Imported Upstream version 5.5.0

14 files changed, 1786 insertions, 0 deletions

diff --git a/src/libcharon/tests/utils/exchange_test_asserts.c b/src/libcharon/tests/utils/exchange_test_asserts.c
new file mode 100644
index 000000000..2602b97b7
--- /dev/null
+++ b/src/libcharon/tests/utils/exchange_test_asserts.c
@@ -0,0 +1,182 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include <inttypes.h>
+
+#include <test_suite.h>
+
+#include "exchange_test_asserts.h"
+
+/*
+ * Described in header
+ */
+bool exchange_test_asserts_hook(listener_t *listener)
+{
+	listener_hook_assert_t *this = (listener_hook_assert_t*)listener;
+
+	this->count++;
+	return TRUE;
+}
+
+/*
+ * Described in header
+ */
+bool exchange_test_asserts_ike_updown(listener_t *listener, ike_sa_t *ike_sa,
+									  bool up)
+{
+	listener_hook_assert_t *this = (listener_hook_assert_t*)listener;
+
+	this->count++;
+	assert_listener_msg(this->up == up, this, "IKE_SA not '%s'",
+						this->up ? "up" : "down");
+	return TRUE;
+}
+
+/*
+ * Described in header
+ */
+bool exchange_test_asserts_child_updown(listener_t *listener, ike_sa_t *ike_sa,
+										child_sa_t *child_sa, bool up)
+{
+	listener_hook_assert_t *this = (listener_hook_assert_t*)listener;
+
+	this->count++;
+	assert_listener_msg(this->up == up, this, "CHILD_SA not '%s'",
+						this->up ? "up" : "down");
+	return TRUE;
+}
+
+/*
+ * Described in header
+ */
+bool exchange_test_asserts_ike_rekey(listener_t *listener, ike_sa_t *old,
+									 ike_sa_t *new)
+{
+	listener_hook_assert_t *this = (listener_hook_assert_t*)listener;
+	ike_sa_id_t *id;
+	uint64_t spi;
+
+	this->count++;
+	id = old->get_id(old);
+	spi = id->get_initiator_spi(id);
+	assert_listener_msg(this->spi_old == spi, this, "unexpected old IKE_SA "
+						"%.16"PRIx64"_i instead of %.16"PRIx64"_i",
+						be64toh(spi), be64toh(this->spi_old));
+	id = new->get_id(new);
+	spi = id->get_initiator_spi(id);
+	assert_listener_msg(this->spi_new == spi, this, "unexpected new IKE_SA "
+						"%.16"PRIx64"_i instead of %.16"PRIx64"_i",
+						be64toh(spi), be64toh(this->spi_new));
+	return TRUE;
+}
+
+/*
+ * Described in header
+ */
+bool exchange_test_asserts_child_rekey(listener_t *listener, ike_sa_t *ike_sa,
+									   child_sa_t *old, child_sa_t *new)
+{
+	listener_hook_assert_t *this = (listener_hook_assert_t*)listener;
+	uint32_t spi, expected;
+
+	this->count++;
+	spi = old->get_spi(old, TRUE);
+	expected = this->spi_old;
+	assert_listener_msg(expected == spi, this, "unexpected old CHILD_SA %.8x "
+						"instead of %.8x", spi, expected);
+	spi = new->get_spi(new, TRUE);
+	expected = this->spi_new;
+	assert_listener_msg(expected == spi, this, "unexpected new CHILD_SA %.8x "
+						"instead of %.8x", spi, expected);
+	return TRUE;
+}
+
+/**
+ * Assert a given message rule
+ */
+static void assert_message_rule(listener_message_assert_t *this, message_t *msg,
+								listener_message_rule_t *rule)
+{
+	if (rule->expected)
+	{
+		if (rule->payload)
+		{
+			assert_listener_msg(msg->get_payload(msg, rule->payload),
+								this, "expected payload (%N) not found",
+								payload_type_names, rule->payload);
+
+		}
+		if (rule->notify)
+		{
+			assert_listener_msg(msg->get_notify(msg, rule->notify),
+								this, "expected notify payload (%N) not found",
+								notify_type_names, rule->notify);
+		}
+	}
+	else
+	{
+		if (rule->payload)
+		{
+			assert_listener_msg(!msg->get_payload(msg, rule->payload),
+								this, "unexpected payload (%N) found",
+								payload_type_names, rule->payload);
+
+		}
+		if (rule->notify)
+		{
+			assert_listener_msg(!msg->get_notify(msg, rule->notify),
+								this, "unexpected notify payload (%N) found",
+								notify_type_names, rule->notify);
+		}
+	}
+}
+
+/*
+ * Described in header
+ */
+bool exchange_test_asserts_message(listener_t *listener, ike_sa_t *ike_sa,
+								message_t *message, bool incoming, bool plain)
+{
+	listener_message_assert_t *this = (listener_message_assert_t*)listener;
+
+	if (plain && this->incoming == incoming)
+	{
+		if (this->count >= 0)
+		{
+			enumerator_t *enumerator;
+			int count = 0;
+			enumerator = message->create_payload_enumerator(message);
+			while (enumerator->enumerate(enumerator, NULL))
+			{
+				count++;
+			}
+			enumerator->destroy(enumerator);
+			assert_listener_msg(this->count == count, this, "unexpected payload "
+								"count in message (%d != %d)", this->count,
+								count);
+		}
+		if (this->num_rules)
+		{
+			int i;
+
+			for (i = 0; i < this->num_rules; i++)
+			{
+				assert_message_rule(this, message, &this->rules[i]);
+			}
+		}
+		return FALSE;
+	}
+	return TRUE;
+}
diff --git a/src/libcharon/tests/utils/exchange_test_asserts.h b/src/libcharon/tests/utils/exchange_test_asserts.h
new file mode 100644
index 000000000..32afcc2e4
--- /dev/null
+++ b/src/libcharon/tests/utils/exchange_test_asserts.h
@@ -0,0 +1,343 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Special assertions using listener_t.
+ *
+ * @defgroup exchange_test_asserts exchange_test_asserts
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef EXCHANGE_TEST_ASSERTS_H_
+#define EXCHANGE_TEST_ASSERTS_H_
+
+#include <bus/listeners/listener.h>
+
+typedef struct listener_hook_assert_t listener_hook_assert_t;
+typedef struct listener_message_assert_t listener_message_assert_t;
+typedef struct listener_message_rule_t listener_message_rule_t;
+
+struct listener_hook_assert_t {
+
+	/**
+	 * Implemented interface
+	 */
+	listener_t listener;
+
+	/**
+	 * Original source file
+	 */
+	const char *file;
+
+	/**
+	 * Source line
+	 */
+	int line;
+
+	/**
+	 * Name of the hook
+	 */
+	const char *name;
+
+	/**
+	 * Expected number of calls (-1 to ignore)
+	 */
+	int expected;
+
+	/**
+	 * Number of times the hook was called
+	 */
+	int count;
+
+	/**
+	 * Expected updown result
+	 */
+	bool up;
+
+	/**
+	 * Initiator/Inbound SPIs to expect in rekey event
+	 */
+	uint64_t spi_old, spi_new;
+};
+
+/**
+ * Basic callback for methods on listener_t, counting the number of calls.
+ */
+bool exchange_test_asserts_hook(listener_t *this);
+
+/**
+ * Implementation of listener_t::ike_updown.
+ */
+bool exchange_test_asserts_ike_updown(listener_t *this, ike_sa_t *ike_sa,
+									  bool up);
+
+/**
+ * Implementation of listener_t::child_updown.
+ */
+bool exchange_test_asserts_child_updown(listener_t *this, ike_sa_t *ike_sa,
+										child_sa_t *child_sa, bool up);
+
+/**
+ * Implementation of listener_t::ike_rekey.
+ */
+bool exchange_test_asserts_ike_rekey(listener_t *this, ike_sa_t *old,
+									 ike_sa_t *new);
+
+/**
+ * Implementation of listener_t::child_rekey.
+ */
+bool exchange_test_asserts_child_rekey(listener_t *this, ike_sa_t *ike_sa,
+									   child_sa_t *old, child_sa_t *new);
+
+/**
+ * Check if a statement evaluates to TRUE, use original source file and line
+ * in the error message if not.
+ *
+ * @param x			statement to evaluate
+ * @param l			listener providing original source file and line
+ * @param fmt		printf format string
+ * @param ...		arguments for fmt
+ */
+#define assert_listener_msg(x, l, fmt, ...) ({ \
+	test_fail_if_worker_failed(); \
+	if (!(x)) \
+	{ \
+		test_fail_msg((l)->file, (l)->line, "%s: " fmt, #x, ##__VA_ARGS__); \
+	} \
+})
+
+/**
+ * Initialize an assertion that enforces that the given hook was called.
+ * Must be matched by a call to assert_hook().
+ *
+ * @param name		name of the hook
+ */
+#define assert_hook_called(name) \
+	_assert_hook_init(name, exchange_test_asserts_hook, .expected = 1)
+
+/**
+ * Initialize an assertion that enforces that the given hook was not called.
+ * Must be matched by a call to assert_hook().
+ *
+ * @param name		name of the hook
+ */
+#define assert_hook_not_called(name) \
+	_assert_hook_init(name, exchange_test_asserts_hook, .expected = 0)
+
+/**
+ * Initialize an assertion that enforces that the given updown hook was called
+ * with the expected result.
+ * Must be matched by a call to assert_hook().
+ *
+ * @param name		name of the hook
+ * @param e			whether to expect up in the hook to be TRUE or not
+ */
+#define assert_hook_updown(name, e) \
+	_assert_hook_init(name, \
+		streq(#name, "ike_updown") ? (void*)exchange_test_asserts_ike_updown \
+								   : (void*)exchange_test_asserts_child_updown, \
+		.expected = 1, \
+		.up = e, \
+	)
+
+/**
+ * Initialize an assertion that enforces that the given rekey hook was called
+ * with the SAs with the matching initiator/inbound SPIs.
+ * Must be matched by a call to assert_hook().
+ *
+ * @param name		name of the hook
+ * @param old		SPI of the old SA
+ * @param new		SPI of the new SA
+ */
+#define assert_hook_rekey(name, old, new) \
+	_assert_hook_init(name, \
+		streq(#name, "ike_rekey") ? (void*)exchange_test_asserts_ike_rekey \
+								   : (void*)exchange_test_asserts_child_rekey, \
+		.expected = 1, \
+		.spi_old = old, \
+		.spi_new = new, \
+	)
+
+/**
+ * Initialize assertions against invocations of listener_t hooks.  Each call
+ * must be matched by a call to assert_hook().
+ */
+#define _assert_hook_init(n, callback, ...) \
+do { \
+	listener_hook_assert_t _hook_listener = { \
+		.listener = { .n = (void*)callback, }, \
+		.file = __FILE__, \
+		.line = __LINE__, \
+		.name = #n, \
+		##__VA_ARGS__ \
+	}; \
+	exchange_test_helper->add_listener(exchange_test_helper, &_hook_listener.listener)
+
+/**
+ * Enforce the most recently initialized hook assertion.
+ */
+#define assert_hook() \
+	charon->bus->remove_listener(charon->bus, &_hook_listener.listener); \
+	if (_hook_listener.expected > 0) { \
+		if (_hook_listener.count > 0) { \
+			assert_listener_msg(_hook_listener.expected == _hook_listener.count, \
+								&_hook_listener, "hook '%s' was called %d times " \
+								"instead of %d", _hook_listener.name, \
+								_hook_listener.count, _hook_listener.expected); \
+		} else { \
+			assert_listener_msg(_hook_listener.count, &_hook_listener, \
+				"hook '%s' was not called (expected %d)", _hook_listener.name, \
+				_hook_listener.expected); \
+		} \
+	} else if (_hook_listener.expected == 0) { \
+		assert_listener_msg(_hook_listener.count == 0, &_hook_listener, \
+				"hook '%s' was called unexpectedly", _hook_listener.name); \
+	} \
+} while(FALSE)
+
+/**
+ * Rules regarding payloads/notifies to expect/not expect in a message
+ */
+struct listener_message_rule_t {
+
+	/**
+	 * Whether the payload/notify is expected in the message, FALSE to fail if
+	 * it is found
+	 */
+	bool expected;
+
+	/**
+	 * Payload type to expect/not expect
+	 */
+	payload_type_t payload;
+
+	/**
+	 * Notify type to expect/not expect (paylod type does not have to be
+	 * specified)
+	 */
+	notify_type_t notify;
+};
+
+/**
+ * Data used to check plaintext messages via listener_t
+ */
+struct listener_message_assert_t {
+
+	/**
+	 * Implemented interface
+	 */
+	listener_t listener;
+
+	/**
+	 * Original source file
+	 */
+	const char *file;
+
+	/**
+	 * Source line
+	 */
+	int line;
+
+	/**
+	 * Whether to check the next inbound or outbound message
+	 */
+	bool incoming;
+
+	/**
+	 * Payload count to expect (-1 to ignore the count)
+	 */
+	int count;
+
+	/**
+	 * Payloads to expect or not expect in a message
+	 */
+	listener_message_rule_t *rules;
+
+	/**
+	 * Number of rules
+	 */
+	int num_rules;
+};
+
+/**
+ * Implementation of listener_t::message collecting data and asserting
+ * certain things.
+ */
+bool exchange_test_asserts_message(listener_t *this, ike_sa_t *ike_sa,
+							message_t *message, bool incoming, bool plain);
+
+/**
+ * Assert that the next in- or outbound plaintext message is empty.
+ *
+ * @param dir			IN or OUT to check the next in- or outbound message
+ */
+#define assert_message_empty(dir) \
+				_assert_payload(dir, 0)
+
+/**
+ * Assert that the next in- or outbound plaintext message contains exactly
+ * one payload of the given type.
+ *
+ * @param dir			IN or OUT to check the next in- or outbound message
+ * @param expected		expected payload type
+ */
+#define assert_single_payload(dir, expected) \
+				_assert_payload(dir, 1, { TRUE, expected, 0 })
+
+/**
+ * Assert that the next in- or outbound plaintext message contains exactly
+ * one notify of the given type.
+ *
+ * @param dir			IN or OUT to check the next in- or outbound message
+ * @param expected		expected notify type
+ */
+#define assert_single_notify(dir, expected) \
+				_assert_payload(dir, 1, { TRUE, 0, expected })
+
+/**
+ * Assert that the next in- or outbound plaintext message contains a notify
+ * of the given type.
+ *
+ * @param dir			IN or OUT to check the next in- or outbound message
+ * @param expected		expected notify type
+ */
+#define assert_notify(dir, expected) \
+				_assert_payload(dir, -1, { TRUE, 0, expected })
+
+/**
+ * Assert that the next in- or outbound plaintext message does not contain a
+ * notify of the given type.
+ *
+ * @param dir			IN or OUT to check the next in- or outbound message
+ * @param unexpected	not expected notify type
+ */
+#define assert_no_notify(dir, unexpected) \
+				_assert_payload(dir, -1, { FALSE, 0, unexpected })
+
+#define _assert_payload(dir, c, ...) ({ \
+	listener_message_rule_t _rules[] = { __VA_ARGS__ }; \
+	listener_message_assert_t _listener = { \
+		.listener = { .message = exchange_test_asserts_message, }, \
+		.file = __FILE__, \
+		.line = __LINE__, \
+		.incoming = streq(#dir, "IN") ? TRUE : FALSE, \
+		.count = c, \
+		.rules = _rules, \
+		.num_rules = countof(_rules), \
+	}; \
+	exchange_test_helper->add_listener(exchange_test_helper, &_listener.listener); \
+})
+
+#endif /** EXCHANGE_TEST_ASSERTS_H_ @}*/
diff --git a/src/libcharon/tests/utils/exchange_test_helper.c b/src/libcharon/tests/utils/exchange_test_helper.c
new file mode 100644
index 000000000..f32906d5d
--- /dev/null
+++ b/src/libcharon/tests/utils/exchange_test_helper.c
@@ -0,0 +1,372 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "exchange_test_helper.h"
+#include "mock_dh.h"
+#include "mock_ipsec.h"
+#include "mock_nonce_gen.h"
+
+#include <collections/array.h>
+#include <credentials/sets/mem_cred.h>
+
+typedef struct private_exchange_test_helper_t private_exchange_test_helper_t;
+typedef struct private_backend_t private_backend_t;
+
+/**
+ * Private data
+ */
+struct private_exchange_test_helper_t {
+
+	/**
+	 * Public interface
+	 */
+	exchange_test_helper_t public;
+
+	/**
+	 * Credentials
+	 */
+	mem_cred_t *creds;
+
+	/**
+	 * IKE_SA SPI counter
+	 */
+	refcount_t ike_spi;
+
+	/**
+	 * List of registered listeners
+	 */
+	array_t *listeners;
+};
+
+/**
+ * Custom backend_t implementation
+ */
+struct private_backend_t {
+
+	/**
+	 * Public interface
+	 */
+	backend_t public;
+
+	/**
+	 * Responder ike_cfg
+	 */
+	ike_cfg_t *ike_cfg;
+
+	/**
+	 * Responder peer_cfg/child_cfg
+	 */
+	peer_cfg_t *peer_cfg;
+};
+
+CALLBACK(get_ike_spi, uint64_t,
+	private_exchange_test_helper_t *this)
+{
+	return (uint64_t)ref_get(&this->ike_spi);
+}
+
+/*
+ * Described in header
+ */
+exchange_test_helper_t *exchange_test_helper;
+
+static ike_cfg_t *create_ike_cfg(bool initiator, exchange_test_sa_conf_t *conf)
+{
+	ike_cfg_t *ike_cfg;
+	char *proposal = NULL;
+
+	ike_cfg = ike_cfg_create(IKEV2, TRUE, FALSE, "127.0.0.1", IKEV2_UDP_PORT,
+							 "127.0.0.1", IKEV2_UDP_PORT, FRAGMENTATION_NO, 0);
+	if (conf)
+	{
+		proposal = initiator ? conf->initiator.ike : conf->responder.ike;
+	}
+	if (proposal)
+	{
+		ike_cfg->add_proposal(ike_cfg,
+							proposal_create_from_string(PROTO_IKE, proposal));
+	}
+	else
+	{
+		ike_cfg->add_proposal(ike_cfg, proposal_create_default(PROTO_IKE));
+	}
+	return ike_cfg;
+}
+
+static child_cfg_t *create_child_cfg(bool initiator,
+									 exchange_test_sa_conf_t *conf)
+{
+	child_cfg_t *child_cfg;
+	child_cfg_create_t child = {
+		.mode = MODE_TUNNEL,
+	};
+	char *proposal = NULL;
+
+	child_cfg = child_cfg_create(initiator ? "init" : "resp", &child);
+	if (conf)
+	{
+		proposal = initiator ? conf->initiator.esp : conf->responder.esp;
+	}
+	if (proposal)
+	{
+		child_cfg->add_proposal(child_cfg,
+							proposal_create_from_string(PROTO_ESP, proposal));
+	}
+	else
+	{
+		child_cfg->add_proposal(child_cfg, proposal_create_default(PROTO_ESP));
+	}
+	child_cfg->add_traffic_selector(child_cfg, TRUE,
+								traffic_selector_create_dynamic(0, 0, 65535));
+	child_cfg->add_traffic_selector(child_cfg, FALSE,
+								traffic_selector_create_dynamic(0, 0, 65535));
+	return child_cfg;
+}
+
+static void add_auth_cfg(peer_cfg_t *peer_cfg, bool initiator, bool local)
+{
+	auth_cfg_t *auth;
+	char *id = "init";
+
+	auth = auth_cfg_create();
+	auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PSK);
+	if (initiator ^ local)
+	{
+		id = "resp";
+	}
+	auth->add(auth, AUTH_RULE_IDENTITY, identification_create_from_string(id));
+	peer_cfg->add_auth_cfg(peer_cfg, auth, local);
+}
+
+static peer_cfg_t *create_peer_cfg(bool initiator,
+								   exchange_test_sa_conf_t *conf)
+{
+	peer_cfg_t *peer_cfg;
+	peer_cfg_create_t peer = {
+		.cert_policy = CERT_SEND_IF_ASKED,
+		.unique = UNIQUE_REPLACE,
+		.keyingtries = 1,
+	};
+
+	peer_cfg = peer_cfg_create(initiator ? "init" : "resp",
+							   create_ike_cfg(initiator, conf), &peer);
+	add_auth_cfg(peer_cfg, initiator, TRUE);
+	add_auth_cfg(peer_cfg, initiator, FALSE);
+	return peer_cfg;
+}
+
+METHOD(backend_t, create_ike_cfg_enumerator, enumerator_t*,
+	private_backend_t *this, host_t *me, host_t *other)
+{
+	return enumerator_create_single(this->ike_cfg, NULL);
+}
+
+METHOD(backend_t, create_peer_cfg_enumerator, enumerator_t*,
+	private_backend_t *this, identification_t *me, identification_t *other)
+{
+	return enumerator_create_single(this->peer_cfg, NULL);
+}
+
+METHOD(exchange_test_helper_t, process_message, status_t,
+	private_exchange_test_helper_t *this, ike_sa_t *ike_sa, message_t *message)
+{
+	status_t status = FAILED;
+	ike_sa_id_t *id;
+
+	if (!message)
+	{
+		message = this->public.sender->dequeue(this->public.sender);
+	}
+	id = message->get_ike_sa_id(message);
+	id = id->clone(id);
+	id->switch_initiator(id);
+	if (!id->get_responder_spi(id) || id->equals(id, ike_sa->get_id(ike_sa)))
+	{
+		charon->bus->set_sa(charon->bus, ike_sa);
+		status = ike_sa->process_message(ike_sa, message);
+		charon->bus->set_sa(charon->bus, NULL);
+	}
+	message->destroy(message);
+	id->destroy(id);
+	return status;
+}
+
+METHOD(exchange_test_helper_t, establish_sa, void,
+	private_exchange_test_helper_t *this, ike_sa_t **init, ike_sa_t **resp,
+	exchange_test_sa_conf_t *conf)
+{
+	private_backend_t backend = {
+		.public = {
+			.create_ike_cfg_enumerator = _create_ike_cfg_enumerator,
+			.create_peer_cfg_enumerator = _create_peer_cfg_enumerator,
+			.get_peer_cfg_by_name = (void*)return_null,
+		},
+	};
+	ike_sa_id_t *id_i, *id_r;
+	ike_sa_t *sa_i, *sa_r;
+	peer_cfg_t *peer_cfg;
+	child_cfg_t *child_cfg;
+
+	sa_i = *init = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+														IKEV2, TRUE);
+	id_i = sa_i->get_id(sa_i);
+
+	sa_r = *resp = charon->ike_sa_manager->checkout_new(charon->ike_sa_manager,
+														IKEV2, FALSE);
+	id_r = sa_r->get_id(sa_r);
+
+	peer_cfg = create_peer_cfg(TRUE, conf);
+	child_cfg = create_child_cfg(TRUE, conf);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
+	sa_i->set_peer_cfg(sa_i, peer_cfg);
+	peer_cfg->destroy(peer_cfg);
+	call_ikesa(sa_i, initiate, child_cfg, 0, NULL, NULL);
+
+	backend.ike_cfg = create_ike_cfg(FALSE, conf);
+	peer_cfg = backend.peer_cfg = create_peer_cfg(FALSE, conf);
+	child_cfg = create_child_cfg(FALSE, conf);
+	peer_cfg->add_child_cfg(peer_cfg, child_cfg->get_ref(child_cfg));
+	child_cfg->destroy(child_cfg);
+	charon->backends->add_backend(charon->backends, &backend.public);
+
+	/* IKE_SA_INIT --> */
+	id_r->set_initiator_spi(id_r, id_i->get_initiator_spi(id_i));
+	process_message(this, sa_r, NULL);
+	/* <-- IKE_SA_INIT */
+	id_i->set_responder_spi(id_i, id_r->get_responder_spi(id_r));
+	process_message(this, sa_i, NULL);
+	/* IKE_AUTH --> */
+	process_message(this, sa_r, NULL);
+	/* <-- IKE_AUTH */
+	process_message(this, sa_i, NULL);
+
+	charon->backends->remove_backend(charon->backends, &backend.public);
+	DESTROY_IF(backend.peer_cfg);
+	DESTROY_IF(backend.ike_cfg);
+}
+
+METHOD(exchange_test_helper_t, add_listener, void,
+	private_exchange_test_helper_t *this, listener_t *listener)
+{
+	array_insert_create(&this->listeners, ARRAY_TAIL, listener);
+	charon->bus->add_listener(charon->bus, listener);
+}
+
+/**
+ * Enable logging in charon as requested
+ */
+static void initialize_logging()
+{
+	int level = LEVEL_SILENT;
+	char *verbosity;
+
+	verbosity = getenv("TESTS_VERBOSITY");
+	if (verbosity)
+	{
+		level = atoi(verbosity);
+	}
+	lib->settings->set_int(lib->settings, "%s.filelog.stderr.default",
+			lib->settings->get_int(lib->settings, "%s.filelog.stderr.default",
+								   level, lib->ns), lib->ns);
+	lib->settings->set_bool(lib->settings, "%s.filelog.stderr.ike_name", TRUE,
+							lib->ns);
+	charon->load_loggers(charon, NULL, TRUE);
+}
+
+/**
+ * Create a nonce generator with the first byte
+ */
+static nonce_gen_t *create_nonce_gen()
+{
+	return mock_nonce_gen_create(exchange_test_helper->nonce_first_byte);
+}
+
+/*
+ * Described in header
+ */
+void exchange_test_helper_init(char *plugins)
+{
+	private_exchange_test_helper_t *this;
+	plugin_feature_t features[] = {
+		PLUGIN_REGISTER(DH, mock_dh_create),
+			/* we only need to support a limited number of DH groups */
+			PLUGIN_PROVIDE(DH, MODP_2048_BIT),
+			PLUGIN_PROVIDE(DH, MODP_3072_BIT),
+			PLUGIN_PROVIDE(DH, ECP_256_BIT),
+		PLUGIN_REGISTER(NONCE_GEN, create_nonce_gen),
+			PLUGIN_PROVIDE(NONCE_GEN),
+				PLUGIN_DEPENDS(RNG, RNG_WEAK),
+	};
+
+	INIT(this,
+		.public = {
+			.sender = mock_sender_create(),
+			.establish_sa = _establish_sa,
+			.process_message = _process_message,
+			.add_listener = _add_listener,
+		},
+		.creds = mem_cred_create(),
+	);
+
+	initialize_logging();
+	lib->plugins->add_static_features(lib->plugins, "exchange-test-helper",
+								features, countof(features), TRUE, NULL, NULL);
+	/* the libcharon unit tests only load the libstrongswan plugins, unless
+	 * TESTS_PLUGINS is defined */
+	charon->initialize(charon, plugins);
+	lib->plugins->status(lib->plugins, LEVEL_CTRL);
+
+	/* the original sender is not initialized because there is no socket */
+	charon->sender = (sender_t*)this->public.sender;
+	/* and there is no kernel plugin loaded
+	 * TODO: we'd have more control if we'd implement kernel_interface_t */
+	charon->kernel->add_ipsec_interface(charon->kernel, mock_ipsec_create);
+	/* like SPIs for IPsec SAs, make IKE SPIs predictable */
+	charon->ike_sa_manager->set_spi_cb(charon->ike_sa_manager, get_ike_spi,
+									   this);
+
+	lib->credmgr->add_set(lib->credmgr, &this->creds->set);
+
+	this->creds->add_shared(this->creds,
+			shared_key_create(SHARED_IKE, chunk_clone(chunk_from_str("test"))),
+			identification_create_from_string("%any"), NULL);
+
+	exchange_test_helper = &this->public;
+}
+
+/*
+ * Described in header
+ */
+void exchange_test_helper_deinit()
+{
+	private_exchange_test_helper_t *this;
+	listener_t *listener;
+
+	this = (private_exchange_test_helper_t*)exchange_test_helper;
+
+	while (array_remove(this->listeners, ARRAY_HEAD, &listener))
+	{
+		charon->bus->remove_listener(charon->bus, listener);
+	}
+	lib->credmgr->remove_set(lib->credmgr, &this->creds->set);
+	this->creds->destroy(this->creds);
+	/* flush SAs before destroying the sender (in case of test failures) */
+	charon->ike_sa_manager->flush(charon->ike_sa_manager);
+	/* charon won't destroy this as it didn't initialize the original sender */
+	charon->sender->destroy(charon->sender);
+	charon->sender = NULL;
+	array_destroy(this->listeners);
+	free(this);
+}
diff --git a/src/libcharon/tests/utils/exchange_test_helper.h b/src/libcharon/tests/utils/exchange_test_helper.h
new file mode 100644
index 000000000..e1fdb012a
--- /dev/null
+++ b/src/libcharon/tests/utils/exchange_test_helper.h
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * This class and singleton object initializes charon and provides helper
+ * methods to create unit tests for IKEv2 exchanges.
+ *
+ * It also registers special implementations for the kernel_ipsec_t interface,
+ * the sender and provides dummy configs and credentials.
+ *
+ * @defgroup exchange_test_helper exchange_test_helper
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef EXCHANGE_TEST_HELPER_H_
+#define EXCHANGE_TEST_HELPER_H_
+
+#include <daemon.h>
+
+#include "mock_sender.h"
+
+typedef struct exchange_test_helper_t exchange_test_helper_t;
+typedef struct exchange_test_sa_conf_t exchange_test_sa_conf_t;
+
+struct exchange_test_helper_t {
+
+	/**
+	 * Sender instance used during tests
+	 */
+	mock_sender_t *sender;
+
+	/**
+	 * Set the initial byte of all nonces generated by future nonce
+	 * generators (already instatiated nonce generators are not affected).
+	 */
+	u_char nonce_first_byte;
+
+	/**
+	 * Creates an established IKE_SA/CHILD_SA
+	 *
+	 * @param[out] init		IKE_SA of the initiator
+	 * @param[out] resp		IKE_SA of the responder
+	 * @param conf			configuration for SAs
+	 */
+	void (*establish_sa)(exchange_test_helper_t *this, ike_sa_t **init,
+						 ike_sa_t **resp, exchange_test_sa_conf_t *conf);
+
+	/**
+	 * Pass a message to the given IKE_SA for processing, setting the IKE_SA on
+	 * the bus while processing the message.
+	 *
+	 * @param ike_sa		the IKE_SA receiving the message
+	 * @param message		the message, or NULL to pass the next message in the
+	 *						send queue (adopted)
+	 * @return				return value from ike_sa_t::process_message()
+	 */
+	status_t (*process_message)(exchange_test_helper_t *this, ike_sa_t *sa,
+								message_t *message);
+
+	/**
+	 * Register a listener with the bus.
+	 *
+	 * Don't use bus_t::add_listener() directly for listeners on the stack
+	 * as that could lead to invalid listeners registered when hooks are
+	 * triggered during cleanup if a test case fails.  All of the listeners
+	 * added this way are unregistered with the bus before cleaning up.
+	 *
+	 * @param listener		listener to add to the bus
+	 */
+	void (*add_listener)(exchange_test_helper_t *this, listener_t *listener);
+};
+
+struct exchange_test_sa_conf_t {
+
+	/**
+	 * Configuration for initiator and responder
+	 */
+	struct {
+		/** IKE proposal */
+		char *ike;
+		/** ESP proposal */
+		char *esp;
+	} initiator, responder;
+};
+
+/**
+ * Since we don't use the IKE_SA manager to checkout SAs use this to call a
+ * method on the given IKE_SA in its context.
+ */
+#define call_ikesa(sa, method, ...) ({ \
+	charon->bus->set_sa(charon->bus, sa); \
+	sa->method(sa, ##__VA_ARGS__); \
+	charon->bus->set_sa(charon->bus, NULL); \
+})
+
+/**
+ * The one and only instance of the helper object.
+ *
+ * Set between exchange_test_helper_setup() and exchange_test_helper_teardown()
+ * calls.
+ */
+extern exchange_test_helper_t *exchange_test_helper;
+
+/**
+ * Initialize charon and the helper object.
+ *
+ * @param plugins			plugins to load
+ */
+void exchange_test_helper_init(char *plugins);
+
+/**
+ * Deinitialize the helper object.
+ */
+void exchange_test_helper_deinit();
+
+#endif /** EXCHANGE_TEST_HELPER_H_ @} */
diff --git a/src/libcharon/tests/utils/job_asserts.h b/src/libcharon/tests/utils/job_asserts.h
new file mode 100644
index 000000000..3491f08c3
--- /dev/null
+++ b/src/libcharon/tests/utils/job_asserts.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Special assertions against job handling.
+ *
+ * @defgroup job_asserts job_asserts
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef JOB_ASSERTS_H_
+#define JOB_ASSERTS_H_
+
+/**
+ * Initialize an assertion that enforces that no jobs were scheduled.
+ * Must be matched by a call to assert_scheduler().
+ */
+#define assert_no_jobs_scheduled() _assert_jobs_scheduled(0)
+
+/**
+ * Initialize an assertion that enforces that a specific number of jobs was
+ * scheduled.
+ * Must be matched by a call to assert_scheduler().
+ *
+ * @param count			expected number of jobs getting scheduled
+ */
+#define assert_jobs_scheduled(count) _assert_jobs_scheduled(count)
+
+/**
+ * Initialize assertions against job scheduling.
+ * Must be matched by a call to assert_scheduler().
+ */
+#define _assert_jobs_scheduled(count) \
+do { \
+	u_int _initial = lib->scheduler->get_job_load(lib->scheduler); \
+	u_int _expected = count
+
+/**
+ * Enforce scheduler asserts.
+ */
+#define assert_scheduler() \
+	u_int _actual = lib->scheduler->get_job_load(lib->scheduler) - _initial; \
+	test_assert_msg(_expected == _actual, "unexpected number of jobs " \
+					"scheduled (%u != %u)", _expected, _actual); \
+} while(FALSE)
+
+#endif /** JOB_ASSERTS_H_ @}*/
diff --git a/src/libcharon/tests/utils/mock_dh.c b/src/libcharon/tests/utils/mock_dh.c
new file mode 100644
index 000000000..153bf1166
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_dh.c
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mock_dh.h"
+
+typedef struct private_diffie_hellman_t private_diffie_hellman_t;
+
+/**
+ * Private data
+ */
+struct private_diffie_hellman_t {
+
+	/**
+	 * Public interface
+	 */
+	diffie_hellman_t public;
+
+	/**
+	 * Instantiated DH group
+	 */
+	diffie_hellman_group_t group;
+};
+
+METHOD(diffie_hellman_t, get_my_public_value, bool,
+	private_diffie_hellman_t *this, chunk_t *value)
+{
+	*value = chunk_empty;
+	return TRUE;
+}
+
+METHOD(diffie_hellman_t, set_other_public_value, bool,
+	private_diffie_hellman_t *this, chunk_t value)
+{
+	return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_shared_secret, bool,
+	private_diffie_hellman_t *this, chunk_t *secret)
+{
+	*secret = chunk_empty;
+	return TRUE;
+}
+
+METHOD(diffie_hellman_t, get_dh_group, diffie_hellman_group_t,
+	private_diffie_hellman_t *this)
+{
+	return this->group;
+}
+
+METHOD(diffie_hellman_t, destroy, void,
+	private_diffie_hellman_t *this)
+{
+	free(this);
+}
+
+/**
+ * See header
+ */
+diffie_hellman_t *mock_dh_create(diffie_hellman_group_t group)
+{
+	private_diffie_hellman_t *this;
+
+	INIT(this,
+		.public = {
+			.get_shared_secret = _get_shared_secret,
+			.set_other_public_value = _set_other_public_value,
+			.get_my_public_value = _get_my_public_value,
+			.get_dh_group = _get_dh_group,
+			.destroy = _destroy,
+		},
+		.group = group,
+	);
+	return &this->public;
+}
diff --git a/src/libcharon/tests/utils/mock_dh.h b/src/libcharon/tests/utils/mock_dh.h
new file mode 100644
index 000000000..332c65537
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_dh.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Provides a DH implementation that does no real work to make the tests run
+ * faster.
+ *
+ * @defgroup mock_dh mock_dh
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef MOCK_DH_H_
+#define MOCK_DH_H_
+
+#include <crypto/diffie_hellman.h>
+
+/**
+ * Creates a diffie_hellman_t object.
+ *
+ * @param group			Diffie Hellman group, supports MODP_NULL only
+ * @return				created object
+ */
+diffie_hellman_t *mock_dh_create(diffie_hellman_group_t group);
+
+#endif /** MOCK_DH_H_ @}*/
diff --git a/src/libcharon/tests/utils/mock_ipsec.c b/src/libcharon/tests/utils/mock_ipsec.c
new file mode 100644
index 000000000..d57a26a87
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_ipsec.c
@@ -0,0 +1,128 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * Copyright (C) 2008 Martin Willi
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mock_ipsec.h"
+
+typedef struct private_kernel_ipsec_t private_kernel_ipsec_t;
+
+/**
+ * Private data
+ */
+struct private_kernel_ipsec_t {
+
+	/**
+	 * Public interface
+	 */
+	kernel_ipsec_t public;
+
+	/**
+	 * Allocated SPI
+	 */
+	refcount_t spi;
+};
+
+METHOD(kernel_ipsec_t, get_spi, status_t,
+	private_kernel_ipsec_t *this, host_t *src, host_t *dst, uint8_t protocol,
+	uint32_t *spi)
+{
+	*spi = (uint32_t)ref_get(&this->spi);
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, get_cpi, status_t,
+	private_kernel_ipsec_t *this, host_t *src, host_t *dst, uint16_t *cpi)
+{
+	return FAILED;
+}
+
+METHOD(kernel_ipsec_t, add_sa, status_t,
+	private_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+	kernel_ipsec_add_sa_t *data)
+{
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, update_sa, status_t,
+	private_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+	kernel_ipsec_update_sa_t *data)
+{
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_sa, status_t,
+	private_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+	kernel_ipsec_query_sa_t *data, uint64_t *bytes, uint64_t *packets,
+	time_t *time)
+{
+	return NOT_SUPPORTED;
+}
+
+METHOD(kernel_ipsec_t, del_sa, status_t,
+	private_kernel_ipsec_t *this, kernel_ipsec_sa_id_t *id,
+	kernel_ipsec_del_sa_t *data)
+{
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, add_policy, status_t,
+	private_kernel_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+	kernel_ipsec_manage_policy_t *data)
+{
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, query_policy, status_t,
+	private_kernel_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+	kernel_ipsec_query_policy_t *data, time_t *use_time)
+{
+	*use_time = 1;
+	return SUCCESS;
+}
+
+METHOD(kernel_ipsec_t, del_policy, status_t,
+	private_kernel_ipsec_t *this, kernel_ipsec_policy_id_t *id,
+	kernel_ipsec_manage_policy_t *data)
+{
+	return SUCCESS;
+}
+
+/*
+ * Described in header
+ */
+kernel_ipsec_t *mock_ipsec_create()
+{
+	private_kernel_ipsec_t *this;
+
+	INIT(this,
+		.public = {
+			.get_spi = _get_spi,
+			.get_cpi = _get_cpi,
+			.add_sa = _add_sa,
+			.update_sa = _update_sa,
+			.query_sa = _query_sa,
+			.del_sa = _del_sa,
+			.flush_sas = (void*)return_failed,
+			.add_policy = _add_policy,
+			.query_policy = _query_policy,
+			.del_policy = _del_policy,
+			.flush_policies = (void*)return_failed,
+			.bypass_socket = (void*)return_true,
+			.enable_udp_decap = (void*)return_true,
+			.destroy = (void*)free,
+		},
+	);
+	return &this->public;
+}
diff --git a/src/libcharon/tests/utils/mock_ipsec.h b/src/libcharon/tests/utils/mock_ipsec.h
new file mode 100644
index 000000000..cbf21524a
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_ipsec.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * kernel_ipsec_t implementation used for exchange unit tests.  Currently
+ * returns sequential SPIs, all other methods are noops.
+ *
+ * @defgroup mock_ipsec mock_ipsec
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef MOCK_IPSEC_H_
+#define MOCK_IPSEC_H_
+
+#include <kernel/kernel_ipsec.h>
+
+/**
+ * Create an instance of kernel_ipsec_t
+ *
+ * @return		created object
+ */
+kernel_ipsec_t *mock_ipsec_create();
+
+#endif /** MOCK_IPSEC_H_ @}*/
diff --git a/src/libcharon/tests/utils/mock_nonce_gen.c b/src/libcharon/tests/utils/mock_nonce_gen.c
new file mode 100644
index 000000000..30910f991
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_nonce_gen.c
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mock_nonce_gen.h"
+
+typedef struct private_nonce_gen_t private_nonce_gen_t;
+
+struct private_nonce_gen_t {
+
+	/**
+	 * Public interface
+	 */
+	nonce_gen_t public;
+
+	/**
+	 * Random number generator
+	 */
+	rng_t* rng;
+
+	/**
+	 * First byte to set to the nonces
+	 */
+	u_char first;
+};
+
+METHOD(nonce_gen_t, get_nonce, bool,
+	private_nonce_gen_t *this, size_t size, uint8_t *buffer)
+{
+	if (size > 0)
+	{
+		buffer[0] = this->first;
+		buffer++;
+		size--;
+	}
+	return this->rng->get_bytes(this->rng, size, buffer);
+}
+
+METHOD(nonce_gen_t, allocate_nonce, bool,
+	private_nonce_gen_t *this, size_t size, chunk_t *chunk)
+{
+	*chunk = chunk_alloc(size);
+	if (!get_nonce(this, chunk->len, chunk->ptr))
+	{
+		chunk_free(chunk);
+		return FALSE;
+	}
+	return TRUE;
+}
+
+METHOD(nonce_gen_t, destroy, void,
+	private_nonce_gen_t *this)
+{
+	DESTROY_IF(this->rng);
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+nonce_gen_t *mock_nonce_gen_create(u_char first)
+{
+	private_nonce_gen_t *this;
+
+	INIT(this,
+		.public = {
+			.get_nonce = _get_nonce,
+			.allocate_nonce = _allocate_nonce,
+			.destroy = _destroy,
+		},
+		.rng = lib->crypto->create_rng(lib->crypto, RNG_WEAK),
+		.first = first,
+	);
+	if (!this->rng)
+	{
+		destroy(this);
+		return NULL;
+	}
+	return &this->public;
+}
diff --git a/src/libcharon/tests/utils/mock_nonce_gen.h b/src/libcharon/tests/utils/mock_nonce_gen.h
new file mode 100644
index 000000000..feeab8bc0
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_nonce_gen.h
@@ -0,0 +1,37 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Special nonce generator that sets the first byte of the generated nonces to
+ * a fixed specified value.
+ *
+ * @defgroup mock_nonce_gen mock_nonce_gen
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef MOCK_NONCE_GEN_H_
+#define MOCK_NONCE_GEN_H_
+
+#include <crypto/nonce_gen.h>
+
+/**
+ * Creates a nonce_gen_t instance.
+ *
+ * @param first		first byte to set in generated nonces
+ * @return			created object
+ */
+nonce_gen_t *mock_nonce_gen_create(u_char first);
+
+#endif /** MOCK_NONCE_GEN_H_ @} */
diff --git a/src/libcharon/tests/utils/mock_sender.c b/src/libcharon/tests/utils/mock_sender.c
new file mode 100644
index 000000000..c090ff439
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_sender.c
@@ -0,0 +1,85 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "mock_sender.h"
+
+#include <collections/linked_list.h>
+
+typedef struct private_mock_sender_t private_mock_sender_t;
+
+/**
+ * Private data
+ */
+struct private_mock_sender_t {
+
+	/**
+	 * Public interface
+	 */
+	mock_sender_t public;
+
+	/**
+	 * Packet queue, as message_t*
+	 */
+	linked_list_t *queue;
+};
+
+
+METHOD(sender_t, send_, void,
+	private_mock_sender_t *this, packet_t *packet)
+{
+	message_t *message;
+
+	message = message_create_from_packet(packet);
+	message->parse_header(message);
+	this->queue->insert_last(this->queue, message);
+}
+
+METHOD(mock_sender_t, dequeue, message_t*,
+	private_mock_sender_t *this)
+{
+	message_t *message = NULL;
+
+	this->queue->remove_first(this->queue, (void**)&message);
+	return message;
+}
+
+METHOD(sender_t, destroy, void,
+	private_mock_sender_t *this)
+{
+	this->queue->destroy_offset(this->queue, offsetof(message_t, destroy));
+	free(this);
+}
+
+/*
+ * Described in header
+ */
+mock_sender_t *mock_sender_create()
+{
+	private_mock_sender_t *this;
+
+	INIT(this,
+		.public = {
+			.interface = {
+				.send = _send_,
+				.send_no_marker = (void*)nop,
+				.flush = (void*)nop,
+				.destroy = _destroy,
+			},
+			.dequeue = _dequeue,
+		},
+		.queue = linked_list_create(),
+	);
+	return &this->public;
+}
diff --git a/src/libcharon/tests/utils/mock_sender.h b/src/libcharon/tests/utils/mock_sender.h
new file mode 100644
index 000000000..5eabddadc
--- /dev/null
+++ b/src/libcharon/tests/utils/mock_sender.h
@@ -0,0 +1,56 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * sender_t implementation that does not pass the sent packet to a socket but
+ * instead provides it for immediate delivery to an ike_sa_t object.
+ *
+ * @defgroup mock_sender mock_sender
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef MOCK_SENDER_H_
+#define MOCK_SENDER_H_
+
+#include <encoding/message.h>
+#include <network/sender.h>
+
+typedef struct mock_sender_t mock_sender_t;
+
+struct mock_sender_t {
+
+	/**
+	 * Implemented interface
+	 */
+	sender_t interface;
+
+	/**
+	 * Remove the next packet in the send queue as message_t object.  The IKE
+	 * header is already parsed (which is assumed does not fail) so it can
+	 * directly be passed to ike_sa_t::process_message().
+	 *
+	 * @return		message or NULL if none is queued
+	 */
+	message_t *(*dequeue)(mock_sender_t *this);
+};
+
+/**
+ * Creates a mock_sender_t instance.
+ *
+ * @return			created object
+ */
+mock_sender_t *mock_sender_create();
+
+#endif /** MOCK_SENDER_H_ @} */
diff --git a/src/libcharon/tests/utils/sa_asserts.h b/src/libcharon/tests/utils/sa_asserts.h
new file mode 100644
index 000000000..7afa3b55b
--- /dev/null
+++ b/src/libcharon/tests/utils/sa_asserts.h
@@ -0,0 +1,145 @@
+/*
+ * Copyright (C) 2016 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * Special assertions against IKE_SAs and CHILD_SAs (e.g. regarding their
+ * state).
+ *
+ * @defgroup sa_asserts sa_asserts
+ * @{ @ingroup test_utils_c
+ */
+
+#ifndef SA_ASSERTS_H_
+#define SA_ASSERTS_H_
+
+#include <inttypes.h>
+
+/**
+ * Check that there exists a specific number of IKE_SAs in the manager.
+ */
+#define assert_ike_sa_count(count) \
+({ \
+	typeof(count) _count = count; \
+	u_int _actual = charon->ike_sa_manager->get_count(charon->ike_sa_manager); \
+	test_assert_msg(_count == _actual, "unexpected number of IKE_SAs in " \
+					"manager (%d != %d)", _count, _actual); \
+})
+
+/**
+ * Check that the IKE_SA with the given SPIs and initiator flag is in the
+ * manager and return it.  Does not actually keep the SA checked out as
+ * that would block cleaning up if asserts against it fail (since we control
+ * access to SAs it's also not really necessary).
+ */
+#define assert_ike_sa_checkout(spi_i, spi_r, initiator) \
+({ \
+	typeof(spi_i) _spi_i = spi_i; \
+	typeof(spi_r) _spi_r = spi_r; \
+	typeof(initiator) _init = initiator; \
+	ike_sa_id_t *_id = ike_sa_id_create(IKEV2, _spi_i, _spi_r, _init); \
+	ike_sa_t *_ike_sa = charon->ike_sa_manager->checkout(charon->ike_sa_manager, _id); \
+	test_assert_msg(_ike_sa, "IKE_SA with SPIs %.16"PRIx64"_i %.16"PRIx64"_r " \
+					"(%d) does not exist", be64toh(_spi_i), be64toh(_spi_r), _init); \
+	_id->destroy(_id); \
+	charon->ike_sa_manager->checkin(charon->ike_sa_manager, _ike_sa); \
+	_ike_sa; \
+})
+
+/**
+ * Check if the given IKE_SA is in the expected state.
+ */
+#define assert_ike_sa_state(ike_sa, state) \
+({ \
+	typeof(ike_sa) _sa = ike_sa; \
+	typeof(state) _state = state; \
+	test_assert_msg(_state == _sa->get_state(_sa), "%N != %N", \
+					ike_sa_state_names, _state, \
+					ike_sa_state_names, _sa->get_state(_sa)); \
+})
+
+/**
+ * Check that there exists a specific number of CHILD_SAs.
+ */
+#define assert_child_sa_count(ike_sa, count) \
+({ \
+	typeof(ike_sa) _sa = ike_sa; \
+	typeof(count) _count = count; \
+	test_assert_msg(_count == _sa->get_child_count(_sa), "unexpected number " \
+					"of CHILD_SAs in IKE_SA %s (%d != %d)", #ike_sa, _count, \
+					_sa->get_child_count(_sa)); \
+})
+
+/**
+ * Check if the CHILD_SA with the given SPI is in the expected state.
+ */
+#define assert_child_sa_state(ike_sa, spi, state) \
+({ \
+	typeof(ike_sa) _sa = ike_sa; \
+	typeof(spi) _spi = spi; \
+	typeof(state) _state = state; \
+	child_sa_t *_child = _sa->get_child_sa(_sa, PROTO_ESP, _spi, TRUE) ?: \
+						 _sa->get_child_sa(_sa, PROTO_ESP, _spi, FALSE); \
+	test_assert_msg(_child, "CHILD_SA with SPI %.8x does not exist", \
+					ntohl(_spi)); \
+	test_assert_msg(_state == _child->get_state(_child), "%N != %N", \
+					child_sa_state_names, _state, \
+					child_sa_state_names, _child->get_state(_child)); \
+})
+
+/**
+ * Assert that the CHILD_SA with the given inbound SPI does not exist.
+ */
+#define assert_child_sa_not_exists(ike_sa, spi) \
+({ \
+	typeof(ike_sa) _sa = ike_sa; \
+	typeof(spi) _spi = spi; \
+	child_sa_t *_child = _sa->get_child_sa(_sa, PROTO_ESP, _spi, TRUE) ?: \
+						 _sa->get_child_sa(_sa, PROTO_ESP, _spi, FALSE); \
+	test_assert_msg(!_child, "CHILD_SA with SPI %.8x exists", ntohl(_spi)); \
+})
+
+/**
+ * Assert that there is a specific number of tasks in a given queue
+ *
+ * @param ike_sa		IKE_SA to check
+ * @param count			number of expected tasks
+ * @param queue			queue to check (task_queue_t)
+ */
+#define assert_num_tasks(ike_sa, count, queue) \
+({ \
+	typeof(ike_sa) _sa = ike_sa; \
+	typeof(count) _count = count; \
+	int _c = 0; task_t *_task; \
+	enumerator_t *_enumerator = _sa->create_task_enumerator(_sa, queue); \
+	while (_enumerator->enumerate(_enumerator, &_task)) { _c++; } \
+	_enumerator->destroy(_enumerator); \
+	test_assert_msg(_count == _c, "unexpected number of tasks in " #queue " " \
+					"of IKE_SA %s (%d != %d)", #ike_sa, _count, _c); \
+})
+
+/**
+ * Assert that all task queues of the given IKE_SA are empty
+ *
+ * @param ike_sa		IKE_SA to check
+ */
+#define assert_sa_idle(ike_sa) \
+({ \
+	typeof(ike_sa) _ike_sa = ike_sa; \
+	assert_num_tasks(_ike_sa, 0, TASK_QUEUE_QUEUED); \
+	assert_num_tasks(_ike_sa, 0, TASK_QUEUE_ACTIVE); \
+	assert_num_tasks(_ike_sa, 0, TASK_QUEUE_PASSIVE); \
+})
+
+#endif /** SA_ASSERTS_H_ @}*/