);
-	wpabuf_put_le16(buf, wpa_s->sme.sae_send_confirm);
-	wpa_s->sme.sae_send_confirm++;
+	wpabuf_put_le16(buf, wpa_s->sme.sae.send_confirm);
+	wpa_s->sme.sae.send_confirm++;
 	/* TODO: Confirm */
 
 	return buf;
@@ -332,7 +333,7 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
 			return;
 		params.sae_data = wpabuf_head(resp);
 		params.sae_data_len = wpabuf_len(resp);
-		wpa_s->sme.sae_state = start ? SME_SAE_COMMIT : SME_SAE_CONFIRM;
+		wpa_s->sme.sae.state = start ? SAE_COMMIT : SAE_CONFIRM;
 	}
 #endif /* CONFIG_SAE */
 
@@ -377,8 +378,10 @@ static void sme_send_authentication(struct wpa_supplicant *wpa_s,
 void sme_authenticate(struct wpa_supplicant *wpa_s,
 		      struct wpa_bss *bss, struct wpa_ssid *ssid)
 {
-	wpa_s->sme.sae_state = SME_SAE_INIT;
-	wpa_s->sme.sae_send_confirm = 0;
+#ifdef CONFIG_SAE
+	wpa_s->sme.sae.state = SAE_INIT;
+	wpa_s->sme.sae.send_confirm = 0;
+#endif /* CONFIG_SAE */
 	sme_send_authentication(wpa_s, bss, ssid, 1);
 }
 
@@ -433,7 +436,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
 		if (wpa_s->current_bss == NULL ||
 		    wpa_s->current_ssid == NULL)
 			return -1;
-		if (wpa_s->sme.sae_state != SME_SAE_COMMIT)
+		if (wpa_s->sme.sae.state != SAE_COMMIT)
 			return -1;
 		if (sme_sae_process_commit(wpa_s, data, len) < 0)
 			return -1;
@@ -442,7 +445,7 @@ static int sme_sae_auth(struct wpa_supplicant *wpa_s, u16 auth_transaction,
 		return 0;
 	} else if (auth_transaction == 2) {
 		wpa_dbg(wpa_s, MSG_DEBUG, "SME SAE confirm");
-		if (wpa_s->sme.sae_state != SME_SAE_CONFIRM)
+		if (wpa_s->sme.sae.state != SAE_CONFIRM)
 			return -1;
 		if (sme_sae_process_confirm(wpa_s, data, len) < 0)
 			return -1;
diff --git a/wpa_supplicant/wpa_supplicant_i.h b/wpa_supplicant/wpa_supplicant_i.h
index 544977b47..74c3c0f97 100644
--- a/wpa_supplicant/wpa_supplicant_i.h
+++ b/wpa_supplicant/wpa_supplicant_i.h
@@ -11,6 +11,7 @@
 
 #include "utils/list.h"
 #include "common/defs.h"
+#include "common/sae.h"
 #include "config_ssid.h"
 
 extern const char *wpa_supplicant_version;
@@ -513,12 +514,9 @@ struct wpa_supplicant {
 		u8 sched_obss_scan;
 		u16 obss_scan_int;
 		u16 bss_max_idle_period;
-		enum {
-			SME_SAE_INIT,
-			SME_SAE_COMMIT,
-			SME_SAE_CONFIRM
-		} sae_state;
-		u16 sae_send_confirm;
+#ifdef CONFIG_SAE
+		struct sae_data sae;
+#endif /* CONFIG_SAE */
 	} sme;
 #endif /* CONFIG_SME */