I'm going through the DTLS part in libcoap and trying to understand how it works. For coap with DTLS, the following additional checks are defined to match the response received to the correct request in Section 9.1.2 of the CoAP RFC:

9.1.2. Request/Response Layer

The following rules are added for matching a response to a request:
The DTLS session MUST be the same, and the epoch MUST be the same.

This means the response to a DTLS secured request MUST always be DTLS
secured using the same security session and epoch. Any attempt to
supply a NoSec response to a DTLS request simply does not match the
request and therefore MUST be rejected (unless it does match an
unrelated NoSec request).

How is this done in libcoap? I tried looking at the different coap_dtls_receive() provided for each DTLS stack and if I understand correctly, only decryption and event handling are done in those functions. I also looked at coap_dispatch() and found nothing related to matching DTLS session and epoch.

If the check is done in libcoap, can anyone help to point me to the correct place I should look at?