Support -key-file flag

Passing keys/passwords in command line is not very good from security standpoint.
One could examine password in runner script/process list/etc.

So I propose to add an option flag to load base64-encoded key from file.

It's also more convenient when running shadowsocks in Kubernetes where
one usually mounts secrets as files.

Author: marshall-lee

main.go

@@ -6,6 +6,7 @@ import (
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/url"
 	"os"
@@ -30,6 +31,7 @@ func main() {
 		Client     string
 		Server     string
 		Cipher     string
+		KeyFile    string
 		Key        string
 		Password   string
 		Keygen     int
@@ -47,7 +49,8 @@ func main() {
 
 	flag.BoolVar(&config.Verbose, "verbose", false, "verbose mode")
 	flag.StringVar(&flags.Cipher, "cipher", "AEAD_CHACHA20_POLY1305", "available ciphers: "+strings.Join(core.ListCipher(), " "))
-	flag.StringVar(&flags.Key, "key", "", "base64url-encoded key (derive from password if empty)")
+	flag.StringVar(&flags.KeyFile, "key-file", "", "path of base64url-encoded key file")
+	flag.StringVar(&flags.Key, "key", "", "base64url-encoded key (derive from password if both key-file and key are empty)")
 	flag.IntVar(&flags.Keygen, "keygen", 0, "generate a base64url-encoded random key of given length in byte")
 	flag.StringVar(&flags.Password, "password", "", "password")
 	flag.StringVar(&flags.Server, "s", "", "server listen address or url")
@@ -78,9 +81,21 @@ func main() {
 		return
 	}
 
-	var key []byte
+	var encodedKey string
+	if flags.KeyFile != "" {
+		e, err := ioutil.ReadFile(flags.KeyFile)
+		if err != nil {
+			log.Fatal(err)
+		}
+		encodedKey = string(e)
+	}
 	if flags.Key != "" {
-		k, err := base64.URLEncoding.DecodeString(flags.Key)
+		encodedKey = string(flags.Key)
+	}
+
+	var key []byte
+	if encodedKey != "" {
+		k, err := base64.URLEncoding.DecodeString(encodedKey)
 		if err != nil {
 			log.Fatal(err)
 		}