Disallow compressed padding, and set padding to all zeros

IMO, claiming that "random octets make the length obfuscation more robust even when compressed" is dubious, as messages are most likely low-entropy, and given a similar compression ratio, the compression will reveal the length difference between messages even if they are padded with random data before compression. Thus, compression should only be used before padding, or not at all. And, at that point we can set the padding to all zeros.

This MR is mutually exclusive with !203 (closed).