The get_etype() callback originally only returned the AS-REP enctype
for PKINIT, but was changed for encrypted challenge to sometimes
return the enctype from etype-info. (Encrypted challenge no longer
uses the callback; PKINIT is currently the only known consumer.) Make
sure to always return the AS-REP enctype if an AS-REP has been
received, so that the PKINIT clpreauth module uses the correct enctype
even if the KDC sends a different enctype in etype-info in violation
of RFC 4120.