Regarding the C scrypt implementation, after the decrypt call regenerates the key and compares it against the hmac, it will reject everything right there if your password is wrong - but if it's right, it'll proceed to also decrypt the data package.
Is the above statement correct? If so, this is doing a lot of extra work the attacker won't have to perform - they don't even have to derive 64 bytes, just the 32 needed to check the signature. Therefore should one ignore the decrypt implementation in the C implementation?
The decrypt utility's "max time" limitation is wrong for password hashing - each time decrypt is called, it estimates your system's speed, and does some "guessing" as to whether it can calculate the key within max time - which is more overhead your attacker doesn't have to do, but also means it could start rejecting passwords under heavy load.
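For comparison with the concerns raised above, here is an added example (not part of the original post and not code from the C scrypt implementation) of password verification that calls the scrypt KDF directly: cost parameters are fixed when the hash is created and stored with it, only 32 bytes are derived, and nothing depends on a per-call speed estimate. It uses Python's `hashlib.scrypt`; the record layout, the parameter values and the function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed cost parameters (not from the post), fixed at hash time and stored.
N, R, P, DKLEN = 2**14, 8, 1, 32
MAX_N = 2**17  # largest N accepted from a stored record (bounds memory use)


def hash_password(password, salt=None):
    """Return 'scrypt$N$r$p$salt$hash' with base64-encoded salt and hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    fields = ["scrypt", str(N), str(R), str(P),
              base64.b64encode(salt).decode(), base64.b64encode(dk).decode()]
    return "$".join(fields)


def verify_password(password, record):
    """Recompute the hash with the stored parameters; never time-based."""
    try:
        tag, n, r, p, salt_b64, dk_b64 = record.split("$")
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
    except ValueError:  # wrong field count, non-integer, or bad base64
        return False
    # Reject records whose parameters would make verification arbitrarily
    # expensive (for example, a tampered database row).
    if tag != "scrypt" or not 2 <= n <= MAX_N or r != R or p != P or not expected:
        return False
    try:
        dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                            dklen=len(expected), maxmem=2 * 128 * n * r)
    except ValueError:  # e.g. n is not a power of two
        return False
    # Constant-time comparison of derived and stored hash.
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse")  # constructed sample password
    print(rec.split("$")[:4], verify_password("correct horse", rec),
          verify_password("wrong", rec))
```

Because the parameters come from the stored record, a correct password verifies the same way regardless of system load; the only variable is how long the fixed amount of work takes.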