security: clear auth credential buffers from stack after use

Information Disclosure: Medium

The RAOP authentication header construction leaves sensitive material
on the stack after the function returns: Base64-encoded credentials in
enc[], MD5 password-derived hashes in h1/h2/resp[], and the assembled
Authorization header in auth[]. These persist in stack memory and can
be recovered via core dumps, memory disclosure vulnerabilities, or
cold boot attacks.

The plaintext password buffer (buf[]) was already properly cleared with
explicit_bzero, but the derived credential buffers were not. Apply
explicit_bzero to enc, h1, h2, resp, and auth before returning.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/modules/module-raop-sink.c

@@ -728,6 +728,7 @@ static int rtsp_add_raop_auth_header(struct impl *impl, const char *method)
 		pw_base64_encode((uint8_t*)buf, strlen(buf), enc, '=');
 		explicit_bzero(buf, sizeof(buf));
 		spa_scnprintf(auth, sizeof(auth), "Basic %s", enc);
+		explicit_bzero(enc, sizeof(enc));
 	}
 	else if (spa_streq(impl->auth_method, "Digest")) {
 		const char *url;
@@ -744,12 +745,16 @@ static int rtsp_add_raop_auth_header(struct impl *impl, const char *method)
 		spa_scnprintf(auth, sizeof(auth),
 				"username=\"%s\", realm=\"%s\", nonce=\"%s\", uri=\"%s\", response=\"%s\"",
 				RAOP_AUTH_USER_NAME, impl->realm, impl->nonce, url, resp);
+		explicit_bzero(h1, sizeof(h1));
+		explicit_bzero(h2, sizeof(h2));
+		explicit_bzero(resp, sizeof(resp));
 	}
 	else
 		goto error;
 
 	pw_properties_setf(impl->headers, "Authorization", "%s %s",
 			impl->auth_method, auth);
+	explicit_bzero(auth, sizeof(auth));
 
 	return 0;
 error: