[Edit: Using wolfSSL 5.7.0]

I can add that I just tried using a single context created thus:

  WOLFSSL_METHOD *method = wolfTLSv1_3_method();
  if ((tcp_tlsCTX = wolfSSL_CTX_new(method)) == NULL)
[...]

Examining the contents of the tcp_tlsCTX object I can see that tcp_tlsCTX->method->side == 3 (either side) just before I do

  WOLFSSL *ssl = wolfSSL_new(tcp_tlsCTX);
  ret = wolfSSL_accept_TLSv13(ssl);

But wolfSSL_accept_TLSv13() does not seem to have this piece of code that wolfSSL_accept() does:

    #if defined(OPENSSL_EXTRA) || defined(WOLFSSL_EITHER_SIDE)
        if (ssl->options.side == WOLFSSL_NEITHER_END) {
            WOLFSSL_MSG("Setting WOLFSSL_SSL to be server side");
            ssl->error = InitSSL_Side(ssl, WOLFSSL_SERVER_END);
            if (ssl->error != WOLFSSL_SUCCESS) {
                WOLFSSL_ERROR(ssl->error);
                return WOLFSSL_FATAL_ERROR;
            }
            ssl->error = 0; /* expected to be zero here */
        }
    #endif /* OPENSSL_EXTRA || WOLFSSL_EITHER_SIDE */

Thus I promptly get an -344 wrong side error from wolfSSL_accept_TLSv13(). I cannot seem to find anything in the documentation about this, is it by design or a bug?

"Is there any reason both the server and client would need to share the same context and ssl structs?"

The device runs a custom RTOS (not Linux), and all TCP/IP communication is run in a single task. Like I said, my first approach was to create two separate WOLFSSL_CTX objects in the same task context and I experienced problems, but of course that could be my own fault. I'm just wondering if this is a correct way to do it, so that I don't run too far down a blind alley.

I don't see any example of doing this in the example code or documentation, which makes me nervous.

Thanks Anthony, seems I had a problem on my side (duh). I got it to work fine with two separate context objects after some semi-related changes!