Comparing changes

base repository: aws/aws-lc
base: v1.66.0
head repository: aws/aws-lc
compare: v1.66.1
  • 8 commits
  • 29 files changed
  • 7 contributors

Commits on Dec 15, 2025

  1. Iterate through all DNS entries in connect CLI (#2906)

    ### Issues:
    N/A
    
    ### Description of changes: 
    The `openssl sclient -connect` CLI command would only attempt to connect
    to the first resolved DNS entry. Failing that,
    it considers the entire connection attempt failed. This change updates
    the command to iterate through the linked list of
    entries until it can successfully connect. This is in-line with upstream
    [OpenSSL](https://github.com/openssl/openssl/blob/OpenSSL_1_1_1-stable/apps/s_socket.c#L93).
    
    It's particularly useful in cases where the first address resolved is
    either unavailable or otherwise unusable. This can
    be common when trying to resolve an address such as `localhost` and the
    OS returns the ipv6 loopback address before the
    ipv4 version and your web server is only listening with ipv4.
    
    ### Call-outs:
    I did not exhaustively consider other uses of this function beyond this
    specific CLI tool. A glance check of the references suggests low usage
    and it's still the right change to make overall.
    
    ### Testing:
    - Tested this in a build container which resolves `localhost` as `[::1,
    127.0.0.1]` with a web server that listens on ipv4 and asserted that the
    CLI tool can connect successfully to that web server.
    
    - CI
    
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache 2.0 license and the ISC license.
    geedo0 authored Dec 15, 2025
    5a08a98

Commits on Dec 16, 2025

  1. 76a2504
  2. Remove OPENSSL_NO_BF for real (#2914)

    ### Description of changes: 
    File change got lost in a rebase from prior PR.
    
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache 2.0 license and the ISC license.
    skmcgrail authored Dec 16, 2025
    b3b2226
  3. Add openssl genpkey cli utility tool (#2907)

    Internal consumers are depending on the `openssl genpkey` cli tool, so
    this adds the necessary functionality to support that. This is mainly
    used for generating a private key or key pair.
    I've only added the necessary options for now which are `-algorithm`,
    `-pkeyopt`, and `-out`. We can add more if needed, but there haven't
    been more use cases discovered yet. I've also reused and cleaned up a
    bit of the surrounding code while I was at it. Would like to refactor
    more, but that would be a separate PR.
    
    ### Testing:
    new unit tests. I haven't added any comparison tests, since it didn't
    really make sense to compare generated private keys from two different
    libraries.
    
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache 2.0 license and the ISC license.
    samuel40791765 authored Dec 16, 2025
    192d915

Commits on Dec 17, 2025

  1. Add stdin support for pkcs8 tool (#2915)

    There are users that expect the stdin format when using the openssl
    pkcs8 tool. I've removed some unnecessary cruft. There doesn't seem to
    be an actual reason to cap the limit here, none of the other cli
    implement this behavior and the relevant BIO functions will already fail
    if the file loading becomes too excessive.
    
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache 2.0 license and the ISC license.
    samuel40791765 authored Dec 17, 2025
    f221856
  2. ca4a1ba

Commits on Dec 18, 2025

  1. ML-DSA: Missing Private Key Validation Checks (#2874)

    ### Issue:
    `EVP_PKEY_pqdsa_new_raw_private_key()` accepts malformed keys with
    secret vectors `s1` and `s2` containing coefficients outside the valid
    range `[-η, η]`. These keys lead to undefined behavior, like producing
    signatures that fail verification.
    
    ### Description of changes: 
    Adds the missing validation checks to `ml_dsa_pack_pk_from_sk()` in
    `crypto/fipsmodule/ml_dsa/ml_dsa_ref/packing.c`. It now rejects keys if
    `s1` or `s2` have coefficients exceeding `[-η, η]`.
    
    ### Call-outs:
    - With the addition of these validation checks, we should reject *all*
    invalid private keys.
    - Discovered via Wycheproof test vector:
    https://github.com/C2SP/wycheproof/blob/e3c37e9db0f85a762dfcef1642b046bd31090ca4/testvectors_v1/mldsa_44_sign_noseed_test.json#L626-L646
    - **Upstream considerations**: While this change should ideally be made
    upstream in mldsa-native, we are landing this now since this code is in
    production and mldsa-native will take time to land. I will open an
    upstream PR soon to ensure consistency.
    - **Import protection**: If these checks get overridden during a future
    upstream import, the tests added in this PR will fail in CI, preventing
    that merge and ensuring the validation remains in place.
    
    ### Testing:
    
    - Adds test vector generation script
    `crypto/fipsmodule/ml_dsa/make_corrupted_key_tests.cc`
    - Adds the generated test vectors
    `crypto/evp_extra/mldsa_corrupted_key_tests.txt`
    - Adds a test `crypto/evp_extra/mldsa_test.cc` that uses these test
    vectors
    
    To run the test:
    ```
    $ cd build
    $ ./crypto/crypto_test --gtest_filter="*MLDSATest.ExpandedKeyValidation*"
    ```
    
    To (re-)generate the test vectors:
    ```
    $ cd crypto/fipsmodule/ml_dsa
    $ make generate
    ```
    
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache 2.0 license and the ISC license.
    sgmenda authored Dec 18, 2025
    26cfa36
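
The range check that the ML-DSA commit above describes, as an added example (not aws-lc's `packing.c` code): in the FIPS 204 private-key encoding each `s1`/`s2` coefficient `c` is stored as the field `η - c`, 3 bits wide for η = 2 and 4 bits wide for η = 4, so any field above `2η` decodes outside `[-η, η]`. The function names and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MLDSA_N 256 /* coefficients per polynomial (FIPS 204) */

/* Bits per packed s1/s2 coefficient: 3 when eta = 2, 4 when eta = 4. */
static unsigned eta_bits(unsigned eta) { return eta == 2 ? 3 : 4; }

/* Read the idx-th d-bit field of a little-endian bit stream. */
static unsigned read_field(const uint8_t *buf, size_t idx, unsigned d) {
  size_t bit = idx * d;
  unsigned v = (unsigned)buf[bit / 8] >> (bit % 8);
  if (bit % 8 + d > 8) { /* field straddles a byte boundary */
    v |= (unsigned)buf[bit / 8 + 1] << (8 - bit % 8);
  }
  return v & ((1u << d) - 1);
}

/* Write field idx (helper used only to construct the sample inputs). */
static void write_field(uint8_t *buf, size_t idx, unsigned d, unsigned t) {
  for (unsigned b = 0; b < d; b++) {
    size_t bit = idx * d + b;
    buf[bit / 8] &= (uint8_t)~(1u << (bit % 8));
    buf[bit / 8] |= (uint8_t)(((t >> b) & 1u) << (bit % 8));
  }
}

/* A field t encodes the coefficient eta - t, so it lies in [-eta, eta] only
 * when t <= 2*eta. Returns 1 if all 256 fields pass, 0 otherwise. */
int poly_eta_in_range(const uint8_t *packed, unsigned eta) {
  if (eta != 2 && eta != 4) return 0;
  unsigned bad = 0;
  for (size_t i = 0; i < MLDSA_N; i++) { /* full scan, no early exit */
    bad |= read_field(packed, i, eta_bits(eta)) > 2 * eta;
  }
  return bad == 0;
}

/* Constructed sample: every field set to `fill`, then field idx set to t. */
int check_sample(unsigned eta, unsigned fill, size_t idx, unsigned t) {
  uint8_t buf[MLDSA_N * 4 / 8] = {0}; /* 128 bytes covers either eta */
  for (size_t i = 0; i < MLDSA_N; i++) write_field(buf, i, eta_bits(eta), fill);
  write_field(buf, idx, eta_bits(eta), t);
  return poly_eta_in_range(buf, eta);
}

int main(void) {
  printf("eta=2 t=4: %d, t=5: %d\n", check_sample(2, 2, 17, 4), check_sample(2, 2, 17, 5));
  return 0;
}
```

A vector-level check applies the same test to each polynomial of `s1` and `s2` and rejects the key if any one of them fails.
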
  2. Prepare v1.66.1 (#2918)

    ### Description of changes: 
    Prepare release Prepare v1.66.1
    
    By submitting this pull request, I confirm that my contribution is made
    under the terms of the Apache 2.0 license and the ISC license.
    justsmth authored Dec 18, 2025
    3eb8d55