Signal's Key Wrap: is it safe and is it custom?

The iOS version of Signal application (not the protocol) includes a form of key wrap that I've never seen elsewhere: SHA256-HMAC-SIV.

It's used to encrypt your master key with your pwHash(PIN) before sending it to signal.org's Key Backup Service.

So far as I can tell, it does the following:

SHA256-HMAC-SIV(kek, raw)
kek: key encryption key
raw: original master key bytes

key_auth = HMAC(kek, "auth")
key_enc  = HMAC(kek, "enc")
iv       = Truncate(HMAC(key_auth, raw), 16 bytes)
key_xor  = HMAC(iv, key_enc)

output   = key_xor ^ raw

It derives 2 subkeys, for auth & encryption, like many approaches do. Then it creates a truncated MAC over the raw key for the deterministic IV.

But then it uses the IV as an HMAC key, and the encryption key as the HMAC message to produce a single "block" that they XOR with the raw key.

It seems very clever, but what's the right way to reason about the security overall?

Yes, it is.

After the comment by forest, I found this other question about building a stream cipher from HMAC in CTR mode. One answer gives a detailed explanation of using any one-way hash function as a stream cipher. Another answer gives quotes from Applied Cryptography about using such a cipher in CFB mode.

See the full discussion here:

Can I use HMAC-SHA1 in counter mode to make a stream cipher?