Read Michael MIC keys through TK2 union instead of offset from TK1

This gets rid of potential warnings about buffer bounds errors. The earlier
code works fine, but it is not the cleanest way of using the struct wpa_ptk
definition for TK1/TK2.

src/rsn_supp/peerkey.c

@@ -867,8 +867,8 @@ static void wpa_supplicant_process_stk_3_of_4(struct wpa_sm *sm,
 	if (peerkey->cipher == WPA_CIPHER_TKIP) {
 		/* Swap Tx/Rx keys for Michael MIC */
 		os_memcpy(key_buf, _key, 16);
-		os_memcpy(key_buf + 16, _key + 24, 8);
-		os_memcpy(key_buf + 24, _key + 16, 8);
+		os_memcpy(key_buf + 16, peerkey->stk.u.auth.rx_mic_key, 8);
+		os_memcpy(key_buf + 24, peerkey->stk.u.auth.tx_mic_key, 8);
 		_key = key_buf;
 		key_len = 32;
 	} else