According to http://www.openwall.com/lists/oss-security/2011/11/15/3, it would be preferable to use something other than ':' when an error is encountered.
According to crypt(3), crypt() should return NULL values on errors.
Index: src/lib/libc/crypt/bcrypt.c
===================================================================
RCS file: /cvs/src/lib/libc/crypt/bcrypt.c,v
retrieving revision 1.24
diff -u -p -r1.24 bcrypt.c
--- src/lib/libc/crypt/bcrypt.c 2 Apr 2008 19:54:05 -0000 1.24
+++ src/lib/libc/crypt/bcrypt.c 26 Feb 2012 05:19:27 -0000
@@ -70,7 +70,6 @@ static void decode_base64(u_int8_t *, u_
 static char encrypted[_PASSWORD_LEN];
 static char gsalt[7 + (BCRYPT_MAXSALT * 4 + 2) / 3 + 1];
-static char error[] = ":";
 const static u_int8_t Base64Code[] = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
@@ -185,8 +184,9 @@ bcrypt(const char *key, const char *salt
 salt++;
 if (*salt > BCRYPT_VERSION) {
- /* How do I handle errors ? Return ':' */
- return error;
+ /* How do I handle errors ? Return NULL according to
+ crypt(3) */
+ return NULL;
 }
 /* Check for minor versions */
@@ -198,7 +198,7 @@ bcrypt(const char *key, const char *salt
 salt++;
 break;
 default:
- return error;
+ return NULL;
 }
 } else
 minor = 0;
@@ -208,21 +208,21 @@ bcrypt(const char *key, const char *salt
 if (salt[2] != '$')
 /* Out of sync with passwd entry */
- return error;
+ return NULL;
 /* Computer power doesn't increase linear, 2^x should be fine */
 n = atoi(salt);
 if (n > 31 || n < 0)
- return error;
+ return NULL;
 logr = (u_int8_t)n;
 if ((rounds = (u_int32_t) 1 << logr) < BCRYPT_MINROUNDS)
- return error;
+ return NULL;
 /* Discard num rounds + "$" identifier */
 salt += 3;
 if (strlen(salt) * 3 / 4 < BCRYPT_MAXSALT)
- return error;
+ return NULL;
 /* We dont want the base64 salt but the raw data */
 decode_base64(csalt, BCRYPT_MAXSALT, (u_int8_t *) salt);
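Review bot: The new `return NULL;` in the `@@ -185,8 +184,9 @@` hunk (and the same replacement in the `@@ -198,7 +198,7 @@` and `@@ -208,21 +208,21 @@` hunks) leaves errno untouched, so a caller gets NULL with no indication of why; POSIX crypt() sets errno on failure, and `errno = EINVAL;` before each return (with `<errno.h>` included if it is not already) would match that. The comment still reads as an open question; something like `/* Unsupported version: fail with NULL as crypt(3) documents */` states the decision. Callers are not visible in this diff, but any that pass the result straight to strcmp() need a NULL check before this lands, since they previously always received a valid string. bcrypt()'s body starts and ends outside the hunk.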
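Review bot: In the `@@ -208,21 +208,21 @@` hunk, `n = atoi(salt);` still accepts a cost field that is not two digits, because atoi() stops at the first non-digit and reports no error, so the new `return NULL` paths only catch values that end up out of range. Rejecting non-digits first, `if (!isdigit((unsigned char)salt[0]) || !isdigit((unsigned char)salt[1])) return NULL;` (needs `<ctype.h>`), closes that gap. Placed ahead of the `salt[2] != '$'` test it would also keep a truncated setting string from being indexed past its terminator, unless code outside the hunk already guarantees the length. bcrypt()'s body starts and ends outside the hunk.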